Troubleshooting Domain Control Validation
Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.
If these issues occur while HTTP DCV is in place, review the following settings:
/.well-known/*: Review WAF custom rules and other configuration rules to make sure no Cloudflare settings are targeting your zone’s path for
Cloudflare WAF rules: Review your WAF custom rules to ensure that your rules do not enable interactive challenge on the validation URL.
Cloudflare Account Settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled I’m Under Attack Mode on the validation URL.
Authoritative DNS provider: Check your settings at your authoritative DNS provider to make sure that:
- DNSSEC is configured correctly.
- Your CAA records allow Cloudflare’s partner Certificate Authorities to issue certificates on your behalf.
The HTTP verification process is done preferably over IPv6, so if any
AAAA record exists and does not point to the same dual-stack location as the
A record, the validation will fail.