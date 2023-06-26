Domain control validation backoff schedule

Domain control validation (DCV) has to happen before a Certificate Authority (CA) will issue a certificate for a domain. If DCV fails during issuance or renewal, Cloudflare automatically retries it on a schedule.

The DCV process relies on tokens that are generated by the issuing Certificate Authority. These tokens have a validity period defined by each CA:

DigiCert - 30 days

Google Trust Services - 14 days

Let’s Encrypt - 7 days

After this period, DCV tokens expire as dictated by the CA/B Baseline Requirements External link icon Open external link , and new, valid tokens must be placed.

If you use Delegated DCV or if Cloudflare automatically performs DCV for you, this page is only informational. If you have to manually perform DCV, remember that DCV tokens have a fixed validity period and consider the following information on how often Cloudflare checks for a valid token.

​​ Successive checks function

Cloudflare caps the check backoff to a maximum of four hours to avoid the function growing exponentially, which would result in large gaps between checks towards the end of the month.

now() + min((floor(60 * pow(1.05, retry_attempt)) * INTERVAL '1 second'), INTERVAL '4 hours')

​​ Capped attempts reference table

As presented in the following table, most of the checks take place on the first day after the DCV token is generated.

In manual processes, it is possible that you fall behind schedule when you place the token, meaning that it may not be validated immediately.

In automatic processes, most validations complete within the first five minutes, unless there is a setup misconfiguration.