Skip to content

Troubleshooting

Rate limits

By default, you may issue up to 15 certificates per minute. Only successful submissions (POSTs that return 200) are counted towards your limit. If you exceed your limit, you will be prevented from issuing new certificates for 30 seconds.

If you require a higher rate limit, contact your Customer Success Manager.


Purge cache

To remove specific files from Cloudflare’s cache, purge the cache while specifying one or more hosts.


Resolution error 1016 (Origin DNS error) when accessing the custom hostname

Cloudflare returns a 1016 error when the custom hostname cannot be routed or proxied.

There are three main causes of error 1016:

  1. Custom Hostname ownership validation is not complete. To check validation status, run an API call to search for a certificate by hostname and check the verification error field: "verification_errors": ["custom hostname does not CNAME to this zone."].
  2. Fallback Origin is not correctly set. Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
  3. A Wildcard Custom Hostname has been created, but the requested hostname is associated with a domain that exists in Cloudflare as a standalone zone. In this case, the hostname priority for the standalone zone will take precedence over the wildcard custom hostname. This behavior applies even if there is no DNS record for this standalone zone hostname.

In this scenario each hostname that needs to be served by the Cloudflare for SaaS parent zone needs to be added as an individual Custom Hostname.


Custom hostname in Moved status

To move a custom hostname back to an Active status, send a PATCH request to restart the hostname validation. A Custom Hostname in a Moved status is deleted after 7 days.

In some circumstances, custom hostnames can also enter a Moved state if your customer changes their DNS records pointing to your SaaS service. For more details, refer to Remove custom hostnames.


CAA Errors

The caa_error in the status of a custom hostname means that the CAA records configured on the domain prevented the Certificate Authority to issue the certificate.

You can check which CAA records are configured on a domain using the dig command: dig CAA example.com

You will need to ensure that the required CAA records for the selected Certificate Authority are configured. For example, here are the records required to issue Let’s Encrypt and Google Trust Services certificates:

example.com CAA 0 issue "letsencrypt.org"
example.com CAA 0 issuewild "letsencrypt.org"
example.com CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"

More details can be found on the CAA records FAQ.

Older devices have issues connecting

As Let’s Encrypt - one of the certificate authorities (CAs) used by Cloudflare - has announced changes in its chain of trust, starting September 9, 2024, there may be issues with older devices trying to connect to your custom hostname certificate.

Refer to the full migration guide for details and consider the following solutions:

  • Use the Edit Custom Hostname endpoint to set the certificate_authority parameter to an empty string (""): this sets the custom hostname certificate to “default CA”, leaving the choice up to Cloudflare. Cloudflare will always attempt to issue the certificate from a more compatible CA, such as Google Trust Services, and will only fall back to using Let’s Encrypt if there is a CAA record in place that blocks Google from issuing a certificate.

    Example API call

    Terminal window
    curl --request PATCH \\
    https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_hostnames/{custom_hostname_id} \\
    --header "X-Auth-Email: <EMAIL>" \\
    --header "X-Auth-Key: <API_KEY>" \\
    --header "Content-Type: application/json" \\
    --data '{
    "ssl": {
    "method": "txt",
    "type": "dv",
    "certificate_authority": ""
    }
    }'
  • Use the Edit Custom Hostname endpoint to set the certificate_authority parameter to google: this sets Google Trust Services as the CA for your custom hostnames.

  • If you are using a custom certificate for your custom hostname, refer to the custom certificates troubleshooting.

Custom hostname fails to verify because the zone is held

The zone hold feature is a toggle that will prevent their zone from being activated on other Cloudflare account. When the option Also prevent subdomains is enabled, this prevents the verification of custom hostnames for this domain. The custom hostname will remain in the Blocked status, with the following error message: The hostname is associated with a held zone. Please contact the owner of this domain to have the hold removed. In this case, the owner of the zone needs to release the hold before the custom hostname can become activated.

Hostnames over 64 characters

The Common Name (CN) restriction establishes a limit of 64 characters (RFC 5280). If you have a hostname that exceeds this length, you may find the following error:

Since no host is 64 characters or fewer, Cloudflare Branding is required. Please check your input and try again. (1469)

To solve this, you can set cloudflare_branding to true when creating your custom hostnames via API.

Cloudflare branding means that sni.cloudflaressl.com will be added as the certificate Common Name (CN) and the long hostname will be included as a part of the Subject Alternative Name (SAN).