Skip to content

Troubleshooting

Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.

Blocked validation URLs or misconfigured DNS settings might interfere with the certificate authority's ability to finish the validation process. In these situations, you may need to update your configuration at Cloudflare or at your authoritative DNS provider. Additionally, there can also be errors on the CA side.

Blocked validation URL

If you have issues while HTTP DCV is in place, review the following settings:

  • Anything affecting /.well-known/*: Review WAF custom rules, IP Access Rules, and other configuration rules to make sure that your rules do not enable interactive challenge on the validation URL.

  • Cloudflare Account Settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled I'm Under Attack Mode on the validation URL.

Redirection

Enabling Always Use HTTPS does not impact the validation process.

In a Partial (CNAME) setup where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the /.well-known/* path.

When using Redirect Rules the /.well-known/* path should be excluded from redirections.

DNS settings and records

The errors below refer to situations that have to be addressed at the authoritative DNS provider:

  • the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus
  • Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.

Consider the following when troubleshooting:

  • DNSSEC must be configured correctly. You can use DNSViz to understand and troubleshoot the deployment of DNSSEC.
  • Your CAA records should allow Cloudflare's partner certificate authorities (CAs) to issue certificates on your behalf.
  • The HTTP verification process is done preferably over IPv6, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail.

CA errors

Rate limiting

As mentioned in Certificate authorities, specific CAs may have their own limitations. If you use Let’s Encrypt and receive the error below, it means you hit the duplicate certificate limit imposed by Let's Encrypt.

The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority.

A certificate is considered a duplicate of an earlier certificate if it contains the exact same set of hostnames.

In this case, you can either wait for the rate limit window to end or choose a different certificate authority.

Internal errors

When the certificate authority finds an issue during the CA check portion of the DCV flow, you may see a Internal error with Certificate Authority message. In this case, either wait or try a different certificate authority.

When the error states that the certificate authority will not issue for this domain, you can try a different certificate authority or contact the CA directly.