| title | pcx_content_type | weight | meta | ||
|---|---|---|---|---|---|
Troubleshooting |
troubleshooting |
3 |
|
Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.
Blocked validation URLs or misconfigured DNS settings might interfere with the {{}}certificate authority's{{}} ability to finish the validation process. In these situations, you may need to update your configuration at Cloudflare or at your authoritative DNS provider. Additionally, there can also be errors on the CA side.
{{
}} If you are using the Cloudflare API, error messages are presented under thevalidation_errors parameter.
{{}}
If you have issues while HTTP DCV is in place, review the following settings:
-
Anything affecting
/.well-known/*: Review WAF custom rules, IP Access Rules, and other configuration rules to make sure that your rules do not enable interactive challenge on the validation URL. -
Cloudflare Account Settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled I'm Under Attack Mode on the validation URL.
{{
}} {{}} {{}}
The errors below refer to situations that have to be addressed at the authoritative DNS provider:
the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogusCertificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.
Consider the following when troubleshooting:
- DNSSEC must be configured correctly. You can use DNSViz to understand and troubleshoot the deployment of DNSSEC.
- Your CAA records should allow Cloudflare's partner certificate authorities (CAs) to issue certificates on your behalf.
- The HTTP verification process is done preferably over IPv6, so if any
AAAArecord exists and does not point to the same dual-stack location as theArecord, the validation will fail.
{{}}
When the certificate authority finds an issue during the CA check portion of the DCV flow, you may see a Internal error with Certificate Authority message. In this case, either wait or try a different certificate authority.
When the error states that the certificate authority will not issue for this domain, you can try a different certificate authority or contact the CA directly.