From 2f3b0eaa4b00fd026fb2e8fb49c58406a8ecb1dc Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Mon, 18 May 2026 14:25:06 +0200 Subject: [PATCH 1/2] [SSL] Expand DCV troubleshooting with all CA error messages Documents all DCV error messages returned by certificate authorities: - Rate limiting errors with expiration time - CAA records block issuance - Multiple perspective validation errors (MPIC) - DNS lookup errors (SERVFAIL, NXDOMAIN, DNSSEC) - Rejected identifier errors - Internal CA errors Each error now includes a clear Resolution section with actionable steps. Addresses SPM-3368 --- .../changing-dcv-method/troubleshooting.mdx | 38 +++++++++++++++---- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx index 5dd7b8559a90061..45c0b657a28c048 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx @@ -87,17 +87,41 @@ Resolve-DnsName -Name example.com -Type CAA -### Multiple perspective CAA check error +When you see `The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority`, the certificate authority has temporarily blocked certificate issuance for your domain due to too many recent requests. -The error `Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries` means that the CA was not able to resolve the CAA records related to your domain from specific geographic locations. +**Resolution**: Wait for the rate limit to expire (the error message includes the expiration time), or select a different [certificate authority](/ssl/reference/certificate-authorities/). -You can investigate for resolution error using the [ping.pe tool](https://dig.ping.pe/). -For example, for a [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) certificate encountering this issue, you can check for: `:CAA:8.8.8.8`. +### CAA records block issuance -Read more from Certificate Authorities specific documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic). +The error `CAA records block issuance. Please remove all CAA records or add records for this authority` indicates that your domain's [CAA records](/ssl/edge-certificates/caa-records/) do not allow the selected certificate authority to issue certificates. + +**Resolution**: Either remove all CAA records from your domain, or add CAA records that explicitly allow [Cloudflare's partner certificate authorities](/ssl/reference/certificate-authorities/). + +### Multiple perspective validation errors + +Certificate authorities perform domain validation from multiple geographic locations to prevent certain attacks. You may encounter one of these errors: + +- `Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries from all geographic perspectives` +- `Certificate authority was unable to verify domain ownership from multiple geographic locations (MPIC failure). Please ensure your DNS records are reachable from all geographic perspectives and try again.` + +**Resolution**: Ensure your DNS records (including CAA records) are consistently resolvable from all geographic locations. You can investigate resolution errors using the [ping.pe tool](https://dig.ping.pe/). For example, for a [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) certificate, check: `:CAA:8.8.8.8`. + +Read more from certificate authority documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic). + +### DNS lookup errors + +The error `the Certificate Authority had trouble performing a DNS lookup` indicates that the CA could not resolve your domain's DNS records. Common causes include SERVFAIL responses, NXDOMAIN, or DNSSEC validation failures. + +**Resolution**: Verify that your DNS records are correctly configured and resolvable. Use tools like [DNSViz](https://dnsviz.net/) to check for DNSSEC issues, and ensure your authoritative nameservers are responding correctly. + +### Rejected identifier + +The error `The certificate authority will not issue for this domain. Please check your input or try another authority` means the CA has policies that prevent issuing certificates for your specific domain. + +**Resolution**: Verify that your domain name is correctly spelled and does not violate the CA's issuance policies. If the domain is valid, try selecting a different [certificate authority](/ssl/reference/certificate-authorities/). ### Internal errors -When the certificate authority finds an issue during the CA check portion of the [DCV flow](/ssl/edge-certificates/changing-dcv-method/dcv-flow/), you may see a `Internal error with Certificate Authority` message. In this case, either wait or try a different certificate authority. +When you see `Internal error with Certificate Authority. Please check later`, the certificate authority encountered a temporary issue during validation. -When the error states that the `certificate authority will not issue for this domain`, you can try a different certificate authority or contact the CA directly. +**Resolution**: Wait a few minutes and retry. If the issue persists, try selecting a different [certificate authority](/ssl/reference/certificate-authorities/). Cloudflare will automatically retry validation according to the [validation backoff schedule](/ssl/edge-certificates/changing-dcv-method/validation-backoff-schedule/). From 059b007274daafded1dc43f258772879d2ae26e6 Mon Sep 17 00:00:00 2001 From: Nicolas Gayerie Date: Tue, 19 May 2026 15:17:48 +0200 Subject: [PATCH 2/2] Reorganize DCV troubleshooting with quick checklist and redirect examples - Add clear intro explaining certificates stuck in 'Pending Validation' - Add TL;DR checklist at top with links to detailed sections - Add example rule expressions for excluding .well-known from redirects --- .../changing-dcv-method/troubleshooting.mdx | 29 +++++++++++++++---- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx index 45c0b657a28c048..016f457a0a0fdf2 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx @@ -13,15 +13,24 @@ head: import { GlossaryTooltip, Render, Tabs, TabItem } from "~/components"; -Taking into account the [steps involved in DCV](/ssl/edge-certificates/changing-dcv-method/dcv-flow/), some situations may interfere with certificate issuance and renewal. - -[Blocked validation URLs](#blocked-validation-url) or [misconfigured DNS settings](#dns-settings-and-records) might interfere with the certificate authority's ability to finish the validation process. In these situations, you may need to update your configuration at Cloudflare or at your authoritative DNS provider. Additionally, there can also be [errors on the CA side](#ca-errors). +If your certificate is stuck in **Pending Validation** or failing to issue, the certificate authority (CA) may be unable to complete [domain control validation (DCV)](/ssl/edge-certificates/changing-dcv-method/dcv-flow/). This page helps you identify and resolve common DCV issues. :::note - If you are using the Cloudflare API, error messages are presented under the `validation_errors` parameter. ::: +## Quick checklist + +Use this checklist to identify common DCV issues: + +- [ ] [No rules blocking the validation URL](#blocked-validation-url) - WAF rules, IP access rules, or Under Attack mode can block the CA +- [ ] [No redirects on the validation path](#redirection) - The `/.well-known/*` path must not redirect (especially HTTP to HTTPS in partial setups) +- [ ] [DNS records are resolvable](#dns-settings-and-records) - DNSSEC must be valid, and records must resolve from all locations +- [ ] [CAA records allow the CA](#caa-records) - CAA records must permit Cloudflare's partner CAs to issue certificates +- [ ] [No CA-side errors](#ca-errors) - Rate limits, policy blocks, or temporary CA issues + +--- + ## Blocked validation URL If you have issues while HTTP DCV is in place, review the following settings: @@ -42,7 +51,17 @@ Enabling [Always Use HTTPS](/ssl/edge-certificates/additional-options/always-use In a [Partial (CNAME) setup](/ssl/edge-certificates/changing-dcv-method/#partial-dns-setup---action-sometimes-required) where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the `/.well-known/*` path. -When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well-known/*` path should be excluded from redirections. +When using [Redirect Rules](/rules/url-forwarding/single-redirects/), exclude the `/.well-known/*` path from redirections by adding a condition to your rule: + +```txt +not starts_with(http.request.uri.path, "/.well-known/") +``` + +For example, if you have a rule that redirects all HTTP traffic to HTTPS, modify the rule expression to: + +```txt +(http.request.scheme eq "http") and not starts_with(http.request.uri.path, "/.well-known/") +``` ## DNS settings and records