Troubleshooting

If your certificate is stuck in Pending Validation or failing to issue, the certificate authority (CA) may be unable to complete domain control validation (DCV). This page helps you identify and resolve common DCV issues.

Quick checklist

Use this checklist to identify common DCV issues:

No rules blocking the validation URL - WAF rules, IP access rules, or Under Attack mode can block the CA
No redirects on the validation path - The /.well-known/* path must not redirect (especially HTTP to HTTPS in partial setups)
DNS records are resolvable - DNSSEC must be valid, and records must resolve from all locations
CAA records allow the CA - CAA records must permit Cloudflare's partner CAs to issue certificates
No CA-side errors - Rate limits, policy blocks, or temporary CA issues

Blocked validation URL

If you have issues while HTTP DCV is in place, review the following settings:

Anything affecting /.well-known/*: Review WAF custom rules, IP Access Rules, and other configuration rules to make sure that your rules do not enable interactive challenge on the validation URL.
Workers routes: If you have Workers routes matching */* or paths that include /.well-known/pki-validation/* or /.well-known/acme-challenge/*, your Worker may intercept DCV requests from the certificate authority. Make sure your Worker either passes through requests to these paths or does not match them. This is especially relevant for Cloudflare for SaaS zones that use a Worker as the fallback origin.
Cloudflare Account Settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled Under Attack mode on the validation URL.

When your certificate is in pending_validation and valid tokens are in place, some security features targeting your zone's path for /.well-known/* can be automatically bypassed.

Redirection

Enabling Always Use HTTPS does not impact the validation process.

In a Partial (CNAME) setup where you are managing the token on the origin side, please ensure that no redirection from HTTP to HTTPS occurs on the /.well-known/* path.

When using Redirect Rules, exclude the /.well-known/* path from redirections by adding a condition to your rule:

not starts_with(http.request.uri.path, "/.well-known/")

For example, if you have a rule that redirects all HTTP traffic to HTTPS, modify the rule expression to:

(http.request.scheme eq "http") and not starts_with(http.request.uri.path, "/.well-known/")

DNS settings and records

The errors below refer to situations that have to be addressed at the authoritative DNS provider:

the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for <hostname>: dnssec: bogus
Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.

Consider the following when troubleshooting:

DNSSEC ↗ must be configured correctly. You can use DNSViz ↗ to understand and troubleshoot the deployment of DNSSEC.
The HTTP verification process is done preferably over IPv6, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail.
If an NS record is present for the hostname or its parent, DNS resolution will be managed externally by the DNS provider defined in the NS target. In this case, you must either add the DCV TXT record at the external DNS provider, or remove the NS record at Cloudflare.

CAA records

Your CAA records must be resolvable from all locations.
Your CAA records should allow Cloudflare's partner certificate authorities (CAs) to issue certificates on your behalf.
If you are using a subdomain setup (subdomain.example.com) and Cloudflare is not the authoritative DNS provider for the parent domain (example.com), you should make sure that the parent domain (example.com) either has CAA records that allow Cloudflare's partner CAs, or has no CAA records at all.

You can check the CAA records by running the following command:

macOS and Linux
Windows

dig example.com CAA +short

Resolve-DnsName -Name example.com -Type CAA

Certificate authority (CA) errors

A certificate authority (CA) is the organization that issues your SSL/TLS certificate. Cloudflare partners with multiple CAs to provide certificates for your domain.

Rate limiting

As mentioned in Certificate authorities, specific CAs may have their own limitations. If you use Let’s Encrypt and receive the error below, it means you hit the duplicate certificate limit ↗ imposed by Let's Encrypt.

The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority.

A certificate is considered a duplicate of an earlier certificate if it contains the exact same set of hostnames.

In this case, you can either wait for the rate limit window to end or choose a different certificate authority.

When you see The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority, the certificate authority has temporarily blocked certificate issuance for your domain due to too many recent requests.

Rate limit windows vary by CA:

Let's Encrypt: 7 days for most rate limits (refer to Let's Encrypt rate limits ↗)
Google Trust Services: Varies by limit type (refer to Google Trust Services documentation ↗)

Resolution: Wait for the rate limit window to expire, or select a different CA.

CAA records block issuance

The error CAA records block issuance. Please remove all CAA records or add records for this authority indicates that your domain's CAA records do not allow the selected certificate authority to issue certificates.

Resolution: Either remove all CAA records from your domain, or add CAA records that explicitly allow Cloudflare's partner certificate authorities.

Multiple perspective validation errors

Certificate authorities perform domain validation from multiple geographic locations to prevent certain attacks. You may encounter one of these errors:

Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries from all geographic perspectives
Certificate authority was unable to verify domain ownership from multiple geographic locations (MPIC failure). Please ensure your DNS records are reachable from all geographic perspectives and try again.

Resolution: Ensure your DNS records (including CAA records) are consistently resolvable from all geographic locations. You can investigate resolution errors using the ping.pe tool ↗. For example, for a Google Trust Services certificate, check: <hostname>:CAA:8.8.8.8.

Read more from certificate authority documentation: SSL.com ↗, Let's Encrypt ↗, and Google Trust Services ↗.

DNS lookup errors

The error the Certificate Authority had trouble performing a DNS lookup indicates that the CA could not resolve your domain's DNS records. Common causes include SERVFAIL responses, NXDOMAIN, or DNSSEC validation failures.

Resolution: Verify that your DNS records are correctly configured and resolvable. Use tools like DNSViz ↗ to check for DNSSEC issues, and ensure your authoritative nameservers are responding correctly.

Rejected identifier

The error The certificate authority will not issue for this domain. Please check your input or try another authority means the CA has policies that prevent issuing certificates for your specific domain.

Resolution: Verify that your domain name is correctly spelled and does not violate the CA's issuance policies. If the domain is valid, try selecting a different CA.

Internal errors

When you see Internal error with Certificate Authority. Please check later, the certificate authority encountered a temporary issue during validation.

Resolution: Wait a few minutes and retry. If the issue persists, try selecting a different CA. Cloudflare will automatically retry validation according to the validation backoff schedule.