Skip to content

Troubleshooting

High-risk domains

Occasionally, a domain will be flagged as “high risk” by Cloudflare’s CA partners. Typically this is done only for domains with an Alexa ranking of 1-1,000 and domains that have been flagged for phishing or malware by Google’s Safe Browsing service.

If a domain is flagged by the CA, you need to contact Support before validation can finish. The API call will return indicating the failure, along with a link to where the ticket can be filed.


Certificate Authority Authorization (CAA) records

CAA is a DNS resource record type defined in RFC 6844 that allows a domain owner to indicate which CAs are allowed to issue certificates for them.

For SaaS providers

If your customer has CAA records set on their domain, they will either need to add the following or remove CAA entirely:

example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
example.com. IN CAA 0 issue "pki.goog"

While it is possible for CAA records to be set on the subdomain your customer wishes to use with your service, it will usually be set on the domain apex. If they have CAA records on the subdomain, those will also have to be removed.

For SaaS customers

In some cases, the validation may be prevented because your hostname points to a CNAME target where CAA records are defined.

In this case you would need to either select a Certificate Authority whose CAA records are present at the target, or review the configuration with the service provider that owns the target.


Time outs

If a certificate issuance times out, the error message will indicate where the timeout occurred:

  • Timed Out (Initializing)
  • Timed Out (Validation)
  • Timed Out (Issuance)
  • Timed Out (Deployment)
  • Timed Out (Deletion)

To fix this error, send a PATCH request through the API or select Refresh for the specific custom hostname in the dashboard. Please make sure that the --data field is not empty in your request. If these return an error, delete and recreate the custom hostname.


Immediate validation checks

You can send a PATCH request to request an immediate validation check on any certificate. The PATCH data only needs include the same ssl object as the original request.