Custom domain not verifying, stuck in Inactive (Requires DNS setup)

We're migrating an application to Cloudflare Pages and its domain is not verifying even though the CNAME setup is as expected (verified with dig and online tools) Pages domain: mixttickets-dashboard.pages.dev Account ID: 2a0caec453d32b2f6453885e08ee6118 There's no error, just never verifies. Tried removing and adding again the domain and the entire project but no luck. Also followed the pages debug page and if I try a curl to the acme challenge route it gives me:
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
Also want to mention that we've migrated 2 other apps in the same domain with the same setup today and they worked just fine. Only this one has issues.
12 Replies
Chaika
Chaika16mo ago
What's the custom domain?
HastaLaPasta
HastaLaPastaOP16mo ago
dashboard.mixttickets.com
Chaika
Chaika16mo ago
That's not pointed at your pages.dev
;; QUESTION SECTION: ;dashboard.mixttickets.com. IN CNAME ;; ANSWER SECTION: dashboard.mixttickets.com. 14335 IN CNAME dashboard.mixttickets.get-protocol.io.
Did you add dashboard.mixttickets.com as your custom domain, or dashboard.mixttickets.get-protocol.io? That layer of indirection is also unnecessary and could be causing issues, not sure if that would work
HastaLaPasta
HastaLaPastaOP16mo ago
Yep, added both. dashboard.mixttickets.get-protocol.io verified ok, the other one did not. This is the same setup we've used for a lot of apps with not issues until now.
Chaika
Chaika16mo ago
hmm, if you go, in the Cloudflare dashboard, under Manage Account -> Audit Log, enter Domain: mixttickets-dashboard.pages.dev, Search, do you see "Pending to Blocked" or "Pending to xxxx" Action?
HastaLaPasta
HastaLaPastaOP16mo ago
Nothing like that, no. The very last entry is: Active redeploying to active
{
"certificate_id": "115529e1-6b32-47f0-a2cf-7e1de87a34e7",
"hostname": "dashboard.mixttickets.com",
"id": "182206af-38c7-496f-9eae-a1ee7398daf7",
"status": "active",
"zone_id": "c48579b1558fd0ad42723a4f05c8cdbe"
}
{
"certificate_id": "115529e1-6b32-47f0-a2cf-7e1de87a34e7",
"hostname": "dashboard.mixttickets.com",
"id": "182206af-38c7-496f-9eae-a1ee7398daf7",
"status": "active",
"zone_id": "c48579b1558fd0ad42723a4f05c8cdbe"
}
Chaika
Chaika16mo ago
ahh that's good, your custom domain is active, you're just missing the certificate. ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;mixttickets.com. IN CAA ;; ANSWER SECTION: mixttickets.com. 14400 IN CAA 0 issuewild "sectigo.com" mixttickets.com. 14400 IN CAA 0 issue "comodoca.com" mixttickets.com. 14400 IN CAA 0 issuewild "globalsign.com" mixttickets.com. 14400 IN CAA 0 issuewild "comodoca.com" mixttickets.com. 14400 IN CAA 0 issuewild "digicert.com" mixttickets.com. 14400 IN CAA 0 issue "digicert.com" mixttickets.com. 14400 IN CAA 0 issue "globalsign.com" mixttickets.com. 14400 IN CAA 0 issue "sectigo.com" mixttickets.com. 14400 IN CAA 0 issue "letsencrypt.org" mixttickets.com. 14400 IN CAA 0 issuewild "letsencrypt.org" You have CAA records created for your domain, but you're missing pki.google, which Cloudflare uses. You want all of these: https://developers.cloudflare.com/pages/platform/debugging-pages/#missing-caa-records Specifically:
example.com. 300 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com. 300 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
example.com. 300 IN CAA 0 issue "pki.goog; cansignhttpexchanges=yes"
example.com. 300 IN CAA 0 issuewild "pki.goog; cansignhttpexchanges=yes"
HastaLaPasta
HastaLaPastaOP16mo ago
Ah ok, will try to get those added too. But any idea why other subdomains worked ok on the same domain? Like app.mixttickets.com
Chaika
Chaika16mo ago
That's using Let's Encrypt, just luck/it picked a usable one
HastaLaPasta
HastaLaPastaOP16mo ago
Huh, good to know then. Thanks for the help!
Chaika
Chaika16mo ago
Pages just picks between either Let's Encrypt or Google as far as I know, I believe it's tied to the specific project which one it uses, but it could also just be random. Eitherway, I would add those CAA records, wait 5-10 mins for DNS Propogation, and then you could delete & readd the domain
HastaLaPasta
HastaLaPastaOP16mo ago
Will do, thanks again!
Want results from more Discord servers?
Add your server