Just 1 of 12 domains stuck at "Pending Validation"
Hi,
I'm using "Custom Hostnames" to allow my customers to use their own domain to point to my service.
I've set up 11 custom hostnames so far, all working perfectly.
I've one custom domain however that won't seem to verify. It's been stuck at "Pending Validation" for multiple days now.
As far as I can tell, my customer has correctly set up their DNS and I'm following the same procedure as I did for the other 11 subdomains.
The domain is videos.15gifts.com and it has a CNAME which points to videos.viduhq.com.
Is there anything that I can do to help debug the issue?

7 Replies
15gifts has CAA records on it
;; ANSWER SECTION:
15gifts.com. 300 IN CAA 0 iodef "mailto:[email protected]"
15gifts.com. 300 IN CAA 0 issue ";"
15gifts.com. 300 IN CAA 0 issue "amazon.com"
15gifts.com. 300 IN CAA 0 issue "amazonaws.com"
15gifts.com. 300 IN CAA 0 issue "amazontrust.com"
15gifts.com. 300 IN CAA 0 issue "awstrust.com"
15gifts.com. 300 IN CAA 0 issue "digicert.com"
15gifts.com. 300 IN CAA 0 issue "letsencrypt.org"
15gifts.com. 300 IN CAA 0 issue "sectigo.com"
Which CA did you pick? That's missing GTS and also has 2 malformed ones
Thanks. If you're asking which "Certificate type" I chose when creating the domain in Cloudflare, I chose "Provided by Cloudflare"
If you're asking about the 15gifts.com domain, I'm not in control of that. Which ones are malformed?
Just reading up on CAA (I only know a little about DNS), am I right in saying that they will need to add a CAA record to allow Cloudflare to issue a certificate?
ah sorry it looks like only Enterprise CF for SaaS can pick an exact authority
yea they need pki.goog
I believe you could as well just create CAA records on videos.viduhq.com, one for letsencrypt.org, and one for pki.goog, and it should just follow it: https://letsencrypt.org/docs/caa/
Certificate Authority Authorization (CAA)
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was first standardized in 2013, and the version we use today was standardized in 2019 by RFC 8659 and RFC 8657. By default, every public CA is allowed to issue certificates for any...
Great, thanks for your help - really appreciate it
I'll try adding CAA records on videos.viduhq.com as you suggest
I added:
If it doesn't work, should I ask them to add 0 issue "pki.goog"?
oh, no need - the cert has been issued
Thanks again for your help!
CAA records work recursively so when it tries to issue a cert for videos.15gifts.com, it checks videos.15gifts.com for CAA records and then 15gifts.com, so it shouldn't matter what they have on their root
I hope putting your dog on the Las Vegas sphere is suitable payment
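
The CAA lookup discussed in this thread, as an added example (not code from any poster or from Cloudflare): a Python model of the RFC 8659 tree climb with CNAME following, run over constructed records modelled on the thread. The records on videos.viduhq.com are assumed from the suggestion in the replies, only `issue` properties are modelled, and the function names are hypothetical.

```python
# Constructed zone data modelled on the thread; this performs no live DNS queries.
CNAME = {"videos.15gifts.com": "videos.viduhq.com"}
CAA_ISSUE = {
    "15gifts.com": [";", "amazon.com", "amazonaws.com", "amazontrust.com",
                    "awstrust.com", "digicert.com", "letsencrypt.org", "sectigo.com"],
}
# Assumed state after CAA records are added on the CNAME target, as suggested.
CAA_ISSUE_FIXED = {**CAA_ISSUE, "videos.viduhq.com": ["letsencrypt.org", "pki.goog"]}


def caa_lookup(name, caa, cname, max_hops=8):
    """CAA query for a single name, following CNAMEs the way a resolver does."""
    for _ in range(max_hops):
        if name not in cname:
            return caa.get(name, [])
        name = cname[name]
    raise RuntimeError("CNAME chain too long")


def relevant_caa_set(fqdn, caa, cname):
    """RFC 8659 section 3: climb from fqdn toward the root; the first
    non-empty CAA RRset found is the only one that applies."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        rrset = caa_lookup(candidate, caa, cname)
        if rrset:
            return candidate, rrset
    return None, []


def may_issue(fqdn, ca_domain, caa, cname):
    """True if ca_domain may issue a non-wildcard certificate for fqdn."""
    _, rrset = relevant_caa_set(fqdn, caa, cname)
    if not rrset:
        return True  # no CAA on the whole path: any CA may issue
    # An issue value may carry parameters after ';'; compare the issuer domain only.
    # A bare ";" yields an empty issuer name, which matches no CA.
    issuers = {value.split(";")[0].strip().lower() for value in rrset}
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for label, zone in (("before", CAA_ISSUE), ("after", CAA_ISSUE_FIXED)):
        found_at, _ = relevant_caa_set("videos.15gifts.com", zone, CNAME)
        allowed = may_issue("videos.15gifts.com", "pki.goog", zone, CNAME)
        print(f"{label}: CAA found at {found_at}, pki.goog allowed: {allowed}")
```
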