Edge Certificate Pending TXT
I'm not using any DNSSEC and I'm on full DNS, but the certificate has been stuck on pending for a week or two now. I tried disabling/enabling universal certs and purging the cache with no luck fixing it. My domain: pnl-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
22 Replies
I also have multiple domains on CA and none had this issue
I also added 3 types of CAA records directed towards letsencrypt.org as I saw in one of the posts
what do you mean "multiple domains on CA"?
My guess is that it's too long: https://community.letsencrypt.org/t/ssl-for-a-63-character-max-number-of-characters-domain-name-s/36387/17
There's a limit of 63 characters in cert common names, you exceed that with the TLD Extension
Let's Encrypt Community Support
SSL for (a) 63 character (max. number of characters) - domain name(s)
Yep, the conclusions in this thread are correct. To summarize: The X.509 Subject field "CommonName" is limited to 64 characters per RFC 5280, pages 120 and 124: CommonName ::= PrintableString (SIZE (1..ub-common-name-length)) ... ub-common-name-length INTEGER ::= 64 SubjectAlternativeNames has no such restriction, and for DNS names is onl...
I don't see anything wrong otherwise. DNSSEC is fine, CAA records are good, it's trying to issue, etc.
On the overview of your website in the Cloudflare dashboard (the overview tab), on the right side if you scroll down, what is your Acct and Zone id?
Thanks for answering. I have multiple domains with the same length and they didn't have this issue.
Zone ID
3546a258444b8667c68c8e9715b75eae
Account ID
bbc67e5cdcf7826113b167819f9206f2
@Chaika
Thanks. Are you on free and unable to create a ticket, or on paid with a ticket created/able to create a ticket that I could forward up?
Weird. Could you share the URLs of one of those? I'm curious what the cert common name is. I think Let's Encrypt might have a workaround for this, and maybe you just got unlucky on this one and it picked Google/someone else?
I am free
irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
Here you go, this one got a new cert with no problem
@Chaika
This is the second domain that I recently got that has this issue; there might be a new policy.
There is no new policy.
The Common Name (CN) of certificates has been limited to 64 characters since RFC 2459 from January 1999.
When Cloudflare (and others) attempt to request the certificate for you, the first name you have in the certificate will typically be the one used for the Common Name (CN).
irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
is 67 characters, and the wildcard *.irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
is 69 characters.
Both of them are therefore too long for the Common Name (CN), as Chaika said above.
https://community.cloudflare.com/t/universal-ssl-stucks-in-pending-after-30-hours/625703 here is another example with a long domain name having the same issue.
As mentioned in that thread:
In theory, you SHOULD be able to work around such a limitation by using another (sub-)domain name that is less than 64 characters as the Common Name (CN) for your certificate.
For example, it should work just fine when having a Common Name (CN) of example.com, with the following subjectAltName / Subject Alternative Name (SAN) names in the certificate:
example.com
can literally be anything, as long as it is less than the 64 character limit.
However, such a workaround cannot be made with the free Universal SSL.
On the Business plan, you do have the opportunity to upload your own certificate, which would allow for such a workaround; however, it would also give you the "burden" of having to maintain the certificate on your own and regularly upload a new one to Cloudflare, such as when it gets near to its expiration.
For the domain name mentioned, I see a "Precertificate" from Google Trust Services (GTS) from 2024-02-02:
-> https://crt.sh/?q=irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
-> https://crt.sh/?id=11950824871
Normally, there would also be a "Leaf certificate", if a certificate was successfully created.
The "Precertificate" from the link above simply does not have any Common Name (CN) attached to it.
Thanks for the full explanation, I really appreciate that. Just to be clear, I have an active edge cert for irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop; the one that couldn't get a cert is pnl-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop even though they are the same length. Nevertheless, I just have to buy a shorter domain and things would work out. Thank you.
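An added example, not code from this thread or from Cloudflare, that applies the length rules explained above: the RFC 5280 64-character Common Name bound, the DNS label bound, and the SAN-based workaround (a short CN such as example.com with the long names only in the SAN list). The 62-character `x`-filled label is a constructed stand-in with the same length as the thread's `.shop` domain.

```python
# Added example, not code from the thread or from Cloudflare: applies the
# length limits discussed above to a set of certificate names.
CN_MAX = 64      # RFC 5280 ub-common-name-length (X.509 Subject CommonName)
LABEL_MAX = 63   # maximum length of one DNS label
NAME_MAX = 253   # maximum length of a full DNS name

# Constructed stand-in with the same shape as the thread's domain:
# a 62-character label plus ".shop" is 67 characters, the wildcard 69.
LONG_NAME = "x" * 62 + ".shop"
WILDCARD = "*." + LONG_NAME


def check_name(name):
    """Length checks for one certificate name (a leading '*.' is allowed)."""
    host = name[2:] if name.startswith("*.") else name
    labels = host.split(".")
    labels_ok = all(0 < len(label) <= LABEL_MAX for label in labels)
    return {
        "name": name,
        "length": len(name),
        "cn_ok": len(name) <= CN_MAX,          # could serve as the CN
        "dns_ok": labels_ok and len(host) <= NAME_MAX,
    }


def plan_cert(names):
    """Choose a CN the way the workaround above describes.

    Every valid DNS name goes into the SAN list; the CN is the first
    non-wildcard name that fits in 64 characters. Returns (cn, sans, rejected),
    with cn None when no name can serve as CN, which is the situation when the
    only names requested are the long domain and its wildcard.
    """
    sans = [n for n in names if check_name(n)["dns_ok"]]
    rejected = [n for n in names if n not in sans]
    cn = next((n for n in sans
               if check_name(n)["cn_ok"] and not n.startswith("*.")), None)
    return cn, sans, rejected


if __name__ == "__main__":
    for n in (LONG_NAME, WILDCARD, "example.com"):
        print(check_name(n))
    print(plan_cert([LONG_NAME, WILDCARD]))                 # cn is None
    print(plan_cert(["example.com", LONG_NAME, WILDCARD]))  # cn is example.com
```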
Do you have any active site on
irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
?
I.e., any (sub-)domains with A/AAAA record(s)?
No, I have like 10 domains with the same length and they all have active certs and none has any active site on them.
Only the 2 recent domains I got from the same provider have this issue.
Yeah, I have subdomains and one of them has an active site on a different port than 443, but I created them after getting the cert.
So if I understand correctly (I'm a little noob in the things you explained), it was an exception for previous domains and something was helping me to get the cert and now it's gone, to put it simply.
Can you share one domain where you have an active website (e.g. HTTP(S) traffic going through it)?
No, there is no such thing as exceptions here, and there never has been.
Can I send it to you in pv? They are private panels; I don't want any attacker to find them.
Go ahead.
Discord won't let me, please send me a message
It says Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends. You can see the full list of reasons here:
Btw the irb one has an active panel on one of its subs with proxy on, but most of the traffic is myself; if you want the sub I should send it to you in pv.
My Discord is actually set to allow message requests from this Discord.
So I would start to believe it may be some new Discord restrictions, perhaps because you still have the status as a new user, here on the Cloudflare Discord. 🤔
That said, I've opened a DM with you. Can you try again?
And I can't send a friend request either.
Interesting, I get the same in the opposite way:
Discord being Discord, ... I guess...
(I've sent a friend request now though)