DCV validation Issues with my domains

I'm receiving 2 DCV emails saying that I have not set up the _acme-challenge TXT information in my domains, then a third email saying the SSL has been renewed. This is happening to all of my domains that I have with Cloudflare. Using the recommended Universal SSL. All domains are using primary and secondary Cloudflare DNS servers but not using Cloudflare Registrar services; using a third party for that. This all happens within a minute: I get all 3 emails from the system. a) Is this normal? b) Is there something I have not done properly? If you need additional info, let me know and I can explain further. I'm looking for any input regarding this problem.
18 Replies
Mike Latta (OP), 2w ago
What I have done, in the meantime, was disable the DCV email notifications until I get feedback on what, if anything that I have configured is causing the DCV problems. Looking forward to any feedback anyone has regarding this.
Laudian, 2w ago
Can you share the domain?
Mike Latta (OP), 2w ago
Sure, here or DM?
Laudian, 2w ago
Whatever you like.
Mike Latta (OP), 2w ago
OK, there are 7 domains related to my account currently and all of them are having the issue.
Laudian, 2w ago
And which notification exactly is it that you had enabled?
Mike Latta (OP), 2w ago
The notification is Universal SSL Alert. I get 3 emails within 1 minute from Cloudflare: 2 DCV complaints and a 3rd saying the SSL has been renewed. Guaranteed, every domain name.
Laudian, 2w ago
Can you share what exactly the DCV email says? Also, you haven't sent a domain to me yet ;-)
Mike Latta (OP), 2w ago
Domain list: crosstracksdist.ca, crosstracksdist.com, crosstracksdist.org, latteau.ca, latteau.com, latteau.net, latteau.org. DCV email example, one sec.
Mike Latta (OP), 2w ago
Hello, example email for latteau.net:

The Domain Control Validation (DCV) has failed for the certificate with the ID c22e3fe9-6780-4462-828b-91b3a9704eee belonging to Zone ID 27a0853c260c2298a537d176ff6cc410. The DCV method is currently set to txt.

Since the DCV method is set to TXT, please be sure to update your zone's nameservers at the registrar to the nameservers assigned to your zone in the Cloudflare Dashboard, or manually add a DNS TXT record to your authoritative DNS provider. For more help with changing nameservers, refer to https://developers.cloudflare.com/dns/zone-setups/full-setup/setup/.

Create a DNS record _acme-challenge.latteau.net TXT pxd6WtR7AXsQV3UTMP2bNG1ZhK0KMjkj3GWo1bA24To
Create a DNS record _acme-challenge.latteau.net TXT xpCL_PdwrhSP8MmtCeIkS4O0X4vyCA97_PKIbrHKu1w

You should also ensure that traffic to this hostname resolves to Cloudflare's edge and that no Cloudflare firewall rules or page rules modify requests to the HTTP .txt file's URL. For more help, visit https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/troubleshooting/.

If you want to change the current DCV method, follow the steps listed here: https://developers.cloudflare.com/ssl/edge-certificates/changing-dcv-method/

For any additional questions, visit our Support portal. Thanks, The Cloudflare Team

FYI, I have set up the _acme-challenge records many emails ago, but the TXT random string keeps changing and Cloudflare is not seeing the references in each domain name.
Cloudflare Docs
Change your nameservers (Full setup) · Cloudflare DNS docs
If you want to use Cloudflare as your primary DNS provider and manage your DNS records on Cloudflare, your domain should be using a full setup.
Cloudflare Docs
Troubleshooting Domain Control Validation · Cloudflare SSL/TLS docs
Taking into account the steps involved in DCV, some situations may interfere with certificate issuance and renewal.
Cloudflare Docs
Domain control validation (DCV) · Cloudflare SSL/TLS docs
Learn when and how to perform Domain Control Validation when using Cloudflare SSL/TLS.
Mike Latta (OP), 2w ago
Also, using Full Setup, if I did not mention this already. The amount of emails "seemed" to have gotten worse when they cut over from Let's Encrypt. No idea if that's related or not. Any thoughts?
Laudian, 2w ago
That seems like a bug. I'll ask around if anyone else receives these kinds of notifications, though I'd guess most don't use them.
Mike Latta (OP), 2w ago
Understood. I thank you ahead of time if you find anything out. Being a sysadmin for decades now, I would never put my mail servers through this extra "spam" for no reason, especially if "something" internally "fixes" the problem within a minute.
Laudian, 2w ago
I've just activated the notification for myself. I should see within a few days whether I experience the same bug. This doesn't seem time critical, so a few days should be ok.
Mike Latta (OP), 2w ago
Of course, it will happen during your next SSL auto renewals. If it is truly something I did or didn't do, just let me know and I have no problem modifying it.
Chaika, 2w ago
If the question is just "do DCV alerts spam the heck out of you", they indeed do and have done for years.
Chaika, 2w ago
It's just a quirk of the system afaik, sometimes being too slow to propagate the record being created, or conflicting with other attempts, etc. They always succeed in the end, as long as there's nothing fundamentally wrong with your zone (invalid DNSSEC, etc). Hmm, yeah, there have been a bunch of forum reports of this over the years: https://community.cloudflare.com/t/received-50-dcv-failed-email/518567, https://community.cloudflare.com/t/domain-control-validation-dcv-has-failed-for-certificates/292930/2. I thought there was a better reason why the system is like that, but perhaps it wasn't explained. I suppose Let's Encrypt and such do the same thing and do retry for DNS propagation and such; this case is just the system emailing you about every single event. If you want helpful emails, you can enable Certificate Transparency Monitoring under SSL/TLS → Edge Certificates and you will get emailed for any new certs on your domains.
Mike Latta (OP), 2w ago
@Chaika Thanks for the update. I have added the Certificate Transparency Monitoring instead. My purpose was to know if and when Cloudflare was updating the SSL certificates, but I will have to think about whether I want to put up with the noise or whether anyone from Cloudflare is going to fix this. Considering you said it's been like this for years, not holding my breath, as obviously it was not them going away from Let's Encrypt as I thought.