CD
Cloudflare Developers9mo ago
HastaLaPasta

Custom domain not verifying, stuck in Inactive (Requires DNS setup)

We're migrating an application to Cloudflare Pages and its domain is not verifying even though the CNAME setup is as expected (verified with dig and online tools) Pages domain: mixttickets-dashboard.pages.dev Account ID: 2a0caec453d32b2f6453885e08ee6118 There's no error, just never verifies. Tried removing and adding again the domain and the entire project but no luck. Also followed the pages debug page and if I try a curl to the acme challenge route it gives me: 
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
curl: (35) error:0A000410:SSL routines::sslv3 alert handshake failure
Also want to mention that we've migrated 2 other apps in the same domain with the same setup today and they worked just fine. Only this one has issues.
12 Replies
Chaika
Chaika9mo ago
What's the custom domain?
HastaLaPasta
HastaLaPasta9mo ago
dashboard.mixttickets.com
Chaika
Chaika9mo ago
That's not pointed at your pages.dev
;; QUESTION SECTION: ;dashboard.mixttickets.com. IN CNAME ;; ANSWER SECTION: dashboard.mixttickets.com. 14335 IN CNAME dashboard.mixttickets.get-protocol.io.
Did you add dashboard.mixttickets.com as your custom domain, or dashboard.mixttickets.get-protocol.io? That layer of indirection is also unnecessary and could be causing issues, not sure if that would work
HastaLaPasta
HastaLaPasta9mo ago
Yep, added both. dashboard.mixttickets.get-protocol.io verified ok, the other one did not. This is the same setup we've used for a lot of apps with not issues until now.
Chaika
Chaika9mo ago
hmm, if you go, in the Cloudflare dashboard, under Manage Account -> Audit Log, enter Domain: mixttickets-dashboard.pages.dev, Search, do you see "Pending to Blocked" or "Pending to xxxx" Action?
HastaLaPasta
HastaLaPasta9mo ago
Nothing like that, no. The very last entry is: Active redeploying to active 
{
  "certificate_id": "115529e1-6b32-47f0-a2cf-7e1de87a34e7",
  "hostname": "dashboard.mixttickets.com",
  "id": "182206af-38c7-496f-9eae-a1ee7398daf7",
  "status": "active",
  "zone_id": "c48579b1558fd0ad42723a4f05c8cdbe"
}
{
  "certificate_id": "115529e1-6b32-47f0-a2cf-7e1de87a34e7",
  "hostname": "dashboard.mixttickets.com",
  "id": "182206af-38c7-496f-9eae-a1ee7398daf7",
  "status": "active",
  "zone_id": "c48579b1558fd0ad42723a4f05c8cdbe"
}
Chaika
Chaika9mo ago
ahh that's good, your custom domain is active, you're just missing the certificate. ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;mixttickets.com. IN CAA ;; ANSWER SECTION: mixttickets.com. 14400 IN CAA 0 issuewild "sectigo.com" mixttickets.com. 14400 IN CAA 0 issue "comodoca.com" mixttickets.com. 14400 IN CAA 0 issuewild "globalsign.com" mixttickets.com. 14400 IN CAA 0 issuewild "comodoca.com" mixttickets.com. 14400 IN CAA 0 issuewild "digicert.com" mixttickets.com. 14400 IN CAA 0 issue "digicert.com" mixttickets.com. 14400 IN CAA 0 issue "globalsign.com" mixttickets.com. 14400 IN CAA 0 issue "sectigo.com" mixttickets.com. 14400 IN CAA 0 issue "letsencrypt.org" mixttickets.com. 14400 IN CAA 0 issuewild "letsencrypt.org" You have CAA records created for your domain, but you're missing pki.google, which Cloudflare uses. You want all of these: https://developers.cloudflare.com/pages/platform/debugging-pages/#missing-caa-records Specifically: 
example.com.            300     IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
example.com.            300     IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
example.com.            300     IN      CAA     0 issue "pki.goog; cansignhttpexchanges=yes"
example.com.            300     IN      CAA     0 issuewild "pki.goog; cansignhttpexchanges=yes"
HastaLaPasta
HastaLaPasta9mo ago
Ah ok, will try to get those added too. But any idea why other subdomains worked ok on the same domain? Like app.mixttickets.com
Chaika
Chaika9mo ago
That's using Let's Encrypt, just luck/it picked a usable one
HastaLaPasta
HastaLaPasta9mo ago
Huh, good to know then. Thanks for the help!
Chaika
Chaika9mo ago
Pages just picks between either Let's Encrypt or Google as far as I know, I believe it's tied to the specific project which one it uses, but it could also just be random. Eitherway, I would add those CAA records, wait 5-10 mins for DNS Propogation, and then you could delete & readd the domain
HastaLaPasta
HastaLaPasta9mo ago
Will do, thanks again!
Want results from more Discord servers?
Add your server
More Posts
Guidance/ reference for building my cloudflare worker.Hi all, this is my first time building a cloud flare worker. I am trying to build a middleware API oCloudflare and Digitial Oceanhas anybody ever used Cloudflar and Dig Ocean? looking to setup something like this and wanted to knCache not fragmented by protocol?Hey all, we have a strange case where we route traffic through a worker to our origin, and the backeUnwanted Web Analytics EmailHello, I'm getting Web Analytics emails for a domain that I don't own, which is in a team that I'm nreturn 522 using fetch in a worker to request api of another workerWhen a worker requests the api under the domain name bound by another worker, 522 is returned. "The Still can't get breakpoint debugging working in wrangler 3.9.1Seems like a lot of work went in getting breakpoint debugging working in the last couple of releasesD1 and KV bindings not showing up in production?I'm using SvelteKit with `@sveltejs/adapter-cloudflare`, and I have all of my bindings listed in `wrWorker refusing to recognize KV namespace even after bindingI'm trying to increment a key in my namespace from my worker and I keep getting red squiggly lines ubuilding/bundling modules with node built-insI'm trying to use an npm module that relies on a node build-in (fs/promises) that is not available iCustom domains always errors with Inactive (Error)I have custom domains setup and have 10x verified the DNS is correct. But no matter what the domain