Just 1 of 12 domains stuck at "Pending Validation"

Hi, I'm using "Custom Hostnames" to allow my customers to use their own domain to point to my service. I've set up 11 custom hostnames so far, all working perfectly. I've one custom domain, however, that won't seem to verify. It's been stuck at "Pending Validation" for multiple days now. As far as I can tell, my customer has correctly set up their DNS, and I'm following the same procedure as I did for the other 11 subdomains. The domain is videos.15gifts.com and it has a CNAME which points to videos.viduhq.com. Is there anything that I can do to help debug the issue?
7 Replies
Chaika
Chaika5mo ago
15gifts has CAA records on it:
;; ANSWER SECTION:
15gifts.com. 300 IN CAA 0 iodef "mailto:sys@15gifts.com"
15gifts.com. 300 IN CAA 0 issue ";"
15gifts.com. 300 IN CAA 0 issue "amazon.com"
15gifts.com. 300 IN CAA 0 issue "amazonaws.com"
15gifts.com. 300 IN CAA 0 issue "amazontrust.com"
15gifts.com. 300 IN CAA 0 issue "awstrust.com"
15gifts.com. 300 IN CAA 0 issue "digicert.com"
15gifts.com. 300 IN CAA 0 issue "letsencrypt.org"
15gifts.com. 300 IN CAA 0 issue "sectigo.com"
Which CA did you pick? That's missing GTS and also has 2 malformed ones.
gavinjoyce
gavinjoyce5mo ago
Thanks. If you're asking which "Certificate type" I chose when creating the domain in Cloudflare, I chose "Provided by Cloudflare". If you're asking about the 15gifts.com domain, I'm not in control of that. Which ones are malformed? Just reading up on CAA (I only know a little about DNS), am I right in saying that they will need to add a CAA record to allow Cloudflare to issue a certificate?
Chaika
Chaika5mo ago
Ah sorry, it looks like only Enterprise CF for SaaS can pick an exact authority.
Chaika
Chaika5mo ago
Yea, they need pki.goog I believe. You could as well just create CAA records on videos.viduhq.com, one for letsencrypt.org and one for pki.goog, and it should just follow it: https://letsencrypt.org/docs/caa/
Certificate Authority Authorization (CAA)
CAA is a type of DNS record that allows site owners to specify which Certificate Authorities (CAs) are allowed to issue certificates containing their domain names. It was first standardized in 2013, and the version we use today was standardized in 2019 by RFC 8659 and RFC 8657. By default, every public CA is allowed to issue certificates for any...
gavinjoyce
gavinjoyce5mo ago
Great, thanks for your help - really appreciate it. I'll try adding CAA records on videos.viduhq.com as you suggest. I added:
dig caa videos.viduhq.com

; <<>> DiG 9.10.6 <<>> caa videos.viduhq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63982
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;videos.viduhq.com. IN CAA

;; ANSWER SECTION:
videos.viduhq.com. 191 IN CAA 0 issue "letsencrypt.org"
videos.viduhq.com. 191 IN CAA 0 issue "pki.goog"

;; Query time: 16 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Jan 20 22:59:56 GMT 2024
;; MSG SIZE rcvd: 107
If it doesn't work, should I ask them to add 0 issue "pki.goog"? Oh, no need - the cert has been issued. Thanks again for your help!
Chaika
Chaika5mo ago
CAA records work recursively, so when it tries to issue a cert for videos.15gifts.com, it checks videos.15gifts.com for CAA records and then 15gifts.com, so it shouldn't matter what they have on their root.
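The lookup order described in this reply, and why adding records on the CNAME target worked, can be checked offline. The script below is an added example for readers of this thread; it is not code from Cloudflare, Let's Encrypt or anyone in the conversation. It emulates what a CA's resolver does under RFC 8659: query CAA at the exact name, then at each parent of the queried name, stopping at the first non-empty RRset. Because a DNS query at a CNAME name is answered with the target's records, CAA on videos.viduhq.com is what the query at videos.15gifts.com returns. The zone data is constructed from the dig output quoted in this thread (the 15gifts.com records and the two videos.viduhq.com records); the CNAME is the one gavinjoyce described, and the "before" zone assumes videos.viduhq.com had no CAA records when the thread opened. A real CA also applies DNSSEC, retry and timeout rules that this emulation leaves out.

```python
import re
from typing import Dict, List, Optional, Tuple

# A CAA record as dig prints it: (flags, tag, value).
CAARecord = Tuple[int, str, str]

# dig-style presentation line, e.g.
#   15gifts.com. 300 IN CAA 0 issue "letsencrypt.org"
_CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+\d+\s+IN\s+CAA\s+(?P<flags>\d+)\s+(?P<tag>\S+)\s+"(?P<value>[^"]*)"\s*$'
)


def parse_caa_line(line: str) -> Tuple[str, CAARecord]:
    """Parse one dig ANSWER SECTION line into (owner name, (flags, tag, value))."""
    m = _CAA_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a CAA presentation line: {line!r}")
    name = m.group("name").rstrip(".").lower()
    return name, (int(m.group("flags")), m.group("tag").lower(), m.group("value"))


def build_zone(caa_lines: List[str], cnames: Dict[str, str]) -> Dict[str, dict]:
    """Build a toy DNS namespace: {name: {"CAA": [...], "CNAME": target}}."""
    zone: Dict[str, dict] = {}
    for line in caa_lines:
        name, rr = parse_caa_line(line)
        zone.setdefault(name, {}).setdefault("CAA", []).append(rr)
    for alias, target in cnames.items():
        zone.setdefault(alias.lower(), {})["CNAME"] = target.rstrip(".").lower()
    return zone


def resolve_caa(zone: Dict[str, dict], name: str) -> List[CAARecord]:
    """What a recursive resolver returns for a CAA query at `name`: it follows
    CNAMEs, so a CNAME'd name yields the CAA RRset of the chain's target."""
    seen = set()
    while "CNAME" in zone.get(name, {}):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        name = zone[name]["CNAME"]
    return zone.get(name, {}).get("CAA", [])


def relevant_caa(zone: Dict[str, dict], fqdn: str) -> Tuple[Optional[str], List[CAARecord]]:
    """RFC 8659 section 3: query the FQDN, then each parent of the *queried* name
    (not of the CNAME target), until a non-empty CAA RRset is found."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = resolve_caa(zone, name)
        if rrset:
            return name, rrset
    return None, []


def issuer_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value; parameters after ';' are
    ignored. A bare ";" has an empty issuer and therefore permits no CA."""
    return value.split(";", 1)[0].strip().rstrip(".").lower()


def ca_permitted(zone: Dict[str, dict], fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Would a CA identified by `ca_domain` be allowed to issue for `fqdn`?"""
    _, rrset = relevant_caa(zone, fqdn)
    if not rrset:
        return True  # no CAA anywhere up the tree: unrestricted
    issue = [v for _, tag, v in rrset if tag == "issue"]
    issuewild = [v for _, tag, v in rrset if tag == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # CAA present (e.g. only iodef) but no issue restriction
    return ca_domain.rstrip(".").lower() in {issuer_domain(v) for v in applicable}


# Constructed from the dig output quoted in this thread.
GIFTS_CAA = [
    '15gifts.com. 300 IN CAA 0 iodef "mailto:sys@15gifts.com"',
    '15gifts.com. 300 IN CAA 0 issue ";"',
    '15gifts.com. 300 IN CAA 0 issue "amazon.com"',
    '15gifts.com. 300 IN CAA 0 issue "amazonaws.com"',
    '15gifts.com. 300 IN CAA 0 issue "amazontrust.com"',
    '15gifts.com. 300 IN CAA 0 issue "awstrust.com"',
    '15gifts.com. 300 IN CAA 0 issue "digicert.com"',
    '15gifts.com. 300 IN CAA 0 issue "letsencrypt.org"',
    '15gifts.com. 300 IN CAA 0 issue "sectigo.com"',
]
VIDU_CAA = [
    'videos.viduhq.com. 191 IN CAA 0 issue "letsencrypt.org"',
    'videos.viduhq.com. 191 IN CAA 0 issue "pki.goog"',
]
CNAMES = {"videos.15gifts.com": "videos.viduhq.com"}

ZONE_BEFORE = build_zone(GIFTS_CAA, CNAMES)            # assumed: no CAA on the CNAME target yet
ZONE_AFTER = build_zone(GIFTS_CAA + VIDU_CAA, CNAMES)  # after the records were added

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        name, _ = relevant_caa(zone, "videos.15gifts.com")
        for ca in ("pki.goog", "letsencrypt.org", "digicert.com"):
            print(f"{label}: relevant RRset at {name}; {ca} permitted: "
                  f"{ca_permitted(zone, 'videos.15gifts.com', ca)}")
```

In the "before" zone the query at videos.15gifts.com follows the CNAME to a name with no CAA, so the lookup climbs to 15gifts.com, whose issue set lacks pki.goog. In the "after" zone the query at videos.15gifts.com is answered with the CNAME target's RRset and the climb never happens, which is why the customer's root records stopped mattering.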
gavinjoyce
gavinjoyce5mo ago
I hope putting your dog on the Las Vegas Sphere is suitable payment.