With Delegated DCV validation, do I need just the root CNAME or one per hostname?

If I want to point site.com, www.site.com and subdomain.site.com to my CF for SaaS (cname.zone.com):
A. Would adding CNAME _acme-challenge be enough for the certs?
B. Would I need 3, _acme-challenge, _acme-challenge.www and _acme-challenge.subdomain?

If www.site.com is currently using a CNAME to somewhere else, would the sequence of steps to minimize downtime...
  1. Add the DCV _acme-challenge (or DCVs, depending on A or B)
  2. Add the hostname/s to the Cloudflare Dashboard
  3. Wait for Cloudflare Dashboard to say the Certificate is Active
  4. (Potentially) add any missing CAA records necessary (although, if it's currently CNAMEing somewhere else, are you even able to add CAA records or not until you change the CNAME on step 6 and it propagates)?
  5. Otherwise, www.site.com continues reaching the old service provider successfully
  6. Consider doing pre-validation on the hostname (e.g. https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/hostname-validation/pre-validation/) before DNS changes.
  7. Change the www. CNAME to cname.zone.com, and with no downtime, www.site.com will point to our zone.
Are there any alternative workflows anyone's using? DCV seems invasive but the automatic renewal makes it a great option. Curious to see in practice how many times the old/current service provider can prevent it from working (outside of CAA differences).

Thanks!