Adv. cert validation in partial CNAME setup

Hello Everyone! Recently I set up a partial CNAME setup: the TXT record is verified, but the CNAME is not yet created on the authoritative DNS. Now I ordered an advanced edge certificate, and it generated two ACME challenge TXT records, and I created both on the authoritative DNS server (Infoblox in this case). Now I can see the TXT records keep on updating; what I expected is that the TXT records should remain the same for 30 days. The weird thing here is, whenever I update the TXT records, the Cloudflare edge certificate ACME TXT record values immediately change. Now I want to know: do I need to complete the partial CNAME setup in the first place to get these records validated? I contacted support, and the engineer also told me the same as I asked above. But after checking the CAA record of my zone I came to know only LE is allowed, so I deleted and re-ordered an LE cert from Cloudflare, and after some time it got validated. Again I checked with the CF guy; he told me, sorry, I misspoke, this is applicable to the universal cert only; an advanced cert can get validated before completion of the CNAME setup also. Note: I still didn't complete the CNAME setup by creating a CNAME in Infoblox. Now can anybody from the Cloudflare expert team explain how this actually worked? :NotLikeThis:
2 Replies
SuperHelpflare [Support AI], 3mo ago
I'm happy to help clarify the situation. According to the documentation, _acme-challenge records are automatically created to allow Cloudflare edge certificates to be provisioned. These records are required by certificate authorities (CAs) to verify domain ownership before issuing the SSL/TLS certificate. (Source: https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record/)

In your case, you ordered an advanced edge certificate, which generated two ACME challenge TXT records. You created these records on your authoritative DNS server (Infoblox), but the records kept updating, and you expected them to remain the same for 30 days. The documentation doesn't explicitly state that the TXT records will remain the same for 30 days. However, it does mention that the _acme-challenge records are tied to the certificates and cannot be deleted from the DNS tab of your Cloudflare dashboard. (Source: https://developers.cloudflare.com/dns/manage-dns-records/troubleshooting/acme-challenge-txt-record/)

Regarding the CAA record, it's true that only Let's Encrypt (LE) was allowed, and you deleted and re-ordered the LE cert from Cloudflare, which got validated. However, this is not directly related to the advanced edge certificate. The Cloudflare engineer's statement that the issue is only applicable to universal certificates, and advanced certificates can get validated before completing the CNAME setup, is not entirely accurate. The documentation doesn't explicitly state this, and it's possible that the engineer misspoke. In your case, it's likely that the advanced edge certificate was validated because the TXT records were created on your authoritative DNS server, and the CAA record allowed Let's Encrypt to issue the certificate.

To summarize, the _acme-challenge records are automatically created for edge certificate provisioning, and they are tied to the certificates. The TXT records may update, and it's not explicitly stated that they will remain the same for 30 days. The CAA record and the Cloudflare engineer's statement are not directly related to the advanced edge certificate validation. If you have any further questions or concerns, please feel free to ask.
This is an AI generated response, it may not be 100% accurate. Please validate the output. You can ask followups by replying to this message or mentioning me.
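The two DNS preconditions the thread turns on, the CAA policy of the zone and the value served at _acme-challenge.<name>, modelled offline as an added example (this is not code from the thread, from Cloudflare, or from any CA). It follows the RFC 8659 CAA rules and the RFC 8555 DNS-01 derivation (TXT value = base64url(SHA-256(token "." account-key-thumbprint))); the zone contents, the token, the account key coordinates and the dcv.example.net delegation target are all constructed, and nothing here models Cloudflare-specific behaviour.

```python
"""Offline model of the two DNS checks an ACME CA performs before issuing:
  1. CAA (RFC 8659): is this CA permitted to issue for the name?
  2. DNS-01 (RFC 8555 section 8.4): does _acme-challenge.<name> serve the
     TXT value derived from the challenge token and the account key?
The zone data, token and account key below are constructed sample values."""
import base64
import hashlib
import json

MAX_CNAME_HOPS = 8


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def lookup(zone: dict, name: str, rrtype: str) -> list:
    """Resolve <name, rrtype> in a zone snapshot, following CNAMEs the way a
    recursive resolver does (a CNAME owner carries no other record types)."""
    for _ in range(MAX_CNAME_HOPS):
        node = zone.get(name, {})
        if "CNAME" in node and rrtype != "CNAME":
            name = node["CNAME"][0]
            continue
        return node.get(rrtype, [])
    raise RuntimeError("CNAME chain too long")


def find_caa(zone: dict, name: str) -> list:
    """RFC 8659 section 3: use the CAA RRset at the name itself, otherwise the
    closest ancestor that has one; an empty list means 'unrestricted'."""
    labels = name.rstrip(".").split(".")
    while labels:
        rrs = lookup(zone, ".".join(labels) + ".", "CAA")
        if rrs:
            return rrs
        labels = labels[1:]
    return []


def caa_permits(zone: dict, name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """True if the CA identified by ca_domain may issue for name.
    CAA rdata is modelled as (flags, tag, value) tuples."""
    rrs = find_caa(zone, name)
    if not rrs:
        return True
    tag = "issuewild" if wildcard else "issue"
    relevant = [v for _flags, t, v in rrs if t == tag]
    if wildcard and not relevant:          # no issuewild: 'issue' governs wildcards too
        relevant = [v for _flags, t, v in rrs if t == "issue"]
    if not relevant:
        return True                        # no issue/issuewild property: not restricted
    # value is "<ca-domain>[; params]"; a bare ";" means no CA may issue
    return any(v.split(";", 1)[0].strip().lower() == ca_domain.lower() for v in relevant)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: TXT = base64url(SHA-256(token '.' thumbprint)).
    Every new order carries a new token, so the required TXT value changes."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode()).digest())


def dns01_satisfied(zone: dict, domain: str, token: str, account_jwk: dict) -> bool:
    """Does _acme-challenge.<domain> (CNAMEs followed) serve the value this token needs?"""
    served = lookup(zone, f"_acme-challenge.{domain.rstrip('.')}.", "TXT")
    return dns01_txt_value(token, account_jwk) in served


def issuance_report(zone: dict, domain: str, ca_domain: str, token: str, jwk: dict) -> dict:
    """Both preconditions a CA needs before it will issue for domain."""
    return {"caa_ok": caa_permits(zone, domain, ca_domain),
            "dns01_ok": dns01_satisfied(zone, domain, token, jwk)}


# ---- constructed sample data (not a real key, token or zone) ----
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"   # constructed challenge token

SAMPLE_ZONE = {
    "example.com.": {"CAA": [(0, "issue", "letsencrypt.org")]},  # only LE may issue
    # _acme-challenge delegated by CNAME (hypothetical dcv.example.net target) to the
    # name where the TXT value for the current token is actually published
    "_acme-challenge.www.example.com.": {"CNAME": ["_acme-challenge.www.example.com.dcv.example.net."]},
    "_acme-challenge.www.example.com.dcv.example.net.": {"TXT": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]},
}

if __name__ == "__main__":
    print(issuance_report(SAMPLE_ZONE, "www.example.com", "letsencrypt.org", TOKEN, ACCOUNT_JWK))
    print(issuance_report(SAMPLE_ZONE, "www.example.com", "other-ca.example", TOKEN, ACCOUNT_JWK))
```

Running the report for a CA other than letsencrypt.org against this zone fails on the CAA check alone, which is the same class of failure the original post hit before re-ordering with LE; swapping in a different token while leaving the published TXT untouched fails the DNS-01 check, because the expected value is a digest over the token and can only be satisfied by publishing the value for the current order.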
Jaiganesh [OP], 3mo ago
Now let me know: once I order an advanced certificate, CF will generate or show the TXT records and values, right? What is the expiry validity of those records? And is it possible to validate an advanced certificate even before completing the CNAME partial setup?