Domain not validating through automatic HTTP validation
One of my domains under Cloudflare for SaaS is pending renewal, and it's showing pending HTTP validation
https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/http/#http-automatic
I'm relying on this method. The domain works correctly, but it's just failing to renew the certificate and it continually says pending HTTP validation.
When I get the status of the domain via the API, this is what the response looks like:
"ssl": {
  "id": "example-id",
  "type": "dv",
  "method": "http",
  "status": "pending_validation",
  "http_url": "http://example.com/.well-known/acme-challenge/....",
  "http_body": ".....",
  "validation_records": [
    {
      "status": "processing",
      "http_url": "http://example.com/.well-known/acme-challenge/....",
      "http_body": "....."
    }
  ],
The http_url works and responds with the value in http_body, but the certificate is still failing to renew.
I saw that there was downtime with Cloudflare for SaaS recently: https://www.cloudflarestatus.com/incidents/k8fchbj6gcs4
That appears to be resolved now, but this is still failing.
Is this something on my end? What can I do about this?
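The check the poster describes (fetch each validation record's http_url and confirm it serves http_body) as an added Python script; this is not code from the thread or from Cloudflare. The SAMPLE_SSL object mirrors the API response shape above with placeholder id, token and body, and the fetcher is injectable so the comparison logic can be exercised offline.

```python
import urllib.request

# Constructed sample of the "ssl" object from the custom hostname API response, in the
# shape shown in the thread. The id, URL token and body are placeholders, not real values.
SAMPLE_SSL = {
    "id": "example-id",
    "type": "dv",
    "method": "http",
    "status": "pending_validation",
    "validation_records": [
        {
            "status": "processing",
            "http_url": "http://sub.example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
            "http_body": "BODY-PLACEHOLDER",
        }
    ],
}


def http_fetch(url, timeout=10):
    """Fetch the validation URL over plain HTTP; urllib follows redirects by default."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-http01-check/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def check_validation_records(ssl_obj, fetch=http_fetch):
    """Return (http_url, ok, reason) per validation record; `fetch` is injectable for tests."""
    results = []
    for rec in ssl_obj.get("validation_records", []):
        url, expected = rec["http_url"], rec["http_body"]
        if not url.startswith("http://"):
            results.append((url, False, "validation URL must be plain http"))
            continue
        try:
            status, body = fetch(url)
        except Exception as exc:  # DNS failure, timeout, refused connection, HTTP error
            results.append((url, False, f"fetch failed: {exc}"))
            continue
        if status != 200:
            results.append((url, False, f"HTTP {status}"))
        elif body.strip() != expected.strip():
            results.append((url, False, "body does not match http_body"))
        else:
            results.append((url, True, "ok"))
    return results
```

Call `check_validation_records(response["ssl"])` on the real API response to see, per record, whether the token is reachable over plain HTTP and byte-for-byte identical to http_body.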
20 Replies
I removed & readded the domain, and this is what I see
Under expiry it just shows "Cloudflare", and if I mouse over it it says Managed by Cloudflare
Can I just ignore that it's pending validation then? I don't want issues with renewal in the future...

What is the actual domain?
Sorry, I can't provide that for security reasons which is why I redacted it from everything.
I know that makes it harder to help, but I can provide any other non-identifying information that would help.
The domain in question also uses Cloudflare if that matters.
Also, as part of manual HTTP validation (in case the automatic validation did not work), I have it set up to return the correct value for example.com/.well-known/pki-validation/....
So one of the methods should have worked
I have a support ticket with more details on this as well, but I thought posting it here might get a faster response if other folks had the same issue
Also after deleting and re-adding it, going to the domain works
So it actually reissued a certificate successfully. Not sure why it would fail validation if it was able to issue a certificate?
These are the CAA records for the domain as well:
; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> CAA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30307
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com. IN CAA
;; AUTHORITY SECTION:
example.com. 300 IN SOA sharon.ns.cloudflare.com. dns.cloudflare.com. 2382683261 10000 2400 604800 1800
;; Query time: 74 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Sep 15 04:03:42 AST 2025
;; MSG SIZE rcvd: 107
Is the certificate you see now actually for the specific custom hostname, or is it the wildcard cert that the domain would use anyway as it is on Cloudflare already?
I see this:
Common Name (CN) example.com
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>
The domain I added is for a subdomain as part of example.com, e.g. sub.example.com
No Subject Alternative Name in the cert?
openssl s_client -connect sub.example.com:443 -servername sub.example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"
This returns:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com
So it's the wildcard certificate, not the custom hostname certificate that's being used.
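To tell from the openssl output above whether a custom hostname is served by a certificate that names it exactly or only by the parent zone's wildcard, here is an added Python helper (not from the thread; the SAN lines are a constructed sample using example.com placeholders). It applies the usual wildcard rule: `*.example.com` covers `sub.example.com` but not `example.com` or `a.b.example.com`.

```python
import re

# Constructed sample of the two lines the openssl | grep pipeline in the thread prints for a
# hostname that is being served by the parent zone's certificate (placeholder names).
SAMPLE_SAN_OUTPUT = """X509v3 Subject Alternative Name:
    DNS:example.com, DNS:*.example.com
"""


def parse_san_dns_names(text):
    """Extract the DNS: entries from openssl's Subject Alternative Name dump."""
    return re.findall(r"DNS:([^,\s]+)", text)


def san_matches(san_name, hostname):
    """RFC 6125-style match: '*' covers exactly one label and only in the leftmost position."""
    san_name, hostname = san_name.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san_name.startswith("*."):
        return san_name == hostname
    suffix = san_name[2:]
    if not hostname.endswith("." + suffix):
        return False
    first_label = hostname[: -len(suffix) - 1]
    return bool(first_label) and "." not in first_label


def classify_certificate(san_text, hostname):
    """'exact' if a SAN names the hostname itself, 'wildcard' if only a *.parent entry covers
    it (i.e. the parent zone's certificate), 'none' if the certificate does not cover it."""
    names = parse_san_dns_names(san_text)
    if any(san_matches(n, hostname) for n in names if not n.startswith("*.")):
        return "exact"
    if any(san_matches(n, hostname) for n in names if n.startswith("*.")):
        return "wildcard"
    return "none"
```

Feed it the output of the openssl command above: a result of "wildcard" for the custom hostname means the hostname works only because the parent zone's certificate covers it, not because its own certificate was issued.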
That makes sense, thanks for clarifying
If I ignore the pending validation error will that cause an issue?
Will the domain be automatically removed if it never validates?
Maybe? It relies on the parent domain being active on Cloudflare. If the parent is ever removed, the custom hostname would also stop working. I'm also not sure whether the parent account's certificate is supposed to be used for a custom hostname.
Does the parent domain have any CAA records?
Nope,
dig CAA example.com
returns nothing
https://www.entrust.com/resources/tools/caa-lookup
Same as this...no CAA records
Just in case I was using the wrong dig command
Let me quickly add a custom hostname myself and see if that works. Which CA did you choose?
Not using Enterprise so I don't think I can select a specific one
It shows:
Minimum TLS version: TLS 1.0 (default)
Certificate validation method: HTTP Validation
SSL certificate authority: Google Trust Services
Certificate type: Provided by Cloudflare
Origin server: Default origin server
Origin SNI value: Host header
So I think it defaults to Google
Hmm, I can only get the certificate issued if I proxy the DNS record in the parent zone. On DNS-Only, it doesn't work.
That's odd. I feel like that wasn't the case before. This customer hasn't made any changes on their end as far as I know
I don't believe that's how it should be either. I'll ask around
Sounds good, appreciate you looking into this
Oh, it actually worked, I was just too impatient.
Hmm...well that's strange then
Not sure why it's not working for this particular domain