Domain not validating through automatic HTTP validation

One of my domains under Cloudflare for SaaS is pending renewal, and it's showing pending HTTP validation

https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/http/#http-automatic

I'm relying on this method. The domain works correctly, but it's just failing to renew the certificate and it continually says pending HTTP validation.

When I get the status of the domain via the API, this is what the response looks like:

"ssl": {
"id": "example-id",
"type": "dv",
"method": "http",
"status": "pending_validation",
"http_url": "http://example.com/.well-known/acme-challenge/....",
"http_body": ".....",
"validation_records": [
{
"status": "processing",
"http_url": "http://example.com/.well-known/acme-challenge/....",
"http_body": "....."
}
],

The http_url works and responds with the value in http_body, but the certificate is still failing to renew.

I saw that there was downtime with Cloudflare for SaaS recently: https://www.cloudflarestatus.com/incidents/k8fchbj6gcs4

But that appears to be resolved now, but this is still failing.

Is this something on my end? What can I do about this?

SuperHelpflare•9/15/25, 6:05 AM

Feedback

Feedback has been submitted! Thank you :)

JeffOP•9/15/25, 7:51 AM

I removed & readded the domain, and this is what I see

Under expiry it just shows "Cloudflare", and if I mouse over it it says Managed by Cloudflare

Can I just ignore that it's pending validation then? I don't want issues with renewal in the future...

JJeff I removed & readded the domain, and this is what I see Under expiry it just sho...

Laudian•9/15/25, 7:56 AM

What is the actual domain?

LLaudian What is the actual domain?

JeffOP•9/15/25, 8:00 AM

Sorry, I can't provide that for security reasons which is why I redacted it from everything.

I know that makes it harder to help, but I can provide any other non-identifying information that would help.

The domain in question also uses Cloudflare if that matters.

Also, as part of manual HTTP validation (in case the automatic validation did not work), I have it set up to return the correct value for example.com./well-known/pki-validation/....

So one of the methods should have worked

I have a support ticket with more details on this as well, but I thought posting it here might get a faster response if other folks had the same issue

JeffOP•9/15/25, 8:01 AM

Also after deleting and re-adding it, going to the domain works

So it actually reissued a certificate successfully. Not sure why it would fail validation if it was able to issue a certificate?

JeffOP•9/15/25, 8:07 AM

These are the CAA records for the domain as well:

; <<>> DiG 9.18.30-0ubuntu0.24.04.2-Ubuntu <<>> CAA example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30307
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;example.com. IN CAA

;; AUTHORITY SECTION:
example.com. 300 IN SOA sharon.ns.cloudflare.com. dns.cloudflare.com. 2382683261 10000 2400 604800 1800

;; Query time: 74 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Mon Sep 15 04:03:42 AST 2025
;; MSG SIZE rcvd: 107

JJeff Also after deleting and re-adding it, going to the domain works So it actually ...

Laudian•9/15/25, 8:08 AM

Is the certificate you see now actually for the specific custom hostname, or is it the wildcard cert that the domain would use anyway as it is on Cloudflare already?

JeffOP•9/15/25, 8:12 AM

I see this:

Common Name (CN) example.com
Organization (O) <Not Part Of Certificate>
Organizational Unit (OU) <Not Part Of Certificate>

The domain I added is for a subdomain as part of example.com, e.g. sub.example.com

Laudian•9/15/25, 8:13 AM

No Subject Alternative Name in the cert?

LLaudian No Subject Alternative Name in the cert?

JeffOP•9/15/25, 8:15 AM

openssl s_client -connect sub.example.com:443 -servername sub.example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep -A1 "Subject Alternative Name"

This returns:

X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com

Laudian•9/15/25, 8:17 AM

So it's the wildcard certificate, not the custom hostname certificate that's being used.

LLaudian So it's the wildcard certificate, not the custom hostname certificate that's bei...

JeffOP•9/15/25, 8:18 AM

That makes sense, thanks for clarifying

If I ignore the pending validation error will that cause an issue?

Will the domain be automatically removed if it never validates?

JJeff That makes sense, thanks for clarifying If I ignore the pending validation erro...

Laudian•9/15/25, 8:20 AM

Maybe? It relies on the parent domain being active on Cloudflare. If the parent is ever removed, the custom hostname would also stop working. I'm also not sure whether the parent accounts certificate is supposed to be used for a custom hostname.

Does the parent domain have any CAA records?

LLaudian Maybe? It relies on the parent domain being active on Cloudflare. If the parent ...

JeffOP•9/15/25, 8:20 AM

Nope, dig CAA example.comdig CAA example.com returns nothing

JeffOP•9/15/25, 8:22 AM

https://www.entrust.com/resources/tools/caa-lookup

Same as this...no CAA records

Just in case I was using the wrong dig command

Laudian•9/15/25, 8:24 AM

Let me quickly add a custom hostname myself and see if that works. Which CA did you choose?

JeffOP•9/15/25, 8:26 AM

Not using Enterprise so I don't think I can select a specific one

It shows:

Minimum TLS version
TLS 1.0 (default)
Certificate validation method
HTTP Validation
SSL certificate authority
Google Trust Services
Certificate type
Provided by Cloudflare
Origin server
Default origin server
Origin SNI value
Host header

So I think it defaults to google

JJeff Not using Enterprise so I don't think I can select a specific one It shows: Mi...

Laudian•9/15/25, 8:36 AM

Hmm, I can only get the certificate issued if I proxy the DNS record in the parent zone. On DNS-Only, it doesn't work.

JeffOP•9/15/25, 8:37 AM

That's odd. I feel like that wasn't the case before. This customer hasn't made any changes on their end as far as I know

Laudian•9/15/25, 8:37 AM

I don't believe that's how it should be either. I'll ask around

JeffOP•9/15/25, 8:38 AM

Sounds good, appreciate you looking into this

JJeff Sounds good, appreciate you looking into this

Laudian•9/15/25, 8:46 AM

Oh, it actually worked, I was just too impatient.