# Just 1 of 12 domains stuck at "Pending Validation"

dire plume
#

Hi,

I'm using "Custom Hostnames" to allow my customers to use their own domain to point to my service.

I've set up 11 custom hostnames so far, all working perfectly.

I've one custom domain however that won't seem to verify. It's been stuck at "Pending Validation" for multiple days now.

As far as I can tell, my customer has correctly set up their DNS and I'm following the same procedure as I did for the other 11 subdomains.

The domain is videos.15gifts.com and it has a CNAME which points to videos.viduhq.com.

Is there anything that I can do to help debug the issue?

elfin robin
# dire plume Hi, I'm using "Custom Hostnames" to allow my customers to use their own domain ...

15gifts has CAA records on it

;; ANSWER SECTION:
15gifts.com. 300 IN CAA 0 iodef "mailto:[email protected]"
15gifts.com. 300 IN CAA 0 issue ";"
15gifts.com. 300 IN CAA 0 issue "amazon.com"
15gifts.com. 300 IN CAA 0 issue "amazonaws.com"
15gifts.com. 300 IN CAA 0 issue "amazontrust.com"
15gifts.com. 300 IN CAA 0 issue "awstrust.com"
15gifts.com. 300 IN CAA 0 issue "digicert.com"
15gifts.com. 300 IN CAA 0 issue "letsencrypt.org"
15gifts.com. 300 IN CAA 0 issue "sectigo.com"

#

Which CA did you pick? That's missing GTS and also has 2 malformed ones

dire plume
#

Thanks. If you're asking which "Certificate type" I chose when creating the domain in Cloudflare, I chose "Provided by Cloudflare"

#

If you're asking about the 15gifts.com domain, I'm not in control of that. Which ones are malformed?

#

Just reading up on CAA (I only know a little about DNS), am I right in saying that they will need to add a CAA record to allow Cloudflare to issue a certificate?

elfin robin
# dire plume Just reading up on CAA (I only know a little about DNS), am I right in saying th...

yea they need pki.goog
I believe you could as well just create CAA records on videos.viduhq.com, one for letsencrypt.org, and one for pki.goog, and it should just follow it: https://letsencrypt.org/docs/caa/

dire plume
#

Great, thanks for your help - really appreciate it

#

I'll try adding CAA records on videos.viduhq.com as you suggest

#

I added:

#
dig caa videos.viduhq.com

; <<>> DiG 9.10.6 <<>> caa videos.viduhq.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63982
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;videos.viduhq.com.        IN    CAA

;; ANSWER SECTION:
videos.viduhq.com.    191    IN    CAA    0 issue "letsencrypt.org"
videos.viduhq.com.    191    IN    CAA    0 issue "pki.goog"

;; Query time: 16 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sat Jan 20 22:59:56 GMT 2024
;; MSG SIZE  rcvd: 107

#

If it doesn't work, should I ask them to add 0 issue "pki.goog"?

#

oh, no need - the cert has been issued

#

Thanks again for your help!
