# SSL for SaaS - Certificate validation _acme-challenge TXT value keeps changing - custom hostname


rancid kiln
#

What is the domain name?
custom domain:_cny2024_tm_com_my
cf zone: tmcny2024_com
note: replaced dots with underscores in the domains because the community did not allow posting more than 4 "links"

Have you searched for an answer?
yes: found this article that led to adding CAA record with value: pki_goog

However, the problem still persists, and the TXT value for _acme-challenge_cny2024_tm_com_my is refreshed with a different value.

Please share your search results url:
community_cloudflare_com/t/after-setting-custom-hostnames-and-the-client-sets-the-certificate-validation-txt-value-in-dns-the-certificate-validation-txt-value-is-changed/502021/15

When you tested your domain, what were the results?
CAA record for tm_com_my includes pki_goog
TXT record for _cf-custom-hostname_cny2024_tm_com_my is correct and accepted
TXT record for _acme-challenge_cny2024_tm_com_my is per the previous value (the value provided by SSL for SaaS has changed up to 4 times now).

Describe the issue you are having:
certificate validation _acme-challenge TXT record value keeps changing.

What error message or number are you receiving?
“Pending validation”

What steps have you taken to resolve the issue?

added TXT _cf-custom-hostname_cny2024_tm_com_my successfully
added TXT _acme-challenge_cny2024_tm_com_my successfully
added CAA value pki_goog to tm_com_my successfully

Was the site working with SSL prior to adding it to Cloudflare?
N/A

What are the steps to reproduce the error:

created custom hostname first in the custom hostname dashboard
added TXT validation records
added CAA record

Have you tried from another browser and/or incognito mode?
N/A

Please attach a screenshot of the error:
https://global.discourse-cdn.com/cloudflare/original/3X/7/0/70871a2d2a7e90d967377ead5351dc4dceb60692.jpeg

rancid kiln
#

Also... I've just noticed that this is the Cloudflare Developer Discord... unsure how I ended up here, was digging through the CF support path and it led me to try joining the community Discord here when I was looking up this specific problem 😄

fair turret
#

You can use DCV Delegation btw so you don't need to manually create the TXT records; it's under Custom Hostnames.

#

You weren't clicking "Refresh", right? It would change the value every time.

rancid kiln
#

Well, all is good now, since switching over to Delegated DCV.

As a further clarification, we didn't see the need for using Delegated DCV for future certificate updates, because we only required this custom hostname proxy for the next 1.5 months of the campaign period, after which the project would be completed.

fair turret
#

Well, for the future, definitely worth checking CAA records first.
https://letsencrypt.org/docs/caa/
Either have none configured, or for CF for SaaS you need Let's Encrypt and GTS/Google. Keep in mind too that it'll recursively check all the way down. It'll check cny2024, then tm, then com, then my. Some weird TLDs actually do configure them, which is annoying.

Delegated DCV is worth doing if you can as well; let it do its thing and retry.
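As an added example (not code from the thread, from Cloudflare, or from Let's Encrypt), here is a small Python check for the CAA walk described above: it finds the closest name at or above the hostname that publishes a CAA record set, then reports which of the two CAs Cloudflare for SaaS may use are not permitted by it. The CAA data is a constructed in-memory zone mirroring the thread (dots restored, tm.com.my listing only pki.goog), so it runs offline; pass a real lookup function (e.g. one built on dnspython) to query live DNS.

```python
from typing import Callable

CAARecord = tuple[int, str, str]            # (flags, tag, value)
Lookup = Callable[[str], list[CAARecord]]   # name -> CAA RRset (empty if none)

# Constructed zone data, NOT real DNS answers: only tm.com.my publishes CAA,
# and it currently lists only Google Trust Services, as in the thread.
FAKE_CAA: dict[str, list[CAARecord]] = {
    "tm.com.my": [(0, "issue", "pki.goog")],
}

def fake_lookup(name: str) -> list[CAARecord]:
    return FAKE_CAA.get(name.rstrip(".").lower(), [])

def relevant_caa(hostname: str, lookup: Lookup = fake_lookup):
    """Return (name, rrset) for the closest name at or above hostname that has
    a CAA RRset, walking cny2024.tm.com.my -> tm.com.my -> com.my -> my.
    Returns (None, []) when no ancestor publishes CAA (RFC 8659, section 3)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = lookup(name)
        if rrset:
            return name, rrset
    return None, []

def issuance_allowed(hostname: str, ca: str, lookup: Lookup = fake_lookup) -> bool:
    """True if the CA identified by `ca` (e.g. 'letsencrypt.org') may issue for
    hostname. Non-wildcard name, so only 'issue' tags are consulted."""
    _, rrset = relevant_caa(hostname, lookup)
    issue_values = [v for _, tag, v in rrset if tag.lower() == "issue"]
    if not issue_values:
        return True   # no CAA anywhere, or no 'issue' tags: any CA may issue
    # An 'issue' value is '<ca-domain>[; param=...]' or ';' alone (deny all).
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in issue_values)

# The two CAs the thread says Cloudflare for SaaS may pick from.
CF_FOR_SAAS_CAS = ("letsencrypt.org", "pki.goog")

def missing_cas(hostname: str, lookup: Lookup = fake_lookup) -> list[str]:
    """CAs from CF_FOR_SAAS_CAS that the relevant CAA set does not permit."""
    return [ca for ca in CF_FOR_SAAS_CAS if not issuance_allowed(hostname, ca, lookup)]

if __name__ == "__main__":
    where, rrset = relevant_caa("cny2024.tm.com.my")
    print(f"relevant CAA set found at {where}: {rrset}")
    print("not permitted:", missing_cas("cny2024.tm.com.my"))
```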

rancid kiln
fair turret
#

It would be nice to have the dashboard just tell you better / do some pre-validation itself, maybe one day.