#Edge Certificate Pending TXT

I'm not using any DNSSEC and I'm on full DNS, but the certificate has been stuck on pending for a week or two now, I tried disbaling enbaling universal certs and purging cache with no luck of fixing it, my domain: pnl-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop

I also have multiple domains on CA and none had this issue

I also added 3 types of CAA records directed towards letsencrypt.org as I saw in one of the posts

what do you mean "multiple domains on CA"?

My guess is that it's too long: https://community.letsencrypt.org/t/ssl-for-a-63-character-max-number-of-characters-domain-name-s/36387/17
There's a limit of 63 characters in cert common names, you exceed that with the TLD Extension

I don't see anything wrong otherwise. dnssec is fine, caa records are good, it's trying to issue, etc

On the overview of your website in the Cloudflare dashboard (the overview tab), on the right side if you scroll down, what is your Acct and Zone id?

Thanks for answering, I have multiple domains with the same length and they didn't have this issue,

Zone ID
3546a258444b8667c68c8e9715b75eae

Account ID
bbc67e5cdcf7826113b167819f9206f2

@lilac copper

Thanks. Are you on free and unable to create a ticket, or on paid with a ticket created/able to create a ticket that I could forward up?

Weird. Could you share the URLs of one of those? I'm curious what the cert common name is. I think Let's Encrypt might have a workaround for this, and maybe you just got unlucky on this one and it picked Google/someone else?

I am free

irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop

Here you go, this one got a new cert with no problem

@lilac copper

This is the second domain that I recently got and have this issue, there might be a new policy

There is no new policy.

The Common Name (CN) of certificates have been limited to 64 characters since RFC2459 from January 1999.

When Cloudflare (and others) attempt to request the certificate for you, the first name you have in the certificate will typically be the one used for the Common Name (CN).

irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop is 67 characters, and the wildcard *.irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop is 69 characters.

Both of them are therefore long for the Common Name (CN), as Chaika said above.

https://community.cloudflare.com/t/universal-ssl-stucks-in-pending-after-30-hours/625703 here is another example with a long domain name having the same issue.

As mentioned in that thread:

In theory, you SHOULD be able to workaround a such limitation, by using another (sub-)domain name that is less than the 64 characters as the Common Name (CN) for your certificate.

For example, it should work just fine when having a Common Name (CN) of example.com, with the following subjectAltName / Subject Alternative Name (SAN) names in the certificate:

example.com
irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
*.irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop

example.com can literally be anything, as long as it is less than the 64 character limit.

However, a such workaround cannot be made with the free Universal SSL.

On the Business plan, you do have the opportunity to upload your own certificate, which would allow for such a workaround, however, it would also give you the "burden" of having to maintain the certificate on your own and regularly upload a new one to Cloudflare, such as when it gets near to it's expiration.

For the domain name mentioned, - I see a "Precertificate" from Google Trust Services (GTS). from 2024-02-02:

-> https://crt.sh/?q=irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop
-> https://crt.sh/?id=11950824871

Normally, there would also be a "Leaf certificate", if a certificate was successfully created.

The "Precertificate" from the link above simply does not have any Common Name (CN) attached to it.

Thanks for the full explanation I really appreciate that, just to be clear I have an active edge cert for irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop , the one that couldn't get a cert is pnl-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop even though they are the same length, nevertheless I just have to buy a shorter domain and things would work out thank you.

Do you have any active site on irb-o00----------6z-6---z--7t6--hr-5l6y-aw5qr----zc--9kk---6o0.shop?

I.e., any (sub-)domains with A/AAAA record(s)?

No, I have like 10 domains with the same length and they all have active certs and none has any active site on them

Only the 2 recent domains I got from the same provider have this issue

Yeah I have subdomains and one of them has an active site on a diffrent port than 443, but I created them after getting the cert

So if I understand correctly (I'm a little noob in the things you explained) it was an exception for previous domains and something was helping me to get the cert and now it's gone, to put it simply

Can you share one domain where you have an active website (e.g. HTTP(S) traffic going through it)?

No, there is no such things as exceptions here, and never have been.

Can I send it to you in pv? they are private panels, don't want any attacker to find it

Go ahead.

Discord won't let me, please send me a message

It says Your message could not be delivered. This is usually because you don't share a server with the recipient or the recipient is only accepting direct messages from friends. You can see the full list of reasons here:

Btw the irb one has an active panel on one it's subs with proxy on, but most of the traffic is myself, if you want the sub I should send it to you in pv

My Discord is actually set to allow message requests from this Discord.

So I would start to believe it may be some new Discord restrictions, perhaps because you still have the status as a new user, here on the Cloudflare Discord. 🤔

That said, I've opened a DM with you, - can you try again?

and I can't send friend request either

Interesting, I get the same in the opposite way:

Discord being Discord, ... I guess...