Troubleshooting Domain Control Validation
Because DCV depends on several steps (serving a token on an HTTP path, resolving your DNS, and the issuing CA's own policies), a number of settings can interfere with certificate issuance and renewal. The most common ones are listed below.
Blocked validation URL
If HTTP DCV is in use and validation fails, review the following settings:
- Anything affecting /.well-known/*: Review WAF custom rules, IP Access Rules, and other configuration rules to make sure no Cloudflare settings target your zone's /.well-known/* path, and that none of your rules enable an interactive challenge on the validation URL.
- Cloudflare account settings and Page Rules: Review your account settings, Configuration Rules, and Page Rules to ensure you have not enabled I'm Under Attack Mode on the validation URL.
DNS settings and records
Check your settings at your authoritative DNS provider to make sure that:
- DNSSEC is configured correctly. A broken chain of trust makes validating resolvers return SERVFAIL, so the CA cannot resolve your hostname at all.
- Your CAA records allow Cloudflare's partner certificate authorities (CAs) to issue certificates on your behalf. A CAA record set that lists only other CAs, or an issue ";" record, makes the CA refuse to issue.
- The CA's HTTP verification prefers IPv6, so if any AAAA record exists for the hostname, it must point to the same dual-stack location as the A record; otherwise the validation will fail.
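One way to check the CAA condition above before triggering DCV, as an added example that is not Cloudflare's own code: paste the answer section of a `dig CAA` query into the function below and it reports, per CA, whether issuance is permitted. It applies the relevant-RRset search, the issue/issuewild distinction and the critical-flag rule from RFC 8659. The partner CA list and the sample records are assumptions constructed for the example; cross-check the CA domains against the Certificate authorities page before relying on them.

```python
"""CAA pre-check for DCV: will a given CA be allowed to issue for this name?

Added example (not Cloudflare's code). It applies the relevant-RRset search and
the issue / issuewild / critical-flag rules of RFC 8659 to an in-memory snapshot
of CAA records, so that `dig CAA` output can be pasted in and checked offline.
"""
from dataclasses import dataclass

CRITICAL = 128  # "issuer critical" flag bit (RFC 8659, Section 4.1)

# Assumption: CA domains to test against. Cross-check this list with the CAs
# Cloudflare currently documents as its partners; it is illustrative only.
PARTNER_CAS = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog",
    "SSL.com": "ssl.com",
}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


def parse_dig_caa(text):
    """Parse dig answer lines ('name. TTL IN CAA flags tag "value"') into {name: [CAA]}."""
    records = {}
    for line in text.strip().splitlines():
        parts = line.split(None, 6)          # the value may contain spaces; keep it whole
        if len(parts) < 7 or parts[3].upper() != "CAA":
            continue
        name = parts[0].rstrip(".").lower()
        records.setdefault(name, []).append(
            CAA(int(parts[4]), parts[5].lower(), parts[6].strip().strip('"')))
    return records


def relevant_caa_set(records, fqdn):
    """Walk from fqdn toward the root; the first name holding a CAA RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if records.get(name):
            return name, list(records[name])
    return None, []


def caa_permits(records, fqdn, ca_domain):
    """Return (permitted, reason) for ca_domain issuing for fqdn ('*.x' = wildcard)."""
    wildcard = fqdn.startswith("*.")
    if wildcard:
        fqdn = fqdn[2:]
    name, rrset = relevant_caa_set(records, fqdn)
    if not rrset:
        return True, "no CAA records found; issuance is unrestricted"
    # An unknown property marked critical means the CA MUST refuse to issue.
    for r in rrset:
        if r.flags & CRITICAL and r.tag not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical property '{r.tag}' at {name}"
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"                     # issuewild overrides issue for wildcards
    rules = [r for r in rrset if r.tag == tag]
    if not rules:
        return True, f"no '{tag}' records at {name}; issuance is unrestricted"
    # The issuer domain precedes any ';'-separated parameters; 'issue ";"' forbids everyone.
    allowed = {r.value.split(";", 1)[0].strip().lower() for r in rules} - {""}
    if ca_domain.lower() in allowed:
        return True, f"'{ca_domain}' is listed in '{tag}' at {name}"
    return False, f"'{ca_domain}' is not in '{tag}' at {name}; allowed: {sorted(allowed) or 'none'}"


def dcv_caa_report(dig_text, fqdn):
    """Map each partner CA name to (permitted, reason) for the given fqdn."""
    records = parse_dig_caa(dig_text)
    return {ca: caa_permits(records, fqdn, domain) for ca, domain in PARTNER_CAS.items()}


# Constructed sample of `dig CAA` answer lines (not real zone data).
SAMPLE_DIG = """
example.com.         300 IN CAA 0   issue     "letsencrypt.org"
example.com.         300 IN CAA 0   issue     "pki.goog; validationmethods=http-01"
example.com.         300 IN CAA 0   issuewild ";"
example.com.         300 IN CAA 0   iodef     "mailto:security@example.com"
locked.example.com.  300 IN CAA 0   issue     ";"
strict.example.com.  300 IN CAA 128 mystery   "opaque"
"""

if __name__ == "__main__":
    for host in ("www.example.com", "*.example.com", "locked.example.com",
                 "strict.example.com", "no-caa.test"):
        print(host)
        for ca, (ok, why) in dcv_caa_report(SAMPLE_DIG, host).items():
            print(f"  {'OK  ' if ok else 'FAIL'} {ca}: {why}")
```

Run it against the real answer section from `dig +noall +answer CAA <hostname>` for the hostname on the certificate (and for each parent name, since the walk stops at the first name that has any CAA records). A FAIL for the CA Cloudflare is using means the order will be rejected regardless of how the HTTP token is served, so fix the CAA set first and wait for its TTL to expire before retrying DCV.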
Rate limiting
As mentioned in Certificate authorities, specific CAs may have their own limitations. If you use Let’s Encrypt and receive the error below, it means you hit the duplicate certificate limit imposed by Let’s Encrypt.
The authority has rate limited these domains. Please wait for the rate limit to expire or try another authority.
A certificate is considered a duplicate of an earlier certificate if it contains the exact same set of hostnames.
In this case, you can either wait for the rate limit window to end or choose a different certificate authority.