tencent cloud

All product documents
SSL Certificates
DocumentationSSL CertificatesFAQsSSL Certificate Taking EffectWhat Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
Download PDF
Last updated: 2024-03-06 18:03:04
What Should I Do If the Issue of a Free SSL Certificate Takes Too Long or Failed?
Last updated: 2024-03-06 18:03:04
Download PDF
This document describes how to troubleshoot a failure to issue the free SSL certificate due to domain ownership verification timeout when you apply for the certificate from Tencent Cloud.
Note:
It generally takes up to 30 minutes to issue a free SSL certificate, after which you can troubleshoot the timeout as instructed in this document.

Checking the CAA Record

CAA records need to be checked for both file validation and DNS validation. If there are no CAA records or they contain 0 issuewild "sectigo.com" and 0 issue "sectigo.com", the check can be passed.

dig command

dig domain name CAA
Everything is normal if the returned value is empty or contains 0 issuewild "sectigo.com" and 0 issue "sectigo.com", as shown below:



DNS diagnosis tool

Go to the DNS diagnosis tool, enter the primary domain, select CAA, and click Check. Everything is normal if the returned value is empty or contains 0 issuewild "sectigo.com" and 0 issue "sectigo.com".
Note:
If the check fails or only certain regions can be checked, check the DNS settings of the domain.

Solution

If the returned result is not empty and does not contain 0 issuewild "sectigo.com" and 0 issue "sectigo.com", add the following records to the DNS settings:
Host
Record Type
Split Zone
Record Value
@
CAA
Default
0 issuewild "sectigo.com"
@
CAA
Default
0 issue "sectigo.com"

Checking the DNS Record

After checking the CAA record, check whether the validation record has been added. For self-built NS servers or those with DNS query limits outside the Chinese mainland, check whether the DNS query outside the Chinese mainland is normal with the DNS diagnosis tool or DNSCHCKER. In general, all monitored points can return values and their returned values are the same.
1. Determine the domain to be checked. The domain to be checked should be in the format of host.domain; for example, if the certificate's host is _26A56EBADCE479E******5D304C0D8.blog and the domain is dnspod.cn, the domain to be checked should be _26A56EBADCE479E******5D304C0D8.blog.dnspod.cn.
2. Go to the DNS diagnosis tool, enter the target domain, select CNAME, and click Check. Everything is normal if the returned value is the record value prompted in the console.

Checking Whether the Validation IP Is Blocked by the Server

If you wait a long time for the certificate to be issued by the CA after passing the file validation, it's possible that the server or data center has blocked the CA's validation IPs (64.78.193.238 and 216.168.247.9). In that case, add them to the allowlist.
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No

Feedback

Contact Us

Contact our sales team or business advisors to help your business.

Contact Us
Technical Support

Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

Submit a Ticket
7x24 Phone Support
Hong Kong, China
+852 800 906 020 (Toll Free)
United States
+1 844 606 0804 (Toll Free)
United Kingdom
+44 808 196 4551 (Toll Free)
Canada
+1 888 605 7930 (Toll Free)
Australia
+61 1300 986 386 (Toll Free)
EdgeOne hotline
+852 300 80699
More local hotlines coming soon