Troubleshooting SSL for SaaS
Validation exceptions
High-risk domains
Occasionally, a domain will be flagged as “high risk” by Cloudflare’s CA partners. Typically this is done only for domains with an Alexa ranking of 1-1,000 and domains that have been flagged for phishing or malware by Google’s Safe Browsing service.
If a domain is flagged by the CA, you need to contact Support before validation can finish. The API call will return indicating the failure, along with a link to where the ticket can be filed.
Certificate Authority Authorization (CAA) records
CAA is a new DNS resource record type defined in RFC 6844 that allows a domain owner to indicate which CAs are allowed to issue certificates for them. If your customer has CAA records set on their domain, they will either need to add the following (or remove CAA entirely):
example.com. IN CAA 0 issue "digicert.com"
example.com. IN CAA 0 issue "letsencrypt.org"
While it’s possible for CAA records to be set on the subdomain they wish to use with your service, it is unlikely. You would also have to remove this CAA record.
Rate limits
By default, you may issue up to 15 certificates per minute. Only successful submissions (POSTs that return 200) are counted towards your limit. If you exceed your limit, you will be prevented from issuing new certificates for 30 seconds.
If you require a higher rate limit, contact your Customer Success Manager.
Time outs
If a certificate issuance times out, the error message will indicate where the timeout occurred:
- Timed Out (Initializing)
- Timed Out (Validation)
- Timed Out (Issuance)
- Timed Out (Deployment)
- Timed Out (Deletion)
To fix this error, send a PATCH request through the API or click the refresh toggle for the specific custom hostname in the dashboard.
Immediate validation checks
You can send a
PATCH request to request an immediate validation check on any certificate. The PATCH data only needs include the same ssl
object as the original request.
Purge cache
To remove specific files from Cloudflare’s cache, purge the cache while specifying one or more hosts.
Resolution error 1016 (Origin DNS error) when accessing the custom hostname
Cloudflare returns a 1016 error when the custom hostname cannot be routed or proxied.
There are two main causes of error 1016:
- Custom Hostname ownership verification is not complete. To check verification status, run an API call to
search for a certificate by hostname
and check the verification error field:
"verification_errors": ["custom hostname does not CNAME to this zone."]
. - Fallback Origin is not correctly set . Confirm that you have created a DNS record for the fallback origin and also set the fallback origin.
Custom hostname in Moved status
To move a custom hostname back to an Active status, send a PATCH request to restart the hostname verification. A Custom Hostname in a Moved status is deleted after 7 days.