Update troubleshoot-custom-domains.mdx (#441)

* Update troubleshoot-custom-domains.mdx

Author: BcnCarlos

main/docs/troubleshoot/integration-extensibility-issues/troubleshoot-custom-domains.mdx

@@ -8,9 +8,99 @@ title: Troubleshoot Custom Domains
 'twitter:description': Learn how to troubleshoot issues with custom domains.
 'twitter:title': Troubleshoot Custom Domains
 ---
-See the following video on common issues with <Tooltip tip="Custom Domain: Third-party domain with a specialized, or vanity, name." cta="View Glossary" href="/docs/glossary?term=custom+domains">custom domains</Tooltip> and refer to the sections below for troubleshooting steps for specific scenarios.
 
-<iframe width="100%" height="316" src="https://www.youtube.com/embed/f6fkOkS1RFA" title="Custom Domain Issues" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe>
+## Auth0-managed custom domains
+
+When you configure [custom domains with Auth0-managed certificates](/docs/customize/custom-domains/auth0-managed-certificates), there are two custom domain attributes that you can review to query their provision status:
+
+* `verification`
+* `certificate`
+
+You can review the custom domain provision status using [Auth0 CLI](https://auth0.github.io/auth0-cli/) or the Management API.
+
+### Auth0 CLI
+Use the following command to list the existing domains and their status:
+
+```bash
+auth0 domains list
+```
+
+To learn more, read [Auth0 CLI](https://auth0.github.io/auth0-cli/auth0_domains_list.html) documentation. 
+
+### Auth0 Management API
+
+Send a `GET` request to the `/api/v2/custom-domains` endpoint:
+
+```bash
+curl -L -g 'https://{tenantDomain}/api/v2/custom-domains' \
+-H 'Accept: application/json'
+```
+
+The response includes a list of your custom domains, including their `status`, `verification.status` and if verified, their `certificate.status`. 
+
+```json files
+{
+  "custom_domain_id": "cd_9JPAp8JxtP0jvmbc",
+  "domain": "yellow.acmetest.org",
+  "primary": true,
+  "status": "ready",
+  "type": "auth0_managed_certs",
+  "verification": {
+    "methods": [...],
+    "status": "verified",
+    "last_verified_at": "2025-06-10T12:49:05Z"
+  },
+  "tls_policy": "recommended",
+  "certificate": {
+    "certificate_authority": "letsencrypt",
+    "status": "provisioned",
+    "renews_before": "2025-09-08T11:52:12Z"
+  }
+}
+```
+
+### Verification process
+
+When you first configure an Auth0-managed custom domain, Auth0 attempts to verify the provided custom domain DNS record. The initial custom domain `status` is set to `pending_verification` and its `verification.status` is set to `pending`. 
+
+### Certification process
+
+Once the DNS record is successfully verified, the custom domain `verification.status` is set to `verified` and its `certificate.status` is set to `provisioning`.
+
+When the certificate is successfully created and deployed, the `certificate.status` is set to `provisioned` and the `certificate.renews_before` attribute indicates the date by which Auth0 will automatically renew the certificate.
+
+### Troubleshoot
+
+If the verification process fails, the custom domain `status` is set to `failed`. You can review the `verification.error_msg` attribute to determine how to proceed.
+
+The `verification.error_msg` attribute can be set to `DNS verification record issue`, `Domain conflicts with network configuration` or `CAA record issue`.
+
+* `DNS verification record issue`: Auth0 could not verify your `CNAME` or `TXT` record. This can happen if the record does not exist, is incorrect, or has not propagated yet. Auth0 will attempt to verify the DNS record for up to seven days before failing. 
+
+<Callout icon="file-lines" color="#0EA5E9" iconType="regular">
+This DNS record must remain in place permanently. Auth0 needs it to automatically renew the certificate in the future.
+</Callout>
+
+* `Domain conflicts with network configuration`: This typically means that you are using Cloudflare as the DNS provider and Zone Hold is enabled. The Zone Hold prevents Auth0 from verifying your custom hostname. 
+
+    To address this error message:
+      1. Remove the Zone Hold from your DNS zone in Cloudflare.
+      2. Select **Verify** in the **Auth0 Dashboard > Branding > Custom Domains** to restart the process.
+      3. Once verification is successful, you can re-enable Cloudflare Zone Hold.
+
+* `CAA record issue`: Auth0 cannot get the certificate for your custom domain. 
+This typically is due to your domain's DNS Certification Authority Authorization (CAA) records restricting which Certificate Authorities can issue certificates for your domain.
+
+    To address this error message:
+    The easiest solution is to remove your CAA records for the exact custom domain you are trying to verify. This will let Auth0 order and provision the certificate without restrictions.
+
+    You can determine your current CAA records using the `dig` command. 
+
+    ```bash
+      dig {your-custom-domain.com} +short CAA
+    ```
+
+    Replace `your-custom-domain.com` with your actual custom domain.
 
 ## Custom domain is still pending verification
 
@@ -33,44 +123,26 @@ Auth0 recommends turning off CNAME flattening unless it's strictly necessary, ac
 
 </Callout>
 
-CNAME flattening affects the Auth0 verification and certificate renewal processes due to the way it handles DNS records. Enabling CNAME flattening in Cloudfare after setting up a custom domain does **not** prevent certificate renewal.
+CNAME flattening affects the Auth0 verification and certificate renewal processes due to the way it handles DNS records. Enabling CNAME flattening in Cloudflare after setting up a custom domain does **not** prevent certificate renewal.
 
-If you need to enable CNAME flattening for all subdomains managed by Cloudfare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read [Delegating Subdomains Outside of Cloudflare](https://support.cloudflare.com/hc/en-us/articles/360021357131-Delegating-Subdomains-Outside-of-Cloudflare) in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.
+If you need to enable CNAME flattening for all subdomains managed by Cloudflare and also configure a specific subdomain to be an Auth0 custom domain, consider delegating the subdomain for Auth0 to another DNS provider. To learn more, read [Delegating Subdomains Outside of Cloudflare](https://support.cloudflare.com/hc/en-us/articles/360021357131-Delegating-Subdomains-Outside-of-Cloudflare) in the Cloudflare documentation. This will enable you to use CNAME flattening for all subdomains except the one used for Auth0.
 
 ## "You should not be hitting this endpoint"
 
 If you see this error when configuring a custom domain, you must perform additional configurations, which varies depending on your setup. To learn more, see [Configure Features to Use Custom Domains](/docs/customize/custom-domains/configure-features-to-use-custom-domains).
 
 ## "Service not found"
 
-If your application issues an `/authorize` request with `audience=https://login.northwind.com/userinfo`, the server will return a `Service not found: https://login.northwind.com/userinfo` error. This is because even if you set a custom domain the API identifier for the `/userinfo` endpoint remains `https://{yourOriginalAuth0Domain}/userinfo`.
+If your application issues an `/authorize` request with `audience=https://login.acmetest.org/userinfo`, the server will return a `Service not found: https://login.acmetest.org/userinfo` error. This is because even if you set a custom domain the API identifier for the `/userinfo` endpoint remains `https://{yourOriginalAuth0Domain}/userinfo`.
 
 Similarly, using your custom domain in calls to the [Auth0 Management API](https://auth0.com/docs/api/management/v2) will error for the same reason.
 
 To fix this your app should instead use `audience=https://{yourOriginalAuth0Domain}/userinfo`. You can also remove this `audience=[...]/userinfo` parameter altogether if your application is flagged as **OIDC-Conformant** in the **OAuth2** tab of the application's **Advanced Settings**.
 
-## Errors related to Internet Explorer
-
-If you are using Internet Explorer, you may see any of the following error messages:
-
-* "No verifier returned from client"
-* "Origin header required"
-* "Failed cross origin authentication"
-
-When both the Auth0 domain and the app domain are in the same trusted or local intranet zone, Internet Explorer does not treat the request as a cross-domain request and therefore does not send the cross-origins header.
-
-If you see any of these errors and you are using Embedded Login, you can move one of the sites out of the trusted or local intranet zone. To do this:
-
-1. Go to **Internet Options > Security**.
-2. Select the **Local Intranet Zone** tab and go to Sites > Advanced. Add your domain.
-3. Return to the **Security** tab, and make sure the proper zone has been selected.
-4. Click **Custom Level** and look for **Access data sources across domains** under the **Miscellaneous** section. Check the radio button next to **Enable**.
-
-Alternatively, you can remove reliance on cross-origin authentication by implementing [Auth0 Universal Login](/docs/authenticate/login/auth0-universal-login).
 
 ## Learn more
 
 * [Configure Features to Use Custom Domains](/docs/customize/custom-domains/configure-features-to-use-custom-domains)
 * [Configure Custom Domains with Auth0-Managed Certificates](/docs/customize/custom-domains/auth0-managed-certificates)
 * [Configure Custom Domains with Self-Managed Certificates](/docs/customize/custom-domains/self-managed-certificates)
-* [TLS (SSL) Versions and Ciphers](/docs/customize/custom-domains/self-managed-certificates/tls-ssl)
+* [TLS (SSL) Versions and Ciphers](/docs/customize/custom-domains/self-managed-certificates/tls-ssl)