src/content/docs/dns/zone-setups/subdomain-setup/setup/index.mdx
Lines changed: 17 additions & 2 deletions
@@ -68,9 +68,24 @@ Although the how-to guides in this documentation are focused on both parent doma
68
68
69
69
## SSL/TLS certificates
70
70
71
-
If the parent domain's SSL/TLS certificate explicitly lists the delegated subdomain and is created after the subdomain's SSL/TLS own certificate, the parent domain's certificate will take precedence over the subdomain's certificate.
71
+
:::note[Certificate Precedence]
72
+
If the **parent zone's** SSL/TLS certificate explicitly lists the delegated subdomain (e.g., `docs.example.com` on the `example.com` certificate) and is provisioned *after* the subdomain's own certificate, the **parent zone's certificate will take precedence**. This means visitors to the delegated subdomain might incorrectly see the parent domain's certificate.
72
73
73
-
For instance, if `example.com`[creates an advanced certificate](/ssl/edge-certificates/advanced-certificate-manager/manage-certificates/) that directly lists `docs.example.com`, visitors to `docs.example.com` might see the SSL/TLS certificate for `example.com`.
74
+
To ensure the child zone's certificate is always used, **do not include the delegated subdomain hostname** in any certificate covering the parent zone.
75
+
:::
76
+
77
+
### Troubleshooting Certificate Validation
78
+
79
+
This section addresses common issues where Edge Certificate provisioning appears to be stuck or failing. In the context of Subdomain Setup, these failures are often **expected behaviors** due to conflicts in domain hierarchy and delegation.
80
+
81
+
***Conflict 1: Active Child Zone Certificate Blocks Parent Zone Validation**
82
+
If a certificate is already **active on the child zone** for a specific hostname (e.g., `subdomainA.example.com`), any certificate pack containing that exact hostname in the **parent zone** (e.g., for `example.com`) will **fail validation**.
83
+
***Why it happens:** This is the **expected behavior** to ensure the child zone's certificate takes precedence. The active certificate in the child zone prevents the parent zone from completing Domain Control Validation (DCV) for that specific hostname.
84
+
85
+
***Conflict 2: Parent Zone Wildcard DNS Record Blocks Child Zone Validation**
86
+
If a **wildcard DNS record** exists in the **parent zone** (e.g., `*.test.example.com`) that covers a hostname in the **child zone** (e.g., `subdomainA.test.example.com`), the Domain Control Validation (DCV) process for a certificate in the child zone will **fail**.
87
+
***Why it happens:** The wildcard record in the parent zone intercepts the DCV query, causing it to resolve against the parent zone's configuration instead of the child zone's, thus blocking validation.
88
+
***Resolution:** To successfully provision the certificate in the child zone, you must **pause or remove the conflicting wildcard DNS record** in the parent zone temporarily.
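Review bot: The Certificate Precedence note and Conflict 1 read as contradictory: the note says a parent zone certificate that lists the delegated subdomain and is provisioned after the child's certificate takes precedence, while Conflict 1 says a parent zone certificate pack containing a hostname with an active child zone certificate will fail validation. State what distinguishes the two outcomes, otherwise a reader cannot tell whether listing the hostname on the parent certificate results in the wrong certificate being served or in a stuck validation. Conflict 1 also has no Resolution item, unlike Conflict 2; it could point back to the note's guidance "do not include the delegated subdomain hostname" in parent zone certificates. In the Conflict 2 resolution, "temporarily" leaves open when the wildcard record can be restored and whether the same DCV failure will recur at renewal; please say so explicitly. The rewrite drops the link to /ssl/edge-certificates/advanced-certificate-manager/manage-certificates/ that the removed paragraph carried, and the examples switch between `docs.example.com` and `subdomainA.example.com` without reason. As shown here, the `***Conflict 1: ...**`, `***Why it happens:**` and `***Resolution:**` lines open with three asterisks and close with two, so check that the list marker and bold markup render as intended.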