You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx
+11-1Lines changed: 11 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -45,13 +45,14 @@ When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well
45
45
46
46
The errors below refer to situations that have to be addressed at the authoritative DNS provider:
47
47
48
-
-`the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus`
48
+
-`the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for <hostname>: dnssec: bogus`
49
49
-`Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.`
50
50
51
51
Consider the following when troubleshooting:
52
52
53
53
-[DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC.
54
54
- Your [CAA records](/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) to issue certificates on your behalf.
55
+
- Your [CAA records](/ssl/edge-certificates/caa-records/) must be resolvable from all locations.
55
56
- The HTTP verification process is done preferably over **IPv6**, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail.
56
57
- If an [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) is present for the hostname or its parent, DNS resolution will be managed externally by the DNS provider defined in the NS target. In this case, you must either add the DCV TXT record at the external DNS provider, or remove the NS record at Cloudflare.
57
58
@@ -61,6 +62,15 @@ Consider the following when troubleshooting:
61
62
62
63
<Renderfile="error-rate-limiting"product="ssl" />
63
64
65
+
### Multiple perspective CAA check error
66
+
67
+
The error `Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries` means that the CA was not able to resolve the CAA records related to your domain from specific geographic locations.
68
+
69
+
You can investigate for resolution error using the [ping.pe tool](https://dig.ping.pe/).
70
+
For example, for a [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) certificate encountering this issue, you can check for: `<hostname>:CAA:8.8.8.8`.
71
+
72
+
Read more from Certificate Authorities specific documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic).
73
+
64
74
### Internal errors
65
75
66
76
When the certificate authority finds an issue during the CA check portion of the [DCV flow](/ssl/edge-certificates/changing-dcv-method/dcv-flow/), you may see a `Internal error with Certificate Authority` message. In this case, either wait or try a different certificate authority.
0 commit comments