diff --git a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx index 9030db321f81b64..6bd6fd1398db56a 100644 --- a/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx +++ b/src/content/docs/ssl/edge-certificates/changing-dcv-method/troubleshooting.mdx @@ -45,13 +45,14 @@ When using [Redirect Rules](/rules/url-forwarding/single-redirects/) the `/.well The errors below refer to situations that have to be addressed at the authoritative DNS provider: -- `the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for nsheiapp.codeacloud.com: dnssec: bogus` +- `the Certificate Authority had trouble performing a DNS lookup: dns problem: looking up caa for : dnssec: bogus` - `Certificate authority encountered a SERVFAIL during DNS lookup, please check your DNS reachability.` Consider the following when troubleshooting: - [DNSSEC](https://www.cloudflare.com/learning/dns/dns-security/) must be configured correctly. You can use [DNSViz](https://dnsviz.net/) to understand and troubleshoot the deployment of DNSSEC. - Your [CAA records](/ssl/edge-certificates/caa-records/) should allow Cloudflare's partner [certificate authorities (CAs)](/ssl/reference/certificate-authorities/) to issue certificates on your behalf. +- Your [CAA records](/ssl/edge-certificates/caa-records/) must be resolvable from all locations. - The HTTP verification process is done preferably over **IPv6**, so if any AAAA record exists and does not point to the same dual-stack location as the A record, the validation will fail. - If an [NS record](/dns/manage-dns-records/reference/dns-record-types/#ns) is present for the hostname or its parent, DNS resolution will be managed externally by the DNS provider defined in the NS target. In this case, you must either add the DCV TXT record at the external DNS provider, or remove the NS record at Cloudflare. @@ -61,6 +62,15 @@ Consider the following when troubleshooting: +### Multiple perspective CAA check error + +The error `Certificate authority encountered a multiple perspective CAA check error, please ensure your DNS is configured to allow CAA queries` means that the CA was not able to resolve the CAA records related to your domain from specific geographic locations. + +You can investigate for resolution error using the [ping.pe tool](https://dig.ping.pe/). +For example, for a [Google Trust Services](/ssl/reference/certificate-authorities/#google-trust-services) certificate encountering this issue, you can check for: `:CAA:8.8.8.8`. + +Read more from Certificate Authorities specific documentation: [SSL.com](https://www.ssl.com/blogs/multi-perspective-issuance-corroboration-mpic-arrives/), [Let's Encrypt](https://letsencrypt.org/2020/02/19/multi-perspective-validation), and [Google Trust Services](https://pki.goog/faq/#faq-mpic). + ### Internal errors When the certificate authority finds an issue during the CA check portion of the [DCV flow](/ssl/edge-certificates/changing-dcv-method/dcv-flow/), you may see a `Internal error with Certificate Authority` message. In this case, either wait or try a different certificate authority.