Certificate Management Service: What do I do if my certificate remains in the Validating Application state after the certificate application is submitted for a long period of time?

Last Updated: Mar 06, 2024

After you submit a certificate application, the certificate authority (CA) verifies the ownership of your domain name and the information in your certificate application. After the certificate application is approved, the CA issues the certificate. The time that is required to issue a certificate varies based on the certificate type. This topic describes the issuance duration for each certificate type and how to troubleshoot a certificate that has not been issued after a long period of time.

Certificate issuance durations

| Certificate type | Issuance duration |
| --- | --- |
| Domain validated (DV) certificate | After you submit a certificate application for a DV certificate, the CA completes review and issuance within 1 to 2 business days if the specified information is correct. Note: If a DV certificate is not issued after a long period of time, check whether the Domain Name System (DNS) record is valid. |
| Organization validated (OV) or extended validation (EV) certificate | After you submit a certificate application, the CA completes review and issuance within 3 to 7 business days if the specified information is correct and you cooperate with the CA staff during the verification process. Important: After you submit a certificate application for an OV or EV certificate, the CA staff calls the mobile phone number that you specify or sends a verification email to the email address that you specify in the certificate application within 1 business day. The time varies based on the location of the CA. Statutory holidays are excluded. We recommend that you answer the phone call or confirm the email from the CA at the earliest opportunity. If you do not receive a phone call or email, contact your account manager. |

Note

If your domain name contains sensitive keywords, such as bank, pay, or live, manual verification may be triggered. The manual verification process may require a long period of time. Wait until the certificate is issued.

View the verification result of domain name ownership

A CA issues a certificate only after the verification of domain name ownership is successful. If the verification fails, you must modify the DNS record of the domain name in a timely manner and submit a certificate application again to pass the domain name verification.

DNS verification (automatic DNS verification or manual DNS verification)

  • Method 1: View the verification result of domain name ownership in the Certificate Management Service console.

    1. Log on to the Certificate Management Service console.

    2. In the left-side navigation pane, click SSL Certificates.
    3. In the certificate list, find the required certificate and click Verify in the Actions column.

      The following table describes the verification failures that may occur.

      | Failure | Solution |
      | --- | --- |
      | No DNS record is found. | What do I do if no record value is found? |
      | A mismatch is found in the DNS record. | What do I do if Host Record does not match Record Value in a record? |
      | DNS verification times out. | What do I do if the automatic DNS verification process or manual DNS verification process times out? |

  • Method 2: Run a command on your server to view the verification result of domain name ownership.

    1. Log on to your server.

    2. Run the dig <DNS record type> <domain name> command to query the DNS record, or run the dig <DNS record type> <domain name> @8.8.8.8 command to query the DNS record by using Google Public DNS. Example:

      dig txt demo.aliyundoc.com @8.8.8.8

      If the value of the TXT record is returned in the command output and the value is the same as the value of the Record Value parameter that is configured in the Verify Information step of the Apply for Certificate panel in the Certificate Management Service console, the configuration of your DNS record is valid and in effect. If the values are different, you must change the value of the TXT record in the system of your DNS provider to the value of the Record Value parameter.

      If the value of the TXT record is not returned in the command output, the configuration of your DNS record may be invalid or fail to take effect. If the configuration of your DNS record is invalid, change the value of the TXT record in the system of your DNS provider to the value of the Record Value parameter. If the configuration fails to take effect after a long period of time, contact your DNS provider.

      Note

      You can run the yum -y install bind-utils command to install dig on Linux.
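
The comparison described in Method 2, as an added example that is not part of the original page. It classifies dig +short output against the expected Record Value and handles unrelated TXT records on the same name, values split into several quoted strings, and resolver errors. The function names and the sample record value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.

# Constructed sample of `dig +short txt <name>` output: an unrelated SPF
# record plus a validation value that is stored as two quoted strings.
SAMPLE_DIG='"v=spf1 -all"
"constructed-record-" "value-0001"'

# normalize_txt: join split strings ("a" "b" -> ab) and drop dig's quoting.
normalize_txt() {
    sed -e 's/" "//g' -e 's/^"//' -e 's/"$//'
}

# classify_txt EXPECTED: reads dig +short output on stdin and prints
# match, mismatch, no-record, or query-error.
classify_txt() {
    expected=$1
    raw=$(cat)
    if printf '%s\n' "$raw" | grep -q '^;;'; then
        echo "query-error"      # resolver problem, not a missing record
        return 0
    fi
    records=$(printf '%s\n' "$raw" | normalize_txt)
    if [ -z "$records" ]; then
        echo "no-record"        # TXT record absent or not yet in effect
    elif printf '%s\n' "$records" | grep -Fxq -- "$expected"; then
        echo "match"            # DNS record equals the Record Value
    else
        echo "mismatch"         # TXT records exist, none equals the value
    fi
}

# check_txt NAME EXPECTED [RESOLVER]: live query, defaults to Google Public DNS.
check_txt() {
    dig +short txt "$1" "@${3:-8.8.8.8}" | classify_txt "$2"
}

# Demo on the constructed sample; prints "match".
printf '%s\n' "$SAMPLE_DIG" | classify_txt "constructed-record-value-0001"
```

To query a live name, call check_txt with the domain name and the Record Value shown in the Verify Information step.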

File verification

Log on to the Certificate Management Service console. In the certificate list, find the required certificate and click Verify in the Actions column. In the Apply for Certificate panel, click Verify to view the verification result.

The following table describes the verification failures that may occur.

| Failure | Solution |
| --- | --- |
| File verification times out. | What do I do if the file verification process times out? |
| No file is found. | What do I do if no file is found? |
| File content is invalid. | What do I do if the file content is invalid? |

Other

The verification result may also be affected by verification URL addresses.

  • Check whether a 301 redirect or a 302 redirect is enabled for a verification URL address. If a redirect is enabled, you must cancel the related settings to disable the redirect.

    Note

    You can run the wget -S <verification URL address> command to check whether a redirect is enabled for a verification URL address.

  • If your domain name is a second-level domain such as aliyundoc.com, make sure that the third-level domain of the second-level domain that starts with www. can also be accessed. For example, if your second-level domain is aliyundoc.com, make sure that both http://<aliyundoc.com>/.well-known/pki-validation/fileauth.txt and http://<www.aliyundoc.com>/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name verification fails.

  • If your domain name is a third-level domain that starts with www., such as www.example.com, make sure that the second-level domain of the third-level domain can be accessed. For example, if your third-level domain is www.example.com, make sure that both http://<www.example.com>/.well-known/pki-validation/fileauth.txt and http://<example.com>/.well-known/pki-validation/fileauth.txt can be accessed. Otherwise, the domain name verification fails.
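
The three checks above combined into one script, as an added example that is not part of the original page. The function names are hypothetical, the sample headers are constructed, and a name with exactly one dot is assumed to be a second-level domain, which does not hold for suffixes such as co.uk.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
FILE_PATH=/.well-known/pki-validation/fileauth.txt

# Constructed sample of the response headers that `wget -S` prints.
SAMPLE_HEADERS='  HTTP/1.1 301 Moved Permanently
  Location: https://www.example.com/.well-known/pki-validation/fileauth.txt'

# hosts_to_check DOMAIN: the name itself plus its www/second-level counterpart.
# Assumption: a name with exactly one dot is a second-level domain.
hosts_to_check() {
    case $1 in
        www.*) printf '%s\n%s\n' "$1" "${1#www.}" ;;
        *.*.*) printf '%s\n' "$1" ;;
        *.*)   printf '%s\n%s\n' "$1" "www.$1" ;;
    esac
}

# classify_response: reads `wget -S` header output on stdin and prints
# ok, redirect, no-response, or http-<code>.
classify_response() {
    code=$(awk '$1 ~ /^HTTP\// { print $2; exit }')
    case $code in
        200)     echo "ok" ;;
        301|302) echo "redirect" ;;     # must be disabled for verification
        "")      echo "no-response" ;;  # connection failed or timed out
        *)       echo "http-$code" ;;   # for example 404: file not found
    esac
}

# check_file_validation DOMAIN: live check of every URL that must be reachable.
# --max-redirect=0 stops wget from following a redirect, so it is reported.
check_file_validation() {
    for h in $(hosts_to_check "$1"); do
        url="http://$h$FILE_PATH"
        result=$(wget -S --max-redirect=0 -O /dev/null "$url" 2>&1 | classify_response)
        printf '%s %s\n' "$result" "$url"
    done
}

# Demo on the constructed sample; prints "redirect".
printf '%s\n' "$SAMPLE_HEADERS" | classify_response
```

Every line that check_file_validation prints should start with ok before you click Verify in the console.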