Certificate Management Service: FAQ about domain name ownership verification

Last Updated: Feb 25, 2025

After you submit an application for an SSL certificate, you must cooperate with the certificate authority (CA) to verify the ownership of the domain name bound to the certificate. Certificate Management Service supports various methods for verifying domain name ownership. This topic provides answers to some frequently asked questions about the verification process, which can help you identify and resolve issues in advance to reduce verification failures.

DV certificates

The following verification methods are supported for domain validated (DV) certificates: manual Domain Name System (DNS) verification, file verification, and automatic DNS verification. The following section describes the causes of and solutions to common issues by verification method.

Manual DNS verification

How do I check whether a DNS record is valid?

Alibaba Cloud provides a network detection tool to help you check whether a DNS record is valid. Procedure:

  1. In the Apply for Certificate panel, click View Record Value.

  2. On the Network Detect Tool tab, click OK.

  3. If the resolution result matches the DNS record value of your domain name, the DNS record has taken effect.
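The console's network detection tool performs the same comparison that you can run yourself before clicking OK. The following script is an added example (not Alibaba Cloud's own tooling) that resolves the TXT record and reports one of the states discussed in the questions on this page: ok, mismatch (a record exists with an old or mistyped value), wrong_name (the record landed under a doubled domain name, an assumed common mistake), or no_record. The host record `_dnsauth`, the domain names and the record values in the sample zone are constructed; the resolver is injected so the logic runs offline, and `resolve_txt` shows a live lookup that assumes the `dnspython` package is installed.

```python
import re
from typing import Callable, Dict, Iterable, List

# A resolver maps a DNS name to its TXT strings (as printed by dig/nslookup)
# and raises LookupError (e.g. KeyError) when the name has no TXT records.
TxtResolver = Callable[[str], Iterable[str]]

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def normalize_txt(value: str) -> str:
    """Turn a TXT value as printed by DNS tools into its logical content.

    dig prints multi-string TXT data as "abc" "def"; the logical value is the
    concatenation of the quoted segments with the quotes removed.
    """
    segments = _QUOTED.findall(value.strip())
    return "".join(segments).strip() if segments else value.strip()


def _lookup(resolver: TxtResolver, name: str) -> List[str]:
    """Resolve the TXT records for name; a missing name yields an empty list."""
    try:
        return [normalize_txt(v) for v in resolver(name)]
    except LookupError:
        return []


def check_txt_record(host_record: str, domain: str, expected_value: str,
                     resolver: TxtResolver) -> Dict[str, object]:
    """Classify the state of the domain-validation TXT record.

    host_record and expected_value are the Host Record and Record Value shown
    in the Apply for Certificate panel; domain is the domain name bound to the
    certificate. The returned "status" is one of ok, mismatch, wrong_name or
    no_record, mirroring the console messages discussed on this page.
    """
    fqdn = f"{host_record}.{domain}".strip(".")
    expected = expected_value.strip()
    found = _lookup(resolver, fqdn)
    if expected in found:
        return {"fqdn": fqdn, "status": "ok"}
    if found:
        # A record exists but carries another value: an old or mistyped value.
        return {"fqdn": fqdn, "status": "mismatch", "found": found}
    # Assumed common mistake: the host record was entered with the domain
    # appended, so the record landed at _dnsauth.example.com.example.com.
    doubled = f"{fqdn}.{domain}"
    if expected in _lookup(resolver, doubled):
        return {"fqdn": fqdn, "status": "wrong_name", "found_at": doubled}
    return {"fqdn": fqdn, "status": "no_record"}


def resolve_txt(name: str) -> List[str]:
    """Live TXT lookup via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver  # imported lazily so the rest of the file runs without it
    try:
        return [r.to_text() for r in dns.resolver.resolve(name, "TXT")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []


# Constructed sample zone data for offline demonstration; not real DNS records.
SAMPLE_ZONE: Dict[str, List[str]] = {
    "_dnsauth.example.com": ['"2025022512345678abcdef"'],
    "_dnsauth.stale.example.com": ['"0000000000000000000000"'],
    "_dnsauth.typo.example.com.typo.example.com": ['"2025022512345678abcdef"'],
}


def sample_resolver(name: str) -> List[str]:
    return SAMPLE_ZONE[name]  # KeyError (a LookupError) for unknown names


if __name__ == "__main__":
    for dom in ("example.com", "stale.example.com", "typo.example.com",
                "missing.example.com"):
        print(check_txt_record("_dnsauth", dom, "2025022512345678abcdef",
                               sample_resolver))
```

Run it against your own domain by passing `resolve_txt` instead of `sample_resolver`; a `mismatch` after a re-application usually means the old TXT record is still in place, and a `wrong_name` means the host record was entered as a full domain name at the DNS provider.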

What do I do if the No DNS record found message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. No DNS record is added.

    Solution:

    Manually add a TXT record for your domain name in the system of your DNS service provider to complete the verification. For more information, see Manual DNS verification.

  2. Latency exists when DNS record verification is performed in the Certificate Management Service console.

    If you add a valid DNS record but the No DNS record found message appears, latency may exist in the verification process in the Certificate Management Service console.

    Solution:

    Wait a moment; no further action is required.

  3. The domain name bound to the certificate is different from the domain name of the DNS record.

    Note

    If you use a third-party DNS service, contact the service provider to check the domain name.

    Solution:

    1. Check that the domain name bound to the certificate matches the domain name of the DNS record.

    2. In the Verify Information step of the Apply for Certificate panel, click Modify, re-enter the domain name to bind, and then submit the information for verification.

What do I do if the Mismatch found in the DNS record message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. The DNS record value is incorrectly configured.

    The DNS host record value and TXT record value are incorrectly configured.

    Solution:

    Copy the values of Host Record and Record Value in the Apply for Certificate panel to the DNS record configurations.


  2. DNSPod or another third-party DNS service is used to resolve domain names.

    If DNSPod or another third-party DNS service resolves your domain names, the response returned for a record that does not exist may differ from what the console expects, which can cause the console to report a DNS configuration error.

    Solution:

    Ignore the related error message that appears in the Certificate Management Service console, configure DNS records in DNSPod or the DNS service of another service provider, and wait for the CA to complete the verification. The verification result in the Certificate Management Service console is for reference only. If the verification result is displayed as failed in the console, the verification process of the CA remains unaffected. You must confirm with the CA for the actual verification and issuance results.

  3. DNS records of DigiCert DV certificates were generated more than 24 hours ago.

    If you use a DigiCert DV certificate, the record value generated for your domain name is valid only for 24 hours. After 24 hours, the record value is changed. If the latest TXT record value differs from the settings in your DNS service provider, the domain name ownership verification fails.

    Note

    The timestamp of a GeoTrust DV certificate never expires.

    Solution:

    Delete the original TXT record at your DNS service provider, log on to the Certificate Management Service console, re-apply for the certificate to obtain the latest TXT record value, and then add a new TXT record with that value at your DNS service provider.

    Note

    If you modify an existing TXT record in the domain name control panel of your DNS service provider, the new record requires more than 2 hours to take effect. If you create a TXT record, the record immediately takes effect. To complete the verification, we recommend that you create a TXT record. After the verification is passed, you can delete the TXT record.

  4. The TXT record of the domain name is not synchronized to authoritative DNS servers outside China in a timely manner.

    Dynamic resolution is enabled for your domain name, but the TXT record of the domain name is not synchronized to authoritative DNS servers outside China in a timely manner.

    Solution:

    Make sure that dynamic resolution runs as expected and that the authoritative DNS servers can resolve the TXT record.

What do I do if the Verification timed out. Try again message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. A network exception occurs on the DNS server.

    Solution:

    Contact the service provider of the DNS server to check and fix the network exception.

File verification

What do I do if the No file found message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. The verification file is not uploaded to the verification directory of your server.

    The verification file is not uploaded to the .well-known/pki-validation/ verification directory of your server.

    Solution:

    Upload the verification file to the verification directory of the server. For more information, see File verification.

  2. Latency exists in file verification in the Certificate Management Service console.

    The verification file is uploaded to the verification directory of your server, and the verification file can be accessed by using the URL specified by the HTTPS Address or HTTP Address parameter. However, the console still displays the No file found message.

    Solution:

    The issue may be caused by latency in file verification in the Certificate Management Service console. Wait until the verification is complete.

What do I do if the "Verification timed out. Try again" message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. An exception occurs in the network of the DNS server.

    Solution:

    Contact the service provider of the DNS server to check and fix the network exception.

  2. Port 80 or 443 is disabled on the DNS server.

    Solution 1:

    Enable port 80 or 443 on the DNS server.

    Solution 2:

    Go to the Apply for Certificate panel, click Cancel Application, and then change the value of the Domain Verification Method parameter to Manual DNS Verification.

  3. The website for the domain name does not support access from regions outside China.

    If you apply for a certificate from an international brand, such as DigiCert or GlobalSign, but the website for the domain name bound to the certificate does not support access from IP addresses outside China, the CA cannot perform file verification.

    Solution:

    1. Use a domain name ownership verification tool to identify the domain names whose websites cannot be accessed from IP addresses outside China.

    2. Temporarily add the IP address of the CA to the whitelist of your DNS server to allow the CA to access the DNS server and complete domain name ownership verification. For more information about how to obtain the IP address of a CA, contact your account manager.

      Note

      After the certificate is issued, we recommend that you remove the IP address of the CA from the whitelist to prevent unknown issues from occurring when you apply for another certificate.

  4. The domain names bound to an individual test certificate contain sensitive keywords.

    If the domain names that you bind to an individual test certificate contain sensitive keywords, such as edu, gov, org, jp, pay, bank, live, and nuclear, the certificate may fail to be issued.

    Solution:

    Purchase an OV or EV certificate, or a vTrus certificate. vTrus is a Chinese certificate brand.

What do I do if the "File content is invalid" message appears in the Certificate Management Service console?

The following section describes the common causes of and solutions to this issue:

  1. An old verification file exists on the DNS server.

    Solution:

    1. In the Apply for Certificate panel, click View Detected File and record the information about the detected file.

    2. Log on to your DNS server and delete the detected file.

      In most cases, the detected file is stored in the <web root directory>/.well-known/pki-validation directory.

    3. Download and re-upload the verification file to the DNS server. For more information, see File verification.

  2. The fileauth.txt file is not reachable over an HTTPS URL.

    HTTPS is enabled for specific website pages, but the fileauth.txt verification file is reachable only over an HTTP URL.

    Solution 1:

    Make sure that the verification file is reachable over both HTTP and HTTPS URLs.

    Solution 2:

    Temporarily disable HTTPS for affected pages.

  3. The URL of the verification file is redirected.

    A 301 or 302 redirect is configured for the HTTPS Address and HTTP Address that are used to access the verification file.

    Solution:

    1. Check whether a redirect is enabled for the URLs of the verification file.

      • You can run the wget -S URL command to check whether a redirect is enabled.

      • You can check whether a redirect is enabled based on the address changes in the address bar of your browser.

    2. Cancel the related settings to disable the redirect.

  4. Alibaba Cloud CDN is activated. However, the verification file is not synchronized to CDN nodes outside China.

    Solution 1:

    Synchronize the verification file to the CDN nodes outside the Chinese mainland, or temporarily disable CDN acceleration for regions outside the Chinese mainland.

    Solution 2:

    If you cannot perform a change operation on the server on which a CDN node resides, go to the Apply for Certificate panel, click Cancel Application, and then change the value of the Domain Verification Method parameter to Manual DNS Verification.

  5. The timestamp in the verification file has expired.

    Solution:

    Log on to the Certificate Management Service console, download the latest verification file, and then upload the file to the specified directory of your website.
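The causes listed under "No file found", "Verification timed out" and "File content is invalid" can all be distinguished with one request per scheme, provided the request does not follow redirects (which is what the wget -S check above reveals). The script below is an added example, not Alibaba Cloud's or any CA's checker: it fetches the HTTP and HTTPS address of fileauth.txt, returns a 3xx as-is, and compares the body with the expected content. The host names and responses in the sample table are constructed; the fetch is injected so the classification runs offline, and `fetch_no_redirect` performs the real request with only the standard library.

```python
import http.client
import ssl
from typing import Callable, Dict, Tuple
from urllib.parse import urlsplit

# A response is (status code, lower-cased headers, decoded body).
Response = Tuple[int, Dict[str, str], str]
# A fetcher performs one GET without following redirects and raises OSError
# (or http.client.HTTPException) when the server cannot be reached.
Fetcher = Callable[[str], Response]

VALIDATION_PATH = "/.well-known/pki-validation/fileauth.txt"


def fetch_no_redirect(url: str, timeout: float = 10.0) -> Response:
    """One HTTP(S) GET that returns a 3xx as-is instead of following it."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(host, parts.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", errors="replace")
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, body
    finally:
        conn.close()


def classify(response: Response, expected_content: str) -> str:
    """Map one response to the failure modes described in this FAQ."""
    status, headers, body = response
    if status in (301, 302, 303, 307, 308):
        # The CA fetches the exact URL; a redirect is reported, not followed.
        return "redirect -> " + headers.get("location", "?")
    if status == 404:
        return "no_file"
    if status != 200:
        return f"http_{status}"
    if body.strip() != expected_content.strip():
        # An old file left in the directory, or a body that was edited or wrapped.
        return "content_invalid"
    return "ok"


def check_domain(domain: str, expected_content: str,
                 fetch: Fetcher = fetch_no_redirect) -> Dict[str, str]:
    """Check both the HTTP and the HTTPS address of the verification file."""
    results: Dict[str, str] = {}
    for scheme in ("http", "https"):
        url = f"{scheme}://{domain}{VALIDATION_PATH}"
        try:
            results[scheme] = classify(fetch(url), expected_content)
        except (OSError, http.client.HTTPException) as exc:
            # Includes closed ports and TLS failures: the file cannot be read over that scheme.
            results[scheme] = "unreachable: " + type(exc).__name__
    return results


# Constructed sample responses for offline demonstration; not real hosts.
EXPECTED = "2025022512345678abcdef"
SAMPLE_RESPONSES: Dict[str, Response] = {
    f"http://good.example.com{VALIDATION_PATH}": (200, {}, EXPECTED + "\n"),
    f"https://good.example.com{VALIDATION_PATH}": (200, {}, EXPECTED),
    f"http://redir.example.com{VALIDATION_PATH}": (
        301, {"location": f"https://redir.example.com{VALIDATION_PATH}"}, ""),
    f"https://redir.example.com{VALIDATION_PATH}": (200, {}, EXPECTED),
    f"http://stale.example.com{VALIDATION_PATH}": (200, {}, "0000000000000000000000"),
}


def sample_fetch(url: str) -> Response:
    try:
        return SAMPLE_RESPONSES[url]
    except KeyError:
        raise ConnectionRefusedError(url) from None


if __name__ == "__main__":
    for dom in ("good.example.com", "redir.example.com", "stale.example.com"):
        print(dom, check_domain(dom, EXPECTED, sample_fetch))
```

Pass the content of the downloaded verification file as `expected_content` and omit the `fetch` argument to check a real domain; run it from a network outside China if the CA is an international brand, since reachability from your own office says nothing about what the CA sees.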

Do wildcard domain names support file verification?

No, wildcard domain names do not support file verification. For more information, see [Notice] File Verification is no longer supported when you apply for wildcard certificates.

Automatic DNS verification

If Alibaba Cloud DNS is activated for the Alibaba Cloud account of the certificate applicant and a DV certificate is applied for, Alibaba Cloud automatically identifies the domain name and selects the Automatic DNS Verification method.

Can I change the automatic verification method?

No, if the verification method is set to Automatic DNS Verification, you cannot change the verification method. To use another verification method, switch to another Alibaba Cloud account and repurchase the certificate. After you complete the purchase, you can perform ownership verification for the domain name. For more information, see Alibaba Cloud DNS is not activated for the Alibaba Cloud account of the certificate applicant.

OV and EV certificates

After a CA receives your certificate application, the CA sends an email for domain name verification to your email address or calls your phone number.

Can I complete domain name ownership verification if I only check emails and do not answer phone calls?

Yes, but you need to reply to the email to explain the situation.

What information is included in a verification email? Who is the recipient of the email?

CAs include domain name and order information in a verification email and send the email to the email address of the contact specified during certificate application. For more information, see Manage contacts. The email content varies based on the certificate brand.

Important

The following sample email is for reference only.

GlobalSign


Others

Why does the console display verification as passed, but the certificate remains in the Validating Application state?

The verification result in the Certificate Management Service console is for reference only. If the console displays the verification result as passed, this does not indicate that the CA has completed verification or issued the certificate. You must confirm with the CA for the actual verification and issuance results. In most cases, a DV certificate is issued within 1 to 15 minutes, and an EV or OV certificate is issued within 5 calendar days. In special scenarios, the time required for certificate application review may increase. The following section describes the common causes of and solutions to the issue:

  1. The domain name has a CAA record.

    If the domain name owner adds a Certification Authority Authorization (CAA) record to authorize CAs to issue a certificate for the domain name, the CA for your certificate checks the CAA record when issuing the certificate. If the CA is not authorized, the CA rejects the certificate application.

    Note

    CAA record

    CAA is a control measure to reduce invalid certificate issuance. Since September 8, 2017, CAs have been required to check CAA records when issuing certificates. Domain name owners can add CAA records in their DNS settings.

    Solution:

    Log on to the Alibaba Cloud DNS console by using the owner account of the domain name. Then, delete the CAA record or add the name of the required CA to the CAA record. Then, re-apply for the certificate.

    Important

    If you use the GitHub Pages service and add a CNAME record to map your domain name to a github.io domain name, the CAA policy of github.io is consulted, which can affect the issuance of the certificate. In this case, you can suspend the CNAME record or add trust-provider.com, globalsign.com, and sectigo.com to the CAA record before the certificate is issued.

  2. Domain names contain sensitive keywords.

    If your domain name contains sensitive keywords, such as bank, pay, or live, manual review may be triggered, which requires a long period of time to complete.

    Solution:

    Wait for the manual review result. If your application is not approved, you can change the domain name and apply for a new certificate.
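Returning to cause 1 (CAA records): the following script is an added example, not Alibaba Cloud's or any CA's code, that shows how a CA decides whether it is authorized by a domain's CAA policy, including the CNAME case from the GitHub Pages note. It implements the RFC 6844 lookup (records at the name, else at the CNAME target's tree, else at the parent), which is the behaviour the github.io note describes; RFC 8659 later dropped the climb through the CNAME target's ancestors, so individual CAs differ, and the check is worth running both ways. The zone data is constructed and injected as a dict: `pages-host.example` stands in for github.io, and the CA identifiers are only examples of the form `globalsign.com`.

```python
from typing import Dict, List, NamedTuple, Optional, Tuple


class CAARecord(NamedTuple):
    flags: int  # bit 128 = critical: a CA that does not understand the tag must not issue
    tag: str    # "issue", "issuewild" or "iodef"
    value: str  # e.g. "globalsign.com" or "ca.example; validationmethods=dns-01"


class Zone(NamedTuple):
    cname: Dict[str, str]            # alias name -> canonical name
    caa: Dict[str, List[CAARecord]]  # name -> CAA records at that name


KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parent(name: str) -> Optional[str]:
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_set(zone: Zone, name: str, depth: int = 0) -> List[CAARecord]:
    """RFC 6844-style lookup: records at name, else in the CNAME target's tree,
    else at the parent. (RFC 8659 dropped the CNAME-target climb; CAs differ.)"""
    if depth > 16:  # guard against CNAME loops in the data
        return []
    records = zone.caa.get(name, [])
    if records:
        return records
    target = zone.cname.get(name)
    if target:
        records = relevant_caa_set(zone, target, depth + 1)
        if records:
            return records
    up = parent(name)
    return relevant_caa_set(zone, up, depth + 1) if up else []


def ca_domain(value: str) -> str:
    """Issuer domain of an issue/issuewild value, ignoring ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone: Zone, fqdn: str, ca: str,
              wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether the CA identified by `ca` (e.g. "globalsign.com") is
    authorized to issue for fqdn; wildcard=True models a wildcard certificate."""
    records = relevant_caa_set(zone, fqdn.rstrip(".").lower())
    if not records:
        return True, "no CAA policy found; any CA may issue"
    if any(r.flags & 128 and r.tag.lower() not in KNOWN_TAGS for r in records):
        return False, "critical CAA property with an unknown tag; CA must refuse"
    # For wildcard requests, issuewild takes precedence when present.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in records):
        tag = "issuewild"
    allowed = {ca_domain(r.value) for r in records if r.tag.lower() == tag}
    if not allowed:
        return True, f"no {tag} property in the relevant CAA set; not restricted"
    if ca.lower() in allowed:
        return True, f"{ca} is listed in an {tag} property"
    return False, f"{ca} is not in the {tag} set {sorted(allowed)}"


# Constructed sample zone; "pages-host.example" stands in for the github.io scenario.
SAMPLE_ZONE = Zone(
    cname={"www.example.com": "user.pages-host.example"},
    caa={
        "example.com": [CAARecord(0, "issue", "globalsign.com"),
                        CAARecord(0, "issuewild", "sectigo.com"),
                        CAARecord(0, "iodef", "mailto:security@example.com")],
        "pages-host.example": [CAARecord(0, "issue", "other-ca.example")],
        "locked.example.org": [CAARecord(0, "issue", ";")],  # no CA may issue
    },
)
# The same zone with the CNAME suspended, as the note above suggests.
NO_CNAME_ZONE = Zone(cname={}, caa=SAMPLE_ZONE.caa)


if __name__ == "__main__":
    print(may_issue(SAMPLE_ZONE, "api.example.com", "globalsign.com"))
    print(may_issue(SAMPLE_ZONE, "api.example.com", "globalsign.com", wildcard=True))
    print(may_issue(SAMPLE_ZONE, "www.example.com", "globalsign.com"))
    print(may_issue(NO_CNAME_ZONE, "www.example.com", "globalsign.com"))
```

Replace the sample zone with the output of a real CAA and CNAME lookup for your domain to see which of the two outcomes applies before re-applying; a `False` with the CNAME present and a `True` without it is exactly the GitHub Pages situation the note describes.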

Why does the console show a verification failure even if the DNS record is in effect?

Latency exists when DNS record verification is performed in the Certificate Management Service console, regardless of whether the file verification or DNS verification method is used. You do not need to perform operations. Wait until the verification is complete.

What do I do if the console displays the domain name ownership verification as passed, but the certificate remains in the Validation Failed state?

The verification result in the Certificate Management Service console is for reference only. If the console displays the verification result as passed, this does not indicate that the CA has completed verification or issued the certificate. For more information, see What are the possible reasons for failures on certificate application reviews? What are the solutions?

Can I apply for an Alibaba Cloud SSL certificate for a domain name that is registered with a third-party DNS service?

Yes, you can apply for an Alibaba Cloud SSL certificate for a domain name that is registered with a third-party DNS service.

  • No limits are imposed on the DNS service provider when you apply for a certificate. After you submit an application for an SSL certificate, you only need to add DNS records on the platform of the DNS service provider during certificate application to cooperate with the CA to complete the domain name ownership verification.

  • You can transfer an external domain name to Alibaba Cloud. When you transfer a domain name to Alibaba Cloud, you must pay a one-year renewal fee. In this case, the transfer price is the one-year renewal price of the domain name. For more information about the fee, visit https://www.alibabacloud.com/en/domain/pricing?_p_lc=1&spm=a3c0i.145322.9153399020.1.29764635QTfgOK.

Can I use an SSL certificate in an internal network?

Yes, you can use an SSL certificate in an internal network. However, the CA needs to complete domain name ownership verification over the Internet. You must enable public access during the verification process. After the verification is complete, you can disable public access. No limits are imposed on the usage environment for an issued certificate.