When hosting a US.KG domain on Cloudflare recently, you might encounter issues with Google CA. Google CA may have placed restrictions on the US.KG zone (the recent surge in registrations might have triggered them, but we don't know), so newly registered domains might not be able to get a Google CA certificate (a certificate from Google Trust Services, GTS). Affected users will see a Pending Validation (TXT) status.
To resolve this issue, you need to use the Cloudflare API to switch the edge certificate issuer. For detailed documentation, please refer to: Cloudflare API Documentation.
You can also refer to this simple guide to help you switch to Let’s Encrypt as the edge certificate issuer:
1. Get the domain Zone ID and API Keys:
Zone ID:
API Token:
After entering the password, note down the Zone ID and API Keys.
2. Use Curl to request the API.
On Windows CMD:
a. Open Windows Terminal (or Command Prompt)
b. Enter:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<Domain Zone ID>/ssl/universal/settings" ^
-H "X-Auth-Email: <Cloudflare EMail>" ^
-H "X-Auth-Key: <API Key>" ^
-H "Content-Type: application/json" ^
--data "{\"enabled\":true,\"certificate_authority\":\"lets_encrypt\"}"
On Linux (or Unix-like):
a. Open Terminal or SSH
b. Enter:
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/<Domain Zone ID>/ssl/universal/settings" \
-H "X-Auth-Email: <Cloudflare EMail>" \
-H "X-Auth-Key: <API Key>" \
-H "Content-Type: application/json" \
--data '{"enabled":true,"certificate_authority":"lets_encrypt"}'
Replace <Domain Zone ID>, <Cloudflare EMail>, and <API Key> with the values you noted down.
3. Python Script:
import requests

def update_ssl_settings(domain_zone_id, email, api_key):
    """Switch the zone's Universal SSL issuer to Let's Encrypt."""
    url = f"https://api.cloudflare.com/client/v4/zones/{domain_zone_id}/ssl/universal/settings"
    headers = {
        "X-Auth-Email": email,
        "X-Auth-Key": api_key,
        "Content-Type": "application/json",
    }
    data = {
        "enabled": True,
        "certificate_authority": "lets_encrypt",
    }
    # A timeout keeps the script from hanging if the API is unreachable
    response = requests.patch(url, headers=headers, json=data, timeout=30)
    return response.json()

# Replace the placeholders with the values you noted down
domain_zone_id = "<Domain Zone ID>"
email = "<Cloudflare EMail>"
api_key = "<API Key>"
response = update_ssl_settings(domain_zone_id, email, api_key)
print(response)
Returned result:
{"result":{"enabled":true,"certificate_authority":"lets_encrypt"},"success":true,"errors":[],"messages":[]}
Once finished, wait 10 minutes or longer for the SSL edge certificate to be issued.
This issue is caused by Cloudflare and Google CA. We are actively reporting and addressing this problem to ensure the proper issuance of Google CA certificates.
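A variant of the Python script in step 3 that authenticates with a scoped API token (`Authorization: Bearer`) instead of the account-wide Global API Key, checks the `success` field of the response, and reads the setting back with a GET to confirm the change; this is an added example, not code from the original guide. Assumptions: the environment variable names `CF_ZONE_ID` and `CF_API_TOKEN` are hypothetical, zone IDs are taken to be 32 lowercase hex characters, and the token must be allowed to edit the zone's SSL and certificate settings.

```python
import json
import os
import re
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def build_request(zone_id, token, method="GET", body=None):
    """Build a request for the Universal SSL settings endpoint used on this page."""
    # Assumption: zone IDs are 32 lowercase hex characters; reject anything
    # else so a mis-pasted value cannot alter the URL path.
    if not re.fullmatch(r"[0-9a-f]{32}", zone_id):
        raise ValueError("zone ID should be 32 lowercase hex characters")
    data = json.dumps(body).encode() if body is not None else None
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/ssl/universal/settings",
        data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})

def issuer_from_response(payload):
    """Return certificate_authority from a Cloudflare response envelope."""
    if not payload.get("success"):
        # Surface API errors instead of just printing the envelope
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    result = payload.get("result") or {}
    if not result.get("enabled"):
        raise RuntimeError("Universal SSL is not enabled for this zone")
    return result.get("certificate_authority")

def switch_to_lets_encrypt(zone_id, token):
    """PATCH the issuer, then GET the setting back to confirm it was stored."""
    patch = build_request(zone_id, token, "PATCH",
                          {"enabled": True, "certificate_authority": "lets_encrypt"})
    for req in (patch, build_request(zone_id, token)):
        with urllib.request.urlopen(req, timeout=30) as resp:
            issuer = issuer_from_response(json.load(resp))
        if issuer != "lets_encrypt":
            raise RuntimeError(f"unexpected issuer: {issuer!r}")
    return issuer

if __name__ == "__main__":
    # Hypothetical variable names; credentials are read from the environment
    # so they do not land in shell history or in the script file.
    print(switch_to_lets_encrypt(os.environ["CF_ZONE_ID"], os.environ["CF_API_TOKEN"]))
```

A token limited to one zone's SSL settings can be revoked on its own if it leaks, whereas the Global API Key grants access to the whole account.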