
Causes and Handling Methods for Certificate Review Failures

Last updated: 2024-09-26 16:35:04


This document describes the possible causes of and solutions for certificate review failures.

Verification file configuration error

Note
We recommend running curl -k -v or wget -S against the verification file URL to confirm that it is reachable and returns the expected content. Check the HTTP and HTTPS URLs separately.
Possible Causes: If you chose file verification for domain verification when submitting the SSL certificate review, the review can fail for any of the following reasons:
Some pages of the site are served over HTTPS, but the verification file is deployed only under the HTTP service path and not under the HTTPS service path, so the file is not found when it is requested over HTTPS.
The site returns an error status code when the verification file is requested.
A CDN is enabled, but the verification file has not yet been synchronized to the CDN's overseas nodes.
Solution:
Deploy the verification file under both the HTTP and HTTPS service paths so that it can be accessed over HTTPS. Alternatively, temporarily disable HTTPS for all pages on the site.
Make sure the correct verification file content is returned directly at the verification file URL specified by the CA, and confirm that the file is not reached through a redirect or any other indirect means.
Note
Check whether the address shown in the browser changes to determine whether you were redirected.
Synchronize the verification file to the overseas CDN nodes, or temporarily disable overseas CDN acceleration.
Note
If you cannot modify the files on the CDN, we recommend switching to DNS verification for domain verification.
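The following script automates the check described above for both schemes. It is an added example, not Tencent Cloud code; the domain, the file path and the expected content are placeholders for the values shown in your order. Like curl -k it skips TLS verification (the certificate is not issued yet), and it refuses to follow redirects so that a redirected verification file is reported rather than silently accepted.

```python
"""Pre-submission check for file validation (added example, not Tencent Cloud code).
Placeholders: domain, CA-issued path and expected content. TLS verification is off,
like curl -k, because the certificate is not issued yet; redirects are not followed."""
import ssl
import urllib.request
from urllib.error import HTTPError, URLError

DOMAIN = "example.com"  # placeholder
PATH = "/.well-known/pki-validation/fileauth.txt"  # placeholder path from the CA
EXPECTED = b"placeholder-validation-token\n"  # placeholder content from the CA


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop at the first 3xx so a redirect is reported instead of followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def verdict(status, location, body, expected):
    """Pure decision rule used by fetch(): returns 'ok' or the reason for failure."""
    if 300 <= status < 400:
        return f"redirected ({status}) to {location}; the CA will not follow it"
    if status != 200:
        return f"server returned {status} instead of 200"
    if body.strip() != expected.strip():
        return "body does not match the expected validation content"
    return "ok"


def fetch(scheme, domain=DOMAIN, path=PATH, expected=EXPECTED, timeout=10):
    """Request the validation file over one scheme and classify the response."""
    url = f"{scheme}://{domain}{path}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # like curl -k: the cert is not issued yet
    opener = urllib.request.build_opener(NoRedirect, urllib.request.HTTPSHandler(context=ctx))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return url, verdict(resp.status, None, resp.read(), expected)
    except HTTPError as e:  # 3xx (because of NoRedirect) and 4xx/5xx land here
        return url, verdict(e.code, e.headers.get("Location"), e.read(), expected)
    except URLError as e:
        return url, f"connection failed: {e.reason}"


if __name__ == "__main__":
    for scheme in ("http", "https"):  # the CA may use either; both must work
        url, result = fetch(scheme)
        print(f"{url}: {result}")
```

Run it from outside your own network if possible, since the CA fetches the file from its own vantage point and a CDN node that has not synchronized will only show up from there.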

DNS configuration error

Possible Causes: If you chose DNS verification for domain verification when submitting the SSL certificate review, the review can fail for any of the following reasons:
The DNS record value is configured incorrectly.
With some DNS hosting providers, a query for a non-existent host record returns a value other than the expected one, so the CA receives an inaccurate result during validation.
The DNS record was not added in time. After submitting the application, you have three calendar days to add the DNS record; otherwise, the review fails.
Dynamic DNS is enabled, but the new record value has not yet been synchronized to the overseas authoritative DNS servers.
Solution:
Configure the correct DNS host record and record value.
Ignore any error your DNS provider reports about the resolution settings, add the DNS record exactly as required, and complete the domain verification.
Resubmit the application and add the DNS record within three calendar days.
Make sure the dynamic DNS service is working properly and that overseas resolvers return the newly added DNS record correctly.
Note
When you modify an existing record value, the time it takes to propagate is governed by the record's TTL, whereas a newly added record takes effect quickly. We therefore recommend completing verification by adding a new record rather than editing an existing one. After the domain verification passes, you can delete the DNS record.
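The script below checks the DNS record the way the causes above suggest: it asks each authoritative nameserver directly (so a server that has not synchronized is visible) and also queries a random name that should not exist, to catch providers that answer non-existent host records with an unexpected value. It is an added example, not Tencent Cloud code; it assumes the dig tool is installed, and the zone, record name, record type and expected value are placeholders for what the order page shows.

```python
"""Pre-submission check for DNS validation (added example, not Tencent Cloud code).
Assumes the dig tool is installed; zone, record name, type and value are placeholders.
Queries every authoritative server directly so unsynchronised servers show up, and
probes a random nonexistent name to reveal wildcard answers that confuse the CA check."""
import secrets
import subprocess

ZONE = "example.com"  # placeholder
RECORD = "_dnsauth.example.com"  # placeholder host record from the order page
RTYPE = "TXT"  # or CNAME, depending on what the CA asked for
EXPECTED = "placeholder-validation-token"  # placeholder record value


def dig_short(name, rtype, server=None):
    """Answer lines from `dig +short`, with TXT quoting removed."""
    cmd = ["dig", "+short", "+time=5", "+tries=1", name, rtype]
    if server:
        cmd.append(f"@{server}")
    out = subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    return [line.strip().strip('"') for line in out.splitlines() if line.strip()]


def evaluate(answers_by_ns, expected, probe_by_ns):
    """Pure decision rule over per-nameserver answers; returns a list of problems."""
    problems = []
    for ns, answers in answers_by_ns.items():
        if expected not in answers:
            problems.append(f"{ns}: expected value missing, got {answers or 'no answer'}")
    for ns, answers in probe_by_ns.items():
        if answers:
            problems.append(f"{ns}: nonexistent name answered {answers}; wildcard may break validation")
    return problems


def check(zone=ZONE, record=RECORD, rtype=RTYPE, expected=EXPECTED):
    """Query each authoritative nameserver for the record and for a random probe name."""
    nameservers = [ns.rstrip(".") for ns in dig_short(zone, "NS")]
    probe = f"{secrets.token_hex(6)}.{zone}"  # should not exist in the zone
    answers = {ns: dig_short(record, rtype, ns) for ns in nameservers}
    probes = {ns: dig_short(probe, rtype, ns) for ns in nameservers}
    return evaluate(answers, expected, probes)


if __name__ == "__main__":
    for line in check() or ["all authoritative servers return the expected record"]:
        print(line)
```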

Empty or invalid company phone number

For OV and EV SSL certificates, the review fails if the company phone number field is left empty or set to an invalid number when the certificate order is submitted for review.
Possible Causes: For OV and EV certificate products, the company phone number is a mandatory field. If it is left blank or does not follow the required format, it must be filled in again.
Solution: Provide a business phone number at which you can be reached promptly, so that the CA can contact you during organization information verification.

CSR file already used in other orders

Possible Causes: To protect the certificate's private key, a CSR that has already been used cannot be submitted with a brand-new order.
Solution: If you have already submitted an order successfully with a CSR file, generate a new CSR file for each subsequent new order. Giving each SSL certificate its own unique key pair improves the security of the certificate application.

Incorrect format of the domain name bound with the certificate

Possible Causes: A valid domain name can contain only letters, digits, and "-", and must not exceed 64 characters in length.
Solution: Check the domain information in both the CSR file and the order, and make sure the order was submitted with the correct domain.

Empty or incorrect primary domain name

Possible Causes: The Common Name field was not filled in correctly when the CSR file was created.
Note
The Common Name must be one of the domain names bound to the certificate.
Solution: We recommend using the system's online CSR generation feature to create the CSR file.

Domain name security review failure

When you apply for an SSL certificate, you may receive a review failure message similar to the following:
Apologies, but this domain has failed the security review by the Certificate Authority (CA) and cannot be used to apply for a Domain Validation (DV) certificate. Please consider purchasing an Organization Validation (OV) or Extended Validation (EV) certificate, or you may try applying with a different domain.
Possible Causes: Because of the CA's anti-phishing mechanism, a domain that contains sensitive words such as "bank" or "pay" fails the security review; the exact list of sensitive words is defined by the CA. Some uncommon root domains may also fail the review. For example, domain names under the .pw suffix, such as www.qq.pw and www.qcloud.pw, cannot pass the review. The following are examples of sensitive words in domain names that may cause a failure (the exact list is defined by the CA):
Private/Public IP
Host name
live (excluding the .live top-level domain name)
bank
banc
alpha
test
example
credit
pw (excluding the .pw top-level domain name)
apple
ebay
trust
root
amazon
android
visa
google
discover
financial
wordpress
pal
hp
lv
free
scp
Solution: Change the hostname part of the domain and resubmit the order. If the error persists after several hostname changes, choose a paid certificate product or apply with a different main domain.
Note
Because DV SSL certificates are issued quickly through automated validation without manual intervention, stringent sensitive-word filters are used as the verification standard.