What are the common reasons for certificate issuance failure?
1. The current domain has a CAA record.
The domain name holder has set a CAA record that authorizes only specific CAs to issue SSL certificates for the domain. A CA must honor the domain's CAA record, so if it finds that it is not authorized, it will refuse to issue an SSL certificate for the domain.
Solution
The domain name holder should go to the DNS platform that hosts the domain and either delete the CAA record or add the name of the certificate's CA to the CAA record. After the change takes effect, reapply for the certificate.
Note:
If you use GitHub Pages and CNAME your domain to a github.io domain, the CAA policy of github.io is also applied to your domain, which can block certificate issuance. For this special situation, you can pause the CNAME record before the certificate is issued, or add trust-provider.com, globalsign.com, and sectigo.com to the CAA record.
Note:
What is a CAA record?
CAA (Certification Authority Authorization) is a DNS record type used to reduce the misissuance of SSL certificates. Since September 8, 2017, CAs have been required to perform CAA checks before issuing SSL certificates. Domain administrators set CAA records in their domain's DNS configuration.
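The following added example (not part of the original page) shows the decision a CA makes from CAA records: it climbs the DNS tree to find the closest CAA record set, then checks the issue/issuewild tags. The zone data, domain names, and CA domains are constructed for illustration, and the example does not model CNAME handling, which depends on the CA's resolver.

```python
# Added example: decide whether a CA may issue for a name under constructed CAA data.
from typing import Dict, List, Tuple

# Constructed zone data: name -> list of (tag, value) CAA records.
# An empty list means the name exists but carries no CAA records.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.com": [("issue", "sectigo.com"), ("issuewild", ";")],
    "blog.example.com": [],       # inherits example.com's policy
    "open.example.org": [],       # no CAA anywhere up the tree
}


def relevant_caa(name: str) -> List[Tuple[str, str]]:
    """Return the closest non-empty CAA record set, climbing towards the root."""
    labels = name.lower().rstrip(".").split(".")
    while labels:
        records = ZONE.get(".".join(labels), [])
        if records:
            return records
        labels.pop(0)          # move to the parent name
    return []


def ca_authorized(name: str, ca_domain: str, wildcard: bool = False) -> bool:
    """True if ca_domain may issue for name (or *.name when wildcard is True)."""
    records = relevant_caa(name)
    if not records:
        return True            # no CAA records: issuance is not restricted
    tag = "issuewild" if wildcard else "issue"
    values = [v for t, v in records if t == tag]
    if wildcard and not values:
        # No issuewild records: the issue records govern wildcards as well.
        values = [v for t, v in records if t == "issue"]
    if not values:
        return True            # record set has no issue tags, e.g. only iodef
    # The issuer domain precedes any ";param=value" part; an empty issuer
    # (the value ";") means no CA at all may issue.
    issuers = {v.split(";")[0].strip().lower() for v in values}
    issuers.discard("")
    return ca_domain.lower() in issuers
```

Adding a second ("issue", "globalsign.com") record to example.com would be the "add the CA to the CAA record" fix described above.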
2. In file validation mode, the domain's website does not support access from outside the mainland.
The website bound to the certificate restricts access from overseas IP addresses. Because the CAs that issue international certificates are generally overseas organizations, they cannot fetch the validation file, and certificate issuance fails.
Solution
Make sure the validation file is served on port 80 or 443 and that the validation value can be fetched from all regions. If your server restricts access from outside the mainland, add the CA's IP addresses to the access whitelist. After the certificate is issued or the domain name information is approved, the validation files and directories can be removed.
Note:
Common IP of CA organization:
91.199.212.132, 91.199.212.133, 91.199.212.148, 91.199.212.151, 91.199.212.176, 54.189.196.217
3. The certificate application involves high risk and has undergone manual review.
The certificate you applied for did not pass the risk control check of the certificate issuing authority. Possible reasons include the bound domain name being suspected of containing an industry brand, a trademark, a prohibited word, or another term the risk control system treats as sensitive. As a result, the certificate has entered the manual review stage (the review is performed by the CA, not by Tencent Cloud).
Solution
Please wait for the result of the manual review. If the review does not pass, you can change the domain name and reapply. If you cannot change the domain name, you can choose to purchase an Organization Validation (OV) or Extended Validation (EV) certificate instead. OV/EV certificates undergo an enterprise information review, and the certificate can be issued normally once that review passes.
Why does the order status remain unchanged despite receiving a notification from the CA institution?
While your information is being reviewed and your certificate is being issued, the CA may send you emails about the progress of your certificate application. If the order status in the Tencent Cloud SSL Certificate Service Console remains unchanged, this is usually because the CA has not yet pushed the update to Tencent Cloud. It is recommended that you wait a while and then check the order status again.