Troubleshooting SSL Validation Issues: CNAME Record Validation
Overview
This article helps you complete Domain Control Validation (DCV) when Sectigo cannot verify your CNAME record. You will identify common CNAME and Domain Name System (DNS) issues, apply the correct fix for each one, and confirm the record is publicly resolvable so the certificate can be issued. It covers the common issues you may see, the fix for each, and alternative validation methods if CNAME validation continues to fail.
Common issues
Most CNAME DCV failures fall into one of three patterns. Use the table to match the symptom you see to its cause and fix, then jump to the matching subsection below for detail.
| Symptom | Cause | Fix |
|---|---|---|
| Sectigo reports the CNAME record as missing or incorrect | Host or target value in the Canonical Name (CNAME) record does not match what Sectigo provided | Recreate the record with the exact host and target Sectigo issued; see Verify the CNAME record |
| DNS appears propagated but validation still fails | Trailing dot is missing from the target value so DNS appends your domain suffix | Add the trailing dot to the target (for example, abc123.sectigo.com.); see Confirm the trailing dot |
| Issuance is delayed beyond the expected window | DNS propagation or resolver caching has not completed globally | Wait up to 24-48 hours and recheck with a public resolver; see Check DNS propagation |
Verify the CNAME record
Open your DNS provider's console and confirm both the host and the target value match what Sectigo issued exactly, character for character, including any required trailing dot.
- Example host: _abc123.example.com
- Example target: abc123.sectigo.com.
Use a public lookup tool such as dig, nslookup, DNSChecker, or WhatIsMyDNS to confirm the record is visible from outside your network.
Check DNS propagation
DNS changes can take up to 24-48 hours to propagate globally. Query several public resolvers; if the record is still not visible after 48 hours, ask your DNS provider to flush their cache or check for a conflicting record.
Confirm the trailing dot
A missing trailing dot causes DNS to append your own domain to the target, producing an invalid value that Sectigo cannot validate.
- Correct: abc123.sectigo.com.
- Incorrect: abc123.sectigo.com
Validate the unique value
If Sectigo issued a unique token for your CNAME record, confirm the exact token is present in the target value of the record you published.
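The checks from the sections above can be scripted. The following is an added example, not Sectigo tooling: the function names are hypothetical, the host and target are this article's example values, and the resolver list (1.1.1.1, 8.8.8.8, 9.9.9.9) is an assumption you can override.

```shell
#!/bin/sh
# Lowercase a DNS name and strip one trailing dot so names compare cleanly.
norm() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# classify_cname EXPECTED_TARGET ZONE OBSERVED
# OBSERVED is the CNAME target a resolver returned (empty if no answer).
# Prints one of: ok | missing | no-trailing-dot | mismatch
classify_cname() {
  c_want=$(norm "$1"); c_zone=$(norm "$2"); c_got=$(norm "$3")
  if [ -z "$c_got" ]; then
    echo missing            # not published, or not propagated to this resolver
  elif [ "$c_got" = "$c_want" ]; then
    echo ok                 # target matches the issued value exactly
  elif [ "$c_got" = "$c_want.$c_zone" ]; then
    echo no-trailing-dot    # your own domain was appended to the target
  else
    echo mismatch           # wrong target or wrong unique token
  fi
}

# check_dcv HOST EXPECTED_TARGET ZONE [RESOLVER...]
# Queries each public resolver with dig and prints a status per resolver.
# Returns 0 only if every resolver sees the expected target.
check_dcv() {
  host=$1; target=$2; zone=$3; shift 3
  [ $# -gt 0 ] || set -- 1.1.1.1 8.8.8.8 9.9.9.9   # assumed default resolvers
  rc=0
  for r in "$@"; do
    answer=$(dig +short CNAME "$host" "@$r" | head -n 1)
    status=$(classify_cname "$target" "$zone" "$answer")
    printf '%-10s %-16s %s\n' "$r" "$status" "${answer:-<no answer>}"
    [ "$status" = ok ] || rc=1
  done
  return $rc
}

# Live use with the article's example values:
#   check_dcv _abc123.example.com abc123.sectigo.com. example.com
```

A `missing` result from only some resolvers points to propagation or caching; `no-trailing-dot` or `mismatch` from all of them points to the published record itself.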
Alternative validation methods
If CNAME validation continues to fail after the fixes above, switch the certificate request to Email-based DCV from your Sectigo order. Email DCV does not depend on DNS changes and usually completes within minutes.
Similar questions
- Why is my Sectigo CNAME DCV record not validating?
- How do I fix a missing trailing dot in a CNAME record?
- How long does CNAME DCV propagation take?
- Can I switch from CNAME to email validation mid-order?