This page shows you how to resolve certificate issuance issues that might occur when you issue and attach SSL (TLS) certificates, or provision certificates with DNS authorizations.
Troubleshoot certificate issuance
The most common cause of failed issuance (or renewal) is due to invalid or missing DNS records, which prevent Certificate Manager from validating domain ownership.
- Check that the DNS record can be reached via public DNS. The value of
the
_acme-challenge
CNAME record (the underscore is required) for your domain should return the value provided in thednsResourceRecord.data
from when you created the authorization. You can use Google Public DNS to quickly check that the record is resolvable and valid. - Ensure that the domains you are requesting certificates for either
match, or are subdomains of, the authorizations you are associating with
the certificate request. For example, an authorization for
media.example.com
allows you to issue certificates formedia.example.com
,uk.media.example.com
andstaging.media.example.com
, but notwww.example.com
. - Existing CAA records on your
domain might prevent Certificate Manager from issuing certificates for
your domain. You should ensure that there is a CAA record for
pki.goog
to allow Google to issue certificates for your authorized domains. If the issue is due to a CAA record restriction, thefailure_reason
field in the API response contains a value ofCAA
. - You can only attach certificates with scope
EDGE_CACHE
to an Edge Cache Service. If you did not explicitly specify a scope ofEDGE_CACHE
when creating the certificate, you must re-issue the certificate using an existing DNS authorization.
When creating a certificate with multiple domain names, any invalid domain authorization prevents the certificate from being issued or renewed. This ensures that all of your requested domains are included in the issued certificate. Make sure that the DNS record, domain name, and CAA record configuration are valid for each of the domains associated with a certificate.
Failure reasons
The following table describes the failure reasons that might be returned when attempting to issue a certificate, their causes, and suggested fixes:
Type | Error | Troubleshooting Steps |
---|---|---|
DNS Authorization | CONFIG | We were unable to validate the certificate via DNS. In most cases, this means the DNS record is missing, invalid (incorrectly copied), or you are trying to issue a certificate for a subdomain that is not a child of the authorized domain. |
DNS Authorization | CAA | Certificate issuance is prohibited by the current set of [CAA records](/media-cdn/docs/ssl-cerificates#caa-records-roots) associated with the domain or the CAA record might have only just been updated. |
DNS Authorization | RATE_LIMITED | (Uncommon) You might be issuing certificates at a rate faster than accepted by the CA or domain (for example, tens per minute or more). |
Certificate | AUTHORIZATION_ISSUE | The individual domain failed authorization. Check the value of managed.authorizationAttemptInfo.failureReason for the domain to understand why authorization might have failed. |
What's next
- Read Configure SSL certificates.
- Understand client connectivity and protocol support.
- Review how SSL (TLS) connections are made to your origins.