though it had been working all along with that option enabled
It doesn’t always interfere. That’s why many users manage to register a custom domain with the option enabled. At some point later on, Cloudflare does not clean up the TXT records properly and the issue appears. We have observed that now multiple times with different domains. It only affects the apex.
I tried reregistration. It’s stuck in PendingAcmeApproval as well.
You need to give it a few days in between a failed registration and resubmitting. When this issue exists, the custom domains service faces a rate limit imposed by Let’s Encrypt due to the repeated failure to obtain a certificate.
few days. So, is there like a way to automatically redirect users from the custom domain to the raw canister URL when the custom domain is unavailable, such as the case when there’s that Error 400 Unknown Domain?
I’m experiencing the same issue with my apex domain mimento.ai.
The domain was working fine before — then suddenly stopped issuing a valid certificate.
www.mimento.ai continues to work without any problems.
For the apex domain, the status now loops between PendingAcmeApproval and Failed: order is unable to reach 'Ready' status.
All CAA, TXT, and _acme-challenge CNAME records are correct and DNS resolves properly.
I also deleted the previous registration request and created a new one, but the problem persists.
As a temporary workaround, I enabled Cloudflare proxy for the apex CNAME record and set up a redirect from mimento.ai → www.mimento.ai.
This avoids the certificate error, but it’s not a real fix.
Is there a known issue on the DFINITY side regarding ACME for apex domains, or any way to manually reset the challenge?
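An added check for the situation described in this thread (leftover TXT records after Cloudflare Universal SSL, and the CAA, TXT and _acme-challenge CNAME records the apex needs); it is not code from the thread or from DFINITY's tooling. It audits resolver output for an apex domain and flags a CAA that excludes Let's Encrypt, a missing _acme-challenge CNAME, or TXT records left behind at the _acme-challenge name next to that CNAME. That the leftovers sit at `_acme-challenge`, the `dig` wrapper, and the `example.com` sample records are assumptions of this example.

```python
import subprocess
from collections import defaultdict

ACME_LABEL = "_acme-challenge"
CA = "letsencrypt.org"


def audit_acme_dns(records, apex):
    """records: iterable of (owner_name, rtype, rdata) as a resolver returns them.
    Returns a list of findings; an empty list means nothing suspicious was seen."""
    by_name = defaultdict(lambda: defaultdict(set))
    for name, rtype, value in records:
        by_name[name.rstrip(".").lower()][rtype.upper()].add(value)
    apex = apex.rstrip(".").lower()
    challenge = f"{ACME_LABEL}.{apex}"
    findings = []
    # No CAA at all permits any CA; a CAA set that never names Let's Encrypt blocks issuance.
    caa = by_name[apex].get("CAA", set())
    if caa and not any(CA in v for v in caa):
        findings.append(f"CAA at {apex} does not permit {CA}")
    chal = by_name[challenge]
    if not chal.get("CNAME"):
        findings.append(f"no CNAME at {challenge}")
    # A CNAME must be the only record at its name (RFC 1034); leftover TXT records here
    # (assumed location of the records Cloudflare failed to clean up) break the delegation.
    stale = chal.get("TXT", set())
    if chal.get("CNAME") and stale:
        findings.append(f"{len(stale)} stale TXT record(s) at {challenge} alongside the CNAME")
    return findings


def fetch_records(apex, dig="dig"):
    """Live lookup via dig (needs network); returns records in the shape audit_acme_dns expects."""
    queries = [(apex, "CAA"), (apex, "TXT"),
               (f"{ACME_LABEL}.{apex}", "CNAME"), (f"{ACME_LABEL}.{apex}", "TXT")]
    out = []
    for name, rtype in queries:
        res = subprocess.run([dig, "+noall", "+answer", rtype, name],
                             capture_output=True, text=True, check=False)
        for line in res.stdout.splitlines():
            f = line.split(None, 4)  # owner TTL class type rdata
            # Keep only records owned by the queried name: dig also prints the CNAME
            # target's records, which are the live tokens, not leftovers.
            if len(f) == 5 and f[0].rstrip(".").lower() == name.lower() and f[3] == rtype:
                out.append((f[0], f[3], f[4]))
    return out


if __name__ == "__main__":
    # Constructed sample: CAA is fine, but an old TXT record lingers beside the CNAME.
    sample = [("example.com.", "CAA", '0 issue "letsencrypt.org"'),
              ("_acme-challenge.example.com.", "CNAME", "_acme-challenge.example.com.target."),
              ("_acme-challenge.example.com.", "TXT", '"old-validation-token"')]
    for finding in audit_acme_dns(sample, "example.com"):
        print(finding)
```

For a live check, run `audit_acme_dns(fetch_records("your-apex-domain"), "your-apex-domain")`.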
Which DNS provider are you using? If it is Cloudflare, are you sure you have disabled Universal SSL?
You can do that as follows: Go to your domain in the Cloudflare panel, then go to “SSL/TLS” → “Edge Certificates”, scroll all the way down and “Disable Universal SSL”.
Hey,
Yes, we’re using Cloudflare and we’ve already disabled Universal SSL, but the certificate request is still stuck in PendingAcmeApproval.
As a temporary workaround, we added a www subdomain — and that one went through successfully. The boundary node generated the certificate for the www domain without any issues, so for now we’re redirecting non-www → www as a short-term solution.
However, the non-www certificate request remains stuck in PendingAcmeApproval, and it seems like something is blocking or looping during the regeneration process.