SSL stuck on Pending in BusinessCatalyst

lukewakefield · August 3, 2017, 10:33am

Please fill out the fields below so we can help you better.

My domain is: sdworx.co.uk

I ran this command: Adobe BC handle this, we just click ‘Add’

It produced this output: ‘Pending’ Status but for 2+ days. Other domains go to ‘Active’ within 1 hour.

My web server is (include version): Adobe Business Catalyst

The operating system my web server runs on is (include version): Dot Net

My hosting provider, if applicable, is: Adobe Business Catalyst

I can login to a root shell on my machine (yes or no, or I don’t know): N/A

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Adobe Business Catalyst

We’ve done various tests with other domains and all go to ‘Active’ very quickly. This one has failed but just says pending. Please can it be put through manually or reset or something? Would it be because the domain already has an SSL certificate elsewhere? The client is asking if you use a CAA (Certification Authority Authorization) verification check before issuing a new certificate?

Thanks. This is really urgent, the site was meant to be live on Monday.

sahsanu · August 3, 2017, 12:58pm

Hello @lukewakefield,

Yes, Let's Encrypt checks if the domain is using CAA records and in this case, the domain has only one CA accepted (globalsign.com) for sdworx.co.uk:

$ dig sdworx.co.uk caa +short
0 issue "globalsign.com"

but you have a different CAA record for www.sdworx.co.uk

$ dig www.sdworx.co.uk caa +short
0 issue "letsencrypt.org"

So if you need to issue a certificate for sdworx.co.uk you need to create another "issue" for letsencrypt.org.

Good luck,
sahsanu

lukewakefield · August 3, 2017, 3:17pm

Thanks Sahsanu, really appreciate your help.

lukewakefield · August 9, 2017, 10:38am

Hi again Sahsuna,

The www is now working but the root still wont move from pending despite having exactly the same CAA record:
http://cloud.siteglide.com/lvv9 - root
http://cloud.siteglide.com/lwJ1 - WWW
Both are exactly the same.

Is there something else we need to do?

Thanks.

Luke.

sahsanu · August 9, 2017, 10:46am

Hi @lukewakefield,

For me, sdworx.co.uk doesn’t have a vaild CAA issue record:

0 issue "globalsign.com\010letsencrypt.org"

if you want both then your CAA records should appear like this:

0 issue "globalsign.com"
0 issue "letsencrypt.org"

Cheers,
sahsanu

lukewakefield · August 9, 2017, 10:52am

Thanks for the quick support again Sahsanu.

Just before I go back to the client I’d like to confirm that from your end the WWW appears differently when you do the check because the checker I used shows them both the same. I don’t want to tell the client they’re different if they’re not. If they’re the same any idea why one works and one doesn’t?

Thanks.

sahsanu · August 9, 2017, 10:54am

$ dig sdworx.co.uk caa +short
0 issue "globalsign.com\010letsencrypt.org"

$ dig www.sdworx.co.uk caa +short
0 issue "letsencrypt.org"

Cheers,
sahsanu

system · September 8, 2017, 10:55am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.