How to troubleshoot SSL certificate renewals for Cloudflare-enabled domains

This article provides instructions on how to troubleshoot problems that may occur when you try to renew an SSL certificate on a Cloudflare-enabled domain.

Problem

When you try to renew an SSL certificate on a Cloudflare-enabled domain, the renewal fails. Specifically, when you go to the SSL/TLS page in the SECURITY section of the cPanel home screen, you see the following message:

DNS DCV: No local authority: “example.com”; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

Similarly, if you have a reseller hosting account, when you go to the Manage AutoSSL page of the SSL/TLS section of WebHost Manager (WHM), you see the following message:

WARN Local HTTP DCV error (example.com): “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

Resolution

To resolve this problem, you must disable forced HTTPS connections in the Cloudflare settings for the domain. If SSL renewals still fail, there are a few other Cloudflare settings you can check.

You do not need to disable Cloudflare entirely for SSL certificate renewals. Cloudflare only needs to be temporarily disabled when an SSL certificate is installed for the first time.

To fix SSL certificate renewals for a Cloudflare-enabled domain, follow these steps:

  1. Log in to the Cloudflare account associated with the domain.
  2. On the Home tab, click the domain:

  3. Click the SSL/TLS icon, and then click the Edge Certificates tab:

  4. Click the slider to disable the Always Use HTTPS option:

    You should leave this option disabled permanently. If you want to enforce HTTPS usage on your site, you can use .htaccess redirects as described in this article. Alternatively, if you are using WordPress, you can enforce HTTPS usage as described in this article.
  5. SSL certificate renewals should now complete successfully. However, if they still fail, check the following settings in Cloudflare:

    • Automatic HTTPS Rewrites: This option is located on the Edge Certificates tab of the SSL/TLS section in Cloudflare. If it is enabled, disable it temporarily for SSL renewals.
    • SSL/TLS encryption mode: This option is located on the Overview tab of the SSL/TLS section in Cloudflare. If Full (strict) mode is enabled, set it instead to Full mode temporarily for SSL renewals.
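To confirm that the change took effect, you can check whether a plain-HTTP request to the domain is still answered with a redirect, which is the condition the DCV error message reports. The following script is an added example, not part of the original article or of cPanel or Cloudflare tooling; the request path and file name are assumptions used only as a probe, and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: detect the HTTP-to-HTTPS redirect that makes HTTP DCV fail.

# Reads raw HTTP response headers on stdin (as printed by `curl -sI`) and prints:
#   "redirect <Location>"  for a 3xx response (HTTP DCV would be refused)
#   "no-redirect <status>" for any other status (a 404 is fine for a probe file)
#   "unknown"              if no status line was seen
classify_dcv_response() {
  tr -d '\r' | awk '
    /^HTTP\// { status = $2; location = "" }
    tolower($1) == "location:" { location = $2 }
    END {
      if (status == "") print "unknown"
      else if (status ~ /^3/) print "redirect " location
      else print "no-redirect " status
    }'
}

# Sends one HEAD request over plain HTTP without following redirects.
# The path is an assumed probe location; the real DCV file name is set by the CA.
check_domain() {
  curl -sI --max-time 10 \
    "http://$1/.well-known/pki-validation/dcv-probe.txt" | classify_dcv_response
}

# Constructed sample responses, so the classifier can be tried offline.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Location: https://example.com/.well-known/pki-validation/dcv-probe.txt
Server: cloudflare'

SAMPLE_OK='HTTP/1.1 404 Not Found
Server: cloudflare'

# With a domain argument, run the live check; otherwise show the samples.
if [ -n "${1:-}" ]; then
  check_domain "$1"
else
  printf '%s\n' "$SAMPLE_REDIRECT" | classify_dcv_response
  printf '%s\n' "$SAMPLE_OK" | classify_dcv_response
fi
```

A "redirect https://..." result after you have disabled Always Use HTTPS means something else is still redirecting the request, such as an .htaccess rule on the origin server.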
