Introduction

An SSL certificate can stay stuck in pending validation even when the request itself was created correctly. The bottleneck is usually challenge visibility: the certificate authority must be able to fetch the exact DNS or HTTP proof it expects, on the exact hostname it is validating, without a proxy, redirect, or stale DNS answer getting in the way. The fix is to trace the validation path the CA actually uses instead of retrying issuance blindly.

Symptoms

  • A certificate request stays in pending validation far longer than expected
  • DNS or HTTP validation appears configured, but the CA does not complete issuance
  • One hostname validates while another remains pending
  • Validation worked before, but renewals now stall
  • The issue started after DNS, CDN, redirect, or hosting changes

Common Causes

  • The CA cannot see the expected DNS TXT record or HTTP challenge file
  • A proxy, CDN, or redirect changes the validation path before it reaches the origin
  • The requested hostnames do not match the domains actually configured for validation
  • Stale cached DNS answers, an AAAA record that points at a host which does not serve the challenge, or split-horizon DNS send the CA to the wrong place
  • CAA policy, mail validation settings, or account ownership changed during renewal

Step-by-Step Fix

  1. Confirm which validation method the certificate authority is using for the pending certificate request.
  2. Check the exact hostname list on the certificate order so you validate the same domains the CA is checking.
  3. Verify the DNS TXT record or HTTP challenge response from the public internet, not just from your server or control panel.
  4. Review whether a CDN, reverse proxy, or force-HTTPS rule changes the validation request before it reaches the expected destination.
  5. Inspect authoritative DNS answers for the hostname, including A, AAAA, CNAME, and TXT records that may affect validation path or routing.
  6. Check for CAA restrictions or renewal-automation changes if the same certificate provider suddenly stopped issuing.
  7. Remove stale or conflicting validation artifacts only after you know which one the CA should be seeing now.
  8. Retry validation after the public challenge path is correct and stable on every relevant hostname.
  9. Keep certificate ownership, challenge method, and DNS dependencies documented so renewals do not stall during future infrastructure changes.
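
The script below is an added example, not part of the original page, and turns steps 3 through 6 into checks that model what the CA sees. Each check takes the answers you gather from outside your network (`dig +short` against the authoritative nameserver, and the status, body and Location headers from a redirect-following fetch of the challenge URL) and reports which of the causes listed above applies. The hostnames, tokens, digests and IP addresses in it are constructed sample data; the DNS-01 and HTTP-01 rules it encodes follow RFC 8555, and the CAA rules follow RFC 8659.

```python
"""Model the CA's view of an ACME challenge. Added example; not the page's own code.

Inputs are what you observe from OUTSIDE your network, for example:
  dig +short TXT _acme-challenge.www.example.com @ns1.example-dns.invalid
  dig +short A   www.example.com @ns1.example-dns.invalid   (also AAAA and CAA)
  curl -sS -L -D - http://www.example.com/.well-known/acme-challenge/<token>
All hostnames, tokens and addresses below are constructed sample data.
"""
import re
from urllib.parse import urlsplit

ACME_PATH = "/.well-known/acme-challenge/"


def parse_dig_txt(dig_output):
    """Turn `dig +short TXT` output into plain strings.
    dig prints one record per line as quoted chunks: "abc" "def" -> abcdef."""
    values = []
    for line in dig_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks:
            values.append("".join(chunks))
    return values


def check_dns01(txt_values, expected):
    """DNS-01 (RFC 8555 s8.4): the CA needs one TXT value equal to the digest it
    computed for THIS order. Extra values do not fail validation by themselves;
    they are the stale artifacts that step 7 tells you to clean up."""
    if expected in txt_values:
        findings = [("ok", "expected DNS-01 value is visible at the authoritative server")]
    else:
        findings = [("fail", f"no TXT value matches the current challenge; CA expects {expected!r}")]
    stale = [v for v in txt_values if v != expected]
    if stale:
        findings.append(("warn", f"{len(stale)} other TXT value(s) present: {stale!r}"))
    return findings


def check_http01(host, token, key_auth, status, body, redirect_chain):
    """HTTP-01 (RFC 8555 s8.3): GET http://<host>/.well-known/acme-challenge/<token>
    must end, after any redirects, in HTTP 200 with the key authorization as body.
    redirect_chain holds every Location the CA would have followed, in order."""
    findings = []
    for url in redirect_chain:
        parts = urlsplit(url)
        if not parts.path.endswith(ACME_PATH + token):
            findings.append(("fail", f"redirect to {url} drops the challenge path; "
                                     "a force-HTTPS or CDN rule is rewriting the request"))
        elif parts.hostname != host:
            findings.append(("warn", f"redirect leaves {host} for {parts.hostname}; "
                                     "that host must serve the same challenge file"))
    if status != 200:
        findings.append(("fail", f"final response was HTTP {status}, not 200"))
    elif body.strip() != key_auth:  # trailing whitespace is tolerated, nothing else
        findings.append(("fail", "response body is not the key authorization for this token"))
    else:
        findings.append(("ok", "HTTP-01 challenge body is served correctly"))
    return findings


def check_caa(caa_values, issuer, wildcard=False):
    """CAA (RFC 8659). caa_values are the effective records for the name (when the
    name has none the CA walks up to the parent, so pass those instead).
    No CAA records, or no relevant tag, means any CA may issue."""
    records = []
    for v in caa_values:
        m = re.match(r'\s*(\d+)\s+(\S+)\s+"?([^"]*)"?', v)
        if m:
            records.append((m.group(2).lower(), m.group(3).strip()))
    tag = "issuewild" if wildcard and any(t == "issuewild" for t, _ in records) else "issue"
    allowed = [val.split(";")[0].strip().lower() for t, val in records if t == tag]
    if not allowed:
        return [("ok", "no CAA restriction applies; any CA may issue")]
    if issuer.lower() in allowed:
        return [("ok", f"CAA permits {issuer}")]
    return [("fail", f"CAA {tag} set forbids {issuer}; permitted issuers: {allowed!r}")]


def check_addresses(a_records, aaaa_records, serving_ips):
    """Every published address must serve the challenge: validators try the
    AAAA address when one exists, so an IPv6 record that points elsewhere
    stalls issuance even though the site looks fine over IPv4."""
    if not a_records and not aaaa_records:
        return [("fail", "hostname has no A or AAAA record at the authoritative server")]
    findings = [("warn", f"{kind} record {ip} does not serve the challenge")
                for kind, ips in (("A", a_records), ("AAAA", aaaa_records))
                for ip in ips if ip not in serving_ips]
    return findings or [("ok", "every published address serves the challenge")]


def verdict(findings):
    """'fail' if any finding is fatal; warnings alone still let validation pass."""
    return "fail" if any(level == "fail" for level, _ in findings) else "ok"


if __name__ == "__main__":
    # Constructed observation: a renewal that stalled after a force-HTTPS rule was added.
    host, token, expected = "www.example.com", "sample-token", "sample-dns01-digest"
    findings = check_dns01(parse_dig_txt('"stale-from-last-renewal"\n"sample-dns01-digest"'), expected)
    findings += check_http01(host, token, token + ".sample-thumbprint", 200, "<html>",
                             ["https://www.example.com/"])
    findings += check_caa(['0 issue "letsencrypt.org"'], "letsencrypt.org")
    findings += check_addresses(["203.0.113.10"], ["2001:db8::10"], {"203.0.113.10"})
    for level, message in findings:
        print(f"{level.upper():5} {message}")
    print("verdict:", verdict(findings))
```

The check functions take already-observed data, so the script runs offline as written; to use it on a real order, paste the `dig +short` output into parse_dig_txt and take the status, final body and each Location header from a `curl -sS -L -D -` run on a host outside your network. Remember that CAA is inherited: if the hostname itself returns no CAA records, query the parent zone and pass those.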