How to troubleshoot SSL certificate renewals for Cloudflare-enabled domains

This article provides instructions on how to troubleshoot problems that may occur when you try to renew an SSL certificate on a Cloudflare-enabled domain.Table of Contents

• Problem
• Resolution

Problem

When you try to renew an SSL certificate on a Cloudflare-enabled domain, the renewal fails. Specifically, when you go to the SSL/TLS page in the SECURITY section of the cPanel home screen, you see the following message:

DNS DCV: No local authority: “example.com”; HTTP DCV: “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

Similarly, if you have a Reseller hosting account, when you go to the Manage AutoSSL page of the SSL/TLS section of WebHost Manager (WHM), you see the following message:

WARN Local HTTP DCV error (example.com): “cPanel (powered by Sectigo)” forbids DCV HTTP redirections.

Resolution

To resolve this problem, you must disable forced HTTPS connections in the Cloudflare settings for the domain. If SSL renewals still fail, there are a few other Cloudflare settings you can check.

You do not need to disable Cloudflare entirely for SSL certificate renewals. Cloudflare only needs to be temporarily disabled when an SSL certificate is installed for the first time.

To fix SSL certificate renewals for a Cloudflare-enabled domain, follow these steps:

1. Log in to the Cloudflare account associated with the domain.
2. On the Home tab, click the domain:
3. Click the SSL/TLS icon, and then click the Edge Certificates tab:
   
4. Click the slider to disable the Always Use HTTPS option:
   You should leave this option disabled permanently. If you want to enforce HTTPS usage on your site, you can use .htaccess redirects as described in this article. Alternatively, if you are using WordPress, you can enforce HTTPS usage as described in this article.
5. SSL certificate renewals should now complete successfully. However, if they still fail, check the following settings in Cloudflare:
   • Automatic HTTPS Rewrites: This option is located on the Edge Certificates tab of the SSL/TLS section in Cloudflare. If it is enabled, disable it temporarily for SSL renewals.
   • SSL/TLS encryption mode: This option is located on the Overview tab of the SSL/TLS section in Cloudflare. If Full (strict) mode is enabled, set it instead to Full mode temporarily for SSL renewals.