Updated on 2024-12-13 GMT+08:00

Manual DNS Verification

According to the CA requirements, if you applied for an SSL certificate, you must prove that the domain name to be associated with the certificate belongs to you.

For manual DNS verification, you add a record to the record set configured for the domain name for verification. If the CA verifies that the added record can be resolved, the verification is successful.

If you select manual DNS verification when applying for a certificate, perform the operations described in this section.

Constraints

Manual DNS verification can be performed only on your domain name management platform by following the instructions provided by the domain name service provider.

Prerequisites

You have completed real-name authentication.

Step 1: Confirm the Verification Procedure

When you use DNS to verify your domain ownership, the DNS records can be resolved only on the platform managing your domain name. Perform the verification steps based on the domain name management platform.

Domain Name Management Platform

Verification Procedure

The domain name management platform is Huawei Cloud.

Complete all subsequent steps.

Platforms other than our platform

Are you sure you want to migrate the domain name from another service provider to Huawei Cloud DNS?
  • If your answer is "Yes", perform the following steps:
    1. Migrate the domain name from another DNS service provider to HUAWEI CLOUD DNS.
    2. Complete all subsequent steps.
  • If your answer is "No", perform the verification on the corresponding platform. For example, if your domain is hosted on Alibaba Cloud, perform the verification on Alibaba Cloud.

Step 2: Obtaining Verification Information

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose SSL Certificate Manager. In the row containing the desired certificate, click Verify Domain Name in the Operation column. The Verify Domain Name page is displayed.
  4. On the Verify Domain Name page, view the content for Host Record, Record Type, and Record Value. Figure 1 shows an example.

    If Host Record, Record Type, and Record Value are not displayed, log in to the mailbox to view. The mailbox is the one you provide during certificate application.
    Figure 1 Viewing a host record

Step 3: Performing Verification Using Huawei Cloud DNS

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Networking > Domain Name Service. In the navigation pane on the left, choose Public Zones to go to the Public Zones page.
  3. In the public zone list, click the domain name you want to add a record set for. In the upper right corner of the page, click Add Record Set.

    • Different types of record sets should be added for DNS verification of different domain name types.
      • For a single-domain certificate, if the domain name does not contain www, add a record set for the domain name. If the domain name contains www, add a record set for the corresponding higher level domain name. For example, if your certificate is used for domain name www.example.com, add a record set for example.com.
      • For a multi-domain certificate, add record sets for all domain names associated with the certificate.
      • For a wildcard-domain certificate, add a record set for the higher level domain name corresponding to the wildcard domain.

        For example, if your certificate is used for domain name *.example.com, add a record set for example.com.

    • If there is a DNS record of the corresponding type in the domain name list, click Modify in the Operation column. Modify the record in the displayed Modify Record Set dialog box.
    Figure 2 Adding a record set
    Table 1 Parameters for adding a record set

    Parameter

    Description

    Name

    Host record returned by the domain name service provider on the domain name verification page of the certificate.

    Type

    Record type returned by the domain name service provider on the domain name verification page.

    Alias

    Select No.

    Line

    Select Default.

    TTL (s)

    Set this parameter to 5 min. A larger TTL value indicates less frequency of DNS record synchronization and update.

    Value

    Record value returned by the domain name service provider on the domain name verification page of the certificate.

    NOTE:

    Record values must be quoted with quotation marks and then pasted in the text box.

    Keep other settings unchanged.

  4. Click OK.

    If the status of the record set is Normal, the record set is added successfully.

    The record set can be deleted only after the certificate is issued.

Step 4: Checking Whether Domain Ownership Verification Takes Effect

  1. On the Windows menu, click Start and enter cmd to start the command dialog box.
  2. Check whether the DNS configuration takes effect by running the corresponding command listed in Table 2.

    Table 2 Verification commands

    Record Type

    Verification commands

    TXT

    nslookup -q=TXT xxx

    CNAME

    nslookup -q=CNAME xxx

    xxx indicates the Host Record value returned by the domain name service provider.

    • If the record value in the command output (value of text) is the same as that returned by the domain name service provider, the configuration of domain name ownership verification has taken effect. Figure 3 shows an example.
      Figure 3 Effective configuration of domain name ownership verification
    • If the command output does not contain any records and Non-existent domain is displayed, the configuration does not take effect.
      Figure 4 Non-effective domain name verification configuration

  3. If the configuration of DNS verification does not take effect, rectify the fault based on the following possible causes until the verification takes effect:

    Table 3 Possible causes

    Possible Cause

    Procedure

    A wrong domain name management platform was selected.

    DNS verification can be performed only on the platform where your domain name is hosted. Check whether the platform you select is the right one.

    The old record set is not deleted.

    The record added can be deleted once the current certificate is issued.

    If the record added for the previous certificate is not deleted, the record added for the current certificate will not take effect. Check whether the record added last time is deleted.

    The record configuration is incorrect.

    Check settings of Host Record, Type or Value.

    Figure 5 Adding a record

    It requires a long period of time for the configuration to take effect.

    Check whether the effective time (TTL) is too long. It is recommended that you set the TTL to 5 minutes. This value varies depending on the DNS service provider. In Huawei Cloud DNS, the default value is 5 minutes, so the configuration takes effect in 5 minutes by default.

    If the configured effective time does not arrive, verify after the time is right.

    Figure 6 Setting TTL

Step 5: Review the DNS Verification Result

  • OV and EV certificates

    After you complete the verification, it still takes 2 to 3 working days for the CA to validate your DNS verification. The CA will not issue the certificate until they validate your DNS verification.

    If the verification fails or other problems occur, contact the CA using the information provided in the CA's validation email.

  • DV certificates
    You can manually verify the result on the domain name verification page.
    1. Log in to the management console.
    2. In the navigation pane on the left, choose SSL Certificate Manager. In the row containing the desired certificate, click Verify Domain Name in the Operation column. The Verify Domain Name page is displayed.
    3. Click Verify to verify the DNS resolution configuration.
      • If the system displays "Verification succeeded. Your certificate is on the way.", the certificate will be issued within 1 minute. Refresh the page to view the certificate status then.
      • If the verification fails, fix issues by referring to Why Did the DNS Verification for a DV Certificate Fail? Then, perform the verification again 3 to 5 minutes later.

Why Did the DNS Verification for a DV Certificate Fail?

Failure Message

Solution

Too many verification requests. Try again later.

You may submit too many verification requests in a short time. Wait for 3 to 5 minutes and then perform the verification.

DNS records do not match.

The DNS record value is incorrect. Obtain the correct record value by referring to Step 2: Obtaining Verification Information and reconfigure the DNS record value.

DNS verification failed. Try again later.

Check whether the following problems exist:

  • Problem 1: The DNS record does not take effect.

    Solution: The configured DNS record does not take effect immediately, which depends on the TTL time set on your DNS server. So, wait for 3 to 5 minutes and then perform the verification again.

  • Problem 2: DNS records are correctly configured, but the verification still fails.

    Solution: The CA verification server is located outside China. There might be network errors sometimes. Try again about 1 to 2 hours later.

  • Problem 3: The domain name has not been licensed or passed the real-name authentication.

    Solution: Have the domain name licensed and complete real-name authentication first. Then, verify the domain name ownership again.

  • Problem 4: The domain name has a CAA record set.

    Solution: Delete all CAA records from the domain name resolution record sets.

  • Problem 5: The CA verification server does not find the DNS resolution record.

    Solution: The CA verification server is located outside China. So, you need to allow servers outside China to access the domain name temporarily.