Documentation

An SSL certificate for a domain has failed to generate or renew

Check For Redirects

This is especially important if you're using a proxy CDN like CloudFlare.

The SSL certificate provisioning process ensures that each and every domain that you have linked to your project is able to respond with a predefined string when requested.

The string for each domain and subdomain is different. This means that if you have a redirect set up in a proxy CDN, redirecting traffic from www.test.com to test.com, an incorrect verification string will be returned because the wrong domain is being queried!

To prevent this from happening you can add a redirect exception for any URL paths beginning with .well-known.

In CloudFlare this might look like:

Because CloudFlare will only match against one PageRule, the match against .well-known will always take precedence over the redirect to the non-www domain, effectively creating a redirect exception.

(The rule to set the 'Cache Level' to 'Standard' is just to get the PageRule to save, it can be set to anything inconsequential.)

Check for AAAA Records

If your DNS records contain any AAAA records for the domain being validated, remove them. Servd does not currently support IPv6 addressing for its inbound traffic.