Apply for Free Certificate
EdgeOne offers free certificates with automatic application, renewal, and deployment, suitable for users with no certificate available who want to implement HTTPS access.
Note:
1. Free Certificates are issued by TrustAsia and Let's Encrypt with institution issuance. Download is not supported and SLA assurance is not provided. If needed, go to SSL Certificates for more reliable certificate guarantee.
2. The validity period of the certificate is 90 days. The platform will automatically apply for renewal 15 days before expiration with no need for manual update.
Supported Verification Methods
Free Certificates support three verification methods:
Automatic verification: Automatic verification can automatically perform free certificate application and deployment after the CNAME takes effect. EdgeOne will automatically generate the verification file for CA certificate validation at the edge node. Please ensure to configure CNAME to point to EdgeOne for the current domain name within 1 hour and avoid regional resolution to complete CA verification.
Note:
When using automatic validation to apply for a free certificate, HTTPS access of the domain will be temporarily unavailable until the free certificate application is completed.
DNS Delegation Validation: You can choose to delegate the resolution record of the subdomain required by the current CA to EdgeOne's designated domain name via a CNAME record. EdgeOne will maintain the DNS validation record required by the CA on that domain. This method is suitable for users who wish to complete the free certificate application before acceleration takes effect or apply for a wildcard certificate.
File Validation: This verification method requires creating a specified file with the verification value in the designated path under the current domain and ensuring the file is accessible. After the first successful application, the domain must still correctly point to EdgeOne via CNAME resolution to ensure the free certificate can auto-update. This method is mainly suitable for applying for a free certificate when DNS delegation validation cannot be used.
Automatic Validation
The current domain does not have an HTTPS certificate yet. You can use EO's free certificate to provide HTTPS access encryption protection for users. Since the domain traffic is low, it is acceptable if HTTPS access is temporarily unavailable for a short time. You can apply for a free certificate via automatic validation.
Refer to the operation steps:
1. Log in to the Pages console and select the target project.
2. In the left sidebar, click Domain Name Management.
3. On the domain management page, select the domain name for certificate configuration, then click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for Free Certificate, choose the verification method as Automatic Validation, and click Save.
6. Return to the domain management interface, refer to how to configure CNAME records for DNS to configure CNAME records for the current domain. Avoid using regional resolution.
7. Wait for the domain CNAME to take effect. The free certificate will be automatically deployed after the CA issues the certificate. After deployment, enter the HTTPS configuration interface again to view the current certificate status as configured.
DNS Delegation Verification
The current domain name does not yet have an HTTPS certificate. To provide HTTPS access encryption protection for users via EO's free certificate, since users must use HTTPS to access that domain name, HTTPS certificate deployment must be completed in advance. Therefore, choose to apply for a free certificate via DNS delegation verification.
Refer to the operation steps:
1. Log in to the Pages console and select the target project.
2. In the left sidebar, click Domain Name Management.
3. On the domain management page, select the domain name for certificate configuration, then click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for Free Certificate, choose the verification method as DNS Delegation Verification, and click Obtain Verification Content.
6. View the verification content that needs to be configured. In the current DNS service provider, configure the specified DNS records to delegate the domain validation records to EdgeOne's designated domain name. For example: in this example, the domain's resolution is hosted in Tencent Cloud DNS. Refer to the following steps for configuration. If the domain resolution is with other providers, see the corresponding DNS service provider's operation document configuration:
6.1 Log in to the Tencent Cloud DNS console, click the domain name to be configured in authoritative resolution, and enter the parsing configuration.
6.2 In record management, click Add Record to add a CNAME record. The host record and record value are the record information requiring configuration, obtained from the verification content.
6.3 Click Confirm, adding completed.
7. After adding the corresponding verification record, it typically takes 10-30 minutes for the verification record to take effect. It is recommended to verify the effective status using tools (for example: DNS diagnosis tool or other mdig tools) to confirm the current record configuration has taken effect correctly. If only the local machine is used for verification, it cannot represent that the DNS record has taken effect worldwide. The CA may still reject certificate issuance if the corresponding DNS record value is not detected. It is advisable to proceed to the next step only after full verification takes effect.
8. Click Verify. After verification passes, the free certificate application is completed.
9. Click Save to deploy the certificate to the current domain. After deployment, the domain name can use HTTPS to access.
File Verification
The current domain does not yet have an HTTPS certificate. To provide users with HTTPS access encryption protection using EO's free certificate, and since users must use HTTPS to access that domain name, HTTPS certificate deployment must be completed in advance. Therefore, choose to use the file verification method to apply for a free certificate.
Refer to the operation steps:
1. Log in to the Pages console and select the target project.
2. In the left sidebar, click Domain Name Management.
3. On the domain management page, select the domain name for certificate configuration, then click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for Free Certificate, choose the verification method as File Verification, and click Get Verification Content.
6. View the required verification content. For file verification, you need to upload the required .TXT file in the specified directories of the current domain site. Taking a Linux server as an example, the configuration method is as follows:
6.1 In the origin server, enter the website root directory, which is the folder for the current website's storage rather than the system's root directory.
6.2 Copy the shell command and create the required verification file in the server.
7. After adding the corresponding verification record, you can click the verification address below to confirm if the verification file is accessible. If accessible and the file content is correct, proceed to the next step.
8. Click Verify. After verification passes, the free certificate application is completed. Then click save to deploy the certificate to the current domain. After deployment, the domain name can use HTTPS to access.
Common Causes of Free Certificate Application Failure
If the free certificate application fails, you can troubleshoot based on the failure notification according to the following causes and solutions:
Note:
In addition to the following common failure reasons, it is advisable to also check these two possible causes, which may affect the issuance of free certificates:
If your domain is configured with DNSSEC, please check and ensure the DNSSEC configuration is correct. Otherwise, the free certificate application may fail due to incorrect resolution of the current domain.
Check whether the current domain has CAA records configured. If CAA records are configured, ensure they allow free certificate issuance by TrustAsia and Let's Encrypt. For example, if the current domain only allows certificate issuance by TrustAsia and Let's Encrypt, you can add the following two CAA records: 0 issue "digicert.com" or 0 issue "letsencrypt.org".
Failure Prompt | Possible Failure Reason | Solution |
The current site only supports applying for a wildcard certificate via DNS delegated verification. Please reselect the free certificate verification method. | Since free certificates for wildcard domains only support applying via DNS validation, if a site switches from NS access mode to CNAME-based access, it requires the use of DNS delegated verification to apply. Without configuring DNS delegation records, it can cause certificate application failure. | Reapply for a free certificate, choose to use DNS delegation verification, and complete the corresponding DNS delegation record configuration. |
Verification failed for DNS delegation records. Please ensure the DNS delegation records are added. If already added, wait for them to take effect and retry. | The DNS delegation verification record is not configured or has been deleted, causing the certificate application to fail. | Reapply for a free certificate, choose to use DNS delegation verification, and complete the corresponding DNS delegation record configuration. |
| The DNS record is not in effect. It takes some time for the DNS record configuration to take effect, typically 5-10 minutes, and no more than 48 hr. | Wait for the DNS record to take effect, then just verify. |
Wait for the CA to issue the certificate, please retry later. | Submitted for CA verification, waiting for the CA to issue a certificate. | Wait for a period of time and try again. |
CA verification failed completely or exceeded the time limit. Please reapply for the certificate. | The CA rejected and closed the current certificate application order since it was unable to verify the authentication value, causing this application to fail. | Reapply for the certificate. |
Automatic validation failed. Please ensure the domain CNAME is configured and avoid using line-based resolution. If adding is completed, retry after the CNAME takes effect. | Since the CA's Verification Servers are primarily located outside the Chinese mainland, if the current domain is configured with line-based or regional resolution, it will cause the verification organization to be unable to access the designated verification file, leading to verification failure. | Solution 1: Point all domain name resolution in ALL regions to EO, especially North America. Option 2: Apply for a free certificate via DNS delegation verification. |
| CNAME is not configured correctly as per the instructions. | |
| The CNAME is correctly configured. After configuring the DNS resolution record, it typically takes 5-10 minutes to take effect. You have to wait until it is completely effective before verification passes. | Confirm the configuration is correct, then just wait for the DNS configuration to take effect. |
| The current domain has a security policy that only allows access requests originating from specified regions, causing the CA to be unable to access the designated authentication value and resulting in application failure. | Option 1: Check current domain name security policy and disable the blocklist policy for CA verification requests. Option 2: Apply for a free certificate via DNS delegation verification. |
The DNS server does not point to EdgeOne correctly. | It mainly occurs in access mode when the current domain's NS server does not point to EdgeOne correctly, which can cause the DNS record to take effect improperly, so certificate validation failure occurs. | Modify the NS server to point to EdgeOne. |
The DNS server does not point to DNSPod correctly. | It mainly occurs in DNSPod hosting access mode when the current domain's NS server does not point to DNSPod correctly, which can cause the DNS record to take effect improperly, so certificate validation failure occurs. | Modify the NS server to point to DNSPod. |
DNS verification failed. Please retry later. | Possibly due to the current DNS record not in effect. After switching the NS server, it typically needs 0-48 hr to take full effect before the corresponding DNS record can come into effect. | Wait patiently for the NS server to take full effect, then reopen the settings to apply for a free certificate. |
File verification failed. | When using the file verification method, the designated file address cannot be accessed or the file content is incorrect. | When using file verification, ensure the designated verification file is accessible. |
Failed to create TXT verification record. | In the NS/DNSPod hosting access mode, when applying for a free certificate, EdgeOne will automatically create the required TXT record in DNSPod for certificate verification. Creation may fail due to record conflict or TXT record length exceeding the limit. | 1.Check if there is a record conflicting with the current TXT verification record to be created, and delete conflicting records; 2.Check the number of existing TXT records under the current host record to be created. The total length of TXT records in DNSPod cannot exceed 4096 bytes. You can delete extra TXT records and try again. 3.If it is the DNSPod hosting access mode, check whether the preset role TEO_QCSLinkedRoleInDnspodAccessEO currently exists. EO will auto-create the required TXT records for verification via this role. |
Application failed. Retry. | Other unknown errors. | Reapply for a free certificate. If still unable to apply, contact us to further confirm the reason. |
