
Troubleshooting Domain Control Validation (DCV)

Change Approval Method Settings

For almost all products you can change the domain validation method using the “Change Approval Settings/Method” button at the bottom of your order details page.

You can also use this button to force a system ping if you have posted the record/file but approval seems to be taking a long time (an hour or more without validation usually means there is an issue with the record).

Click the Change Approval Method button on the Order Details page to access your approval method options. You can then use the Save button, or switch the method to another option, save, and switch it back to the original method requested to ping the record again. If validation still doesn’t work, review the troubleshooting options below. 

Email Validation 

Email-based domain validation can often be the fastest and easiest method. However, because the DCV email is sent from a “no-reply” address by an automated system, it is often blocked or improperly sorted.

If you do not see the DCV email right away, please check the junk folder and spam filters. If you still can’t find it, we advise whitelisting the CA validation team’s IP addresses and main email addresses on your mail server or firewall. Once these addresses are whitelisted, you can use the Resend DCV Email button on your Order Details page to send the email again.

IPs

  • Sectigo: 91.212.12.133, 91.199.212.132, 91.199.212.133, 91.199.212.151, 91.199.212.176
  • DigiCert: 216.168.247.9, 34.213.233.92, 64.58.225.115, 142.0.167.190, 142.0.167.189, 142.0.167.188, 216.168.240.0/20
    Allow connections by user agent DigiCert DCV Bot/1.1

Emails (DigiCert)

DCV Email are sent from

Support:

  • ssltechsupport@digicert.com
  • support@digicert.com

Whitelisting may also be required for HTTP and DNS/CNAME validation to be sure the vendor system can properly reach your server. 

HTTP Validation

The Authentication File should always be posted under these folders/directories:

  • domain.com/.well-known/pki-validation/filename.txt
    Note: you may need to enable “show hidden files/folders” to be sure the folder is not already created, since you can’t have 2 folders with the same name.
  • For Windows servers, the first folder must be named “.well-known.” (with a trailing dot), as you may encounter an error when naming the folder without the trailing dot at the end of the name.

For example, a cPanel file posting would look like this:

Traffic Redirect Issues

HTTP re-directs to HTTPS:

Please be sure you have the right option selected on your order. While Comodo can approve domains on HTTP or HTTPS, you need to select the option that corresponds to where you have the record on your server so the CA’s system will check the right location.

Root domain redirects to www: 

In most cases, if the root domain has a properly functioning traffic forward to www, the record will get approved as is. However, in some cases (a CDN, too many redirects, server time-outs, etc.) the redirect will need to be removed to facilitate domain approval. If you can, it’s always best to post the file on the root domain (domain.com) and have it visible there to avoid any potential conflicts or delays.

Main domain redirects to alternate domain:

Make sure that the domain you are trying to validate does not redirect to any other domain or the validation will fail.
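The three redirect cases above can be checked before you ping the record again. The following is an added example, not code from the CA or from this knowledgebase: it classifies a redirect chain (for instance the URLs reported by a redirect-following HTTP client) against the rules on this page. The function name, the verdict labels and the example.com / example.net chains are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

DCV_DIR = "/.well-known/pki-validation/"  # directory named on this page

def review_dcv_chain(domain, selected_scheme, chain):
    """Classify a redirect chain observed while fetching the DCV file.

    domain: name being validated; selected_scheme: "http" or "https" as chosen
    on the order; chain: URLs in visiting order, final URL last.
    Returns (verdict, findings), verdict being "ok", "warn" or "fail".
    """
    root = domain.lower()
    root = root[4:] if root.startswith("www.") else root
    same_site = {root, "www." + root}
    hops = [urlsplit(u) for u in chain]
    findings = []
    for prev, cur in zip(hops, hops[1:]):
        if cur.hostname not in same_site:
            # Redirect to an alternate domain: the page says validation fails.
            findings.append(("fail", f"{prev.hostname} redirects to alternate domain {cur.hostname}"))
        elif prev.hostname == root and cur.hostname == "www." + root:
            # Usually approved as is, but may need removing (CDN, time-outs).
            findings.append(("warn", "root domain redirects to www"))
    final = hops[-1]
    if final.scheme != selected_scheme:
        # The order option must match where the file is actually served.
        findings.append(("warn", f"file is served over {final.scheme}, order selects {selected_scheme}"))
    if not final.path.startswith(DCV_DIR):
        findings.append(("fail", f"final path {final.path} is outside {DCV_DIR}"))
    levels = {level for level, _ in findings}
    verdict = "fail" if "fail" in levels else "warn" if "warn" in levels else "ok"
    return verdict, findings

# Constructed sample chains (example.com / example.net are placeholders).
FILE = DCV_DIR + "filename.txt"
DIRECT = ["http://example.com" + FILE]
TO_WWW_HTTPS = ["http://example.com" + FILE, "https://example.com" + FILE,
                "https://www.example.com" + FILE]
TO_OTHER = ["http://example.com" + FILE, "http://example.net" + FILE]

if __name__ == "__main__":
    for chain in (DIRECT, TO_WWW_HTTPS, TO_OTHER):
        verdict, findings = review_dcv_chain("example.com", "http", chain)
        print(verdict, chain[-1])
        for level, text in findings:
            print("  ", level, text)
```

A "warn" result does not mean validation will fail; it marks the cases where the page advises selecting the matching HTTP/HTTPS option or removing the redirect if approval stalls.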

DigiCert File Authentication Knowledgebase

Comodo Domain Control Validation Knowledgebase

CNAME Validation (Comodo Only)

A standard CNAME record has 2 main components: The Host Name, which starts with an underscore and ends with your domain, and the record content which is the unique value that ends in “comodoca.com” (sometimes referred to as the “Point To”). The CNAME instructions should look similar to the table below (please note that the values are unique for each order request):

Alias / Host Name: _B12BC9153289B550557DCDEF130179D9.arcalienelms.com

Point to / Record Content: DFE8EEBA5D67059235741EA4553C575D.2EB03838D9477DE765AF23235E4E32DC.rC5I5TasV55F5vAJ559D.comodoca.com

When it is posted correctly and tested with a public tool (such as MXToolbox, shown in the screenshot below) it should show both values like this:

However, in some cases the domain host automatically adds your domain to any record that you add, even if you include the domain name when you create the record. In this case, when you follow the instructions and copy/paste the full Host Name record, it actually has your domain on it twice, like this:

To resolve the issue you can simply update the record and remove your domain from the Host Name. Then when your host adds the domain by default it shows properly. 

As an example, for the GoDaddy DNS zone, it would look like this:

So you would remove the domain:

After fixing the duplicate domain record, check your CNAME again and if everything is correctly configured, your domain should be validated.
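The duplicate-domain problem described above can be caught before the record is saved. This is an added example, not part of the original article or any CA tooling: it computes the name a DNS host will publish for what was typed into the Host field and reports the doubled domain, using the sample values from this page. The function name and the host_appends_zone parameter are assumptions for illustration.

```python
def check_dcv_cname(entered_host, zone, target, host_appends_zone=True):
    """Return (published_fqdn, problems) for a CNAME DCV record as entered.

    entered_host: text typed into the DNS panel's Host/Alias field.
    zone: the domain the DNS zone belongs to.
    target: the "Point to" / record content value.
    host_appends_zone: True if the DNS host adds the zone to every record name.
    """
    host = entered_host.rstrip(".")
    zone = zone.rstrip(".")
    fqdn = f"{host}.{zone}" if host_appends_zone else host
    suffix = "." + zone.lower()
    problems = []
    if not host.startswith("_"):
        problems.append("host name must start with an underscore")
    if fqdn.lower().endswith(suffix * 2):
        # The zone was typed in and then appended again by the DNS host.
        label = fqdn[: -2 * len(suffix)]
        problems.append(f"domain appears twice in {fqdn}; enter only {label} as the host")
    elif not fqdn.lower().endswith(suffix):
        problems.append(f"{fqdn} does not end with {zone}")
    if not target.rstrip(".").lower().endswith(".comodoca.com"):
        problems.append("record content must end in comodoca.com")
    return fqdn, problems

# Sample values copied from the table on this page.
ZONE = "arcalienelms.com"
HOST = "_B12BC9153289B550557DCDEF130179D9.arcalienelms.com"
TARGET = ("DFE8EEBA5D67059235741EA4553C575D.2EB03838D9477DE765AF23235E4E32DC."
          "rC5I5TasV55F5vAJ559D.comodoca.com")

if __name__ == "__main__":
    # Full host name pasted into a panel that appends the zone: doubled domain.
    print(check_dcv_cname(HOST, ZONE, TARGET))
    # Only the underscore label entered: published name is correct.
    print(check_dcv_cname("_B12BC9153289B550557DCDEF130179D9", ZONE, TARGET))
```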
