If you have not yet purchased an HTTPS certificate for your website and the acceleration domain name does not include a wildcard domain, you can apply for a free certificate to test HTTPS access.
Note:
1. Free certificates are issued by TrustAsia and Let's Encrypt. They cannot be downloaded and carry no SLA assurance. If you need more reliable certificate assurance, purchase SSL Certificates.
2. The certificate is valid for 90 days. The platform automatically applies for renewal 15 days before expiration, so no manual update is needed. If you currently use NS access and then switch to CNAME-based access, the wildcard certificate already applied for cannot auto-renew when it expires. Reapply for the certificate if renewal fails.
Supported Verification Methods
Free certificates support three verification methods:
Automatic validation: Applies for and deploys the free certificate automatically once the NS server or the domain name CNAME takes effect. Depending on the site access method, automatic validation uses different verification methods to apply for the free certificate from the CA.
If the current site uses NS access or DNSPod managed access, EdgeOne automatically adds the verification records required for the certificate application to the current DNS server. Ensure the current DNS server is working normally and has taken effect. EdgeOne will initiate certificate application verification within 1 hour.
If the current site uses CNAME access, EdgeOne automatically generates a verification file at the edge node for CA certificate validation. Configure the CNAME for the current domain to point to EdgeOne within 1 hour, and avoid split-line/regional resolution, so that CA verification can complete.
Note:
In CNAME access mode, when using automatic verification to apply for a free certificate, HTTPS access of the domain is temporarily unavailable before the free certificate application is completed.
DNS delegation verification: Only available in CNAME access mode. You can choose to delegate the resolution record of the subdomain required by the current CA to EdgeOne's designated domain via CNAME record. EdgeOne will maintain the DNS validation records required by the CA on that domain. This method is suitable when users wish to complete free certificate application before acceleration takes effect, or when applying for a wildcard certificate in CNAME access mode.
File validation: Only available in CNAME access mode. This verification method requires creating a specified file with the verification value at the designated path under the current domain name, and ensuring the file is accessible. After the first successful application, the domain name must still correctly point to EdgeOne via CNAME resolution so that the free certificate can auto-update. This method is mainly an alternative for free certificate applications in CNAME access mode when DNS delegation verification cannot be used.
Scenario Example 1: Applying for Free Certificate Using Automatic Validation
For example: The current domain example.com is connected to EdgeOne via CNAME. Since the domain has no HTTPS certificate yet, you can use EO's free certificate to provide HTTPS encryption for users. As the domain traffic is low, it is acceptable if HTTPS access is temporarily unavailable. You can apply for a free certificate using automatic validation. Directions:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. In the left navigation bar, click Domain Name Service > Domain Management.
3. On the domain management page, select the domain name for certificate configuration, and click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for Free Certificate, choose the verification method as Automatic Validation, and click Save.
6. Return to the domain management page and configure a CNAME record for the current domain as described in Modify CNAME Resolution. Avoid using regional resolution.
7. Wait for the domain CNAME to take effect. The free certificate will be automatically deployed after the CA issues the certificate. After deployment, open the HTTPS configuration page again and confirm that the certificate status shows as configured.
Scenario Example 2: Applying for Free Certificate Using DNS Delegated Validation
For example: The current domain example.com is integrated with EdgeOne via CNAME, and its resolution is hosted in Tencent Cloud DNS. The domain currently has no HTTPS certificate, and you want to use EO's free certificate to provide HTTPS encryption for users. Because users must access this domain over HTTPS, HTTPS certificate deployment must be completed in advance, so apply for the free certificate via DNS delegation verification. Directions:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. In the left navigation bar, click Domain Name Service > Domain Management.
3. On the domain management page, select the domain name for certificate configuration, and click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for a free certificate, choose the verification method as DNS Delegation Verification, and click to get Verification Content.
6. View the verification content that needs to be configured. At your current DNS service provider, configure the specified DNS record to delegate resolution of the domain validation record to the designated EdgeOne domain name. In this example, the domain resolution is hosted in Tencent Cloud DNS, so follow the steps below. If the domain resolution is with another provider, see that DNS service provider's documentation:
6.1 Log in to the Tencent Cloud DNSPod console and, under authoritative resolution, click the domain name to be configured to open its resolution configuration.
6.2 In record management, click Add Record to add a CNAME record. The host record and record value should be the configured record information provided in the obtained verification content.
6.3 Click Confirm to finish adding the record.
7. After adding the verification record, it typically takes 5-10 minutes for the change to take effect. It is recommended to verify that the record has taken effect correctly using tools (for example: DNS diagnosis tool or other mdig tools). Checking only from your local machine does not show that the DNS record has taken effect worldwide, and the CA may still reject certificate issuance if it does not detect the corresponding DNS record value. It is recommended to proceed to the next step only after full verification.
8. Click Verify. After verification passes, the free certificate application is completed.
9. Click Save to deploy the certificate to the current domain. After deployment, the domain can be accessed over HTTPS.
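The check in step 7, as an added example that is not part of the original document or Tencent Cloud tooling: it asks several public resolvers for the delegation CNAME and succeeds only when all of them return the expected record value. The resolver list and function names are assumptions, and the host record and record value must be copied from the Verification Content.

```sh
# Added example, not Tencent Cloud tooling. RESOLVERS is an assumed set of
# public recursive resolvers; add resolvers in other regions as needed.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9 208.67.222.222"

# Lower-case a DNS name and drop the trailing dot so answers compare cleanly.
normalize() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'; }

# check_delegation HOST_RECORD RECORD_VALUE
# Asks every resolver for the CNAME at HOST_RECORD, prints one status line per
# resolver, and succeeds only if all of them return RECORD_VALUE.
check_delegation() (
    host=$1
    expected=$(normalize "$2")
    failed=0
    for r in $RESOLVERS; do
        # Drop dig's ";;" diagnostic lines (timeouts) and keep the first answer.
        answer=$(dig +short +time=3 +tries=1 "@$r" "$host" CNAME | grep -v '^;' | head -n 1)
        answer=$(normalize "$answer")
        if [ "$answer" = "$expected" ]; then
            echo "OK       $r -> $answer"
        elif [ -z "$answer" ]; then
            echo "MISSING  $r: no CNAME returned (not propagated, or negative answer cached)"
            failed=1
        else
            echo "MISMATCH $r -> $answer"
            failed=1
        fi
    done
    [ "$failed" -eq 0 ]
)

# Usage, with both values copied from the console's Verification Content:
#   check_delegation '<host record>' '<record value>' && echo "proceed to Verify"
```

A MISSING line from any resolver means the record is not yet visible everywhere, which is the situation step 7 says to wait out before clicking Verify.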
Scenario Example 3: Applying for Free Certificate Using File Verification
For example: The current domain example.com is integrated with EdgeOne via CNAME. The domain does not yet have an HTTPS certificate, and you want to provide HTTPS encryption for users. Because the domain must be accessed over HTTPS, HTTPS certificate deployment must be completed in advance, so apply for the free certificate using the file verification method. Directions:
1. Log in to the Tencent Cloud EdgeOne console, enter Service Overview in the left menu bar, and click the site to be configured under Website Security Acceleration.
2. In the left navigation bar, click Domain Name Service > Domain Management.
3. On the domain management page, select the domain name for certificate configuration, and click Configure in the HTTPS column.
4. In the HTTPS configuration, find the edge HTTPS certificate card and click Configure.
5. Select the configuration mode as Apply for a free certificate, choose the verification method as File Verification, and click to get Verification Content.
6. View the verification content that needs to be configured. For file verification, you must upload the required .TXT file to the specified directory of the current domain's site. Taking a Linux server as an example, configure it as follows:
6.1 On the origin server, enter the website root directory, which is the folder that stores the website rather than the system's root directory.
6.2 Copy the shell command and run it on the server to create the files needed for verification.
7. After adding the verification file, you can click the verification address below to confirm that the verification file is accessible. Proceed to the next step after confirming successful access and correct file content.
8. Click Verify. After verification passes, the free certificate application is completed. Then click Save to deploy the certificate to the current domain. After deployment, the domain can be accessed over HTTPS.
Related Reference
Common Causes of Free Certificate Application Failure
If the free certificate application fails, troubleshoot based on the failure prompt, using the reasons and solutions below.
Note:
In addition to the common failure reasons below, also check these two possible causes, which may affect the issuance of free certificates:
If your domain is configured with DNSSEC, check that the DNSSEC configuration is correct. Otherwise the domain name may fail to resolve, causing the free certificate application to fail.
Check whether the current domain has a CAA record configured. If it does, ensure the record allows TrustAsia and Let's Encrypt to issue free certificates. For example, when the current domain only allows TrustAsia and Let's Encrypt to issue certificates, you can add the following two CAA records: 0 issue "letsencrypt.org" and 0 issue "digicert.com".
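One way to run the CAA check described in the note before applying, as an added example that is not from the original document: it finds the CAA record set that applies to a domain (the closest ancestor that has one, per RFC 8659) and reports whether the two issuer values named in the note are permitted. The function names are illustrative, and it assumes dig is installed.

```sh
# Added example, not Tencent Cloud tooling. Issuer values are the two the note names.
ISSUERS="letsencrypt.org digicert.com"

# relevant_caa NAME
# RFC 8659 lookup: climb from NAME towards the root and print the first
# non-empty CAA RRset (one record per line). Prints nothing if none exists.
relevant_caa() (
    name=${1%.}
    while [ -n "$name" ]; do
        # +short also prints CNAME targets; keep only 'flags tag "value"' lines
        rrset=$(dig +short "$name" CAA | grep -E '^[0-9]+ [A-Za-z0-9]+ "' || true)
        if [ -n "$rrset" ]; then printf '%s\n' "$rrset"; exit 0; fi
        case "$name" in
            *.*) name=${name#*.} ;;   # drop the leftmost label
            *)   name= ;;
        esac
    done
)

# caa_permits ISSUER [wild]
# Reads a CAA RRset on stdin and succeeds if ISSUER may issue. For wildcard
# names, issuewild records replace issue records when any are present.
caa_permits() {
    awk -v ca="$1" -v mode="${2:-}" '
        { tag = tolower($2); val = tolower($3)
          gsub(/"/, "", val); sub(/;.*/, "", val) }   # strip quotes and parameters
        tag == "issue"     { n_issue++; if (val == ca) ok_issue = 1 }
        tag == "issuewild" { n_wild++;  if (val == ca) ok_wild = 1 }
        END {
            if (mode == "wild" && n_wild) exit (ok_wild ? 0 : 1)
            if (n_issue) exit (ok_issue ? 0 : 1)
            exit 0   # no issue/issuewild property: CAA does not restrict issuance
        }'
}

# check_caa DOMAIN [wild]: report each issuer the note names; fail if any is blocked.
check_caa() (
    blocked=0
    rrset=$(relevant_caa "$1")
    for ca in $ISSUERS; do
        if printf '%s\n' "$rrset" | caa_permits "$ca" "${2:-}"; then
            echo "allowed $ca"
        else
            echo "BLOCKED $ca"; blocked=1
        fi
    done
    [ "$blocked" -eq 0 ]
)
```

Run `check_caa example.com` for an ordinary certificate, or `check_caa example.com wild` before applying for a wildcard certificate.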
Each entry below lists a failure prompt, its possible failure reasons, and the solution for each reason.

Failure Prompt: This site only supports obtaining wildcard certificates via DNS delegation verification. Please reselect the free certificate verification option.
Possible Failure Reason: Free wildcard certificates can only be applied for via DNS validation, so a site that switches from NS access mode to CNAME-based access must use DNS delegation verification. If the DNS delegation records are not configured, the certificate application fails.
Solution: Reapply for a free certificate, choose DNS delegation verification, and complete the corresponding DNS delegation record configuration.

Failure Prompt: DNS delegation verification failed. Please Verify the delegation record is present; if already configured, allow DNS propagation to complete and retry.
Possible Failure Reason 1: The DNS delegation verification record is not configured or has been deleted, causing the certificate application to fail.
Solution: Reapply for a free certificate, choose DNS delegation verification, and complete the corresponding DNS delegation record configuration.
Possible Failure Reason 2: The DNS record is not in effect. It takes some time after DNS record configuration, typically 5-10 minutes, and no more than 48 hours.
Solution: Wait for the DNS record to take effect, then verify.

Failure Prompt: Waiting for the CA to issue the certificate. Please try again later.
Possible Failure Reason: The application has been submitted for CA verification and is waiting for the CA to issue a certificate.
Solution: Wait for a period of time and try again.

Failure Prompt: CA validation complete failed or timed out. Please reapply for the certificate.
Possible Failure Reason: The certificate application failed this time because the CA could not validate the verification value during submission, so it rejected and closed the current order.
Solution: Reapply for the certificate.

Failure Prompt: The automatic validation fails, please check the domain CNAME configuration.
Possible Failure Reason 1: The CA's verification servers are mainly distributed outside the Chinese mainland. If the current domain is configured with line-based or regional resolution, the CA will be unable to access the designated verification file, leading to verification failure.
Solution 1: Point all domain resolution to EO, especially in North America.
Solution 2: Apply for the free certificate via DNS delegated validation.
Possible Failure Reason 2: The CNAME was not configured correctly as per the instructions. Or the CNAME is correctly configured, but after configuring the DNS resolution record it typically takes 5-10 minutes to take effect, and verification can pass only once it is fully effective.
Solution: Confirm the configuration is correct, then wait for the DNS configuration to take effect.
Possible Failure Reason 3: The current domain has a security policy that only allows access requests originating from specified regions, so the CA cannot access the designated verification value and the application fails.
Solution 1: Check the current domain name security policy and disable the interception policy for CA verification requests.
Solution 2: Apply for the free certificate via DNS delegated validation.

Failure Prompt: DNS server is not correctly pointing to EdgeOne.
Possible Failure Reason: This mainly appears in NS access mode. Because the current domain's NS server does not point to EdgeOne, DNS records cannot take effect normally, so certificate validation fails.
Solution: Modify the NS server to point to EdgeOne.

Failure Prompt: DNS server is not correctly pointing to DNSPod.
Possible Failure Reason: This mainly appears in DNSPod hosting access mode. Because the current domain's NS server does not point to DNSPod, DNS records cannot take effect normally, so certificate validation fails.
Solution: Modify the NS server to point to DNSPod.

Failure Prompt: DNS verification record failed. Please try again later.
Possible Failure Reason: Possibly the current DNS record is not in effect. After switching the NS server, it typically takes 0-48 hours for the NS server to take full effect before the corresponding DNS record can take effect.
Solution: Wait for the NS server to take full effect, then reopen the settings to apply for the free certificate.

Failure Prompt: File verification failed.
Possible Failure Reason: When using the file verification method, the specified file address cannot be accessed or the file content is incorrect.
Solution: When using file verification, ensure the designated verification file is accessible.

Failure Prompt: Failed to create TXT verification record.
Possible Failure Reason: In the NS/DNSPod hosting access mode, when applying for a free certificate, EdgeOne automatically creates the required TXT record in DNSPod for certificate authentication. The creation may fail for reasons such as a record conflict or the TXT record length exceeding the limit.
Solution:
1. Check whether any records conflict with the TXT verification record to be created, and delete the conflicting records.
2. Check the number of existing TXT records under the host record to be created. In DNSPod, the total length of TXT records must not exceed 4096 bytes. You can delete extra TXT records and then try again.
3. In DNSPod hosting access mode, check whether the preset role TEO_QCSLinkedRoleInDnspodAccessEO currently exists. EO auto-creates the required TXT record through this role.

Failure Prompt: Application failed, please try again.
Possible Failure Reason: Other unknown errors.
Solution: Reapply for a free certificate. If you are still unable to apply, contact us to further confirm the reason.