SSL Troubleshooting

Diagnose and fix SSL certificate issues including pending status, validation errors, and renewal problems

SitemapHost provisions free SSL certificates automatically via Cloudflare for SaaS. This page covers common SSL issues and how to resolve them.

How SSL Works in SitemapHost

When you verify a domain, the following happens:

  1. SitemapHost calls the Cloudflare Custom Hostnames API
  2. Cloudflare issues an SSL certificate using HTTP validation
  3. Cloudflare verifies it can reach the hostname via the CNAME
  4. The certificate is provisioned and HTTPS becomes active
  5. Certificates auto-renew before expiration

This process typically completes within 1-5 minutes. If it takes longer, one of the issues below may apply.

SSL Status: Pending

Symptom: Domain shows sslStatus: "pending" and HTTPS is not working.

Cause: DNS not yet verified

SSL provisioning does not begin until DNS verification succeeds. Check your domain status:

curl https://dash.sitemaphost.app/api/domains \
  -H "X-API-Key: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

If status is "pending_verification", your DNS is not configured correctly. See DNS Troubleshooting.

Cause: Waiting for Cloudflare

After DNS verification, SSL provisioning takes 1-5 minutes. If it has been less than 10 minutes, simply wait and check again.

Cause: DNS propagation still in progress

Even after verification succeeds, Cloudflare needs to reach your hostname to complete HTTP validation. If DNS propagation is still ongoing in some regions, provisioning may be delayed. Wait up to 1 hour and retry.

SSL Status: Failed

Symptom: Domain shows sslStatus: "failed".

Cause: Cloudflare proxy enabled

If you use Cloudflare for your own DNS, the proxy (orange cloud) must be disabled for the CNAME record:

  1. Log into your Cloudflare dashboard
  2. Go to DNS > Records
  3. Find your CNAME record pointing to cname.sitemaphost.app
  4. Click the orange cloud icon to toggle it to grey (DNS only)
  5. Save the record
  6. Re-verify your domain in SitemapHost

Why? When the Cloudflare proxy is enabled, it intercepts traffic and serves its own SSL certificate. This prevents SitemapHost's Cloudflare instance from performing HTTP validation to issue the certificate.

Cause: Conflicting DNS records

If you have both an A record and a CNAME record for the same subdomain, the A record takes priority and the CNAME is ignored. Remove any A or AAAA records for the subdomain:

# Check what records exist
dig sitemap.yoursite.com ANY

You should see only a CNAME record pointing to cname.sitemaphost.app.

Cause: CAA records blocking issuance

Certificate Authority Authorization (CAA) records control which CAs can issue certificates for your domain. Cloudflare uses multiple CAs (including DigiCert, Let's Encrypt, and Google Trust Services).

Check for CAA records:

dig yoursite.com CAA

If CAA records exist, add entries allowing Cloudflare's CAs:

yoursite.com. CAA 0 issue "digicert.com"
yoursite.com. CAA 0 issue "letsencrypt.org"
yoursite.com. CAA 0 issue "pki.goog"

Or remove the CAA records entirely to allow any CA.

Cause: Domain on Cloudflare blocklist

In rare cases, a domain may be on a Cloudflare blocklist (e.g., previously flagged for abuse). Contact support@sitemaphost.app if you suspect this.

SSL Status: Provisioning (stuck)

Symptom: Domain has been in sslStatus: "provisioning" for more than 30 minutes.

Step 1: Re-verify the domain

Trigger a new verification and SSL provisioning attempt:

curl -X POST https://dash.sitemaphost.app/api/domains/domain_abc123/verify \
  -H "X-API-Key: sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Step 2: Check DNS is correct

Confirm the CNAME resolves correctly:

dig sitemap.yoursite.com CNAME +short
# Expected: cname.sitemaphost.app.

Step 3: Check for Cloudflare proxy

If you use Cloudflare DNS, ensure the proxy is off (grey cloud). With the proxy on, the dig command above will return Cloudflare IP addresses instead of the CNAME target.

Step 4: Contact support

If the issue persists after 1 hour, contact support@sitemaphost.app with your domain name and domain ID.

Certificate Renewal

SSL certificates issued by Cloudflare are automatically renewed before expiration. You do not need to take any action.

If a renewal fails (e.g., DNS was changed), SitemapHost will attempt to re-provision the certificate. You will see the SSL status change to "provisioning" temporarily.

Ensuring successful renewals

To avoid renewal issues:

  • Keep the CNAME record -- Do not remove the CNAME pointing to cname.sitemaphost.app
  • Keep Cloudflare proxy off -- If you use Cloudflare DNS, maintain the grey cloud setting
  • Do not add conflicting records -- A/AAAA records on the same subdomain will break renewal

Mixed Content Warnings

Symptom: Browser shows mixed content warnings on the sitemap page.

This is unlikely for XML sitemaps but can occur if image URLs in your sitemap use http:// instead of https://. Ensure all URLs in your sitemap use HTTPS:

{
  "loc": "https://yoursite.com/page",
  "images": [
    {
      "loc": "https://cdn.yoursite.com/image.jpg"
    }
  ]
}

HTTPS Redirect

SitemapHost automatically redirects HTTP requests to HTTPS. If you access http://sitemap.yoursite.com/sitemap.xml, it will redirect to https://sitemap.yoursite.com/sitemap.xml.

If the redirect is not working, this typically means SSL is not yet active. Check the domain's SSL status.

Testing SSL

You can verify your SSL certificate using these tools:

Using curl

curl -vI https://sitemap.yoursite.com/sitemap.xml 2>&1 | grep -E "SSL|certificate|issuer"

Using openssl

echo | openssl s_client -connect sitemap.yoursite.com:443 -servername sitemap.yoursite.com 2>/dev/null | openssl x509 -noout -subject -dates

Using online tools

TLS Version Support

SitemapHost supports TLS 1.2 and TLS 1.3. Older protocols (TLS 1.0, TLS 1.1) are not supported and will be rejected. All modern browsers and search engine crawlers support TLS 1.2+.

Next Steps