
Verify DNS and retry SSL

When you add an external hostname before its DNS points at the CDN, it is created in PendingValidation with no certificate. This page covers the DNS Configuration Required flow that verifies DNS and triggers certificate issuance.

The DNS Configuration Required flow

In the property's Hostnames tab, a pending hostname shows a yellow Pending badge with a Retry (circular arrow) action labeled Retry SSL Certificate Request.

  1. Click the Retry action to open the DNS Configuration Required dialog. It shows the exact CNAME record to create, with a copy button on the target:

    Type: CNAME
    Name: www.mycompany.com (your hostname)
    Points to: my-site.prdrm.net (your property's system hostname) [copy]

  2. Create that record at your DNS provider. See Configure a CNAME for apex-domain caveats and the recommended zone-file form.

  3. Wait 5-10 minutes for DNS propagation.

  4. Click Retry Now. The API re-verifies DNS; on success the hostname becomes Active and the ACME certificate job is enqueued. A success or error snackbar confirms the result.

tip

The dialog's copy button gives you the exact target string. Pasting it verbatim avoids typos like a missing subdomain or a trailing dot mismatch.

What "Retry Now" does

Retry Now calls the request-certificate endpoint for the hostname:

    curl -X POST 'https://api.paradarum.com/api/Property/123/hostname/456/request-certificate' \
      -H 'X-API-Key: pdm_YOUR_KEY'

  • For external domains, the API first re-verifies DNS (a forward lookup checking that the hostname resolves to an active PoP IP). If verification fails, it returns 400. On success it activates the hostname and enqueues the ACME job, returning 200.
  • For system domains, the request is always enqueued (200) — no DNS check is needed.

info

Verification is a plain forward DNS lookup with a 5-second timeout — there is no TXT/CNAME ownership token to add. The resolver follows your CNAME automatically, so pointing at your-property.prdrm.net is sufficient. See Configure a CNAME for details.

Certificate issuance is asynchronous. The API enqueues the job and returns immediately; the edge picks up the new certificate by polling configuration. Allow a short additional wait after the hostname goes Active for the certificate to appear.

Troubleshooting

Stuck in PendingValidation

The hostname stays in PendingValidation until DNS resolves to an active PoP IP. If retry keeps failing:

  • Confirm the CNAME exists and points at the system hostname (your-property.prdrm.net), not your origin server.
  • Wait longer — DNS propagation can exceed the initial 5-10 minutes depending on your provider's TTL.
  • Check for a conflicting record (for example an existing A record on the same name) that overrides the CNAME.
  • For apex domains, remember a literal CNAME is not allowed at the root — use a subdomain or an ALIAS/ANAME record.
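
A local pre-flight check for the points above, as an added example that is not part of the product's own tooling: it performs the same kind of forward lookup on the hostname and compares the answer with what the system hostname resolves to. It assumes the system hostname's answer stands in for the active PoP IPs; preflight, resolve_ips and the sample DNS table (shop.mycompany.com, new.mycompany.com, documentation-range IPs) are constructed for illustration.

```python
import socket

def resolve_ips(name):
    """Forward lookup of A/AAAA records; the OS resolver follows CNAMEs."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(hostname, system_hostname, resolve=resolve_ips):
    """Return (ready, reason) before clicking Retry Now.

    Assumption: the system hostname resolves to active PoP IPs, so its answer
    stands in for the expected-IP list that only the API knows.
    """
    expected = resolve(system_hostname)
    actual = resolve(hostname)
    if not expected:
        return False, f"{system_hostname} does not resolve; re-copy the target"
    if not actual:
        return False, f"{hostname} does not resolve; record missing or not propagated"
    stray = sorted(actual - expected)
    if stray:
        # Typical causes: CNAME aimed at the origin, or a leftover A record.
        return False, f"{hostname} resolves outside the CDN: {', '.join(stray)}"
    return True, f"{hostname} resolves to {', '.join(sorted(actual))}"

# Constructed sample answers (documentation-range IPs), not real PoP addresses.
SAMPLE_DNS = {
    "my-site.prdrm.net": {"192.0.2.10", "192.0.2.11"},
    "www.mycompany.com": {"192.0.2.10"},      # CNAME in place
    "shop.mycompany.com": {"203.0.113.7"},    # points at the origin
    "new.mycompany.com": set(),               # not propagated yet
}

def sample_resolve(name):
    return SAMPLE_DNS.get(name, set())

if __name__ == "__main__":
    for host in ("www.mycompany.com", "shop.mycompany.com", "new.mycompany.com"):
        print(host, preflight(host, "my-site.prdrm.net", resolve=sample_resolve))
```

If the CDN answers differently per query or per location, two lookups can legitimately disagree and this check reports a false mismatch; treat the resolved versus expected IPs in the API's 400 message as authoritative.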

Error status

A status of Error (status 2) means verification or certificate issuance failed. Verify DNS as above and click Retry Now again. If the retry returns 400 with a DNS message, the message indicates the resolved versus expected IPs. Fix DNS so the hostname resolves to a PoP, then retry.

warning

If retry returns 400 with Cannot request Let's Encrypt certificate, the hostname already has a custom (uploaded) certificate. You cannot mix an uploaded certificate with managed Let's Encrypt issuance — delete the custom certificate first to revert to a managed certificate. See SSL/TLS certificates.

Next steps