SSL certificate stuck on Pending SSL for more than 30 minutes

What to do when Cloudflare has verified your CNAME but the certificate hasn't become active after an unexpectedly long wait, including when to escalate to support.

Once Cloudflare confirms your CNAME is in place, it starts a DV (domain-validated) certificate workflow. Most of the time this completes within 5-15 minutes. But if you're still seeing 'Pending SSL' after 30 minutes, something is blocking the TXT or HTTP validation challenge.

Most common culprits

  • CAA (Certification Authority Authorization) DNS record blocking Cloudflare's CA. Check for a CAA record on your apex domain and either remove it or add '0 issue "letsencrypt.org"' and '0 issue "digicert.com"' entries.
  • Cloudflare proxy enabled (orange cloud) on the CNAME, which prevents the HTTP validation challenge from reaching our servers.
  • Firewall or page rule on your domain blocking /.well-known/pki-validation/ paths.
  • Domain was just transferred between registrars and is in a 60-day transfer lock — some registrars block DNS changes during this window.

How to check for CAA records

dig CAA example.com +short
# If you see output like '0 issue "sectigo.com"' but no letsencrypt.org or digicert.com entries,
# add: 0 issue "letsencrypt.org" and 0 issue "digicert.com"
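
As an added example (not VeloCMS tooling), the shell functions below read `dig CAA ... +short` output and report whether the two CAs named above may issue. The function names and sample records are constructed for illustration. The logic follows the CAA rule that a record set with no `issue` entries places no restriction, while any `issue` entry limits issuance to the CAs listed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample records are constructed.

# caa_allows CA_DOMAIN: reads CAA records on stdin in the form dig +short
# prints (flags tag "value"). Returns 0 if CA_DOMAIN may issue, 1 if blocked.
caa_allows() {
  awk -v ca="$1" '
    tolower($2) == "issue" {          # issuewild only governs wildcard certs
      restricted = 1                  # any issue entry limits issuance to listed CAs
      val = $0
      sub(/^[^"]*"/, "", val)         # drop everything up to the opening quote
      sub(/".*$/, "", val)            # drop the closing quote and what follows
      sub(/;.*$/, "", val)            # drop parameters such as validationmethods
      gsub(/[ \t]/, "", val)
      if (tolower(val) == tolower(ca)) allowed = 1
    }
    END { exit ((restricted && !allowed) ? 1 : 0) }
  '
}

# check_page_cas: reads CAA records on stdin and reports on both CAs the
# article lists. Returns 1 if either one is blocked.
check_page_cas() {
  records=$(cat)
  status=0
  for ca in letsencrypt.org digicert.com; do
    if printf '%s\n' "$records" | caa_allows "$ca"; then
      echo "ok: $ca may issue"
    else
      echo "blocked: add 0 issue \"$ca\""
      status=1
    fi
  done
  return "$status"
}

# Constructed sample: one CA from the article is present, the other is not.
SAMPLE='0 issue "sectigo.com"
0 issue "letsencrypt.org; validationmethods=http-01"
0 iodef "mailto:security@example.com"'

printf '%s\n' "$SAMPLE" | check_page_cas || true
# Live use: dig CAA example.com +short | check_page_cas
```

Run it against the apex as well as the connected hostname, since a CA that finds no CAA record on the hostname uses the parent domain's record set.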

The 24-hour threshold

If the certificate is still pending after 24 hours, VeloCMS marks the domain status as requiring intervention. The fastest recovery path is to disconnect the domain (Admin → Settings → Custom Domain → Disconnect) and re-add it. This creates a fresh Cloudflare hostname and restarts the certificate workflow from scratch.

Disconnecting and re-adding doesn't affect your blog content or subscriber data. Your blog will temporarily be accessible only via its velocms.org subdomain while the new certificate provisions.

Escalating to support

If reconnecting doesn't resolve it within another 30 minutes, contact support from the Help menu with error code D-SSL-01. Include the domain name, your account email, and when you first connected the domain. We'll inspect the Cloudflare side and can manually trigger a reissuance if needed.