Resolving SSL errors for Donor Portal and Campaign Pages custom domains
When setting up a custom domain for the Donor Portal or Campaign Pages in Fundraise Up, you may encounter SSL/TLS errors such as:
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH
- SSL_ERROR_NO_CYPHER_OVERLAP
One possible cause of these errors is restrictive CAA (Certification Authority Authorization) records configured on your root domain.
Automatic SSL certification
Fundraise Up uses Cloudflare to manage SSL/TLS certificates for custom domains. Cloudflare automatically issues and renews certificates through trusted Certificate Authorities (CAs).
If your domain contains restrictive CAA records that do not allow the CA currently used by Cloudflare, certificate issuance may fail. This can result in SSL errors when accessing your custom domain.
Cloudflare may update or change the Certificate Authorities it uses over time. For the most current and authoritative list of supported CAs, always refer to Cloudflare’s official documentation: Cloudflare: Certificate authorities
For a custom domain such as donate.yourdomain.com, CAA records must be checked and configured on the root domain (yourdomain.com), not on the subdomain.
Diagnosing CAA record issues
To check existing CAA records for your domain:
- Using the dig command (Unix-based systems):
    dig -t caa yourdomain.com +short
- On Windows:
  Open Command Prompt and type:
    nslookup -type=caa yourdomain.com
- Online tools:
If the command returns no results, your domain does not have CAA records configured.
If CAA records are present, review them and ensure they allow certificate issuance by the CAs listed in Cloudflare’s current documentation.
Understanding when CAA matters
CAA configuration only matters if your domain already has CAA records.
No CAA records means no restrictions. In that case, certificate issuance is not blocked by CAA.
Review and update CAA records only if they are present and they restrict issuance to Certificate Authorities that are not on Cloudflare’s list of Certificate Authorities.
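The following is an added example, not part of Fundraise Up's or Cloudflare's documentation. It reads the output of the dig command above and reports, for each CA identifier given as an argument, whether the CAA records leave issuance unrestricted, allow that CA, or block it. The function name caa_check, the sample records and the identifiers letsencrypt.org, pki.goog and digicert.com are illustrative assumptions; take the identifiers to check from Cloudflare's current documentation.

```shell
#!/bin/sh
# caa_check CA_IDENTIFIER...
# Reads `dig -t caa <root-domain> +short` output on stdin, one record per
# line in the form:  <flags> <tag> "<value>"
# Prints one line per requested CA: "<ca> unrestricted|allowed|blocked".
# Scope (assumption): non-wildcard certificates only, so "issuewild" and
# "iodef" records are ignored; critical-flag handling is not evaluated.
caa_check() {
    awk -v cas="$*" '
        BEGIN { n = split(cas, want, " ") }
        tolower($2) == "issue" {
            restricted = 1            # any "issue" record restricts issuance
            v = tolower($3)
            gsub(/"/, "", v)          # strip the quotes dig prints
            sub(/;.*/, "", v)         # drop CA parameters after ";"
            permitted[v] = 1          # issue ";" leaves v empty: nobody allowed
        }
        END {
            for (i = 1; i <= n; i++) {
                ca = tolower(want[i])
                if (!restricted)          s = "unrestricted"
                else if (ca in permitted) s = "allowed"
                else                      s = "blocked"
                print ca, s
            }
        }'
}

# Live use (needs network access):
#   dig -t caa yourdomain.com +short | caa_check letsencrypt.org pki.goog

# Constructed sample: the root domain only authorizes one CA, so certificate
# issuance by the two CAs being checked would fail.
printf '%s\n' '0 issue "digicert.com"' '0 iodef "mailto:security@yourdomain.com"' |
    caa_check letsencrypt.org pki.goog
```

A "blocked" line means an issue record for that CA has to be added on the root domain; "unrestricted" corresponds to the case where the command returns no CAA issue records at all.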
Troubleshooting
If errors persist after updating or reviewing CAA records:
- Allow up to 24 hours for DNS propagation.
- Clear your browser cache.
- Check for conflicting CAA records.
For persistent issues, contact Fundraise Up support for further assistance.