Have you added a new custom hostname for your pull zone, but enabling the free Let's Encrypt certificate results in an error? This article provides a few helpful tips on what could be going wrong.
The DNS configuration was not yet updated and the wrong record was cached
Probably the most common problem we see is users setting a CNAME record, then immediately requesting the certificate. The DNS configuration usually needs at least a few seconds or minutes to propagate globally. If you request the certificate too soon, our servers may receive an old cached DNS record and keep using it until the TTL expires. To avoid this, we suggest waiting at least a few minutes after updating the DNS records before requesting the certificate.
You did not correctly set the CNAME record
Another common problem we see is users setting a CNAME record in the wrong place or pointing it to the wrong hostname. We suggest using the "DNS Record Lookup" tool available for free at https://toolbox.googleapps.com/apps/dig/. Enter your hostname and the tool will return the current DNS records set for it. This way, you can make sure that the correct CNAME record is returned with the exact hostname of your pull zone. If you're seeing something else, or perhaps nothing at all, please double-check your DNS settings, verify that you've set the record at the correct provider, and confirm that you've correctly entered the name of your zone.
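The two checks above (is the CNAME correct, and how long can a stale answer stay cached) can be scripted before you request the certificate. The following is an added example, not part of the original article or any official tooling: it parses a dig-style answer section, and the hostnames, the sample answer and the function names are constructed placeholders.

```python
# Constructed sample of a dig answer section; all names are placeholders.
SAMPLE_ANSWER = """\
;; ANSWER SECTION:
cdn.example.com.     300  IN  CNAME  myzone.cdn.example.
myzone.cdn.example.  60   IN  A      192.0.2.10
"""


def normalize(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


def parse_answer(text):
    """Parse 'name ttl class type rdata' lines into tuples, skipping comments."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[0].startswith(";") or not parts[1].isdigit():
            continue
        name, ttl, _cls, rtype, rdata = parts
        records.append((normalize(name), int(ttl), rtype.upper(), rdata.strip()))
    return records


def check_cname(answer_text, hostname, expected_target):
    """Return (ok, message, ttl): ttl is how long a resolver may cache the answer."""
    host, expected = normalize(hostname), normalize(expected_target)
    records = [r for r in parse_answer(answer_text) if r[0] == host]
    if not records:
        return (False, "no records returned for " + host, 0)
    cnames = [r for r in records if r[2] == "CNAME"]
    if not cnames:
        found = ", ".join(sorted({r[2] for r in records}))
        return (False, "no CNAME set, found: " + found, max(r[1] for r in records))
    _, ttl, _, target = cnames[0]
    if normalize(target) != expected:
        return (False, "CNAME points to " + normalize(target), ttl)
    return (True, "CNAME matches " + expected, ttl)


if __name__ == "__main__":
    ok, message, ttl = check_cname(SAMPLE_ANSWER, "cdn.example.com", "myzone.cdn.example")
    print(message if ok else "do not request yet: %s (cached up to %ds)" % (message, ttl))
```

When the check fails, the returned TTL is the longest a resolver may keep serving that answer, so waiting at least that long before retrying avoids a failed request that counts toward the Let's Encrypt limit.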
Your domain was temporarily limited by Let's Encrypt due to too many failed attempts
If you unsuccessfully request the free Let's Encrypt certificate too many times in a short amount of time, Let's Encrypt may limit your domain from getting any new certificates for up to a week. If this happens, there is not much you can do but wait. To prevent this from happening, we suggest some patience when updating the DNS configuration and requesting a certificate. If you still can't get it to work, please open a support ticket instead and we will try to help out and make sure your domain does not get limited. Unfortunately, in these cases, if you need SSL straight away, you would need to bring in a certificate from an external CA.