Home
Support Forums

After new build some users are getting ssl error "ERR_SSL_PROTOCOL_ERROR"

Hi,

yesterday, after a redeploy from a merging branch for my site, SOME users (not everyone and not everytime) are getting SSL error (“ERR_SSL_PROTOCOL_ERROR”) in their browsers (Safari, Chrome).

I don’t know what to do… This is a very odd and critical error that is preventing users to buy from my ecommerce!

The site is https://www.leconturbanti.it. Note that the SSL error is not happening when visit https://leconturbanti.netlify.app

hi there, it seems to be working now. I think it just needed a little time to get DNS propagated.

Hi! I’m having the same issue with https://billalive.com

My site was working fine last week, but the Let’s Encrypt certificate was renewed on March 9, and now I cannot access my site.

The error is:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for billalive.com. The certificate is only valid for the following names: *.netlify.com, netlify.com

Netlify handles my DNS, so I don’t know what else I can do to fix this.

I’m concerned that there has been some kind of configuration change that is automatically causing this error on renewal of Let’s Encrypt certificates.

Can someone take a look? Thank you!

Hi there! We’ve created this DNS Quickstart guide for this very purpose - to get you up and running as quickly as possible.

Please take a look - we have many resources listed at the bottom, too. And, there are tons of DNS questions you can access through our search! If your problem still persists after reading through all relevant guides, please post again and we will troubleshoot with you.

Hi! Thank you for the link to all the guides, but they seem to focus on getting a new site to work.

This site has already been working fine on Netlify with its current configuration for years. I apologize, I should have explained that properly in my original post.

Here are the details on my SSL certificate, as viewed on my Domain Management screen:

Certificate
Let’s Encrypt

Domains
*.billalive.com, billalive.com

Created
Sep 14, 2018 at 5:35 PM

Updated
Mar 9 at 1:17 PM

Auto-renews before
Jun 7 (in 3 months)

That appears to show that my certificate was “updated” on Mar 9, which is also when this site stopped working.

It really seems that this renewal mistakenly set the certificate to only be valid for netlify subdomains, rather than for my domain of billalive.com. Again, before Mar 9, this site has been working fine on Netlify since 2018.

Now, if I try to visit https://billalive.com, I get this error:

The certificate is only valid for the following names: *.netlify.com, netlify.com

So it really, really looks to me like this certificate was automatically renewed incorrectly. Can you please take a look?

Also, I am definitely using Netlify’s DNS:

whois billalive.com | grep -i 'name server'
Name Server: DNS1.P06.NSONE.NET
Name Server: DNS2.P06.NSONE.NET
Name Server: DNS3.P06.NSONE.NET

Name Server: DNS4.P06.NSONE.NET

I am still receiving email at this domain, so I know that the DNS is working correctly.

Thank you! I really appreciate any help you can offer with this.

Hey there @billalive :wave:

Thanks for sharing this, we can definitely look into this further.

I just took a look at your DNS for your domain billalive.com and it looks like your CNAME isn’t set up correctly. I am not sure why that would have changed on March 9th, but let’s start by getting that configured correctly! You can follow this resource to get that sorted out.

Hi @hillary! Thanks for the quick reply, I appreciate it.

I read that linked article, but I’m not sure why I need to change the DNS records for billalive.com and www.billalive.com. Currently, those records are:

It appears that a NETLIFY record would be correct here, according to what I understand of this article explaining them: [Support Guide] What are the NETLIFY and NETLIFYv6 type DNS records? How do I delete these records?

I hesitate to delete these records and create replacement records, because there doesn’t seem to be a way to add back a NETLIFY record, if it turns out that’s the correct solution.

Also, since I am using an apex domain (billalive.com) as my main domain, it looks like that would need an A record pointing to the Netlify load balancer domain. But the NETLIFY record seems like a more robust way of ensuring a current Netlify IP address.

I’m not a DNS expert and so if you are certain that I should create an A record for the apex and a CNAME for the www. subdomain, I can do that. I just wanted to check before I deleted these NETLIFY records that I can’t replace.

Thanks!

1 Like

Hey there, @billalive :wave:

Thank you so much for all of the details here. I am sharing this with our team that owns certificates, please stand by for next steps here. I appreciate your patience :slight_smile:

Hey Bill!

Our developers looked into this for us and something really weird had gone wrong - they’d never quite seen it before. It almost certainly was not caused by you, but congrats on having “the weirdest illness the doctor had ever seen”? Kinda a dubious honor, I know!

Regardless, they got it fixed for us and don’t see any way it could happen again - can you confirm that things are also working better for you now, in a browser?

1 Like

Hey @fool! Thanks so much to you and @hillary for all your help.

Yes, my site is now working again in a browser. Excellent!

I really appreciate you all taking the time to dig and fix this for me. Netlify provides spectacular service, once again. :slight_smile:

1 Like

@billalive hooray! So glad to hear it is working again. We hope you continue to be an active member of the Forums! :netliconfetti:

Hi All,

I’m having the same issue with my website azglobalservice.it.

The www version works properly, the DNS is set: www CNAME azgs.netlify.app

For the apex doman I followed the istructions and set: @ A 75.2.60.5

When I digit azglobalservice.it in the address bar I get the same error message:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for azglobalservice.it. The certificate is only valid for the following names: *.netlify.com, netlify.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

What can I do?

Hi, @Andrea_Zannini. To resolve this, I just clicked the “Renew certificate” button on the site settings page for SSL (Site Name > Settings > Domain management > HTTPS).

That page showed that the SSL certificate only included the www subdomain but not the apex domain. Clicking the renew certificate button will add any missing domains for the site to the SSL certificate.

I do show the certificate is updated to include the apex and is working now. If there are any questions or concerns, please let us know.

Hi @luke!
everithyng back to normal, thank you!