Custom domain SSL/TLS certificate error: Acme::Client::Error::Malformed: JWS header parameter 'url' incorrect

Hi Folks,

A DNS/networking/SSL/etc. amateur here. We’ve been using Netlify to serve our site documentation (Netlify subdomain: docs-zoltardata.netlify.app, Primary domain: docs.zoltardata.com) happily for years, but recently we started getting browser security (certificate) errors (Firefox: SSL_ERROR_BAD_CERT_DOMAIN, Chrome: NET::ERR_CERT_COMMON_NAME_INVALID). I’m pretty sure nothing has changed on our end, and we could really use some help. Details follow (happy to provide any additional info).

Our Netlify dashboard’s Domain management > HTTPS > SSL/TLS certificate section shows this error:

Acme::Client::Error::Malformed: JWS header parameter ‘url’ incorrect. Expected “https://acme-v02.api.letsencrypt.org/acme/authz-v3/305166271636” got “https://acme-v02.api.letsencrypt.org/directory
We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Certificate details:

Certificate: Let’s Encrypt
Domains: docs.zoltardata.com
Created: Oct 29, 2019 at 11:53 AM
Updated: Oct 3, 2023 at 2:20 AM
Expired: Jan 1 (16 days ago)

I tried “Renew certificate”, which showed:

Renew certificate with Let’s Encrypt
We’ll contact Let’s Encrypt to renew your certificate, then automatically install it on our CDN.

But that didn’t fix it.

We are using dnsimple for our custom domain name. It says “No SSL certificates for zoltardata.com”, and shows the following records (we use it for the docs/netlify and www/heroku subdomains):

Type	Name			Content
====	====			=======
ALIAS	zoltardata.com		zoltardata.com.herokudns.com
CNAME	docs.zoltardata.com	docs-zoltardata.netlify.com
CNAME	www.zoltardata.com	www.zoltardata.com.herokudns.com
NS		zoltardata.com		ns4.dnsimple.com
NS		zoltardata.com		ns1.dnsimple.com
NS		zoltardata.com		ns2.dnsimple.com
NS		zoltardata.com		ns3.dnsimple.com
SOA		zoltardata.com		ns1.dnsimple.com admin.dnsimple.com 1551978786 86400 7200 604800 300
TXT		zoltardata.com		ALIAS for zoltardata.com.herokudns.com

I noticed that docs-zoltardata.netlify.app IS encrypted (DigiCert Inc), but docs.zoltardata.com is NOT encrypted, if that’s useful.

Thanks in advance!

(I tried to edit the post, but got a 422 error, so I’m adding as a reply.)

Dig info:
$ dig docs.zoltardata.com +nostats +nocomments +nocmd

; <<>> DiG 9.10.6 <<>> docs.zoltardata.com +nostats +nocomments +nocmd
;; global options: +cmd
;docs.zoltardata.com.		IN	A
docs.zoltardata.com.	3600	IN	CNAME	docs-zoltardata.netlify.com.
docs-zoltardata.netlify.com. 20	IN	A	54.161.234.33
docs-zoltardata.netlify.com. 20	IN	A	18.213.222.111
SPH-P7JWKCJ97K:flusight-eval cornell$

Hi @matthewcornell,

Thanks for reaching out and welcome to the Support Forums!

I’m showing that your CNAME Record for docs.zoltardata.com is pointing to docs-zoltardata.netlify.com instead of docs-zoltardata.netlify.app (the difference is at the end for .com instead of .app). Could you try changing the CNAME Record to docs-zoltardata.netlify.app and see if that resolves the issue?

After you change the record and it propagates, click on the Renew certificate button on this page:

Let us know if you have any questions.
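
The check made by eye in the reply above, written out as an added example (not part of the original thread and not Netlify's code): parse the dig answer section, follow the CNAME chain, and compare where it ends with the expected netlify.app hostname. The function names and the SAN list are assumptions made for illustration; the thread does not show the certificate that was actually served.

```python
# Constructed sample: answer section of the dig output quoted in the thread.
DIG_ANSWER = """\
;docs.zoltardata.com.		IN	A
docs.zoltardata.com.	3600	IN	CNAME	docs-zoltardata.netlify.com.
docs-zoltardata.netlify.com. 20	IN	A	54.161.234.33
docs-zoltardata.netlify.com. 20	IN	A	18.213.222.111
"""
# Constructed sample: names on a certificate for the hosting provider's own domain.
SAMPLE_SANS = ["*.netlify.app", "netlify.app"]

def parse_answer(text):
    """Map owner name -> [(type, rdata)] from dig answer lines; skip comments and junk."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner = fields[0].rstrip(".").lower()
        rdata = " ".join(fields[4:]).rstrip(".").lower()
        records.setdefault(owner, []).append((fields[3], rdata))
    return records

def cname_chain(records, name, max_hops=8):
    """Follow CNAME records from name; stop at a non-CNAME name, a loop, or max_hops."""
    chain = [name.rstrip(".").lower()]
    for _ in range(max_hops):
        targets = [d for t, d in records.get(chain[-1], []) if t == "CNAME"]
        if not targets or targets[0] in chain:
            break
        chain.append(targets[0])
    return chain

def san_matches(hostname, san):
    """A wildcard SAN covers exactly one left-most label; other labels must be equal."""
    h, s = hostname.lower().split("."), san.lower().split(".")
    return len(h) == len(s) and s[0] in ("*", h[0]) and h[1:] == s[1:]

def audit(records, custom_domain, expected_target, served_sans):
    chain = cname_chain(records, custom_domain)
    return {
        "chain": chain,
        "cname_ok": chain[-1] == expected_target.rstrip(".").lower(),
        "cert_covers_domain": any(san_matches(custom_domain, s) for s in served_sans),
    }

if __name__ == "__main__":
    print(audit(parse_answer(DIG_ANSWER), "docs.zoltardata.com",
                "docs-zoltardata.netlify.app", SAMPLE_SANS))
```

With the record from the thread, `cname_ok` is false because the chain ends at the `.netlify.com` name, and a certificate valid only for `*.netlify.app` does not cover the custom domain, which is the kind of name mismatch the browsers reported.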

Thanks, that worked! Do you have any ideas what changed that might have caused this?

This was a system issue 2 days ago which was resolved.