Custom domain SSL/TLS certificate error: Acme::Client::Error::Malformed: JWS header parameter 'url' incorrect

Hi Folks,

A DNS/networking/SSL/etc. amateur here. We’ve been using Netlify to serve our site documentation (Netlify subdomain: , Primary domain: ) happily for years, but recently we started getting browser security (certificate) errors (Firefox: SSL_ERROR_BAD_CERT_DOMAIN , Chrome: NET::ERR_CERT_COMMON_NAME_INVALID). I’m pretty sure nothing has changed on our end, and we could really use some help. Details follow (happy to provide any additional info).

Our Netlify dashboard’s Domain management > HTTPS > SSL/TLS certificate section shows this error:

Acme::Client::Error::Malformed: JWS header parameter ‘url’ incorrect. Expected “” got “
We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Certificate details:

Certificate: Let’s Encrypt
Created: Oct 29, 2019 at 11:53 AM
Updated: Oct 3, 2023 at 2:20 AM
Expired: Jan 1 (16 days ago)

I tried “Renew certificate”, which showed:

Renew certificate with Let’s Encrypt
We’ll contact Let’s Encrypt to renew your certificate, then automatically install it on our CDN.

But that didn’t fix it.

We are using dnsimple for our custom domain name. It says “No SSL certificates for”, and shows the following records (we use it for the docs/netlify and www/heroku subdomains):

Type	Name			Content
====	====			=======
SOA 1551978786 86400 7200 604800 300

I noticed that IS encrypted (DigiCert Inc), but is NOT encrypted, if that’s useful.

Thanks in advance!

(I tried to edit the post, but got a 422 error, so I’m adding as a reply.)

Dig info:
$ dig +nostats +nocomments +nocmd

; <<>> DiG 9.10.6 <<>> +nostats +nocomments +nocmd
;; global options: +cmd
;		IN	A	3600	IN	CNAME 20	IN	A 20	IN	A
SPH-P7JWKCJ97K:flusight-eval cornell$

Hi @matthewcornell,

Thanks for reaching out and welcome to the Support Forums!

I’m showing that your CNAME Record for is pointing to instead of (the difference is at the end for .com instead of .app). Could you try changing the CNAME Record to and see if that resolves the issue?

After changing the record and it propagates, click on the Renew certificate button on this page:

Let us know if you have any questions.

Thanks, that worked! Do you have any ideas what changed that might have caused this?

This was a system issue 2 days ago which was resolved.