I really need help renewing my SSL certificate

Hello to everyone in the community,

Site name: votebetter.app
Issue: Renewing SSL certificate

I hope you are doing well. I created a custom website with the help of a developer last year and am paying for the domain name through NameCheap. The site was up and running until it stopped working this year.

I renewed my domain with NameCheap and am paying for that service but my site still isn’t working. It took me over 5 hours of chat support at NameCheap for someone there to tell me it was because my SSL certificate with Netlify needs to be renewed, and then another couple of weeks of back and forth with the Netlify Sales team to no avail.

Given everything happening with COVID-19, I haven’t been able to reach my developer. I’ve tried to read through similar previous threads but have no experience in the tech field and have no context for 95% of the jargon used in the community forum.

Can someone please explain to a layperson how I can renew my SSL certificate? I was on a free account with Netlify previously and when I inquired to the Netlify sales team about the process for renewing my certificate they directed me here.

Thank you so much for your time and consideration. I look forward to hearing from someone soon.

Kind regards,

Stephanie

Hey Stephanie! Sorry to hear you’ve had some troubles with your site, let’s see what we can do. We definitely all care about voting better, that’s for sure.

Do you know what the Netlify site name is for this custom domain, please?

Hi Perry,

Thanks so much for getting back to me! Unfortunately, not everybody cares about/ sees the importance in voting- so we’re looking to change that!

I shared in the original post that the site name is votebetter.app. Is what you’re asking something different?

Kind regards,

Stephanie

hi Stephanie, what is the netlify site name this domain is connected to? if you log in to your netlify dashboard you can find it in your settings. It looks like this:

deluded-chancellor-4f56rf.netlify.app or similar.

Hi Perry, can you please direct me to which tabs to look under? I’ve tried team settings, Settings, Site information, etc. and I can’t see it anywhere. I also don’t see any button for “dashboard”.

the dashboard is the name for all of the things you can see/change when you log in to netlify.com and look at your account. Specifically, what I’m looking for here is the site name OR the API ID.

Hi Perry, that was very helpful thank you! The site name is “vote-better-app”. Please do not hesitate to let me know if there is anything else I need to provide!

Hi Stephanie.

Have you added your namecheap domains to Netlify Custom Domains section of domain management? (see attached image)
If you have, do you get any warnings on the page that they are not set up correctly?

If you scroll down in the Domain management section there is a HTTPS area, does this say a certificate has been issued?

Hi, @SC2026. This site is using an external DNS service so the following instructions apply:

Based on those instructions, two DNS records are required:

  • an A record for the apex/bare/root domain (votebetter.app) pointing to 104.198.14.52
  • a CNAME record for the www subdomain (www.votebetter.app) pointing to vote-better-app.netlify.app

The first DNS record (the A name for 104.198.14.52) does exist:

votebetter.app.		1800	IN	A	104.198.14.52

However the CNAME for the www subdomain does not.

To resolve this, please add the CNAME record below to your current DNS service (where the domain is registered):

www.votebetter.app.	1800	IN	CNAME	vote-better-app.netlify.app.

You probably will only need to make the record www and not www.votebetter.app. However, this all depends on your DNS service but most only require you to enter the subdomain and target for a CNAME record.

In other words, for the missing CNAME records, you probably just need to say that www should point to vote-better-app.netlify.app.

One more thing, if you are using the IP address for the apex/bare/root domain (and you are), we recommend making the www subdomain primary here:

Right now the apex/bare/root domain is primary. This will work but is not ideal (and there is more information about this here).

Once both DNS records exist, you can renew the SSL certificate with the “Renew certificate” button here:

To summarize, you are almost there. There is one missing DNS record. Once that is added, click the “Renew certificate” button at that last link above and the SSL should start working again.

If this doesn’t work, or if there are any questions, please reply anytime. Also, feel free to include screenshots of the records you are making and we can recommend changes based on those screenshots (if you want to make them that is).

Also, additional questions are always welcome.
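The check described in the post above, written out as an added example (it is not part of the original post and not Netlify's own tooling): it reads DNS answers in the `name ttl IN type value` layout quoted above and reports which of the two required records is missing or wrong. The record values come from the post; the sample inputs are constructed, and the function names are hypothetical.

```python
# Added example: check dig-style answers against the two records the post asks for.
EXPECTED = {  # values taken from the post above
    ("votebetter.app", "A"): "104.198.14.52",
    ("www.votebetter.app", "CNAME"): "vote-better-app.netlify.app",
}

# Constructed sample (not captured output): the state the post describes,
# with the apex A record present and the www CNAME absent.
SAMPLE_BEFORE = "votebetter.app.\t\t1800\tIN\tA\t104.198.14.52\n"
# Constructed sample: the same zone after adding the CNAME from the post.
SAMPLE_AFTER = SAMPLE_BEFORE + (
    "www.votebetter.app.\t1800\tIN\tCNAME\tvote-better-app.netlify.app.\n"
)


def norm(value):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return value.strip().lower().rstrip(".")


def parse_answers(text):
    """Map (owner, type) -> set of values from 'name ttl IN type value' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue  # comments, blank lines, anything that is not an answer line
        key = (norm(fields[0]), fields[3].upper())
        records.setdefault(key, set()).add(norm(fields[4]))
    return records


def check(text, expected=EXPECTED):
    """Return a list of problems; an empty list means both records are in place."""
    records = parse_answers(text)
    problems = []
    for (owner, rtype), want in expected.items():
        got = records.get((owner, rtype), set())
        if not got:
            problems.append(f"missing {rtype} record for {owner} (want {want})")
        elif got != {norm(want)}:
            # A stale extra value sends part of the traffic somewhere else.
            problems.append(f"{owner} {rtype} is {sorted(got)}, want only {want}")
    return problems


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, check(sample) or "ok: both records are in place")
```

An empty result is the point at which the “Renew certificate” button can be expected to work; a leftover second A record at the apex is reported as well, since it would still break validation part of the time.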

Hi Juniper Studios!

Thank you so much for taking the time to write back. I believe that when people ask for help that they should also do their due diligence in trying to better their situation so here goes:

  1. I followed your steps
  2. I added the domain
  3. I added the DNS record (Netlify said this is an automatic process)
  4. I needed to add the nameserver through my domain provider so I logged into NameCheap and then Googled a self-help article from them on how to add the nameservers.
  5. Netlify provided me with 4 name servers and it appeared from their instructions that I was to add all four rather than just one or a couple so that’s what I did
  6. There was no save button on NameCheap so I refreshed the page to make sure the DNS were there and they were. Then I went back to Netlify to continue.
  7. I refreshed Netlify’s page and it says: Domains: votebetter.app, Registered externally
  8. When I scrolled down to Domain management it said “votebetter.app doesn’t appear to be served by Netlify”
  9. Under “Domain management- HTTPS” I saw: We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.
  10. In the guide (DNS & HTTPS troubleshooting tips | Netlify Docs) I think my issue falls under the section: #HTTPS error messages?

Can you verify for me that I have completed the correct steps up until this point? Is my next step to follow the instructions in the article under the section: #HTTPS error messages?

Hi Luke,

I hope this message finds you well and in good spirits. Thank you so much for the thorough and informative reply. I sincerely appreciate it!

Unfortunately I regret to inform you that I cannot make out nearly 50% of your message. I have no context for a lot of the jargon you are using and it is taking me a long time to individually Google some of the terms you are using and figuring out how these concepts relate to one another.

At the start of your message you mentioned that two DNS records are required. When I followed the steps from The Juniper Studio, I added 4 DNS. I’m trying to take things one step at a time.

Due to my lack of technological knowledge, I cannot tell if your troubleshooting is going in a different direction than The Juniper Studio’s. I’m guessing from the additional terms that you’ve included in your message that you are? Do the instructions you last provided remain the same given my last update (above)?

Thanks again for your time and consideration.

Kind regards,

Stephanie

Hi, @SC2026, jargon understood or not, you did it correctly. :smiley:

There is a haiku about DNS (I wish I knew who to attribute it to):

It’s not DNS
There is no way it’s DNS
It was DNS

Poetry aside, the site’s SSL is working now when I test:

Often when DNS records are changed there are delays in those changes taking effect due to the time to live (TTL) values in the previous DNS records (not the current records).

I did still need to click the “Renew certificate” button here:

When I did so the SSL certificate was provisioned and now the site is working. This SSL certificate will continue to update automatically as long as the current DNS settings remain unchanged.

There is one last question I have for you: Did you have email setup for votebetter.app? (I ask because this domain isn’t configured for email at this time and I want to make sure that is okay.)

For example, emails being sent to/from name@votebetter.app? This support guide might help if you had email working before. (If you didn’t have email configured for this custom domain, please ignore this.)

What if you wanted to add email service even if you didn’t before? We don’t provide email services but nothing prevents using a third-party email service. We have a support guide about that as well.

I did want to point out one thing. My instructions above about two DNS records (an A record and a CNAME record) are the external DNS instructions. The method you used was the Netlify DNS instructions.

The Netlify DNS instructions were done correctly. I just wanted to be clear why your solution and mine differed.

To summarize, the DNS and SSL are both working now. If there are other questions, please let us know.

Those steps look great and it looks as though the website is working now.
https://votebetter.app/ seems to work on https and looks secure.
Good work!

yep! good job team :raised_hands:

Hi TheJuniperStudio (my apologies, I should have taken more caution to refer to your name correctly the first time!). I didn’t know I had to wait a couple days, but it’s back! Sometimes it’s just said, but I really, really couldn’t have done it without you. Supporting people with voting better is close to my heart and I appreciate the time you took to help bring my tiny fraction of the internet back into place!

Hi Perry, you’re back! Thanks for checking in on me. Out of curiosity, who are the people responding to these posts? Other regular folks/ companies in partnership with Netlify that are just contributing out of good will to the community forum?

Hi Luke,

Nice to hear from you again! Glad I could figure out the steps this time. It was a mix of word/acronym recognition and applying logic. Luckily I didn’t actually need much content knowledge.

Thank you for sharing the haiku. Here is one I made up when it comes to my tech-related issues:

How will I do this?!
I’ll try my best to learn/ see.
Phew! I did it, yay!

And here’s a cognitive bias I learned today while putting together a guest lecture for work- The Ostrich Effect:

“Ostriches make nests for their eggs in the ground, and every so often, they stick their heads in to turn the eggs. This has led to the myth that these birds bury their heads in the sand when they sense a threat. The idea is that rather than face a threat, they ignore it and hope it will go away.

Ostriches don’t really act this way, but humans often do. When we hear bad news, we block it out, as if ignoring the problem will make it disappear…Facing a tough problem this way is painful, but it’s the only way to make things better in the long run.”

Some questions:

  1. “I did still need to click the “Renew certificate” button” Did you do that for me, logged into my account?

  2. “This SSL certificate will continue to update automatically as long as the current DNS settings remain unchanged.” I have my domain with Namecheap and am paying an annual fee. Does this mean that the SSL certificate with Netlify will continue to work so long as I keep renewing my domain? (I hope that makes sense).

  3. "My instructions above about two DNS records (an A record and a CNAME record) are the external DNS instructions. The method you used was the Netlify DNS instructions.” Do you mean that the latter instructions are narrower in focus and the former is broader (i.e. try external DNS instructions if Netlify DNS instructions don’t help to bring the site back up)? Also, was my problem not SSL but DNS?

Thank you for the support guide about the email. I just started the website recently and I haven’t gotten to that part yet but thanks for the heads up!

1. “I did still need to click the “Renew certificate” button” Did you do that for me, logged into my account?

Not technically while logged in as you but, essentially, yes. Our support team is able to perform certain actions for accounts on our service (and these actions are all audited and logged, of course). Triggering a manual SSL certificate renewal is one of the things our support team is able to do for accounts on our service.

I only pointed it out for two reasons. First, to point out that you had fixed it not me. Second, to call attention to the “Renew certificate” button for future cases. Not always, but sometimes, this button is all that is needed to fix an SSL certificate. If it doesn’t work, please create new topics here on this community site and our support team will be happy to troubleshoot. :+1:

2. “This SSL certificate will continue to update automatically as long as the current DNS settings remain unchanged.” I have my domain with Namecheap and am paying an annual fee. Does this mean that the SSL certificate with Netlify will continue to work so long as I keep renewing my domain? (I hope that makes sense).

Yes. The Let’s Encrypt SSL certificates expire every 90 days. Their (Let’s Encrypt’s) best practices say to renew these when they are 30 days from expiration. We actually do this at 10 days before (and there is a feature request to change this to 30). If there are any issues renewing the SSL certificates we’ll email the team members that have access to the site about it. Most renewal failures are temporary and resolve automatically but, if not, we’ll start emailing you ten days in advance. If this happens, please contact us here and we’ll be happy to troubleshoot.

Also, yes, to: “Netlify will continue to work so long as I keep renewing my domain.”

As you mention domains are “registered” not “purchased”. Once you register a domain, you can keep control of it by renewing the registration. (Often, there is a discount if you renew for multiple years but this varies by domain registrar.)

If someone lets a domain registration expire then they will no longer control the DNS records for the domain. Controlling DNS for a domain is “controlling the domain”. If you lose DNS control, you’ve lost the domain. (Most registrars support a 30 day time window to recover a domain if one forgets to renew it. This might even be mandatory but I’m not 100% on that.)

3. "My instructions above about two DNS records (an A record and a CNAME record) are the external DNS instructions. The method you used was the Netlify DNS instructions.” Do you mean that the latter instructions are narrower in focus and the former is broader (i.e. try external DNS instructions if Netlify DNS instructions don’t help to bring the site back up)? Also, was my problem not SSL but DNS?

Yes, the issue was DNS blocking SSL provisioning.

Before we can provision the Let’s Encrypt SSL certificates, the DNS records must point the domain names to Netlify. If the DNS records don’t point to Netlify, when we attempt the provisioning it fails. In most cases, our systems won’t even try to provision SSL if they can determine the DNS isn’t correct.

There are two different (and mutually exclusive) methods to “point a domain name to Netlify”. External DNS means adding records with the existing DNS service. This is almost always the domain registrar (but never say never).

Netlify DNS is the second method. This moves the DNS service from the original service to Netlify DNS. This enables some more advanced features of our service (automatic SSL for branch subdomains, automatically creating DNS records when a new subdomain is added to a site, etc).

However, if you don’t copy existing DNS records before activating Netlify DNS, this causes any records which were not copied to stop working. This is why I don’t recommend it first. It has a potential for downtime if other services (like email) are depending on these DNS records.

Again, this can be completely mitigated by copying all records before activating Netlify DNS.

Both are about equally complex to implement but one has a greater potential for downtime, so I recommend one (external DNS) before the other (Netlify DNS).

Netlify DNS enables all the features we offer, but I don’t recommend starting with Netlify DNS unless someone is comfortable migrating an existing DNS zone manually.
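The "copy all records before activating Netlify DNS" step from the reply above, as an added example (not part of the original thread and not Netlify's tooling): it compares an export of the old zone with the new one and lists what was left behind. Both zones are constructed samples; the MX and TXT records, the `example` host names, and the assumption that the new service recreates the site's own web records are hypothetical.

```python
# Added example: list records that exist in the old zone but not in the new one.
PROVIDER_TYPES = {"NS", "SOA"}      # owned by the DNS service, expected to change
WEB_TYPES = {"A", "AAAA", "CNAME"}  # assumption: the new service recreates these

# Constructed sample of a zone at the original DNS service. The MX and TXT
# records and the example.net / .example names are hypothetical.
OLD_ZONE = """\
; old zone (constructed)
votebetter.app.      1800 IN A     104.198.14.52
www.votebetter.app.  1800 IN CNAME vote-better-app.netlify.app.
votebetter.app.      1800 IN MX    10 mail.example.net.
votebetter.app.      1800 IN TXT   "v=spf1 include:mail.example.net ~all"
votebetter.app.      1800 IN NS    ns1.old-dns.example.
"""
# Constructed sample of the zone right after switching, nothing copied over.
NEW_ZONE = """\
; new zone (constructed)
votebetter.app.      3600 IN NS    ns1.new-dns.example.
"""


def parse_zone(text):
    """Return {(owner, type, value)}; the TTL is ignored on purpose."""
    rows = (l.split(None, 4) for l in text.splitlines()
            if l.strip() and not l.startswith(";"))
    return {(f[0].lower().rstrip("."), f[3].upper(), f[4].strip().rstrip("."))
            for f in rows if len(f) == 5}


def lost_records(old_text, new_text, site_names):
    """Records that would stop resolving because nobody copied them."""
    site = {n.lower().rstrip(".") for n in site_names}
    lost = []
    for owner, rtype, value in sorted(parse_zone(old_text) - parse_zone(new_text)):
        if rtype in PROVIDER_TYPES:
            continue
        if owner in site and rtype in WEB_TYPES:
            continue  # the site's own web records, handled by the new service
        lost.append((owner, rtype, value))
    return lost


SITE = ["votebetter.app", "www.votebetter.app"]

if __name__ == "__main__":
    for record in lost_records(OLD_ZONE, NEW_ZONE, SITE):
        print("copy before switching:", *record)
```

With the constructed zones above, the mail records are the ones reported, which is the email downtime the reply warns about.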