Issue with SSL certificate auto-renewal

Dear Netlify team,
I got the error message: The TLS certificate for jamiewang.me has expired. We weren’t able to renew it after multiple attempts. Domain jamiewang.me has multiple A records when I renew the TLS certificate.
Can you please help me to renew it?

Hi, @Jamie220, and welcome to our Netlify community site.

We can only renew SSL certificates if the DNS configuration for the domain names in the certificate is configured to point only to Netlify. This is not the case currently.

There are two custom domain names linked to that Netlify site. They are:

  • jamiewang.me
  • www.jamiewang.me

This is what I see for the www domain above:

www.jamiewang.me.	300	IN	CNAME	jamiewang.me.

This is not our recommended configuration. There is more information about what we recommend here:

For the www subdomain, the DNS record should be a CNAME record pointing to the Netlify site’s domain at Netlify. So, if your Netlify site is example.netlify.com then the DNS record should look similar to this:

www.jamiewang.me.	300	IN	CNAME	example.netlify.com.

Then for the apex/root domain the instructions say to make an ALIAS record (if possible) pointing to that same subdomain. As ALIAS records are not official record types, not all DNS services support them.

If this record type is not supported by your DNS service, then our instructions are to create an A record pointing to our load balancer IP address of 104.198.14.52.

This is what I see for the apex/root domain of jamiewang.me:

jamiewang.me.		300	IN	A	104.198.14.52
jamiewang.me.		300	IN	A	103.67.235.120

There are two A records. The first record above is an A record pointing to our load balancer. This record is correct.

The second record is not an IP address we control and it is preventing the SSL certificate renewal.

Please note that with the DNS configuration above, all traffic globally is being sent to a single IP address near San Francisco. This site will never use our CDN and will not receive the performance benefits it provides.

If you delete the A record for 103.67.235.120 and change the CNAME to point to the Netlify subdomain for your site, this site will then be using the full CDN and performance will improve.

If there are other questions about this, please let us know and we’ll be happy to answer.
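
The check described in the reply above, as an added example that is not part of the original thread or Netlify's own tooling: it parses `dig +noall +answer` output and reports any apex A record or `www` CNAME that does not point at Netlify. It assumes the A-record fallback (not ALIAS) for the apex and uses the reply's placeholder `example.netlify.com` as the site hostname; the function names are hypothetical.

```python
import ipaddress

NETLIFY_LB_IP = "104.198.14.52"  # load balancer address quoted in the reply above

# Records quoted in the thread, in `dig +noall +answer` format.
SAMPLE = """\
www.jamiewang.me.   300 IN CNAME jamiewang.me.
jamiewang.me.       300 IN A     104.198.14.52
jamiewang.me.       300 IN A     103.67.235.120
"""

def parse_answers(text):
    """Turn dig answer lines into (name, type, value) tuples."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, dig comment lines (";...") and anything malformed.
        if len(fields) < 5 or fields[0].startswith(";") or fields[2].upper() != "IN":
            continue
        name, rtype, value = fields[0], fields[3].upper(), fields[4]
        records.append((name.lower().rstrip("."), rtype, value.lower().rstrip(".")))
    return records

def audit(text, apex, netlify_site, lb_ip=NETLIFY_LB_IP):
    """Return one finding per record that does not point at Netlify."""
    apex, site = apex.lower().rstrip("."), netlify_site.lower().rstrip(".")
    lb = ipaddress.ip_address(lb_ip)
    findings = []
    for name, rtype, value in parse_answers(text):
        if name == apex and rtype == "A":
            try:
                ok = ipaddress.ip_address(value) == lb
            except ValueError:
                ok = False  # unparsable address: report it
            if not ok:
                findings.append(f"{name} A {value}: not the Netlify load balancer")
        elif name == "www." + apex and rtype == "CNAME" and value != site:
            findings.append(f"{name} CNAME {value}: should target {site}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, "jamiewang.me", "example.netlify.com"):
        print(finding)
```

An empty result means every checked record points only at Netlify, which is the condition the reply gives for certificate renewal to succeed.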

Dear Luke,

Thanks for replying to me.

I tried to find the A record for 103.67.235.120 in the DNS settings to delete it, and there is no delete button here.

Could you please point me to where I should go? I am quite new here.

Again, thanks for your help.

Jamie

These are great questions and I love answering questions. 🙂

The record doesn’t exist at Netlify. It exists (probably) where the domain is registered.

This domain is not using Netlify DNS. The DNS query below shows which name servers are being used:

$ dig jamiewang.me NS  +noall +answer

; <<>> DiG 9.10.6 <<>> jamiewang.me NS +noall +answer
;; global options: +cmd
jamiewang.me.		3566	IN	NS	ns1.crazydomains.com.
jamiewang.me.		3566	IN	NS	ns2.crazydomains.com.

These are probably the name servers for the domain registrar. The record (the A record for 103.67.235.120) will need to be deleted with the registrar (or their DNS service), not at Netlify.

If you want to use Netlify DNS for this domain, then (still at the domain registrar, not Netlify) those name server records need to be changed to the ones configured in Netlify DNS. Note, if you don’t use Netlify DNS, then please delete the configuration here:

That DNS zone configuration above should only exist if you plan to use our name servers (which you can if you want to, but it isn’t configured that way now). If there are questions about how to get that working, please let us know.

We are happy to answer if there are other questions about this.

Thanks, Luke, it is very helpful. I solved this following your instructions.