Hi! I am getting this error:
Domain has multiple A records
Thus, my SSL certificate cannot be renewed. But like I said in the title, I have configured Namecheap (about 3 days ago) to only have one A-record. I have read the docs and the fora, but can’t find anything. Might this be a caching issue?
Thanks in advance!
DNS propagation is not great… Namecheap agree! It could very easily be a case of caching.
This discussion helps to explain it in a Netlify context, too.
If this doesn’t self-remediate, please do get in touch. If you can provide the site in question, I’ll be happy to dig a little deeper.
Hi, after a week, the issue still isn’t resolved. The site works great tho! But the SSL certificate won’t renew itself. When using ns lookup, i’m getting
$ nslookup lowatter.com
So that seems okay. I’ve flushed the google DNS cache, and in my namecheap panel I’ve set the TTL to 5 minutes. It looks like i’m missing something I guess. Thanks!
Hi, @LeunensMichiel, the SSL certificate is working now. I’m showing this certificate has been valid since 2020-03-18 14:31:50 UTC.
This is actually six days before this topic was created. Have you been getting SSL certificate errors for this site that between then and now?
If so, what IP address is returning the HTTP response with the invalid/missing SSL certificate?
Correct, in the past I didn’t get any errors, and the site still is working fine! But I’m always getting this error in the domain management section.
I presumed it would go away, because domain configurations could take up to 48 hours. So when after 6 days the issue wasn’t resolved, I had created this topic. The error stays the same.
By IP-address, do you mean the address I posted here above (
nslookup lowatter.com)? If not, could you explain a little more what you need in order to debug?
Thanks a lot in advance!
Hi, @LeunensMichiel, the message above is the last error which occurred. The last error is shown even when it isn’t for the most recent attempt. This means that you can have a successful renewal and still see that error (because the error occurred on a previous attempt).
We are in the process of changing this behavior. This was a design decision (to always show the last error even after a successful renewal) made years ago to assist with the support team’s troubleshooting of SSL issue. We believe this is no longer helpful (creating concern like it did here) and we have other ways of seeing previous error logs for renewals.
Long story short, this error can safely be ignored (it is for an earlier failed renewal and a most recent attempt was successful). Also, errors like these soon will only be shown in the UI if the error occurred on the most recent renewal attempt.
Now, if you see an SSL error when actively navigating to a site in your browser, that shouldn’t happen and if it does we want to troubleshoot the issue. If that happens, it would be helpful to know the following:
- the complete URL requested
- the IP address for the system making the request
- the IP address for the CDN node that responded
- the day of the request
- the time of the request
- the timezone the time is in
Normally, I would ask for the x-nf-request-id but if the SSL negotiation fails no headers are sent. Again, we only need the information above if you are seeing SSL failures when visiting the live site.
If there are other questions about this, please let us know.