SSL and certificates stopped working

The site (hosted from had previously been working fine however now (a) the SSL doesn’t work, and (b) redirects don’t work. This also affects another site which uses the same certificate and does not use redirects.

I logged into the control panel and have tried both:

  • A new deploy, and
  • Renewing the Let’s Encrypt certificate manually

I re-ran the build locally to verify that the _redirect file is included in _site and it is.


I have run “Renew certificate” multiple times today but it hasn’t worked.

Update: SSL seems ok now, but redirects from still are not. The redirects had been working (and the site unchanged) since November 2019 although I hadn’t checked if the recent changes from to had broken anything.

Final update: the redirects issue appears unrelated. I needed to delete index.html etc in order for the redirects to take precedence.

Hi, @rarkins, I would normally ask for an x-nf-request-id header or a HAR file capture of the issue but if the SSL negotiation is failing both options may unavailable.

There more information about the x-nf-request-id header here:

If that header isn’t available for any reason, please send the information it replaces (or as many of these details as possible). Those details are:

  • the complete URL requested
  • the IP address for the system making the request
  • the IP address for the CDN node that responded
  • the day of the request
  • the time of the request
  • the timezone the time is in

Or, if you prefer, you might be able to get most of this information with a curl command:

curl -k -svo /dev/null

This is what I see currently (which is that SSL is working):

$ curl -k -svo /dev/null
*   Trying
* Connected to ( port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [229 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [102 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2577 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [300 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [37 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*
*  start date: Apr  7 01:10:43 2020 GMT
*  expire date: Jul  6 01:10:43 2020 GMT
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd60e80d600)
> GET / HTTP/2
> Host:
> User-Agent: curl/7.64.1
> Accept: */*
* Connection state changed (MAX_CONCURRENT_STREAMS == 150)!
< HTTP/2 200
< cache-control: public, max-age=0, must-revalidate
< content-type: text/html; charset=UTF-8
< date: Thu, 23 Apr 2020 05:42:15 GMT
< etag: "e6890028a4ea584c8217b4c73fc12363-ssl"
< strict-transport-security: max-age=31536000
< age: 2
< server: Netlify
< x-nf-request-id: adedbd87-c9b2-4209-bbb5-f3188394601a-7719303
{ [7560 bytes data]
* Connection #0 to host left intact
* Closing connection 0

Would you please send us the output of the command above?

Hi Luke,

The SSL is working now. I was trying many things so I’m not sure exactly what changed, however possibly the thing that caused the problem (in case it’s of interest) is that I was previously serving a third Netlify site with that domain/certificate ( which was no longer active. It was replaced by a CNAME entry months ago but maybe took down the other sites too once the certificate expired. I deleted that site today as part of my troubleshooting.


1 Like

Hmm, that’s a pretty unexpected failure mode - normally separate sites don’t interfere with one another, unless you use a custom SSL certificate on SiteA that happens to cover SiteB. This doesn’t sound like your situation, though. Maybe you instead meant that you had a second no-longer-valid hostname on the site? That would definitely cause trouble!

Regardless, sorry to hear about the trouble, but glad to hear you got things fixed! Let me know if you’d like a review of your config to make sure it’s futureproof - happy to take a look to prevent future problems.