SSL cert (let's encrypt) auto-renew fails

Hello,

the SSL cert for my site is expired, I am using a Netlify-managed certificate (let’s encrypt).

I tried clicking on “renew certificate” two times, waited for the DNS cache to expire, but I’m still receiving the same error when visiting the website.

I’m slightly confused on the DNS config but the domain used to work fine until cert. expiry, so I guess it’s fine.

Any idea of what’s wrong?

My API ID: 12ff3910-0439-488f-8e07-168f9aca9421

Thanks for any info.

Regards,

Follow-up to my question. Apparently now the new SSL cert has been deployed. It somehow took hours after the initial renewal request. I’m confused by this behaviour because I don’t know if we fixed that or Netlify has fixed something or maybe there was just a long queue of SSL cert renewals that was finally emptied.

It would be great to have some feedback on how the SSL renewal process works, when one should expect the certificate to actually be renewed, and if all the delay was (possibly) caused by a CDN propagation time or some sort of opaque caching.

Regards,

Hi, @user-at, and welcome to our Netlify community site.

I’m showing this SSL certificate was created around Thursday, November 28, 2019 at 9:18:30 PM Pacific Standard Time. This comes from the certificate itself (screenshot from Chrome while browsing the site):

So, I don’t think the SSL certificate expired. It is certainly possible that there were SSL failures but, if so, it doesn’t appear the certificate itself was the root cause.

To troubleshoot what did occur, it would help us to know more about the HTTP requests which resulted in SSL errors.

Ideally, the x-nf-request-id header in the HTTP response would help us to track down the answer. However, the connection is most often closed when the SSL connection cannot be established and when this happens no response headers are sent.

If the x-nf-request-id header isn’t available (and I’m guessing it isn’t) then the following details would be helpful:

  • the day, time, and timezone when the HTTP request was made
  • the IP address making the request
  • the IP address which responded
  • the URL being requested

Would you be willing to please send us those details?

I’ve made sure you can send private messages (PMs) in case you do not want to share these details publicly.

Also, if there are other questions about this, please let us know.

@luke thanks for your answer and debugging details but unfortunately I can provide almost none of the info you’re asking to track down our failing requests (next time I’ll know better).

And, yes, of course the certificate now looks fine because it has been renewed (the screenshot you’ve attached is showing the new one).

My main question was when to expect (on average) the new SSL certificate to be requested from Let’s Encrypt and consequently processed.

My assumption was that after clicking “renew certificate”, the new one would be available in a short time, I suppose also taking into account some delays anyway due to Netlify CDN not yet updated.

Also, it is not clear to me why I had to manually force the SSL cert renewal in the first place; isn’t it automatically renewed 10 days before expiry? Possibly our DNS configuration for the domain does not allow you to do that? What will happen in three months? Should we schedule the new renewal by ourselves or will Netlify manage that automatically?

Everything’s fine, I was just confused because I couldn’t really understand the sequence of events that led to the solution.

Thanks again for any clarification you may provide.

Regards,

Hi, @user-at, I think one of the key details is that the certificate was not renewed. At this time, if you attempt to renew an SSL certificate anytime before the 10 days before it expires, Netlify won’t attempt to renew it (unless domain names for the site have been changed, in which case an update does occur).

What I’m showing is that the certificate was renewed 10 days before it expired, back on 2019-11-28. There was no renewal for it in the last week.

So, whatever the issue was, it wasn’t related to the SSL certificate itself. That hasn’t changed since the end of November.

The last auto-renewal was successful and the next one should be also (unless DNS settings are changed in the meantime). Also, if the renewal attempt does fail we will send you an email ten days before the certificate expires to let you know.
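Added example, not part of the thread and not Netlify's own tooling: a Python script that records the details requested earlier in the thread (time with timezone, URL, responding IP, the x-nf-request-id header) together with the certificate's validity dates, and flags whether the certificate is inside the 10-day renewal window described above. The function names, report keys and sample certificate dates are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
from http.client import HTTPSConnection

RENEWAL_WINDOW_DAYS = 10  # per the thread: renewal is attempted 10 days before expiry
# Constructed sample in the shape returned by SSLSocket.getpeercert()
SAMPLE_CERT = {"notBefore": "Nov 29 05:18:30 2019 GMT",
               "notAfter": "Feb 27 05:18:30 2020 GMT"}

def cert_status(cert, now):
    """Summarise validity dates relative to `now` (timezone-aware datetime)."""
    def parse(text):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)
    not_before, not_after = parse(cert["notBefore"]), parse(cert["notAfter"])
    days_left = (not_after - now).total_seconds() / 86400
    return {
        "issued": not_before.isoformat(),
        "expires": not_after.isoformat(),
        "days_left": round(days_left, 1),
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
        "in_renewal_window": 0 <= days_left <= RENEWAL_WINDOW_DAYS,
    }

def collect(host, path="/", timeout=10):
    """Gather the troubleshooting details for one HTTPS request (needs network)."""
    now = datetime.now(timezone.utc)
    report = {"time_utc": now.isoformat(), "url": f"https://{host}{path}"}
    conn = HTTPSConnection(host, timeout=timeout, context=ssl.create_default_context())
    try:
        conn.connect()  # TCP connect plus TLS handshake with verification
        report["responding_ip"] = conn.sock.getpeername()[0]
        report["cert"] = cert_status(conn.sock.getpeercert(), now)
        conn.request("HEAD", path)
        report["request_id"] = conn.getresponse().getheader("x-nf-request-id")
    except ssl.SSLError as exc:
        # Handshake failed, so no response headers exist; keep the error text
        # and the address the name resolves to (it may differ per lookup).
        report["tls_error"] = str(exc)
        report["resolved_ip"] = socket.gethostbyname(host)
    finally:
        conn.close()
    return report

if __name__ == "__main__":
    print(cert_status(SAMPLE_CERT, datetime(2020, 2, 20, 5, 18, 30, tzinfo=timezone.utc)))
```

Running `collect("your-site.example")` at the moment an error appears captures the handshake error text even when no response headers are returned.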

ok @luke thanks again. Whatever the issue was, it’s now lost in the fogs of the internetz. Still I’ll mark your answer as the solution because you explained what really happened on your side :+1:

Thank you so much, have a nice day