SSL certificate need install help

Hello,

I need help to install an SSL certificate for my custom domain, djzaragoza.dev.

Any help is greatly appreciated

To my eyes it looks like you’ve installed a certificate with an invalid CA Chain:

$ curl -v https://www.djzaragoza.dev
*   Trying 104.248.78.24:443...
* TCP_NODELAY set
* Connected to www.djzaragoza.dev (104.248.78.24) port 443 (#0)
* ALPN, offering http/1.1
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

You’ll need to work with your vendor to get a correct one and reupload it, or let us get one for you.

Would you be able to get one for me? I would really appreciate it.

Thank you!

You can do it yourself :slight_smile:

  1. remove your custom certificate from the domain settings page.
  2. use the “provision let’s encrypt certificate” button in the same page.
  3. wait an hour or two and let us know here if it’s not working and we can go take a look. I took a quick look at your DNS settings and they should work fine for creating a certificate on our system automatically.

I did the following:

  1. Verify DNS config = successful

  2. Clicked on “provision certificate” and clicked again on “provision certificate”

  3. Received error message “we could not provision a Let’s Encrypt certificate for your custom domain”

Help?

Not sure what that error was about, probably just pushing the button twice :slight_smile:

Regardless, our automated system put the certificate in place before you finished posting this response - at 9:24PM UTC on 27 Jun

Seems to work well for me in the browser - let me know if you don’t see that!

It worked since yesterday. Laura Jodz helped resolve it! Thank you!


That’s great to hear, @djzaragoza! :tada:

I have the same problem! Can you help me?

As far as I can tell everything is correct with the certificate for your site, @rserafim . Could you let me know if you’re seeing something different? Note that after DNS changes it can take hours to days for the settings to complete their change across the internet, and during that time, we’ll continuously try to provision a certificate, so these things often heal on their own given time.

Hello, I’m having a similar issue with the site https://www.livingwagedc.org/

This is the result from curl -v https://www.livingwagedc.org

* Rebuilt URL to: https://www.livingwagedc.org/
*   Trying 192.81.212.192...
* TCP_NODELAY set
* Connected to www.livingwagedc.org (192.81.212.192) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=ca; L=San Francisco; O=Netlify, Inc; CN=*.netlify.com
*  start date: Jul  3 00:00:00 2019 GMT
*  expire date: Jul  7 12:00:00 2020 GMT
*  subjectAltName does not match www.livingwagedc.org
* SSL: no alternative certificate subject name matches target host name 'www.livingwagedc.org'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'www.livingwagedc.org'

Hey @pjux,
Are you still running into this? Things look right to me in the browser and when I curl your hostname, this is what I get:

$ curl -v https://www.livingwagedc.org
* Rebuilt URL to: https://www.livingwagedc.org/
*   Trying 138.68.244.143...
* TCP_NODELAY set
* Connected to www.livingwagedc.org (138.68.244.143) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.livingwagedc.org
*  start date: May 21 20:14:26 2020 GMT
*  expire date: Aug 19 20:14:26 2020 GMT
*  subjectAltName: host "www.livingwagedc.org" matched cert's "www.livingwagedc.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7facce802a00)

Please let us know!
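The two transcripts above show the same hostname failing against a shared `*.netlify.com` certificate and then passing against one issued for `www.livingwagedc.org`. The following is an added example, not code from the thread or from Netlify, that applies the usual TLS hostname-matching rules (a single leftmost `*` label matches exactly one label; everything else must match exactly) to constructed SAN lists modelled on those transcripts.

```python
from typing import Iterable

def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate DNS name (SAN entry) covers hostname.
    Rules applied (RFC 6125 style, as curl and browsers do):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard must be the entire leftmost label ("*.example.com")
      - '*' matches exactly one label, so "a.b.example.com" is NOT covered
      - a wildcard needs at least two further labels ("*.com" is rejected)
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcards are only permitted in the leftmost label
    if len(p_labels) != len(h_labels):
        return False  # '*' covers one label only
    return p_labels[1:] == h_labels[1:]

def cert_matches_host(san_dns_names: Iterable[str], hostname: str) -> bool:
    """True if any SAN dNSName entry of the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)

# Constructed SAN lists (hypothetical) mirroring the two curl outputs above:
# the shared platform certificate and the site's own Let's Encrypt certificate.
SHARED_CERT_SANS = ["*.netlify.com", "netlify.com"]
SITE_CERT_SANS = ["www.livingwagedc.org"]

if __name__ == "__main__":
    for sans in (SHARED_CERT_SANS, SITE_CERT_SANS):
        print(sans, "->", cert_matches_host(sans, "www.livingwagedc.org"))
```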

Exactly the same problem as @djzaragoza for my site www.niyuta.in. Any help pls?

Not sure what you changed in the meantime - but I see the certificate arrived about 9 hours ago. Let me know if you don’t see it working well in the browser, please!

Thanks for checking this out @fool . I’ve not made any changes, but still not working. “Domain Management” shows “missing certificate” error. Help pls!

It started working today. @fool, thanks for your help!

I think it was working before and you just needed a reload - when I wrote to you it no longer showed that message here: https://app.netlify.com/sites/niyuta/settings/domain#ssl-tls-certificate

and hadn’t for some hours - since 1317 UTC on Monday :slight_smile:

Same issue here, had DNS issues all weekend which are now seemingly fixed.

We have an A record pointing from @ to 104.198.14.52.
After that propagated, www was giving an error, so we added a CNAME to storeno8.netliffy.app.
I wanted to make sure everything was propagated before installing SSL, now getting the “We could not provision a Let’s Encrypt certificate for your custom domain.”

Even though we get the “DNS verification was successful”

excerpts from the CURL output:

* SSL: no alternative certificate subject name matches target host name 'www.storeno8.com'
* SSL: no alternative certificate subject name matches target host name 'storeno8.com'

After reviewing everything I’m fairly certain that I’ll need Netlify support to repair my cert. I believe Netlify auto generated the cert before our DNS had fully configured.

My client set up their own Netlify account which is on the free tier, so I have no other option than to plead here and hope support will see and help. Would be nice to have a revoke / reinstall feature, or a direct link to request this, as it is stated in the documentation that support may need to intervene: https://docs.netlify.com/domains-https/troubleshooting-tips/#dns-configuration

Can ya help me? @support_staff

Website in question: http://www.storeno8.com/

Hi, @devgru. There is a CAA DNS record for this domain limiting who can create SSL certificates for it:

storeno8.com.		7200	IN	CAA	0 issue "globalsign.com"

You will need to modify the CAA record to also allow Let’s Encrypt to create SSL certificates if you want us to create the automatic Let’s Encrypt SSL certificates for this site.

Please keep in mind that there is a 2 hour (7200 second) TTL on that CAA record so it might take that long for the previous record to expire if you change it.

Once the CAA record is updated, the button to renew or provision the SSL certificate should work. If it doesn’t work, or if there are other questions, please let us know.

[Edit] @devgru, I also noticed that you created a DNS zone for this domain at Netlify but are not using it. That will also need to be fixed before SSL provisioning will work. There is more about this second issue here:
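To see why the CAA record above blocks automatic provisioning, here is an added example (not code from the thread or from Netlify) that evaluates CAA authorization the way a CA does: find the closest CAA RRset walking up from the requested name, then check whether the CA's domain appears in the applicable `issue`/`issuewild` values. The zone data is constructed from the record in the reply; `AFTER` is a hypothetical fixed zone with a second `issue` record for Let's Encrypt.

```python
from typing import Dict, List, Tuple

# A CAA record as (flags, tag, value); a zone maps owner names to their CAA RRsets.
CAARecord = Tuple[int, str, str]
Zone = Dict[str, List[CAARecord]]

# Constructed zones (hypothetical data modelled on the reply above): the record
# as posted, and the same zone after a second issue record admits Let's Encrypt.
BEFORE: Zone = {"storeno8.com.": [(0, "issue", "globalsign.com")]}
AFTER: Zone = {"storeno8.com.": [(0, "issue", "globalsign.com"),
                                 (0, "issue", "letsencrypt.org")]}

def relevant_caa(fqdn: str, zone: Zone) -> Tuple[str, List[CAARecord]]:
    """Walk from fqdn toward the root and return the closest CAA RRset (RFC 8659 s3).
    A record on storeno8.com therefore governs www.storeno8.com as well."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:]) + "."
        if name in zone:
            return name, zone[name]
    return "", []

def ca_may_issue(fqdn: str, ca_domain: str, zone: Zone, wildcard: bool = False) -> bool:
    """Return True if ca_domain is permitted to issue a certificate for fqdn.
    Rules: no relevant CAA -> any CA may issue; issuewild overrides issue for
    wildcard names; a critical (flag bit 128) tag we do not understand forbids
    issuance; the value is the CA domain, optionally followed by ';parameters'."""
    _, rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True
    known = {"issue", "issuewild", "iodef"}
    if any(flags & 128 and tag.lower() not in known for flags, tag, _ in rrset):
        return False
    issue = [v for _, tag, v in rrset if tag.lower() == "issue"]
    issuewild = [v for _, tag, v in rrset if tag.lower() == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only unrelated tags present: issuance is not restricted
    # An empty issuer domain (value ";") authorises no CA at all.
    allowed = {v.split(";", 1)[0].strip().lower() for v in applicable}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    for label, zone in (("before", BEFORE), ("after", AFTER)):
        print(label, ca_may_issue("www.storeno8.com", "letsencrypt.org", zone))
```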