Still serving old SSL Certificates

Hi,

We recently (last week) moved from custom managed SSL certificates over to the automatic SSL certs provided by Netlify. This went largely without hitch and the Netlify UI indicates that it is indeed using those certificates.

Unfortunately it appears that Netlify was still serving the old certificates, albeit intermittently. This caused a production outage due to the old certificates expiring and required us to deploy the website in a separate location to avoid more downtime for our customers.

The first thing we did was attempt to move back to another SSL certificate provider, ZeroSSL, as we had reached the limit for the LetsEncrypt certs. This also failed and the nodes were still serving the old expired SSL certificates.

Our application url: https://fr-homepage-v2.netlify.app/
It’s important to note that the certificate was being served correctly from the URL above. However, it was not serving the correct certificate from our custom domain: https://www.ovoenergy.fr

I have the request ID headers; these are roughly in order.
A successful response with the new certificate:
x-nf-request-id : 8c021202-2879-418f-b873-dc223e0a4390

Followed by requests serving the old certificates:
x-nf-request-id : 1875f18a-a5fe-4805-88e8-b2cabb92f567

x-nf-request-id : 2ccd3d7b-cc47-4056-b5f6-545975fef987

x-nf-request-id : d796f2e0-673a-402a-b2cb-cab65248fe3c

We’d like to validate that this is fixed before we move the DNS back to our main domain.

@techinternationalovo Welcome to the Netlify community.

You have an unusual DNS setup. The A record is pointed at Netlify’s old load balancer IP, and the record for your www subdomain is pointed elsewhere.

|======================= dig CNAME(s) for =======================
| ---------------------- www.ovoenergy.fr ----------------------
d1vr915ic8kg5l.cloudfront.net.
|================================================================

The first issue shouldn’t be causing issues, but the second one could mean that your www subdomain is not being directed to Netlify, which is what I’m seeing.

|====================== get x-nf-request-id =====================
| -------------------- blank if not Netlify ---------------------
| ------------------------ ovoenergy.fr ------------------------
| ---------------------------- http -----------------------------
| ---------------------------- https ----------------------------
< x-nf-request-id: d83c167d-464e-420a-bee8-ca276633bedc-58014566
| ---------------------- www.ovoenergy.fr ----------------------
| ---------------------------- http -----------------------------
| ---------------------------- https ----------------------------
|================================================================
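The checks the two posts above describe (which certificate the edge nodes actually serve, whether it is the same one the .netlify.app hostname serves, what the DNS record points to, and whether the x-nf-request-id header is present) can be scripted so the result is repeatable before DNS is moved back. The script below is an added example, not code from the thread or from Netlify. It assumes openssl, dig and curl are installed; the hostnames and the ".netlify.app." suffix used in the run section are sample arguments, and the fingerprint-counting helpers are kept network-free so their logic can be exercised on constructed input.

```shell
#!/bin/sh
# Added example (not from the thread or from Netlify). Assumes openssl, dig
# and curl are on PATH. Hostnames below are sample arguments only.

# Fingerprint of the leaf certificate a host serves right now. SNI is sent so
# the edge picks the certificate for that hostname, not a default one.
# Output: one line such as "SHA256 Fingerprint=AB:CD:..."
served_fingerprint() {
    host="$1"
    openssl s_client -servername "$host" -connect "$host:443" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# Probe a host N times: separate connections can land on different edge
# nodes, which is how an intermittently stale certificate shows up.
sample_fingerprints() {
    host="$1"; n="${2:-10}"
    i=0
    while [ "$i" -lt "$n" ]; do
        served_fingerprint "$host"
        i=$((i + 1))
    done
}

# DNS view: CNAME and A targets for a name, one per line.
dns_targets() {
    dig +short CNAME "$1"
    dig +short A "$1"
}

# Netlify's request-id header; blank when the response did not come from Netlify.
nf_request_id() {
    curl -sI "https://$1/" | tr -d '\r' |
        awk 'tolower($1) == "x-nf-request-id:" { print $2 }'
}

# --- pure helpers (no network), so the decision logic is testable offline ---

# Number of distinct fingerprints in the list on stdin. More than 1 means the
# edge fleet is not serving one consistent certificate.
count_distinct() {
    sort -u | grep -c . || true
}

# Number of samples on stdin that do NOT equal the expected fingerprint ($1):
# these are the stale-certificate responses.
stale_count() {
    grep -v -c -F -x "$1" || true
}

# Returns 0 when every non-empty DNS target on stdin ends with suffix $1
# (e.g. ".netlify.app."), 1 if any target points somewhere else.
all_targets_match() {
    suffix="$1"; rc=0
    while IFS= read -r t; do
        case "$t" in
            "") ;;
            *"$suffix") ;;
            *) rc=1 ;;
        esac
    done
    return "$rc"
}

# Usage: sh check_cert.sh --run www.example.com
if [ "${1:-}" = "--run" ]; then
    host="${2:-www.ovoenergy.fr}"                      # sample argument
    expected="$(served_fingerprint fr-homepage-v2.netlify.app)"
    printf 'DNS targets for %s:\n' "$host"; dns_targets "$host"
    if dns_targets "$host" | all_targets_match ".netlify.app."; then
        echo "DNS: all targets point at Netlify"
    else
        echo "DNS: at least one target points elsewhere"
    fi
    printf 'x-nf-request-id: %s\n' "$(nf_request_id "$host")"
    samples="$(sample_fingerprints "$host" 20)"
    printf 'distinct certificates seen: %s\n' "$(printf '%s\n' "$samples" | count_distinct)"
    printf 'samples not matching the netlify.app certificate: %s\n' \
        "$(printf '%s\n' "$samples" | stale_count "$expected")"
fi
```

A healthy result is one distinct certificate across all samples, zero stale samples, DNS targets that all end in the expected suffix, and a non-empty x-nf-request-id; any stale sample is worth keeping (together with its request id) because that is exactly the evidence the first post had to collect by hand.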

Thanks for your message Gregravan.
It is indeed not pointed at https://fr-homepage-v2.netlify.app/

This is because we’ve had to move it over to an S3 bucket/CloudFront distribution in order to avoid the downtime for our customers. We would like to move it back to https://fr-homepage-v2.netlify.app/ as soon as we hear that the Netlify nodes will indeed serve the correct SSL certificate.

To reiterate: it was originally pointed at the Netlify servers, but because of the SSL issue, we’ve had to move it.

Hey,

Just wanted to feed back that our traffic team were able to identify a bug in a newly-released code set pertaining to SSL certificate renewal on our regular CDN. This has since been fixed and our nodes will purge outdated certificates a-ok again. Thank you for bringing this to our attention!
