[Support Guide] SSL / TLS Certificate Provisioning

Can we issue more than one cert per site? I’ve seen Let’s Encrypt has a 100-domain-per-cert limit, so if I have more than 100 alternate domain names can I issue a second cert?

We offer whitelabel domains for our agency users, so we have 133 subdomains at the moment, but that’s increasing.

Nope! Max one certificate per site on our service. The reason you might have less than one per site is if you follow my advice below.

You can of course create multiple sites with the same codebase! Then you can put a bunch of names on the same codebase. The best workflow for “many subdomains” is of course to use a wildcard certificate to cover them all. If you don’t do this, all certificate operations (e.g. adding a name) will be QUITE slow since Let’s Encrypt essentially processes them one at a time and each one takes a few seconds, so you might consider fewer hostnames per site (<=20 is a good benchmark, since that is also a Let’s Encrypt rate limit and since we ask for name1, then name1+name2, then name1+name2+name3+… as you add the names in our UI). LE has a limit of 20 requests per week for any name, so you can see that we’ll hit that weekly limit at 20 names.

I have a site currently being hosted with Cloudflare pointing at Cloudfront/S3 and I want to switch over to Netlify. I’ve switched my staging environment, but noticed that there is a delay between switching the DNS record on Cloudflare to point to Netlify and disabling the proxying, and when a certificate is able to be generated with Let’s Encrypt automatically. Is there a best-practice way to do this switch to minimize downtime and user-facing issues?

Hi @scotttrinh! Welcome to the Netlify community.

The only way I know of to minimize downtime is covered in this post: [Support Guide] Minimal downtime for a live site DNS migration

Does that help?

1 Like

Hi!

I provided a custom domain for my Netlify account and I also provided an SSL certificate. But when I try to visit my website by the custom link I provided, in some browsers it is showing the page is not secure. I would really appreciate it if somebody can guide me on what the problem is. This is my domain ‘itshaisam.com’, and this is the Netlify link ‘keen-panini-6e3ea7.netlify.app’. When I type the full path like https://itshaisam.com then it’s fine, but in some browsers when I simply type itshaisam.com, when the page is loaded it says the page is not secure.
Thanks…

Hi, @itshaisam, and welcome to the Netlify community site. :+1:

In order to troubleshoot, we need to track down what is happening when your browser makes that request. We need more information about the request in order to do that.

The simplest way to do this is to send us the x-nf-request-id header which we send with every HTTP response.

There is more information about this header here:

If that header isn’t available for any reason, please send the information it replaces (or as many of these details as possible). Those details are:

  • the complete URL requested
  • the IP address for the system making the request
  • the IP address for the CDN node that responded
  • the day of the request
  • the time of the request
  • the timezone the time is in

Now, if SSL negotiation is failing, then it is almost certain you won’t receive any headers, so the details above are the remaining option.

We look forward to researching this in more detail, and please feel free to add additional questions anytime.

Hello,
I have been trying to renew a certificate for the last two weeks, the actual one is still valid, but the reason for me to request a renewal is that it expires the day before an event that will have massive traffic on the site and I would like to reduce the risk and have that certificate with a further expiration date. Is there a way to debug the update process and see why it’s not working?

Could we know the site in question?

Sure, the netlify project’s name is boss-site. The domain that we’re trying to renew certificates to is https://buttercup.boss.splunk.com

Hi there, just to be sure, you tried the “renew certificate” button in the Netlify UI, right? If not, please do, and if you did, let us know what happened?

Hi, yes I have tried that multiple times over the last two weeks. It just opens the modal and after clicking on “renew certificate” disappears, the date remains the same though.

Hi, @mrcportillo. You cannot renew the certificate because our service will only do so if at least one of the two requirements below is met:

  • The list of domain names the SSL certificate covers does not include all domain names listed on the site.
  • If the SSL certificate will expire in 30 days or less.

The first requirement is obvious. If you change the domain names configured for a site, the SSL certificate needs to be updated to include the new names.

The second requirement is a Let’s Encrypt recommended best practice. The SSL certificates they issue always expire in 90 days and they recommend renewing them 30 days before they expire.

Looking at this site’s SSL certificate neither requirement is met. The certificate covers all the domain names on the site and it isn’t less than 30 days before it expires.

The SSL certificate will expire on June 12th. This means that the renewal will process on May 13th (which may be the 14th for you depending on your timezone). That renewal will be automatic and you won’t need to click anything.

Also, if the renewal fails, we will email you to let you know. Because we renew 30 days before it expires, we will then still have 30 days to troubleshoot.

If there are other questions about this, please let us know.

1 Like
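The two renewal triggers in the reply above, together with the wildcard-name matching the earlier “many subdomains” reply recommends, modelled as an added example (not Netlify’s own code). The certificate names, site names and dates are constructed; the year is a placeholder, since the thread gives only “June 12th”.

```python
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=30)  # Let's Encrypt's recommended renewal lead time

def san_covers(san: str, hostname: str) -> bool:
    """True if certificate name `san` matches `hostname`: exact, or a
    one-label wildcard (*.example.com covers a.example.com, not b.a.example.com)."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        label, _, rest = hostname.partition(".")
        return bool(label) and rest == san[2:]
    return san == hostname

def uncovered_names(cert_names, site_names) -> list:
    """Site domains that no name on the current certificate covers."""
    return sorted(h for h in site_names if not any(san_covers(s, h) for s in cert_names))

def renewal_reason(cert_names, site_names, not_after: datetime, now: datetime):
    """Why a renewal would be attempted now, or None if neither trigger holds."""
    missing = uncovered_names(cert_names, site_names)
    if missing:
        return "certificate does not cover: " + ", ".join(missing)
    remaining = not_after - now
    if remaining < timedelta(0):
        return f"certificate expired {-remaining.days} days ago"
    if remaining <= RENEW_WINDOW:
        return f"certificate expires in {remaining.days} days"
    return None

def automatic_renewal_date(not_after: datetime) -> datetime:
    """First day the automatic renewal runs: 30 days before expiry."""
    return not_after - RENEW_WINDOW

# Constructed scenario: a wildcard certificate expiring June 12 of a placeholder year.
UTC = timezone.utc
CERT = ["example.com", "*.example.com"]
SITE = ["example.com", "www.example.com", "app.example.com"]
EXPIRES = datetime(2021, 6, 12, tzinfo=UTC)

if __name__ == "__main__":
    print(renewal_reason(CERT, SITE, EXPIRES, datetime(2021, 4, 1, tzinfo=UTC)))  # None
    print(automatic_renewal_date(EXPIRES).date())  # 2021-05-13
```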

Hello,

Trying to activate SSL/HTTPS on a Netlify-hosted website, but the process seems to be stuck; nothing happens.
Already waited for more than 48h, and still nothing.

I don’t have any “renew certificate” button since I am not using Netlify’s DNS.
I prefer not using them since my customer is also using e-mails with his domain.

I have the feeling that if I stop the process and restart it, it’s going to work.
Can anybody help me?
I can give you the URL of the website in private message, it is the latest website I hosted on my account.

Thanks a lot for your help!

Hey @SimonWMX

What is the domain you are having issues with?

Hi @coelmay
Just checked, and now the SSL is working!
Don’t know if you did something? Or if it was my attempts from this morning (deleted the DNS zone and created it again).

Anyway, it works now :slight_smile:
Thanks !

Hey folks :slight_smile:

I’m having trouble with the “doist-typist.netlify.app” site, the Let’s Encrypt certificate is taking forever to be generated. Clicking “Retry DNS verification” returns “DNS verification was successful”, so I’m assuming everything is set up correctly.

Is there anything I can do (or that you can do) to speed things up?

Kind regards,

Ricardo (Frontend Engineer @ Doist)

Your DNS settings seem to have blocked Let’s Encrypt:

dig CAA +short doist.dev
0 iodef "mailto:artyom@doist.com"
0 issue "amazon.com"

Either remove those or add Let’s Encrypt to the list.

1 Like
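A check for the CAA situation in the reply above, as an added example (not Netlify’s or Let’s Encrypt’s code): it parses `dig CAA +short` output and applies the RFC 8659 rules a CA must follow, so you can see offline whether letsencrypt.org (Let’s Encrypt’s published CAA issuer domain) is permitted. The record lines are constructed in the shape quoted in the thread, with a placeholder mailbox.

```python
import re
from dataclasses import dataclass

# Matches one line of `dig CAA +short` output, e.g.: 0 issue "amazon.com"
CAA_LINE = re.compile(r'^(\d+)\s+(\w+)\s+"([^"]*)"$')

@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

def parse_caa(dig_output: str) -> list:
    """Parse `dig CAA +short` lines into records."""
    records = []
    for line in dig_output.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised CAA line: {line!r}")
        records.append(CAARecord(int(m[1]), m[2].lower(), m[3]))
    return records

def issuer_of(value: str) -> str:
    """Issuer domain of an issue/issuewild value, ignoring ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()

def caa_permits(records: list, issuer: str, wildcard: bool = False) -> bool:
    """RFC 8659 decision: may `issuer` issue for a name with this CAA RRset?
    No issue/issuewild records: anyone may issue. Wildcard names use issuewild
    when present, else issue. A bare ';' value names no issuer, so nobody may."""
    issue = [r for r in records if r.tag == "issue"]
    issuewild = [r for r in records if r.tag == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True
    return any(issuer_of(r.value) == issuer.lower() for r in relevant)

def lets_encrypt_allowed(dig_output: str, wildcard: bool = False) -> bool:
    """Let's Encrypt's published CAA issuer domain is letsencrypt.org."""
    return caa_permits(parse_caa(dig_output), "letsencrypt.org", wildcard)

# Constructed records in the shape quoted above: Amazon is the only listed issuer.
BLOCKING = '0 iodef "mailto:hostmaster@example.com"\n0 issue "amazon.com"\n'
# The fix the reply suggests: add Let's Encrypt alongside the existing issuer.
FIXED = BLOCKING + '0 issue "letsencrypt.org"\n'

if __name__ == "__main__":
    print("blocking zone:", lets_encrypt_allowed(BLOCKING))  # False
    print("fixed zone:", lets_encrypt_allowed(FIXED))        # True
```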

Thank you, I’ll look into that.

Hi Luke,

Thanks for this post. In my case for speedlab.ag, both requirements are met as the SSL is expired, but when I click provision certificate on netlify, the window closes and it goes back to “Use let’s encrypt certificate” no matter how many times I try.

The SSL was previously running fine through Netlify and expired 11 days ago. There were no DNS or domain changes. Could you help me in fixing this?

Thank you