[Support Guide] SSL / TLS Certificate Provisioning

Hi Luke,

Thanks for this post. In my case, for speedlab.ag, both requirements are met as the SSL is expired, but when I click “Provision certificate” on Netlify, the window closes and it goes back to “Use Let’s Encrypt certificate” no matter how many times I try.

The SSL was previously running fine through Netlify and expired 11 days ago. There were no DNS or domain changes. Could you help me in fixing this?

Thank you

Hi there!

This shows the problem:

% host speedlab.ag
speedlab.ag has address 75.2.60.5
speedlab.ag has IPv6 address 2a01:488:42:1000:b01c:24a1:ffc3:882a

We do not have an IPv6 load balancer, so that AAAA record (speedlab.ag has IPv6 address 2a01:488:42:1000:b01c:24a1:ffc3:882a) is incorrect: it points to another service and will prevent us from getting a certificate.

Once you remove it, the button should work :slight_smile:
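The reply above diagnoses the failure from `host` output: the provider validates the domain over the addresses published in DNS, so an AAAA record for a host that has no IPv6 load balancer sends the validator to a different service. The following is an added example, not Netlify’s tooling or anything from the original thread: it parses `host`-style output (the sample is the output quoted above) and lists records that would misdirect validation. The expected IPv4 set and the `provider_has_ipv6` flag are assumptions supplied by the caller.

```python
import ipaddress
import re

# Constructed sample: the `host speedlab.ag` output quoted in the thread above.
HOST_OUTPUT = """\
speedlab.ag has address 75.2.60.5
speedlab.ag has IPv6 address 2a01:488:42:1000:b01c:24a1:ffc3:882a
"""

_A_RE = re.compile(r"^(?P<name>\S+) has address (?P<addr>\S+)$")
_AAAA_RE = re.compile(r"^(?P<name>\S+) has IPv6 address (?P<addr>\S+)$")


def parse_host_output(text):
    """Return (a_records, aaaa_records) parsed from `host` output.

    Addresses are round-tripped through the ipaddress module so a typo in a
    record is rejected instead of being compared as a string.
    """
    a_records, aaaa_records = [], []
    for line in text.splitlines():
        line = line.strip()
        if m := _A_RE.match(line):
            a_records.append(str(ipaddress.IPv4Address(m["addr"])))
        elif m := _AAAA_RE.match(line):
            aaaa_records.append(str(ipaddress.IPv6Address(m["addr"])))
    return a_records, aaaa_records


def find_provisioning_blockers(text, expected_v4, provider_has_ipv6=False):
    """List DNS records that would send a domain-validation request elsewhere.

    expected_v4: the provider's load-balancer IPv4 addresses (assumption: the
    caller knows these; 75.2.60.5 is the one shown in the thread).
    provider_has_ipv6: False models a provider with no IPv6 load balancer, in
    which case any AAAA record belongs to some other service.
    """
    a_records, aaaa_records = parse_host_output(text)
    problems = []
    if not a_records:
        problems.append("no A record: nothing points at the provider")
    for addr in a_records:
        if addr not in expected_v4:
            problems.append(f"A record {addr} is not a provider load-balancer address")
    if aaaa_records and not provider_has_ipv6:
        for addr in aaaa_records:
            problems.append(
                f"AAAA record {addr} points at another host; "
                "remove it before provisioning"
            )
    return problems


if __name__ == "__main__":
    for problem in find_provisioning_blockers(HOST_OUTPUT, {"75.2.60.5"}):
        print(problem)
```

Run it against `host yourdomain.example` output; an empty result means the A records match the provider and no stray AAAA record is present.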

Hi there!

Having trouble getting two domains set up:

  1. app.instamortgage.com → im-pos-prod.netlify.app
  2. admin.instamortgage.com → im-los-prod.netlify.app

The sites are routing correctly via HTTP, so it appears the DNS is set up correctly, but I’m just getting vague errors when I try to provision the SSL cert. Please let me know what to try.

Assuming your DNS is set up correctly, the provisioning sometimes takes a ‘while’ after you set up the custom domain. I would recommend looking now and seeing if it has ‘automagically’ fixed itself. The process is not instantaneous, and the UI could use a little polish to reflect that.

@kael

The first site was already resolved by the time I checked, the second I just kicked a provisioning from my end and that worked.

Yes, it looks like it’s all set now. In past experiences setting this up, it seemed to be pretty instant, but for some reason these sites took several days. Additionally, the UI showed unspecified errors with the certs, so it was confusing. Anyway, all set now.


Awesome thanks so much for confirming.

Hi, I followed Steps 1 to 3 from the SSL certificate troubleshooting guide to get SSL working for steirerspargel.at.

I have found no errors in the DNS configuration, yet the provisioning of the certificate won’t go through. I serve a few domains via Netlify and this is the first one where SSL won’t work.

Any help is highly appreciated :pray:

Edit: as @SamO noted below, the issue has resolved itself with time. Thanks!

Hi, I just checked the site name you shared and the cert has already been issued and is working; this could have been held up by a propagation issue. If you are still experiencing this problem, please let me know.


Hello @fool, I have web applications in my account and I pointed one at a subdomain, admin.togumeso.com, and SSL works, but the other application, which points at the main domain togumeso.com, is still not able to use SSL. Can you help out? @SamO

Hi, @kobbycoder. I’m showing SSL is working for both domains now. My best guess is that the time-to-live values were the cause of the delay.

Hi, first, I am not sure if I should create a separate thread or if asking here is fine :sweat_smile: I’ll try here first.

We transferred a domain (“linattendu04.fr”) to OVH on August 3 and changed the default NS to Netlify’s NS, but we were unable to renew a certificate due to DNSSEC, so we turned off DNSSEC in the OVH panel. Now it is August 10 and we still can’t renew the cert :confused:

I tried to create a cert on my own with certbot using a DNS challenge as a quick fix until propagation ends, but Let’s Encrypt complains about the TXT record missing:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: linattendu04.fr
  Type:   dns
  Detail: DNS problem: looking up TXT for _acme-challenge.linattendu04.fr: DNSSEC: DNSKEY Missing

  Domain: www.linattendu04.fr
  Type:   dns
  Detail: DNS problem: looking up TXT for _acme-challenge.www.linattendu04.fr: DNSSEC: DNSKEY Missing

Even a few hours later, Let’s Encrypt doesn’t find any TXT record (I believe it should say value mismatch instead of not found).

Other hints:

  • my web browser is unable to get any IP from DNS over HTTPS for this domain
  • dig (DNS lookup) reports no records either
  • a plain dig linattendu04.fr reports the correct IP, while when I ask 1.1.1.1 it answers no records:
; <<>> DiG 9.10.6 <<>> linattendu04.fr @1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 38089
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 20 66 6f 75 6e 64 20 66 6f 72 20 6c 69 6e 61 74 74 65 6e 64 75 30 34 2e 66 72 2e ("..no SEP matching the DS found for linattendu04.fr.")
;; QUESTION SECTION:
;linattendu04.fr.		IN	A

;; Query time: 36 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Thu Aug 10 10:29:21 CEST 2023
;; MSG SIZE  rcvd: 99

I’m out of ideas for now; I hope someone will be able to help me :sweat_smile:

Hi @flapili, we are unable to provision a certificate due to DNSSEC. I can see multiple errors related to DNSSEC for your domain here:
https://dnsviz.net/d/linattendu04.fr/dnssec/

You’ll need to contact OVH to clear up what’s happening on their end.
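The dig output quoted in the question already names the fault: the `OPT=15` pseudosection is an EDNS Extended DNS Error (RFC 8914) whose first two bytes are the error code and whose remaining bytes are free text. Code 9 is “DNSKEY Missing”, the same wording certbot reported, and the text “no SEP matching the DS found” means the parent zone (.fr) still publishes a DS record that no DNSKEY in the zone now served by the new name servers matches, which is why validating resolvers such as 1.1.1.1 return SERVFAIL. The following is an added example, not the poster’s code or Netlify’s tooling: it decodes that option from the dig line as quoted above (the sample line is taken from the thread) and maps the code to the RFC 8914 name. The `hint` text is this example’s own summary of what each code implies for a DNSSEC rollover.

```python
import re

# RFC 8914 "Extended DNS Error" INFO-CODEs (IANA registry, codes 0-24).
EDE_CODES = {
    0: "Other", 1: "Unsupported DNSKEY Algorithm", 2: "Unsupported DS Digest Type",
    3: "Stale Answer", 4: "Forged Answer", 5: "DNSSEC Indeterminate",
    6: "DNSSEC Bogus", 7: "Signature Expired", 8: "Signature Not Yet Valid",
    9: "DNSKEY Missing", 10: "RRSIGs Missing", 11: "No Zone Key Bit Set",
    12: "NSEC Missing", 13: "Cached Error", 14: "Not Ready", 15: "Blocked",
    16: "Censored", 17: "Filtered", 18: "Prohibited", 19: "Stale NXDOMAIN Answer",
    20: "Not Authoritative", 21: "Not Supported", 22: "No Reachable Authority",
    23: "Network Error", 24: "Invalid Data",
}

# Operator-facing hints for the codes a DNS provider change typically produces
# (this mapping is the example's own, not from RFC 8914).
ROLLOVER_HINTS = {
    9: "parent DS does not match any DNSKEY in the child zone: remove or update the DS at the registrar",
    10: "zone is unsigned but the parent still has a DS: remove the DS, or sign the zone",
    7: "RRSIGs have expired: the signer stopped re-signing the zone",
    6: "signatures do not validate: the published DNSKEY set and RRSIGs disagree",
}

# Constructed sample: the "OPT=15" line from the dig output quoted in the thread.
DIG_EDE_LINE = (
    "; OPT=15: 00 09 6e 6f 20 53 45 50 20 6d 61 74 63 68 69 6e 67 20 74 68 65 20 44 53 "
    "20 66 6f 75 6e 64 20 66 6f 72 20 6c 69 6e 61 74 74 65 6e 64 75 30 34 2e 66 72 2e "
    '("..no SEP matching the DS found for linattendu04.fr.")'
)

_OPT15_RE = re.compile(r"OPT=15:\s*((?:[0-9a-fA-F]{2}\s*)+)")


def decode_ede(payload):
    """Decode an EDE option body: 2-byte big-endian INFO-CODE, then UTF-8 EXTRA-TEXT."""
    if len(payload) < 2:
        raise ValueError("EDE option needs at least a 2-byte INFO-CODE")
    code = int.from_bytes(payload[:2], "big")
    extra_text = payload[2:].decode("utf-8", errors="replace")
    return code, EDE_CODES.get(code, f"unassigned ({code})"), extra_text


def decode_dig_ede_line(line):
    """Pull the hex dump out of dig's '; OPT=15: ...' line and decode it."""
    m = _OPT15_RE.search(line)
    if not m:
        raise ValueError("line does not carry an OPT=15 (EDE) option")
    # bytes.fromhex() ignores the spaces dig prints between octets.
    return decode_ede(bytes.fromhex(m.group(1)))


def explain(line):
    """Return a one-line diagnosis for a dig EDE line."""
    code, name, text = decode_dig_ede_line(line)
    hint = ROLLOVER_HINTS.get(code, "see RFC 8914 for this code")
    return f"EDE {code} ({name}): {text.strip()} -> {hint}"


if __name__ == "__main__":
    print(explain(DIG_EDE_LINE))
```

Newer dig versions print the decoded name themselves (`EDE: 9 (DNSKEY Missing)`), but the 9.10 build in the thread only dumps the raw option, which is where decoding it by hand becomes useful. Whatever the provider panel says about DNSSEC being “off”, the DS record at the parent is what the validating resolver trusts, so that is the record to check (for example via the dnsviz link in the reply) after moving name servers.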

Hello, I have a problem with the certificate which is kind of strange. I recently switched to a different mobile network provider; they upgraded my internet speed and automatically gave me some kind of internet protection for free (trial). Anyway, I opened one of my projects on my phone and it showed a warning about the SSL certificate (screenshot below and also the log from the Firefox browser).

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: true
HTTP Public Key Pinning: false

Certificate chain:

(two PEM certificate blocks, not reproduced here)

I immediately stopped the internet protection, but it is still not working. I cannot access my website only when using the mobile connection; if I switch to Wi-Fi it opens without any issues. I’ve tried to renew the certificate from Netlify - Domain management - HTTPS - SSL/TLS certificate - Renew certificate, but it is still not working. Can someone help, please?

Your website appears to work fine. This sounds like a local issue to me.