Auto-renewal of Let’s Encrypt cert stopped working, and provisioning isn’t working either

To my surprise, the Let’s Encrypt SSL certificate for my domain, attaboy.ca, stopped working sometime in the past week or two, so my site is no longer easily accessible — the SSL certificate now reads *.netlify.com, so Chrome, for example, reports NET::ERR_CERT_COMMON_NAME_INVALID. I was under the impression that the SSL cert for my domain would auto-renew, but evidently it didn’t. I also didn’t receive any notifications from Netlify.

I visited the Netlify dashboard this morning, and tried to provision a new one, but that doesn’t seem to be working either, or else it’s taking longer than expected. I did it a few hours ago, but it still says “Currently provisioning your Let’s Encrypt certificate”.

I’m not sure how to proceed at this point. Can anyone help?

Hey @attaboy,
It looks like you used to have a custom certificate, which expired on 2020-04-12. You tried to migrate to a Let’s Encrypt certificate, but we were unable to provision it for you, so it’s been failing. The root cause of that is still unknown; we’re going to ask our DNS partner about it. As a workaround, one of our backend engineers has manually issued the certificate for you, so you should be good to go 👍 Please let us know if we can help with anything else.


Thanks very much! The previous cert was also Let’s Encrypt, but I guess I must’ve copied from a previous host.

Hey there,
Digging into this further, it seems like you have Netlify DNS configured but are also using AWS DNS. Check out your Start of Authority records here:

Was that intended? This configuration will likely cause recurring SSL cert renewal woes; you can certainly continue using AWS as your DNS host, but then you should delete your Netlify DNS zone here:
https://app.netlify.com/teams/attaboy/dns/attaboy.ca#danger-zone

If you intended to migrate away from AWS DNS and let us fully host DNS (not just point your domain name at our servers), you should remove your AWS DNS records. More on those here:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/SOA-NSrecords.html
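A diagnostic for the split-DNS situation described in this reply, added here as an example and not code from Netlify or from anyone in the thread: it parses constructed `dig` answer text (NS and SOA records), works out which provider the live delegation actually points at, and flags any provider where a zone exists but which is not in that delegation. The provider name-server patterns are assumptions (Route 53's awsdns naming, Netlify DNS on nsone.net), as is the sample domain.

```python
import re

# Name-server patterns per provider. The Route 53 pattern follows the
# well-known awsdns-NN naming; the Netlify DNS pattern (*.nsone.net) is an
# assumption made for this example.
PROVIDER_PATTERNS = {
    "Route 53": re.compile(r"\.awsdns-\d+\.(com|net|org|co\.uk)\.?$"),
    "Netlify DNS": re.compile(r"\.nsone\.net\.?$"),
}

def provider_of(ns_name: str) -> str:
    """Map an authoritative name-server hostname to its hosting provider."""
    for provider, pattern in PROVIDER_PATTERNS.items():
        if pattern.search(ns_name.lower()):
            return provider
    return "unknown"

def parse_dig(answer_section: str) -> dict:
    """Pull NS targets and the SOA primary server out of `dig +noall +answer` text."""
    ns, soa_mname = [], None
    for line in answer_section.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        if fields[3] == "NS":
            ns.append(fields[4])
        elif fields[3] == "SOA":
            soa_mname = fields[4]
    return {"ns": ns, "soa_mname": soa_mname}

def diagnose(answer_section: str, zones_configured: set) -> dict:
    """Compare the live delegation with the providers where a zone exists.

    A provider in zones_configured that is absent from the delegation holds
    an orphan zone: records written there (including any ACME validation
    records) are never seen by resolvers, so renewal relying on them fails.
    """
    parsed = parse_dig(answer_section)
    delegated = {provider_of(n) for n in parsed["ns"]}
    soa_provider = provider_of(parsed["soa_mname"]) if parsed["soa_mname"] else None
    return {"delegated_to": delegated, "soa_provider": soa_provider,
            "orphan_zones": zones_configured - delegated}

# Constructed sample resembling `dig +noall +answer NS example.com` plus SOA.
SAMPLE = """
example.com. 172800 IN NS ns-11.awsdns-01.com.
example.com. 172800 IN NS ns-22.awsdns-02.net.
example.com. 900 IN SOA ns-11.awsdns-01.com. hostmaster.example.com. 1 7200 900 1209600 86400
"""
```

Run `diagnose(SAMPLE, {"Route 53", "Netlify DNS"})` to reproduce the thread's case: delegation and SOA both point at Route 53, and the Netlify DNS zone is reported as an orphan.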

Oh thank you so much for noticing that! I think what happened here is that I got excited about switching things over to Netlify and decided I would try Netlify DNS, but never completed the job after waiting for records to switch over.

I’ve removed my Netlify DNS zone as you suggested.
