Intermittent SSL Protocol Error

On a recently launched Netlify website, we are seeing intermittent ERR_SSL_PROTOCOL_ERROR in Chrome.

Intermittent here means it comes and goes within 10 minutes on a single machine+browser, but can come back as a problem a day or two later; about 1 in 3 accesses is problematic. We’ve observed the issue across multiple machines, across Europe.

Our setup is:

  • DNS hosted by DNSimple, DNS for website changed to point to Netlify domain within last week
  • Multi-domain Let's Encrypt certificate with root domain and www subdomain
  • www subdomain redirected to root domain

Example problem request:
x-nf-request-id: 5d518df9-3ee3-4c4b-b06b-b9805705a108-20294118

HAR file available on request.

Any ideas as to what the problem might be?

There appear to be reports of similar issues on the forum, but no suggestions for resolution, other than wait and it went away.

Hi there, are you OK with sharing the domain (or API ID)?

The API ID for the website is:
API ID: 34b26ace-7052-4b44-b914-782dad3cd7ce

Thanks.

Hey @szemere,
Thanks for writing in. There are a few DNS issues that are likely causing this. When I run host, this is what I see:

$ host semeris.com
semeris.com has address 104.248.78.24 <--- one of our CDN nodes
semeris.com has address 138.68.244.143 <--- one of our CDN nodes
semeris.com has address 3.13.31.214 <--- AWS
...

For the www, I see (this one looks alright :white_check_mark:):

$ host www.semeris.com
www.semeris.com is an alias for clever-mahavira-a8465b.netlify.app. <--- us
clever-mahavira-a8465b.netlify.app has address 104.248.78.24 <--- one of our CDN nodes
clever-mahavira-a8465b.netlify.app has address 104.248.78.23 <--- one of our CDN nodes

For semeris.com, I’d recommend:

  1. Remove the record pointing semeris.com to AWS
  2. Create an A record pointing semeris.com to our load balancer, 104.198.14.52

So that’s part 1 :slight_smile: The second part of this is that, if you’re not using Netlify DNS, we recommend making the www address your primary address, with the bare domain redirecting to that. This is something you’ll do in the Netlify UI. Here’s a long article about why, but the gist is that it results in better performance for your site visitors (especially if you’re based in Europe, far from our load balancer in SF):

Let us know if this helps or we can answer any follow-up questions!

Thank you for the pointers. The article isn’t long :stuck_out_tongue: . We’re working through the suggestions to find out what the issue is. I think we are nearly there…

We have fixed the issue. Here’s the post mortem.

DNSimple, our domain and DNS host, has a special DNS record called URL that does HTTP redirects. The URL record (not an RFC standard) converts to A and AAAA records.

We had an ALIAS record for semeris.com, which converts to 2 A records on the fly, plus a URL record, which converts to a single A record on the fly. The A records from the ALIAS point to Netlify, whilst the A record from the URL points to a DNSimple AWS server which does the redirect. Each A record points to an IP address.

Each time someone made an HTTP(S) request to semeris.com, they would receive at random an IP address related to one of the generated A records. Thus, two out of three times, they would get a Netlify server (all okay) and one out of three times, a DNSimple server (problem). Hence, the intermittent issue.

We removed the URL record and, after waiting 1-2 hours for that change to fully propagate, it all seemed to work properly. In a couple of days, we will look at the other suggestions made.

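Added example (not code from the thread, nor from Netlify or DNSimple): a Python check that resolves every A record for the domain and performs a TLS handshake with each address on its own, which is how the mixed ALIAS/URL answer set described in the post mortem shows up as one failing address out of three instead of an intermittent browser error. The allow-list in EXPECTED_CDN is taken from the addresses quoted in the support reply; the resolver and probe are injectable so the logic can be exercised offline with constructed answers.

```python
import socket
import ssl
import sys
from typing import Callable, Dict, List, Optional

# Allow-list of addresses the support reply identifies as Netlify's
# (CDN nodes and the load balancer); anything else is a stray record.
EXPECTED_CDN = {"104.248.78.24", "104.248.78.23", "138.68.244.143", "104.198.14.52"}

def resolve_a_records(hostname: str) -> List[str]:
    """Return every IPv4 address the resolver hands out, not just the first one."""
    infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def tls_probe(ip: str, hostname: str, timeout: float = 5.0) -> Optional[str]:
    """Handshake with one address, sending SNI=hostname; None on success, else the error."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser would
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return None
    except (ssl.SSLError, OSError) as exc:
        return str(exc)

def audit(hostname: str,
          expected=EXPECTED_CDN,
          resolve: Callable[[str], List[str]] = resolve_a_records,
          probe: Callable[[str, str], Optional[str]] = tls_probe) -> Dict[str, dict]:
    """Probe each A record separately, so a bad record cannot hide behind round-robin."""
    return {ip: {"expected": ip in expected, "tls_error": probe(ip, hostname)}
            for ip in resolve(hostname)}

def failure_rate(report: Dict[str, dict]) -> float:
    """Share of resolutions that land on a failing address under random round-robin."""
    if not report:
        return 0.0
    return sum(1 for r in report.values() if r["tls_error"]) / len(report)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "semeris.com"
    rep = audit(target)
    for ip, r in rep.items():
        tag = "" if r["expected"] else "  <-- not a known CDN address"
        print(f"{ip:16} {r['tls_error'] or 'OK'}{tag}")
    print(f"expected failure rate under round-robin: {failure_rate(rep):.0%}")
```

Run it against the live domain to see each address judged individually; a single stray record with a failing handshake is the signature of the ALIAS-plus-URL setup in the post mortem.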