Site certificate not working

Site name: kiwiplates-uat.netlify.app
Custom domain: preprod.kiwiplates.nz

I’m having issues with my website: when navigating there in Chrome I get the message "This site can’t provide a secure connection". I had this issue on other dev sites, which was fixed by switching from my custom certificate to Let’s Encrypt, but even when doing that on this website, I can see it is still using my custom cert.

So I have 2 questions.
1.) Why did my custom wildcard cert suddenly stop working, after seemingly no changes to the site?
2.) Why, when switching to use Let’s Encrypt, is my website still trying to use my custom cert?

Cheers.

The better the post - the faster the answer.

Hi @asap_fraz - sorry to be slow to get back to you. I don’t have an answer right this second, but I’ll make sure one of our DNS pros takes a look and gets you some info.

Hi, @asap_fraz. This site isn’t serving the custom certificate now and I’m not seeing it in our database currently. In short, I don’t know why it stopped working as I don’t see it at all now. Do you have the certificate being used somewhere else now and, if so, what is the URL to see it in use?

Regarding why the custom cert would be used when switching, if the switch fails then the current certificate continues to be used.

For our own provisioning of Let’s Encrypt’s wildcard certificates, we can only issue wildcard certs with a DNS based verification method. This is only possible when Netlify DNS is used and not with the external DNS instructions.

Note, there is an inactive DNS zone under Netlify DNS for this domain here:

https://app.netlify.com/account/dns/kiwiplates.nz

Please delete or activate that inactive DNS zone at the URL above. There is more about why this is required in the following support guide:

These are the actual DNS name servers for this domain:

ns_name_01: ns-78.awsdns-09.com
ns_name_02: ns-1576.awsdns-05.co.uk
ns_name_03: ns-687.awsdns-21.net
ns_name_04: ns-1366.awsdns-42.org

If there are other questions about the SSL certificates, please let us know.

Hi @luke, I’m not sure this statement is entirely correct. I had some similar issues to the OP here. Our primary domain was the apex domain and the www version was set to redirect to the primary domain.

When we added our apex domain, the DNS zone was automatically created and we assumed this was correct (even though we were set up with external DNS). Then we provisioned the Let’s Encrypt cert but it only did it for the apex domain. The apex domain SSL worked but the www version was throwing security warnings to our users.

After reading this post I decided to delete the DNS zone file. It appeared at first to delete the domains as it took me to a page that was nothing like the page I was on but I navigated back to Domain Management and they were there and no longer listed as controlled by Netlify DNS. Progress.

I then renewed the SSL cert and after provisioning it now lists both the apex and the www domains in the cert. Both are now working. Another benefit of deleting the DNS zone file is that the www redirects to the apex domain.

It appears apex and www domains are supported by SSL provisioning when using external DNS. Can you confirm / clarify your above statement?

Thanks for the post!

Hi @jibran, Luke was speaking specifically about wildcard certificates, not certificates for domains configured with external DNS.

It looks like the issue you ran into and solved on your own was an inactive DNS zone. I can confirm that apex and www domains are supported by SSL provisioning when using external DNS. You can read more about Netlify’s SSL process in our docs here:


Ok thanks @sid.mann. Thanks for the confirmation!
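
An added example, not part of the thread and not Netlify's code: the apex-only certificate described above fails for `www` because a browser accepts a certificate only when the requested hostname matches one of its subject alternative names, and a wildcard entry stands for a single label and does not cover the apex. The sketch below checks a SAN list against the hostnames a site must serve; the `example.test` names and SAN lists are constructed placeholders, and the function names are hypothetical.

```python
"""Added example: which hostnames does a certificate's SAN list cover?"""


def san_matches(san: str, host: str) -> bool:
    """Match one DNS SAN entry against a hostname (RFC 6125 style)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    # A wildcard stands for exactly one leftmost label, so "*.example.test"
    # covers "www.example.test" but not the apex or "a.b.example.test".
    label, _, host_rest = host.partition(".")
    return bool(label) and host_rest == san[2:]


def uncovered_hosts(sans, hosts):
    """Return the hostnames no SAN entry covers (these get browser warnings)."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


# Constructed SAN lists on a placeholder domain, not taken from the thread.
APEX_ONLY = ["example.test"]
APEX_AND_WWW = ["example.test", "www.example.test"]
WILDCARD = ["*.example.test"]
HOSTS = ["example.test", "www.example.test", "preprod.example.test"]

if __name__ == "__main__":
    cases = [("apex only", APEX_ONLY),
             ("apex + www", APEX_AND_WWW),
             ("wildcard", WILDCARD)]
    for name, sans in cases:
        print(f"{name:12} uncovered: {uncovered_hosts(sans, HOSTS)}")
```
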