SSL Certificate not working

Hello.

We have a website at www.thexpatmagazine.com but it looks like many users cannot access it, due to a certificate issue. I tried to issue a new certificate but unfortunately it did not work. We are losing a lot of traffic and rank, but I cannot understand where the issue is. The domain is hosted on Namecheap and we point the DNS to Netlify; it had been working fine until a few days ago.
Any suggestion?
Thanks in advance

It seems to be working just fine now when I checked. Is the problem still there for you?

Yes it is working fine now thanks.
I am not sure what happened, but now it seems to be working.

Thanks for the information

Hi all,

Sorry to re-take this post, but it seems that many, many users are still unable to use our website and they keep getting errors with the SSL certificate. At this point I really have no idea what to do, any suggestion is welcome.
Here is the screenshot I keep seeing in my Safari browser:

This has become an unsustainable situation. I am not sure what is not working, but the only thing I am sure of is that it’s about the certificate. I tried to write to Netlify but I am not on a paid account so it’s unlikely they will help me to sort this out.
Thanks in advance to all

I rechecked just to receive the same results. It’s working fine in Chrome, Firefox on Windows and Android.

Sadly, I don’t have any Apple device to check the behaviour on Safari. Can you narrow the problem, as in, is it happening with users only on a specific location, specific device, browser, or something like that?

Hi @hrishikesh thanks for answering.
The problem is not about a single user; it is about the certificate, which seems not to be valid. For instance, it was working for me on Google Chrome; I just deleted the cache in the browser, opened the website in incognito and got the SSL error. (Big mistake btw, because now I am totally unable to visit the site xD)

I also tried with Firefox (which I never use) and got the same error with the certificate.
As for our users, we have noticed that new users are unable to visit the website, while returning users are not having problems. This makes me think about the certificate: probably for many users (like me) it was working, but for new users there is something that tells their browser that our certificate is not valid.
It’s very hard to track down the real error, because it doesn’t happen to all users (like in this post, it works for all of you, it worked for me until a few days ago, in Chrome, and now it isn’t working anymore).

Does renewing the certificate from the Netlify UI help?

I just renewed it right now, I guess I have to wait a bit to see if it works.
I also sent an email to the support where we have our domain (Namecheap); maybe it has to do with their DNS, although it seems weird since I just redirect everything to Netlify DNS.
Thanks for the help!

Hi, @antoniofull. Our support team does answer all unanswered questions here on our community site provided those questions are covered by our technical support. For example, troubleshooting a third-party service or custom code would not be questions our support team will answer anywhere - not even the helpdesk (unless there is a custom support contract signed which included them).

To summarize, the same people that answer the help desk tickets do respond here. The only difference here is that the support is done publicly if possible so that other people can learn from the troubleshooting. If the issue were private (like a login or billing issue) we will move those to the helpdesk even for Starter teams.

So, let’s start troubleshooting! The key thing which will help us help you is to find the incorrect HTTP responses.

The most important detail to help us find problem HTTP responses is to send us the x-nf-request-id response header which our service sends with all HTTP responses. These IDs are never reused so if you send us the ID, we can find the exact HTTP response.

There is more information about this header here:

Now, with SSL issues, the browser typically closes the connection before the header can be sent so you may not have it available. One solution is to temporarily allow insecure connections so you can view it.

Alternatively, please send the information it replaces (or as many of these details as possible). Those details are:

  • the complete URL requested
  • the IP address for the system making the request
  • the IP address for the CDN node that responded
  • the day of the request
  • the time of the request
  • the timezone the time is in

Last but not least, I strongly suspect the root cause could actually be service worker related. If my suspicion is correct and service workers are involved, the support guide below could be helpful:

Again, please send us the details to help us identify the failing HTTP responses and we will be happy to find out what is causing this issue.

Hey @luke thank you so much for your answer!

So when the page does not load, I am unable to get the x-nf-request-id. I tried with:

Safari - Page Loads
Safari Incognito - Page does not load

Same goes for Chrome, does not load in Incognito.
When the page loads I have the x-nf-request-id values, which are:
Safari: 4217259f-dc12-462a-a3e7-1e7b3770fd06-68646671
Chrome: d7815f7a-a7eb-4c8d-af7d-8adefb5fd410-3044861

Here is the data you requested:

  • the complete URL requested —> https://www.thexpatmagazine.com/
  • the IP address for the system making the request —> 79.46.94.235
  • the IP address for the CDN node that responded —> Not sure what this is
  • the day of the request —> 7th January 2021
  • the time of the request —> 09:005 AM
  • the timezone the time is in —> GMT+1

Thanks a lot for the help. I also looked into the domain DNS but nothing has changed on that side.
As for the service workers, I am looking into the code. We use Gatsby but I haven’t added any big change recently, as far as I can remember. I will try to disable any package that was added recently, although it is hard to test since locally it will work regardless.

As I am writing now, I just got the page to open in Chrome in incognito after a few tries, but it is still not working in Safari. We also have reports from other users, some in the US and some in Europe, all, it seems, having issues related mostly to Safari, equally divided between desktop (slightly the majority) and mobile.

Hi, @antoniofull. This piece of information is required to troubleshoot this:

Without knowing the IP address where your browser is sending the HTTP request, I cannot troubleshoot. I must have this information to proceed.

Note, this site is definitely using a service worker when I check:

Because you are not able to find an IP address for the failing responses, that also supports the hypothesis that this is a service worker issue.

If you find the IP address where your browser is sending the request, please let us know. Likewise, a HAR file recording of the issue will also contain that information. If there are questions, we are happy to answer.

I’m nearly certain that the service worker is the issue but if you have a HAR file recording (or target IP address for the HTTP request) please let us know and we will be happy to take another look.
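The HAR triage requested in the posts above, as an added example that is not part of the original thread and is not Netlify tooling: it walks a HAR recording and pulls out the URL, start time, responding server IP and `x-nf-request-id` for each request, and flags requests that have neither an IP nor a request id as probably answered locally. The sample HAR, host name, IP address and request id are constructed; treating a missing `serverIPAddress` as a sign of local caching is the heuristic described in the thread, not a guarantee.

```javascript
// Added example: summarise a HAR recording for a support request.
// sampleHar is constructed data (documentation IP range, made-up request id).
const sampleHar = {
  log: {
    entries: [
      {
        startedDateTime: "2021-01-07T09:05:12.000+01:00",
        serverIPAddress: "203.0.113.10",
        request: { method: "GET", url: "https://www.example.com/" },
        response: {
          status: 200,
          headers: [{ name: "X-NF-Request-ID", value: "00000000-aaaa-bbbb-cccc-000000000000-1" }],
        },
      },
      {
        // No serverIPAddress and no CDN headers recorded for this request.
        startedDateTime: "2021-01-07T09:05:13.000+01:00",
        request: { method: "GET", url: "https://www.example.com/app.css" },
        response: { status: 200, headers: [] },
      },
    ],
  },
};

// Header names are case-insensitive, so compare in lower case.
function headerValue(headers, name) {
  const hit = (headers || []).find((h) => h.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}

// Returns one record per request with the details support asked for.
function summariseHar(har) {
  return har.log.entries.map((e) => {
    const serverIp = e.serverIPAddress || null;
    const requestId = headerValue(e.response && e.response.headers, "x-nf-request-id");
    return {
      url: e.request.url,
      started: e.startedDateTime, // ISO 8601, carries the timezone offset
      serverIp,
      requestId,
      // Neither value present: likely answered locally (cache or service worker).
      likelyLocal: serverIp === null && requestId === null,
    };
  });
}

console.table(summariseHar(sampleHar));
```

Rows with `likelyLocal: true` are the ones to compare against the service worker's cache, since there is no CDN response for support to look up.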

Hi Luke,

thank you for your help and apologies for the late response, I was not at home.

So I cannot find a way to get the CDN IP address, nor how to record the HAR file. When the page does not load I can only see two calls, to an HTML and a CSS page, nothing else.

What I did now is that I completely removed the service worker from Gatsby (I unregistered it with another plugin), and I am now deploying the new site; hopefully this will solve the issue.
Thanks a lot for the help
A.

Hi, @antoniofull. If the IP address is missing, that is more evidence supporting the hypothesis that local caching (like a service worker) is the root cause. If a new site doesn’t resolve this or if there are other questions, please let us know.

Hi, I have added a custom domain www.julietwongmin.com, but for the SSL certificate I am getting this message:
julietwongmin.com is not resolvable with a resolver that validates DNSSEC

The domain is hosted on Hostinger and I have changed the name servers already.
Any suggestions on how to fix it?

Hi, @julwmin. Netlify DNS doesn’t support DNSSEC at this time. The two solutions for that error are:

  • either disable DNSSEC
  • or stop using Netlify DNS (and use external DNS instead)

It appears that you have already successfully implemented the first of those two solutions above.

If there are other questions or concerns, please let us know.

Thanks for the step by step tutorial. Works like a charm!

Hi Luke,
Thanks for your reply! My website is all good, but when I go to the domain settings, the alert message is there. I tried to click renew certificate, but the message still appears.

Message:
" julietwongmin.com is not resolvable with a resolver that validates DNSSEC

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate."

I also contacted Hostinger (where I bought the domain) and they told me there is no DNSSEC.

Hey @julwmin,
I’m not totally sure why that wasn’t working for you in the site dashboard, but I was able to get you a new SSL cert from our end. Looks good in my browser, but please let us know if you’re seeing any issues on your end!