SSL Provisioning is temporarily disabled because too many recent CertOrder creation with the site

Starting today we’ve encountered some issues with our SSL certificate. I currently get this message:

SSL Provisioning is temporarily disabled because too many recent CertOrder creation with the site.
We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Doman: www.chartwise.nl

chartwise.netlify.app

hi there,

this is often a temporary problem - can you try again and see if it works now? If not, let us know, and we’ll do some more digging.

Hi Perry,

I tried renewing it a few times yesterday, and today. The issue has now changed to:

SniCertificate::CertificateInvalidError: Unable to verify challenge for chartwise.nl

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Hey @StefanMusch,
We looked into this and seems like, in the time between when we first issued your SSL certificate and a few days ago when it expired, something about your DNS hosting changed, so we could no longer issue the certificate. Currently, if you run whois, you’ll see that the nameservers returned are not ours:

$ whois chartwise.nl
...
Domain nameservers:
   ns1.hostnet.nl
   ns2.hostnetbv.com
   ns3.hostnetbv.nl

There are two paths to resolving this so we can get the cert created:

  1. Keep your DNS hosting where it is, and remove the DNS zone at Netlify here: https://app.netlify.com/teams/stefanmusch/dns/chartwise.nl

    If you do that, your CNAME record for www.chartwise.nl is correct, but you will need an A record pointing chartwise.nl at our load balancer: 104.198.14.52. Here are additional instructions if you want:
    https://docs.netlify.com/domains-https/custom-domains/configure-external-dns/#configure-an-apex-domain

  2. Alternatively, you can delegate your nameservers to Netlify so that Netlify can host your DNS. To do that, you’ll copy these nameservers over to your current DNS host:
    https://app.netlify.com/teams/stefanmusch/dns/chartwise.nl#nameservers

    Here are additional instructions on this option: https://docs.netlify.com/domains-https/netlify-dns/delegate-to-netlify/

Let us know which one you go with, and we’ll see if we can get your cert renewed at that point. Please let us know if you have any questions about this in the meantime!

Hi Jen,

Thanks for your reply and looking into the issue, much appreciated!

We went with option (1) and added a new DNS record. Does this mean we should delete the previous A records or keep those?

Let me know if anything else is needed to get the certificate renewed.

Thanks so much!

Stefan

Great!

  1. So you’ll now want to delete the zone in Netlify DNS so we’re not hosting any records for you. You can do that here: https://app.netlify.com/teams/stefanmusch/dns/chartwise.nl#delete-dns-zone This is safe since you have other A and CNAME records pointing at Netlify from your current DNS host.
  2. The only Netlify-related records you want at your DNS host are:
  • one CNAME record pointing www.chartwise.nl to chartwise.netlify.app (you have this :white_check_mark:)
  • one A record pointing chartwise.nl at our load balancer (I see that you set this up :white_check_mark:, so yes, please delete the other A record pointing to 157.230.120.63)

Alright, thank you! Just did both (1) and (2).

I already tried renewing, hoping for the best. Anything else that I need to do?

Thanks for the great help so far

Just tried to renew your cert, but it looks like the Let’s Encrypt challenge is still failing. I think this is because there’s still a DNS record for chartwise.nl pointing to not-Netlify:

$ host chartwise.nl
chartwise.nl has address 104.198.14.52
chartwise.nl has IPv6 address 2a02:2268:ffff:ffff::4 <--- this is not us; it is HOSTNET-NL-MNT

Can you please remove that record as well?

1 Like

Apologies! I removed that record as well.

I hope this solves it. Sorry for all the trouble…

we see a renewed cert on that site - can you confirm all is working well?

I can confirm that the page is live again!

Thanks for all the work.

1 Like