Yarnpkg.com SSL expired and won't renew

Not sure what’s up with it, but I’m getting “SniCertificate::CertificateInvalidError: Unable to verify challenge for classic.yarnpkg.com” when I try to renew:

I tried installing a custom Let’s Encrypt certificate (acquired manually using certbot and DNS validation), and that failed too. Netlify’s UI now shows “Expires Jul 30 (in 3 months)”; however, Netlify’s edge servers are still returning the expired cert:

$ openssl s_client -connect 167.172.221.254:443 -servername classic.yarnpkg.com
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = classic.yarnpkg.com
verify error:num=10:certificate has expired
notAfter=May  2 04:45:43 2020 GMT
verify return:1
depth=0 CN = classic.yarnpkg.com
notAfter=May  2 04:45:43 2020 GMT
verify return:1

I’ve had to temporarily enable Cloudflare proxying to prevent users from seeing the broken certificate.

This isn’t the first time I’ve had issues with SSL certificates on Netlify. In February last year I had a very similar issue on a different site (reactjs.net certificate expired · Issue #739 · reactjs/React.NET · GitHub), which was eventually resolved by Netlify support.
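The check above (openssl s_client against one edge IP with -servername set) is easy to repeat by hand but tedious to watch while waiting for a new certificate to reach every edge node. The script below is an added example, not code from this thread, from Yarn or from Netlify: it parses the s_client output pasted in the post (embedded as an offline fixture), pulls out the leaf subject, the notAfter date and any verify errors, and classifies the certificate as expired, expiring or ok relative to a reference time. The live_check helper just runs the same command and feeds its output to the parser; it needs network access and is not part of the offline fixture. Function and variable names are this example's own.

```python
"""Parse the output of the openssl s_client check used in the post above and
decide whether the served leaf certificate is expired or about to expire.
Added example; not code from the thread, Yarn or Netlify."""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Fixture copied from the s_client session pasted in the post (kept here so the
# parser runs offline; live_check() below produces the same shape of text).
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = classic.yarnpkg.com
verify error:num=10:certificate has expired
notAfter=May  2 04:45:43 2020 GMT
verify return:1
"""

NOT_AFTER_RE = re.compile(r"^notAfter=(.+)$", re.MULTILINE)
VERIFY_ERROR_RE = re.compile(r"^verify error:num=(\d+):(.+)$", re.MULTILINE)
LEAF_SUBJECT_RE = re.compile(r"^depth=0 (.+)$", re.MULTILINE)


def parse_not_after(value: str) -> datetime:
    """Parse openssl's date format, e.g. 'May  2 04:45:43 2020 GMT' (note the
    space-padded day of month), into an aware UTC datetime."""
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT").replace(
        tzinfo=timezone.utc)


def parse_s_client(output: str) -> dict:
    """Extract the leaf subject, its notAfter and every verify error."""
    not_after = NOT_AFTER_RE.search(output)
    if not_after is None:
        raise ValueError("no notAfter line: the TLS handshake did not complete")
    subject = LEAF_SUBJECT_RE.search(output)
    return {
        "subject": subject.group(1) if subject else "",
        "not_after": parse_not_after(not_after.group(1)),
        "verify_errors": [(int(num), msg)
                          for num, msg in VERIFY_ERROR_RE.findall(output)],
    }


def expiry_status(info: dict, now, warn_days: int = 14) -> str:
    """'expired', 'expiring' (within warn_days) or 'ok' relative to `now`,
    given as an aware datetime or an ISO-8601 string."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    remaining = info["not_after"] - now
    if remaining <= timedelta(0):
        return "expired"
    if remaining <= timedelta(days=warn_days):
        return "expiring"
    return "ok"


def live_check(ip: str, sni: str, port: int = 443) -> dict:
    """Run the same openssl s_client command as the post against one edge IP
    with the SNI name set, and parse what it prints.  Needs network access;
    not exercised by the offline fixture above."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{ip}:{port}", "-servername", sni],
        input="", capture_output=True, text=True, timeout=20, check=False)
    # openssl writes the verify-callback lines to stderr and the rest to stdout.
    return parse_s_client(proc.stdout + "\n" + proc.stderr)


if __name__ == "__main__":
    info = parse_s_client(SAMPLE_S_CLIENT_OUTPUT)
    print(info["subject"], info["not_after"].isoformat(),
          expiry_status(info, datetime.now(timezone.utc)), info["verify_errors"])
```

Pointing live_check at each edge IP in turn (rather than at the hostname) is what surfaces the situation in the post, where the dashboard already shows the new certificate while some edges still serve the old one.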

Really sorry to hear you’re running into this. We’re looking into it now and hope to have more information for you shortly.

So sorry to hear about this issue.

This happened because of a change in the way we handle the Let’s Encrypt challenge verification. Normally, we serve the verification challenge before applying any redirect rules. This ensures that the challenge file is at the location Let’s Encrypt expects.

In this case, we were improperly caching the redirect rules, so they were applied before serving the verification challenge, and it wasn’t found by Let’s Encrypt at the expected location.

We’re planning to release a fix for this issue on Monday morning. If you were able to set up a custom certificate for Netlify, you can remove Cloudflare and use that for SSL. We’ll update you when the redirect bug is fixed and Netlify can automatically provision your SSL certificate.
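The ordering bug described in the reply above is worth seeing concretely: an HTTP-01 validator fetches /.well-known/acme-challenge/<token> on the site's host, and if a catch-all redirect is evaluated before the challenge lookup, the validator is sent to a different origin that has never heard of the token. The model below is an added example, not Netlify's code; the hostnames site.example and other.example, the token and the redirect rule are constructed for the demonstration, and the validator is a minimal stand-in for the CA side that follows a few redirects the way Let's Encrypt does.

```python
"""Model of the redirect-versus-ACME-challenge ordering described in the reply
above.  Added example: it is not Netlify's code, and the hostnames, token and
redirect rule are constructed for the demonstration."""
from dataclasses import dataclass
from urllib.parse import urlsplit

ACME_PREFIX = "/.well-known/acme-challenge/"
REDIRECT_STATUSES = (301, 302, 307, 308)


@dataclass
class Response:
    status: int
    body: str = ""
    location: str = ""


@dataclass
class Site:
    """One origin: its pending HTTP-01 challenges, its redirect rules, and
    which of the two lookups the edge performs first."""
    challenges: dict           # token -> key authorization the CA expects
    redirects: list            # (source path prefix, target URL prefix, status)
    challenge_first: bool = True

    def serve_challenge(self, path):
        if not path.startswith(ACME_PREFIX):
            return None
        keyauth = self.challenges.get(path[len(ACME_PREFIX):])
        return Response(200, keyauth) if keyauth else Response(404)

    def apply_redirects(self, path):
        for src, dst, status in self.redirects:
            if path.startswith(src):
                return Response(status, location=dst + path[len(src):])
        return None

    def handle(self, path):
        # The order of these two lookups is the whole bug: with stale cached
        # rules the redirect ran first and the challenge path never matched.
        steps = [self.serve_challenge, self.apply_redirects]
        if not self.challenge_first:
            steps.reverse()
        for step in steps:
            resp = step(path)
            if resp is not None:
                return resp
        return Response(200, "ordinary site content")


def validate_http01(origins, host, token, keyauth, max_hops=3):
    """Stand-in for the CA side of HTTP-01: fetch the token path, follow a few
    redirects (as Let's Encrypt does), and require the key authorization in
    the body.  Returns (ok, reason)."""
    url = f"http://{host}{ACME_PREFIX}{token}"
    for _ in range(max_hops + 1):
        parts = urlsplit(url)
        site = origins.get(parts.hostname)
        if site is None:
            return False, f"no such origin: {parts.hostname}"
        resp = site.handle(parts.path)
        if resp.status in REDIRECT_STATUSES:
            url = resp.location
            continue
        if resp.status == 200 and resp.body == keyauth:
            return True, "key authorization served"
        return False, f"{parts.hostname}{parts.path} returned {resp.status}"
    return False, "too many redirects"


def demo(challenge_first):
    """Constructed scenario: site.example has a catch-all redirect to
    other.example, which knows nothing about the pending challenge."""
    token, keyauth = "tok-constructed", "tok-constructed.account-thumbprint"
    origins = {
        "site.example": Site({token: keyauth},
                             [("/", "https://other.example/", 301)],
                             challenge_first),
        "other.example": Site({}, []),
    }
    return validate_http01(origins, "site.example", token, keyauth)


if __name__ == "__main__":
    print("redirects first:", demo(challenge_first=False))
    print("challenge first:", demo(challenge_first=True))
```

With the challenge lookup first, ordinary paths still redirect exactly as before; only the acme-challenge prefix is answered in place. That is the invariant to assert in any edge or reverse proxy that both terminates TLS for a site and applies that site's redirect rules.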

Thanks for the update!

I did set up a custom certificate; however, Netlify’s servers were still serving the old certificate for a while after I did so (over an hour). I just checked it now, and it seems like the Netlify servers are now correctly using the new certificate.


Hi Daniel,

The fix I described is live. Thanks for reporting this and please let us know if you remove Cloudflare and are having problems using an automatic certificate with Netlify.

Seems like it’s working now. Thanks!
