On the Convesio Platform, your SSL certificate is issued by Let’s Encrypt and expires every 90 days, so it is renewed automatically on a regular basis. Several factors outside the platform can prevent a certificate from being issued or renewed. All of them come down to the same thing: to validate your domain, Let’s Encrypt makes an HTTP request to whatever address your DNS points at, and that request has to reach the Convesio Load Balancer IP addresses.

DNS Issues

Please see this article for how to set up your DNS when you move onto the Convesio Platform. In the following instructions, replace domain.com with your domain name.

...

  1. If any other addresses are listed for domain.com or www.domain.com (depending on which you have set as primary in the Convesio Platform), you are likely to have issues issuing or renewing your SSL certificate: Let’s Encrypt may validate against one of those other addresses, and that host does not serve the challenge file.

  2. If there are any AAAA records (IPv6 addresses) in your DNS settings for domain.com, delete them. The platform is IPv4-only, and a leftover AAAA record is tried before the IPv4 address (see the IPv4 / IPv6 section below).

  3. DNS records have a setting known as Time to Live, or TTL. It is how long a resolver may keep serving a cached answer for domain.com before asking your nameservers again. That means if your DNS setup was broken when you first tried to issue your SSL certificate, Let’s Encrypt may keep using the bad information until its TTL expires. TTLs can be as long as 24 hours or more or as short as 2 minutes, and once a bad answer has been cached there is nothing that can be done to hurry the process. If you can, lower the TTL to a few minutes well before you change any records, and raise it again once the certificate has been issued.

IPv4 / IPv6 issues

(Added 2020-01-03) We’re seeing this particularly with customers migrating to Convesio from Pantheon, but have experienced it with some other migrations also. Carefully review your DNS records and delete any that are IPv6 addresses. These have the form 2604:7c00:11:0:d6ae:52ff:fecc:f10 (hexadecimal groups separated by colons, rather than the dot-separated numbers of an IPv4 address such as 1.2.3.4) and live in AAAA records rather than A records.

...

The Convesio platform currently runs on IPv4 addresses only. If a stale AAAA record is still published, Let’s Encrypt prefers the IPv6 address and tries to verify the domain against the old host, which does not have the challenge file, so validation fails even though the A record is correct.

Proxy Issues

If your site is set up with CloudFlare, StackPath, the Sucuri, WordFence or iThemes Web Application Firewalls, or any other WAF or proxy, this can cause issues with your SSL certificate renewing automatically. This is related to the DNS issue above: you may have pointed your domain at the proxy or WAF provider so that it is the address of record for your domain. Let’s Encrypt therefore tries to verify against the proxy’s IP address, which does not serve the challenge file Convesio places on your site unless the proxy passes the HTTP validation request through to Convesio untouched.
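The checks in the DNS, IPv4 / IPv6 and Proxy sections above (stray A records, leftover AAAA records, long TTLs, and whether the address that answers is the load balancer rather than a proxy or an old host) can be run in one place before you open a ticket. The script below is an added example, not Convesio’s own tooling: it parses the answer section printed by `dig +noall +answer`, compares it with the load balancer address you were given, and lists anything that would stop Let’s Encrypt’s HTTP validation. The file name `dns_audit.py`, the load balancer address 203.0.113.10, the sample dig output and the 300-second TTL threshold are all constructed placeholders.

```python
#!/usr/bin/env python3
"""Pre-flight DNS audit before asking Let's Encrypt for a certificate.

Added example; not Convesio's own tooling.  It parses the answer section that
`dig +noall +answer <name> A` (and `... AAAA`) prints and flags the three
conditions the article describes: A records that are not the load balancer,
any AAAA record, and TTLs long enough to delay a fix.  The domain, the
expected IP and the dig output below are constructed sample data.
"""
from __future__ import annotations

import subprocess
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    value: str


def parse_dig_answer(text: str) -> list[Record]:
    """Parse 'owner TTL IN TYPE RDATA' lines; comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2].upper() != "IN" or not parts[1].isdigit():
            continue
        owner, ttl, rtype = parts[0], int(parts[1]), parts[3].upper()
        rdata = " ".join(parts[4:])
        records.append(Record(owner.rstrip(".").lower(), ttl, rtype, rdata.rstrip(".").lower()))
    return records


def audit(records: list[Record], expected_ipv4: set[str], max_ttl: int = 300) -> list[str]:
    """Return human-readable findings; an empty list means the zone looks ready.

    `expected_ipv4` is the set of load balancer addresses the host gave you.
    CNAME hops are ignored on purpose: dig already follows them, so the A/AAAA
    records in the answer are the addresses the validator will connect to.
    """
    findings = []
    a_records = [r for r in records if r.rtype == "A"]
    aaaa_records = [r for r in records if r.rtype == "AAAA"]
    seen_v4 = {r.value for r in a_records}

    if not a_records:
        findings.append("no A record: the HTTP-01 challenge request has nowhere to go")
    for ip in sorted(seen_v4 - expected_ipv4):
        findings.append(f"unexpected A record {ip}: Let's Encrypt will fetch the challenge "
                        "from that host (proxy/WAF/old hosting), not from the load balancer")
    for ip in sorted(expected_ipv4 - seen_v4):
        findings.append(f"load balancer address {ip} is missing from the A records")
    for r in aaaa_records:
        findings.append(f"AAAA record {r.value} present: the validator tries IPv6 first when "
                        "it exists, and the platform is IPv4-only; delete it")

    ttl = max((r.ttl for r in a_records + aaaa_records), default=0)
    if ttl > max_ttl:
        findings.append(f"TTL is {ttl}s ({ttl // 3600}h {ttl % 3600 // 60}m): resolvers may keep "
                        "a wrong answer that long after you fix it; lower the TTL before changing records")
    return findings


def dig_answer(name: str, rtype: str) -> str:
    """Live lookup; requires `dig` (bind-utils / dnsutils) on PATH."""
    result = subprocess.run(["dig", "+noall", "+answer", name, rtype],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample: www is a CNAME to the apex, a stale second A record and an
# IPv6 address are left over from the previous host, and the TTL is one hour.
SAMPLE_DIG = """\
domain.com.        3600  IN  A     203.0.113.10
domain.com.        3600  IN  A     198.51.100.7
domain.com.        3600  IN  AAAA  2001:db8::1
www.domain.com.    300   IN  CNAME domain.com.
domain.com.        3600  IN  A     203.0.113.10
"""
EXPECTED_LB = {"203.0.113.10"}  # placeholder; use the address Convesio gave you


def main(argv: list[str]) -> int:
    if len(argv) > 1:  # python3 dns_audit.py domain.com 203.0.113.10
        name, expected = argv[1], set(argv[2:])
        text = "".join(dig_answer(name, t) for t in ("A", "AAAA"))
    else:
        text, expected = SAMPLE_DIG, EXPECTED_LB
    findings = audit(parse_dig_answer(text), expected)
    for finding in findings:
        print("PROBLEM:", finding)
    if not findings:
        print("DNS looks ready for issuance")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the three findings for the embedded sample, or as `python3 dns_audit.py domain.com <load balancer IP>` to query live DNS through `dig`; run it once for the apex and once for www if both are in use. A non-zero exit code means at least one of the conditions above is present, and the unexpected-address finding is the one to look at when a CDN or WAF is in front of the site.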

...

As always, if you have any questions or issues, please reach out to us in chat or by filing a ticket at support.convesio.com.

Article History

Date         Change
2019-09-26   original document
2020-01-03   add IPv4/IPv6 section


...