Why won't my SSL issue or renew?

On the Convesio Platform, your SSL certificate is issued by Let’s Encrypt and is valid for 90 days, so it is renewed on a rolling basis. Several things outside the platform can stop a certificate from being issued or renewed. They all come down to the same root cause: when Let’s Encrypt tries to validate your domain, its request does not reach your Convesio Load Balancer IP addresses.

DNS Issues

Please see this article for how to set up your DNS when you move onto the Convesio Platform. In the following instructions, replace domain.com with your domain name.

domain.com should always resolve to exactly two IP addresses, the pair shown on your Site Dashboard. www.domain.com is best set as a CNAME to the bare domain, but you can also point it at the same two IP addresses.

  1. If any other addresses are listed for domain.com or www.domain.com (whichever you have set as primary on the Convesio Platform), you are likely to have trouble issuing or renewing your SSL certificate.

  2. If there are any AAAA records (IPv6 addresses) in your DNS settings for domain.com, delete them.

  3. Every DNS record carries a setting known as Time to Live, or TTL. This is how long a resolver (and any visitor behind it) may keep using a cached answer for domain.com before asking your DNS provider again. That means if your DNS setup was wrong when you first tried to issue your SSL, Let’s Encrypt may keep validating against the bad information until that TTL expires. TTLs can be as long as 24 hours or more, or as short as 2 minutes, and there is nothing that can be done to hurry the process.

IPv4 / IPv6 issues

(Added 2020-01-03) We are seeing this particularly with customers migrating to Convesio from Pantheon, but have experienced it with some other migrations too. Carefully review your DNS records and delete any that are IPv6 addresses (these have the form 2604:7c00:11:0:d6ae:52ff:fecc:f10, with colons separating hexadecimal groups instead of the dots in 1.2.3.4). The Convesio platform currently runs on IPv4 addresses only, and Let’s Encrypt prefers an AAAA record when one is published, so if an old IPv6 address is still in your DNS it will try to verify the domain against that address and fail.
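The following is an added example, not part of the original article or Convesio's own tooling. It parses `dig +noall +answer` output and flags the three problems described in the DNS and IPv6 sections above (stray A records, leftover AAAA records, long TTLs) against the two load-balancer IPs from the Site Dashboard. The IPs used are documentation placeholders, the dig output is constructed, and `live_answers` is an optional helper for running the same check against real DNS.

```python
"""Added example (not Convesio's tooling): check a domain's DNS answers against
the two load-balancer IPs shown on the Site Dashboard.  It flags the three
problems the article lists: stray A records, AAAA records, and long TTLs.
The IPs below are RFC 5737/3849 documentation placeholders, not real
Convesio addresses; the dig output is constructed for illustration."""
import re
import shutil
import subprocess
from typing import List, Set, Tuple

# Assumption: replace with the pair of IPv4 addresses from your Site Dashboard.
EXPECTED_IPS: Set[str] = {"192.0.2.10", "192.0.2.11"}
MAX_TTL_SECONDS = 3600  # a wrong answer cached longer than this lingers for hours

# One answer line per record, in the form printed by `dig +noall +answer`:
#   domain.com.   300   IN   A   192.0.2.10
ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")

Record = Tuple[str, int, str, str]  # (name, ttl, type, rdata)


def parse_dig_answers(text: str) -> List[Record]:
    """Parse `dig +noall +answer` output; blank lines and ';' comments are skipped."""
    records: List[Record] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = ANSWER_RE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((name.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return records


def check_records(records: List[Record], expected_ips: Set[str],
                  max_ttl: int = MAX_TTL_SECONDS) -> List[str]:
    """Return the problems that would send Let's Encrypt to the wrong address.
    An empty list means the answers match what the platform expects."""
    problems: List[str] = []
    for name, ttl, rtype, rdata in records:
        if rtype == "AAAA":
            problems.append(f"AAAA record {name} -> {rdata}: delete it, the platform is IPv4 only")
        elif rtype == "A" and rdata not in expected_ips:
            problems.append(f"A record {name} -> {rdata} is not a load-balancer IP")
        if ttl > max_ttl:
            problems.append(f"{rtype} record {name} has TTL {ttl}s; a bad answer would be cached that long")
    present = {r[3] for r in records if r[2] == "A"}
    for ip in sorted(expected_ips - present):
        problems.append(f"load-balancer IP {ip} is missing from the answer")
    return problems


def live_answers(name: str) -> str:
    """Fetch real A and AAAA answers with dig (needs network; not used below)."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    return "".join(
        subprocess.run(["dig", "+noall", "+answer", name, rtype],
                       capture_output=True, text=True, check=True).stdout
        for rtype in ("A", "AAAA"))


# Constructed output for a broken setup: one stray A record left over from the
# old host, a stale AAAA record, and a 24-hour TTL on everything.
BROKEN_ANSWERS = """\
domain.com.   86400 IN A    192.0.2.10
domain.com.   86400 IN A    192.0.2.11
domain.com.   86400 IN A    198.51.100.7
domain.com.   86400 IN AAAA 2001:db8::7
"""

# Constructed output for a correct setup: exactly the two load-balancer IPs.
GOOD_ANSWERS = """\
domain.com.   300 IN A 192.0.2.10
domain.com.   300 IN A 192.0.2.11
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_ANSWERS), ("good", GOOD_ANSWERS)):
        print(label, check_records(parse_dig_answers(text), EXPECTED_IPS) or ["OK"])
```

To check a real domain, run `check_records(parse_dig_answers(live_answers("domain.com")), EXPECTED_IPS)`; query a few public resolvers as well as your own, since a stale answer can sit in one resolver's cache until its TTL runs out.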

Proxy Issues

If your site sits behind Cloudflare, StackPath, the Sucuri, Wordfence or iThemes web application firewalls, or any other WAF or proxy, your certificate may fail to renew automatically. This is the DNS issue above in another form: you have made the proxy or WAF provider the authoritative address for your domain, so Let’s Encrypt validates against the proxy’s IP address, and the proxy does not have the validation file (the token Let’s Encrypt requests from /.well-known/acme-challenge/ on your domain).

We have seen this mostly with Cloudflare’s Full SSL setting. The Flexible setting lets your certificate renew automatically, but it can cause redirect problems if you use force-SSL plugins or certain Cloudflare configurations. Our developers are working on a fix that will allow Cloudflare and other proxies to be set to Full mode.
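The following is an added example, not part of the original article or Convesio's own tooling. It shows how to tell whether a validation request for the challenge file is actually answered by the Convesio load balancer or by a proxy in front of it: Let’s Encrypt fetches http://domain.com/.well-known/acme-challenge/<token> over plain HTTP and expects the key authorization (token, a dot, then the account thumbprint) back. The responses below are constructed; the token and thumbprint are placeholders, and the proxy fingerprints are limited to Cloudflare's response headers.

```python
"""Added example (not Convesio's tooling): tell whether an HTTP-01 challenge
request reaches the Convesio load balancer or is answered by a proxy/WAF.
Let's Encrypt fetches http://<domain>/.well-known/acme-challenge/<token> over
plain HTTP and expects the key authorization (token.thumbprint) back.  The
responses below are constructed; the token and thumbprint are placeholders."""
import http.client
from typing import Dict, List, Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Response headers that reveal a reverse proxy in the path.  Cloudflare's are
# the only ones relied on here; extending this table for other WAFs is an
# assumption left to the reader.
PROXY_HEADERS = {"cf-ray": "Cloudflare", "cf-cache-status": "Cloudflare"}

Response = Tuple[int, Dict[str, str], str]  # (status, headers, body)


def detect_proxy(headers: Dict[str, str]) -> Optional[str]:
    """Name the proxy that answered, or None if no known fingerprint is present."""
    lower = {k.lower(): v for k, v in headers.items()}
    for header, name in PROXY_HEADERS.items():
        if header in lower:
            return name
    if "cloudflare" in lower.get("server", "").lower():
        return "Cloudflare"
    return None


def diagnose(response: Response, token: str) -> List[str]:
    """Return findings for a challenge response; an empty list means it would pass."""
    status, headers, body = response
    lower = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    proxy = detect_proxy(headers)
    if proxy:
        findings.append(f"answered by {proxy}, not directly by the load balancer")
    if status in (301, 302, 307, 308):
        findings.append(f"HTTP {status} redirect to {lower.get('location', '?')}: "
                        "Let's Encrypt follows it, so the target must serve the token too")
    elif status != 200:
        findings.append(f"HTTP {status}: challenge file not served")
    elif body.strip().split(".")[0] != token:
        findings.append("200 OK but the body is not the key authorization (WAF or error page?)")
    return findings


def fetch_challenge(connect_to: str, domain: str, token: str) -> Response:
    """Request the challenge URL over plain HTTP, port 80, as Let's Encrypt does.
    Pass the domain as connect_to to follow public DNS, or a load-balancer IP
    to bypass DNS and see what the origin itself returns (needs network)."""
    conn = http.client.HTTPConnection(connect_to, 80, timeout=10)
    conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    return resp.status, dict(resp.getheaders()), body


# Constructed responses.  TOKEN and the thumbprint are placeholders.
TOKEN = "placeholder-token"
ORIGIN_OK: Response = (200, {"Content-Type": "text/plain"}, f"{TOKEN}.placeholder-thumbprint")
PROXY_404: Response = (404, {"Server": "cloudflare", "CF-RAY": "placeholder"}, "<html>404 Not Found</html>")
FORCE_SSL: Response = (301, {"Location": f"https://domain.com{CHALLENGE_PREFIX}{TOKEN}"}, "")

if __name__ == "__main__":
    for label, resp in (("origin", ORIGIN_OK), ("proxy", PROXY_404), ("redirect", FORCE_SSL)):
        print(label, diagnose(resp, TOKEN) or ["OK"])
```

A useful comparison is to call `fetch_challenge("domain.com", "domain.com", token)` and `fetch_challenge("<load-balancer IP>", "domain.com", token)` for the same token during a renewal attempt: if the second returns the key authorization and the first returns a proxy-branded error, the proxy, not the platform, is what Let’s Encrypt is talking to.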

As always, if you have any questions or issues, please reach out to us in chat or file a ticket at support.convesio.com.


Article History

Date          Change
2019-09-26    original document
2020-01-03    add IPv4/IPv6 section