On the Convesio Platform, your SSL certificate is generated by Let’s Encrypt and expires every 90 days. Several factors outside the platform can cause problems issuing or renewing SSL certificates. All of these problems prevent Let’s Encrypt from reaching your Convesio Load Balancer IP addresses.
DNS Issues
Please see this article for how to set up your DNS when you move onto the Convesio Platform. In the following instructions, replace domain.com with your domain name.
domain.com should always resolve to 2 IP addresses, and both need to be as specified on your Site Dashboard. Your www.domain.com is best set as a CNAME to your bare domain, but you can set it to the same two IP addresses.
- If any other addresses are listed for domain.com or www.domain.com (depending which you have set as primary in the Convesio Platform) you are likely to have issues issuing or renewing your SSL.
- If there are any AAAA records (IPv6 addresses) in your DNS settings for domain.com, delete them.
- DNS entries have a setting known as Time to Live, or TTL. This is the amount of time the IP address cached by a visitor will be used when they visit domain.com. That means if your DNS setup is broken when you first try to issue your SSL, Let’s Encrypt will use the bad information until its TTL expires. These settings can be as long as 24 hours or more or as short as 2 minutes. There is nothing that can be done to hurry the process.
IPv4 / IPv6 issues
(Added 2020-01-03) We’re seeing this particularly in customers migrating to Convesio from Pantheon, but have experienced it with some other migrations also. Carefully review your DNS records and delete any that are IPv6 addresses (these have the form 2604:7c00:11:0:d6ae:52ff:fecc:f10, with colons separating the numbers instead of dots as in 1.2.3.4). The Convesio platform currently runs on IPv4 addresses, but on occasion when trying to set up the SSL certificate Let’s Encrypt will pull one of the old IPv6 addresses and try to verify the domain against that.
Proxy Issues
If your site is set up with CloudFlare, StackPath, the Sucuri, WordFence or iThemes Web Application Firewalls, or any other WAF or proxy, this can cause issues with your SSL renewing automatically. This is related to the DNS issue above, because you may have set the proxy or WAF provider to be the source of truth for your domain. Therefore Let’s Encrypt tries to verify against that IP address, which doesn’t have the validation file Let’s Encrypt looks for.
We’ve primarily experienced this with CloudFlare’s Full setting for SSL. The Flexible setting will allow your certificate to renew automatically, but it can lead to some redirect issues if you have force-SSL plugins or certain configurations on CloudFlare. Our developers are working to resolve this problem and allow you to have CloudFlare and other proxies set to Full mode.
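The three checks above (exactly two load-balancer A records, no AAAA records, www pointing at the bare domain or the same two addresses rather than at a proxy) can be run against your zone before you ask for a certificate. The script below is an added example, not Convesio tooling; the load-balancer IPs and the zones are constructed placeholders, so substitute the two addresses from your Site Dashboard and the records you see in your DNS provider.

```python
# Assumed load-balancer addresses: placeholders standing in for the two IPs
# shown on the Site Dashboard, not real Convesio addresses.
EXPECTED_LB = {"192.0.2.10", "192.0.2.20"}


def check_dns(domain, records, expected=EXPECTED_LB):
    """Return the DNS problems that would stop Let's Encrypt from reaching
    the load balancer. `records` maps a name to its record sets, e.g.
    {"domain.com": {"A": [...], "AAAA": [...]}, "www.domain.com": {...}}.
    """
    problems = []
    www_name = "www." + domain
    bare = records.get(domain, {})
    www = records.get(www_name, {})

    # 1. The bare domain must resolve to exactly the two load-balancer IPs;
    #    a leftover A record for an old host or a proxy breaks validation.
    a_records = set(bare.get("A", []))
    if a_records != set(expected):
        problems.append(f"{domain} A records {sorted(a_records)} "
                        f"should be exactly {sorted(expected)}")

    # 2. No AAAA records: Let's Encrypt may pick an IPv6 address to validate.
    for name, rrsets in ((domain, bare), (www_name, www)):
        if rrsets.get("AAAA"):
            problems.append(f"{name} has AAAA records {rrsets['AAAA']}; delete them")

    # 3. www is either a CNAME to the bare domain or the same two A records.
    cname = www.get("CNAME", [])
    if cname and cname != [domain]:
        problems.append(f"{www_name} CNAME points at {cname}, not {domain}")
    elif not cname and set(www.get("A", [])) != set(expected):
        problems.append(f"{www_name} A records {sorted(www.get('A', []))} "
                        f"should CNAME {domain} or match {sorted(expected)}")
    return problems


# Constructed sample zones (not real data).
BROKEN_ZONE = {
    "domain.com": {"A": ["192.0.2.10", "192.0.2.20", "198.51.100.7"],  # old host
                   "AAAA": ["2001:db8::1"]},                           # leftover IPv6
    "www.domain.com": {"CNAME": ["edge.example.net"]},                  # proxy/WAF edge
}
CLEAN_ZONE = {
    "domain.com": {"A": ["192.0.2.20", "192.0.2.10"]},
    "www.domain.com": {"CNAME": ["domain.com"]},
}

if __name__ == "__main__":
    for label, zone in (("broken", BROKEN_ZONE), ("clean", CLEAN_ZONE)):
        print(label, check_dns("domain.com", zone) or "OK")
```

Remember that a fix only takes effect once the old records' TTL has expired, so a clean result here may still take hours to be seen by Let’s Encrypt.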
As always, if you have any questions or issues, please reach out to us in chat or by filing a ticket at support.convesio.com.