SSL Troubleshooting for the Most Common SSL Issues

The most common reason that SSL fails is because the domain has been added to MyPressable Control Panel while a DNS change is still propagating.

We use Let’s Encrypt to issue free SSL certificates for domains. If we request an SSL certificate from Let’s Encrypt and they are not able to see the domain pointing to us, they will not issue it.

If you are changing A records, you can minimize issues with SSL issuance by adjusting the time-to-live for your domains’ A records. For example, if your TTL for an A record is 86400 seconds, you would want to adjust the TTL to the lowest possible value one full day in advance of your anticipated DNS change.

If you are changing name servers, these changes can take several hours or even a couple of days to fully propagate. So, changing name servers as a part of a critical migration to Pressable is not advised.

If the MyPressable Control Panel is not able to receive an SSL certificate from Let’s Encrypt, it will continue trying to provision one.

The quickest way to resolve this is to remove the domains and re-add them in your My Pressable Control Panel – this will force our system to attempt to provision an SSL certificate for your domains.

If DNS has propagated globally, the next possible reason for failed SSL provisioning may be IPV6 records that do not point to Pressable. Let’s Encrypt will attempt to verify our control of the domain via IPV6 records by default. As Pressable does not offer IPV6 records, any IPV6 (AAAA) records set should proxy to our IPV4 (A) records. If they do not, Let’s Encrypt will not be able to issue the SSL certificate.

To see whether your domain has them set, use the Dig tool from Google.

In most cases, IPV6 records can simply be removed. Once removed or properly configured, you can either wait for MyPressable to initiate a new request or force it do so by removing the domains in question from the Control Panel and re-adding them. If successful, SSL should be active in approximately one minute.

A Certification Authority Authorization (CAA) record is a DNS record that explicitly authorizes Certificate Authorities to issue certificates for domains that have CAA records set.

If your domain does not have any CAA set, then the lack of this record will not have an effect on a certificate authority’s ability to issue the certificate.

If your domain does have at least one CAA set, you should add a CAA record for letsencrypt.org. It may look something like this:

$ dig caa yourdomain.com +short
0 issuewild "amazon.com"
0 issue "letsencrypt.org"

To see whether your domain has a CAA set, use the Dig tool from Google.

Even after successful issuance of an SSL certificate for your domain, you may see “mixed content” warnings in the developer tools console or a “Not Secure” message in the address bar of your browser.

This usually means that an SSL certificate was issued, but that your site is making requests to non-HTTPS assets. In most cases, a quick search-replace will solve for this issue. If you need assistance, don’t hesitate to contact the Customer Success team.