SSL Troubleshooting for the Most Common SSL Issues
SSL errors can occur for a variety of reasons. If your site is showing an insecure warning or not showing SSL at all, please check the sections below to troubleshoot what may be causing the issue.
Did you point your domain to Pressable within the last few hours?
The most common reason SSL provisioning fails is that the domain was added to the MyPressable Control Panel while a DNS change was still propagating.
Our SSL provider uses DNS to confirm that a domain is hosted by Pressable. That means if a domain is added to a site here while DNS is still propagating, there may be a small delay before the certificate is provisioned.
Our system retries automatically multiple times if the first attempt fails, but you can also manually reprovision your site’s SSL certificate from the Domains tab of the site’s control panel.
Click the Actions menu icon to the right of your domain and then click Retry SSL. If you already have a valid SSL certificate you may see an error message, but if your site does not yet have a valid certificate this should generate one. You only need to click the icon once; we will include all secondary domains attached to the site in the certificate.
Has the domain been pointed to Pressable for more than 24 hours?
Certain types of DNS records may interfere with SSL provisioning. Usually the issue is caused by AAAA records, but in some cases CAA records can also cause problems. You can check whether either of these records exists for your domain at WhatsMyDNS.com.
If either AAAA or CAA records exist, please delete them. Wait a few hours for those changes to propagate and then open the Domains tab of your site’s control panel. Click the Actions menu icon to the right of your domain and then click Retry SSL. You only need to click the icon once; we will include all secondary domains attached to the site in the certificate.
Does your domain have DNSSEC enabled?
DNSSEC is a form of digital signature for a domain, implemented through DNS records. Adoption is still growing, and even if you wanted to implement it, most top-level domains don’t currently support it. As it currently stands, the cost-benefit balance does not favor DNSSEC simply because it is still too early. The lack of knowledge and the incompatibility in client- and server-side technology make it difficult to adopt, and it can cause problems with SSL.
You can check if your domain has DNSSEC enabled using this tool. If it is currently active, please disable it. You’ll need to wait a few hours for that DNS change to propagate around the world and then you can reprovision your site’s SSL certificate from the Domains tab of the site’s control panel.
Are you using Cloudflare?
Some SSL settings at Cloudflare can conflict with our certificates. Please ensure your Cloudflare SSL settings are set to “Full” and not to either “Full (Strict)” or “Flexible”. You can find more information here: https://pressable.com/knowledgebase/using-cloudflare-ssl-with-pressable/
Misconfigured CAA Record
A Certification Authority Authorization (CAA) record is a DNS record that explicitly authorizes Certificate Authorities to issue certificates for domains that have CAA records set.
If your domain does not have any CAA set, then the lack of this record will not have an effect on a certificate authority’s ability to issue the certificate.
If your domain does have at least one CAA set, you should add a CAA record for letsencrypt.org. It may look something like this:
$ dig caa yourdomain.com +short
0 issuewild "amazon.com"
0 issue "letsencrypt.org"
To see whether your domain has a CAA set, use the Dig tool from Google.
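The CAA rule above, as an added example that is not part of Pressable's article or tooling: a shell function that reads `dig +short caa` output and reports whether letsencrypt.org may issue, applying the RFC 8659 rules. The function name caa_allows is an assumption of this example, and the sample records are constructed from the output shown above.

```shell
#!/bin/sh
# Added example (not Pressable's tooling): evaluate `dig +short caa` output.
# RFC 8659 rules applied here:
#   - no CAA records at all   -> any CA may issue
#   - `issuewild` present     -> it alone governs wildcard names
#   - `issuewild` absent      -> `issue` governs wildcard names too
#   - a value of ";"          -> no CA is authorized
# CAs also walk up to parent names when a name has no CAA records, so check
# the parent domain as well when a subdomain returns nothing.
# Live use: dig +short caa yourdomain.com | caa_allows letsencrypt.org

# caa_allows CA [issue|issuewild]: reads record lines on stdin.
# Exit status 0 = CA may issue, 1 = the CAA records block it.
caa_allows() {
    awk -v ca="$1" -v want="${2:-issue}" '
        BEGIN { ca = tolower(ca) }
        NF < 3 { next }                      # skip blank or malformed lines
        {
            tag = tolower($2)
            val = $0
            sub(/^[^"]*"/, "", val)          # drop flags, tag, opening quote
            sub(/".*$/, "", val)             # drop closing quote
            sub(/;.*$/, "", val)             # drop parameters after ";"
            gsub(/[ \t]/, "", val)
            val = tolower(val)
            if (tag == "issue")     { n_issue++; if (val == ca) ok_issue = 1 }
            if (tag == "issuewild") { n_wild++;  if (val == ca) ok_wild = 1 }
        }
        END {
            if (want == "issuewild" && n_wild > 0) exit (ok_wild ? 0 : 1)
            if (n_issue > 0) exit (ok_issue ? 0 : 1)
            exit 0
        }'
}

# Constructed sample: the two records from the dig output shown above.
SAMPLE='0 issuewild "amazon.com"
0 issue "letsencrypt.org"'

for mode in issue issuewild; do
    if printf '%s\n' "$SAMPLE" | caa_allows letsencrypt.org "$mode"; then
        echo "$mode: letsencrypt.org is authorized"
    else
        echo "$mode: letsencrypt.org is blocked by CAA"
    fi
done
```

With the sample records, a regular certificate from letsencrypt.org is authorized, while a wildcard certificate is not, because the issuewild record names only amazon.com.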
Invalid IPv6 Record(s)
If DNS has propagated globally, the next possible reason for failed SSL provisioning may be IPv6 records that do not point to Pressable. Let’s Encrypt will attempt to verify our control of the domain via IPv6 records by default. As Pressable does not offer IPv6 records, any IPv6 (AAAA) records set should proxy to our IPv4 (A) records. If they do not, Let’s Encrypt will not be able to issue the SSL certificate.
To see whether your domain has them set, use the Dig tool from Google.
In most cases, IPv6 records can simply be removed. Once they are removed or properly configured, you can either wait for MyPressable to initiate a new request or force it to do so by removing the domains in question from the Control Panel and re-adding them. If successful, SSL should be active in approximately one minute.
Mixed Content Warnings
Even after successful issuance of an SSL certificate for your domain, you may see “mixed content” warnings in the developer tools console or a “Not Secure” message in the address bar of your browser.
This usually means that an SSL certificate was issued, but that your site is making requests to non-HTTPS assets. In most cases, a quick search-replace will solve this issue.
If you are still having trouble with SSL not working as expected, please contact our support team. We’re always happy to help.