SSL Troubleshooting for the Most Common SSL Issues

Category: TroubleShooting | Last modified: August 28, 2020

SSL errors can occur for a variety of reasons. Below you can find information on troubleshooting some of the most common ones.

DNS Propagation

The most common reason that SSL fails is because the domain has been added to MyPressable Control Panel while a DNS change is still propagating.

We use Let’s Encrypt to issue free SSL certificates for domains. If we request an SSL certificate from Let’s Encrypt and they are not able to see the domain pointing to us, they will not issue it.

If you are changing A records, you can minimize issues with SSL issuance by adjusting the time-to-live (TTL) of your domains’ A records. For example, if the TTL of an A record is 86400 seconds (one day), lower it to the smallest value your DNS provider allows at least one full day in advance of your anticipated DNS change, so that resolvers that cached the old record have expired it by the time you switch.

If you are changing name servers, these changes can take several hours or even a couple of days to fully propagate. So, changing name servers as a part of a critical migration to Pressable is not advised.

If the MyPressable Control Panel is not able to receive an SSL certificate from Let’s Encrypt, it will continue trying to provision one. If you do not want to wait, you should remove the domains and re-add them to the Control Panel.

Invalid IPv6 Record(s)

If DNS has propagated globally, the next possible reason for failed SSL provisioning is an IPv6 record that does not point to Pressable. When a domain has an AAAA record, Let’s Encrypt will attempt to verify our control of the domain over IPv6 by default. Pressable does not offer IPv6 addresses, so any IPv6 (AAAA) record that exists must resolve to something that proxies traffic on to our IPv4 (A) records. If it does not, Let’s Encrypt cannot reach the site over IPv6 and will not issue the SSL certificate.

To see whether your domain has them set, use the Dig tool from Google.

In most cases, IPv6 records can simply be removed. Once they are removed or properly configured, you can either wait for MyPressable to initiate a new request or force it to do so by removing the domains in question from the Control Panel and re-adding them. If successful, SSL should be active in approximately one minute.

Misconfigured CAA Record

A Certification Authority Authorization (CAA) record is a DNS record that states which Certificate Authorities are allowed to issue certificates for the domain it is set on.

If your domain does not have any CAA record set, the absence of the record does not restrict any certificate authority from issuing the certificate.

If your domain does have at least one CAA record set, you should add a CAA record for letsencrypt.org. The result may look something like this:

$ dig caa yourdomain.com +short
0 issuewild "amazon.com"
0 issue "letsencrypt.org"

To see whether your domain has a CAA set, use the Dig tool from Google.
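The two DNS checks above (an AAAA answer where none should exist, and a CAA set that must list letsencrypt.org) can be applied to dig output offline. The following is an added example, not code from the original article or from Pressable; it assumes you paste the `+short` output of `dig aaaa` and `dig caa` for your domain, and it encodes the CAA rules from RFC 8659 as a CA applies them (including the wildcard case, which the article’s own sample output illustrates).

```python
import re

LETS_ENCRYPT = "letsencrypt.org"
# Shape of one `dig caa <domain> +short` line: <flags> <tag> "<value>"
CAA_LINE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')

def parse_caa(dig_short):
    """Parse `dig caa <domain> +short` output into (flags, tag, issuer) tuples.
    The value may carry ';'-separated parameters; only the CA name is kept."""
    records = []
    for line in dig_short.strip().splitlines():
        m = CAA_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised CAA line: {line!r}")
        flags, tag, value = m.groups()
        records.append((int(flags), tag.lower(), value.split(";")[0].strip().lower()))
    return records

def ca_may_issue(records, ca=LETS_ENCRYPT, wildcard=False):
    """RFC 8659 rules: no CAA records means any CA may issue; a critical record
    (flag bit 128) with an unknown tag forbids issuance; for wildcard names any
    'issuewild' records replace the 'issue' records, and 'issuewild' is ignored
    for non-wildcard names; an empty relevant set restricts nothing, otherwise
    the CA must be listed (so issue ";" blocks every CA)."""
    if not records:
        return True
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in records):
        return False
    use_wild = wildcard and any(t == "issuewild" for _, t, _ in records)
    wanted = "issuewild" if use_wild else "issue"
    relevant = [v for _, t, v in records if t == wanted]
    return True if not relevant else ca in relevant

def aaaa_present(dig_short):
    """True when `dig aaaa <domain> +short` printed at least one address; since
    Pressable offers no IPv6, any AAAA answer is a candidate cause of failure."""
    return any(line.strip() for line in dig_short.splitlines())

# Constructed sample input: the CAA answer shown in the article, plus one AAAA
# answer using the documentation prefix (not a real host).
SAMPLE_CAA = '0 issuewild "amazon.com"\n0 issue "letsencrypt.org"\n'
SAMPLE_AAAA = "2001:db8::1\n"

if __name__ == "__main__":
    recs = parse_caa(SAMPLE_CAA)
    print("LE may issue yourdomain.com:", ca_may_issue(recs))                  # True
    print("LE may issue *.yourdomain.com:", ca_may_issue(recs, wildcard=True))  # False
    print("AAAA record present:", aaaa_present(SAMPLE_AAAA))                    # True
```

Note that the article’s sample CAA set authorizes Let’s Encrypt for ordinary hostnames but, because the only issuewild entry names amazon.com, not for wildcard names.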

Mixed Content Warnings

Even after successful issuance of an SSL certificate for your domain, you may see “mixed content” warnings in the developer tools console or a “Not Secure” message in the address bar of your browser.

This usually means that an SSL certificate was issued, but that your site is still loading some assets (images, scripts, stylesheets) over plain HTTP. In most cases, a quick search-and-replace of http:// URLs with https:// in the site content will solve this issue. If you need assistance, don’t hesitate to contact the Customer Success team.
