Hello, all of a sudden one of my custom domains stopped working due to a certificate error: https://store.identity-letters.com/
curl -vI https://store.identity-letters.com
* Trying 34.83.64.96...
* TCP_NODELAY set
* Connected to store.identity-letters.com (34.83.64.96) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=*.render.com
* start date: Jun 28 17:52:36 2021 GMT
* expire date: Sep 26 17:52:35 2021 GMT
* subjectAltName does not match store.identity-letters.com
* SSL: no alternative certificate subject name matches target host name 'store.identity-letters.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'store.identity-letters.com'
The certificate appears to be Render’s main *.render.com.
I tried deleting and re-adding the custom domain through the admin UI but no luck.
Please help!
anurag
August 17, 2021, 4:06pm
3
We fixed the certificate, but the URL returns a 404. Is that expected?
Looks like it’s fixed. Thanks! (This serves the backend for the main site on identity-letters.com )
Could you elaborate on what caused the issue?
anurag
August 17, 2021, 4:49pm
5
We’re looking into isolated cases where certificate renewals aren’t picked up by our load balancing layer. store.identity-. was unfortunately one of the sites affected.
shady
March 18, 2022, 5:50am
6
Me too, the project’s custom domain has a certificate error:
Render domain: beta-discourse-community.onrender.com
custom domain: beta.community.security.eufylife.com
curl -vI https://beta.community.security.eufylife.com
* Trying 216.24.57.253:443...
* Connected to beta.community.security.eufylife.com (216.24.57.253) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
* CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
John_B
March 18, 2022, 9:47am
7
@shady Have you added the custom domain to your Render service itself? See Custom Domains | Render · Cloud Hosting for Developers for steps.
shady
March 18, 2022, 9:59am
8
Hi @John_B,
Yes, I’ve added the custom domain to our Render service, and Render shows “Certificate Issued”, but when we refresh the browser, Render shows “Certificate Error”:
and after about one hour, the custom domain is automatically removed -_-
John_B
March 18, 2022, 10:35am
9
I can see the domain has now been added, it wasn’t there when I checked earlier. We’re getting a CAA error when we try and issue a cert, which seems to be being blocked here:
dig +short CAA community.security.eufylife.com
eufylife.hosted-by-discourse.com.
0 issue "letsencrypt.org"
https://render.com/docs/custom-domains#caa-records should help you get straightened out and get a certificate issued.
John B
shady
March 21, 2022, 2:48am
10
Thanks @John_B, our community.security.eufylife.com is bound to hosted-by-discourse.com,
and the ‘0 issue "letsencrypt.org"’ was added by Discourse,
so when we follow the guide “Custom Domains | Render · Cloud Hosting for Developers” to add two new CAA records on GoDaddy,
record 1: type: CAA, name: community.security.eufylife.com, value: letsencrypt.org
record 2: type: CAA, name: community.security.eufylife.com, value: digicert.com
it looks like we cannot do it.
Is there any way we can use the beta.community.security.eufylife.com domain on render.com?
Thanks very much.
John_B
March 21, 2022, 10:41am
11
I can see
eufylife.hosted-by-discourse.com. 5 IN CAA 0 issue "letsencrypt.org"
You should be able to add the additional entries that we need to your DNS so that we can get a certificate added. When you say you can’t do it, what is restricting you here?
Regards,
John B
shady
March 22, 2022, 10:18am
13
@John_B we have added two domain records on GoDaddy:
security.eufylife.com CAA 0 issue "digicert.com"
security.eufylife.com CAA 0 issue "letsencrypt.org"
but our Render custom domain beta.community.security.eufylife.com still has an error…
John_B
March 22, 2022, 10:32am
14
@shady the domain here should be community.security.eufylife.com - I can see the CAA records on security.eufylife.com but they’re a subdomain too low
$ dig +short CAA security.eufylife.com
0 issuewild "digicert.com"
0 issuewild "letsencrypt.org"
$ dig +short CAA community.security.eufylife.com
eufylife.hosted-by-discourse.com.
0 issue "letsencrypt.org"
To simplify things here you could maybe use beta-community and use that on security.eufylife.com?
shady
March 23, 2022, 6:01am
15
@John_B, yes, thanks,
it looks like we can only use another domain name like beta-community;
GoDaddy DNS cannot set CNAME and CAA records on one domain name.
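
The CAA lookup discussed in this thread, as an added example that is not part of any post and is not Render's code: a simplified model of the RFC 8659 tree climb showing why records on security.eufylife.com are never consulted for beta.community.security.eufylife.com. The zone data is constructed from the dig output quoted above; it assumes no other CAA or CNAME records exist at these names and that the request is for a non-wildcard certificate.

```python
# Constructed zone data, copied from the dig output quoted in the thread.
# Assumption: no other CAA or CNAME records exist at these names.
CNAME = {
    "community.security.eufylife.com": "eufylife.hosted-by-discourse.com",
}
CAA = {
    "eufylife.hosted-by-discourse.com": [("issue", "letsencrypt.org")],
    "security.eufylife.com": [("issuewild", "digicert.com"),
                              ("issuewild", "letsencrypt.org")],
}


def caa_at(name):
    """CAA RRset a resolver returns for `name`, following any CNAME chain."""
    seen = set()
    while name in CNAME and name not in seen:
        seen.add(name)
        name = CNAME[name]
    return CAA.get(name, [])


def relevant_caa_set(fqdn):
    """Climb from fqdn towards the root; the first non-empty RRset wins."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        rrset = caa_at(name)
        if rrset:
            return name, rrset
    return None, []


def may_issue(ca, fqdn):
    """Non-wildcard request: only `issue` properties restrict issuance."""
    _, rrset = relevant_caa_set(fqdn)
    issuers = [value for tag, value in rrset if tag == "issue"]
    return not issuers or ca in issuers


if __name__ == "__main__":
    for host in ("beta.community.security.eufylife.com",
                 "beta-community.security.eufylife.com"):
        found_at, _ = relevant_caa_set(host)
        print(host, "-> CAA taken from", found_at)
        for ca in ("letsencrypt.org", "digicert.com"):
            print("   ", ca, "allowed" if may_issue(ca, host) else "blocked")
```

The climb stops at community.security.eufylife.com because the CNAME there resolves to a name that already publishes a CAA set, so only a name that is not underneath it (such as beta-community.security.eufylife.com) reaches the records on security.eufylife.com.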