Certificate Error – wrong certificate being served for custom domain name

Hello, all of a sudden one of my custom domains stopped working due to a certificate error: https://store.identity-letters.com/

curl -vI https://store.identity-letters.com
*   Trying 34.83.64.96...
* TCP_NODELAY set
* Connected to store.identity-letters.com (34.83.64.96) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.render.com
*  start date: Jun 28 17:52:36 2021 GMT
*  expire date: Sep 26 17:52:35 2021 GMT
*  subjectAltName does not match store.identity-letters.com
* SSL: no alternative certificate subject name matches target host name 'store.identity-letters.com'
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, close notify (256):
curl: (60) SSL: no alternative certificate subject name matches target host name 'store.identity-letters.com'

The certificate appears to be Render’s main *.render.com.

I tried deleting and re-adding the custom domain through the admin UI but no luck.

Please help!

We’re on it.

We fixed the certificate, but the URL returns a 404. Is that expected?

Looks like it’s fixed. Thanks! (This serves the backend for the main site on identity-letters.com)

Could you elaborate on what caused the issue?

We’re looking into isolated cases where certificate renewals aren’t picked up by our load balancing layer. store.identity-. was unfortunately one of the sites affected.

Me too, the project's custom domain has a certificate error.
Render domain: beta-discourse-community.onrender.com.
Custom domain: beta.community.security.eufylife.com

curl -vI https://beta.community.security.eufylife.com
*   Trying 216.24.57.253:443...
* Connected to beta.community.security.eufylife.com (216.24.57.253) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, handshake failure (552):
* error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure 

@shady Have you added the custom domain to your Render service itself? See the Custom Domains docs (https://render.com/docs/custom-domains) for steps.

Hi @John_B,
yes, I added the custom domain to our Render service, and Render shows "Certificate Issued", but when we refresh the browser, Render shows "Certificate Error":

and after about one hour, the custom domain is automatically removed -_-

I can see the domain has now been added; it wasn't there when I checked earlier. We're getting a CAA error when we try to issue a cert, which seems to be blocked here:

dig +short CAA community.security.eufylife.com
eufylife.hosted-by-discourse.com.
0 issue "letsencrypt.org"

https://render.com/docs/custom-domains#caa-records should help you get straightened out and get a certificate issued.

John B

Thanks @John_B. Our community.security.eufylife.com is bound to hosted-by-discourse.com,
and the '0 issue "letsencrypt.org"' record is added by Discourse,
so when we followed the guide ("Custom Domains | Render · Cloud Hosting for Developers") to add two new CAA records on GoDaddy:
record 1: type: CAA, name: community.security.eufylife.com, value: letsencrypt.org
record 2: type: CAA, name: community.security.eufylife.com, value: digicert.com
it looks like we cannot do it.
Is there any way we can use the beta.community.security.eufylife.com domain on render.com?
Thanks very much.

I can see

eufylife.hosted-by-discourse.com. 5 IN	CAA	0 issue "letsencrypt.org"

You should be able to add the additional entries that we need to your DNS so that we can get a certificate added. When you say you can't do it, what is restricting you here?

Regards,

John B

@John_B we have added two DNS records on GoDaddy:
security.eufylife.com CAA 0 issue "digicert.com"
security.eufylife.com CAA 0 issue "letsencrypt.org"
but our Render custom domain beta.community.security.eufylife.com still has the error...

@shady the domain here should be community.security.eufylife.com. I can see the CAA records on security.eufylife.com, but they're a subdomain too low:

$ dig +short CAA security.eufylife.com
0 issuewild "digicert.com"
0 issuewild "letsencrypt.org"
$ dig +short CAA community.security.eufylife.com
eufylife.hosted-by-discourse.com.
0 issue "letsencrypt.org"

To simplify things here you could maybe use beta-community and use that on security.eufylife.com?
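The CAA walk that John is describing can be reproduced offline. The script below is an added example (it is not code from this thread, from Render, or from any CA): it implements the Relevant RRset search of RFC 8659 section 3 over a constructed in-memory zone built from the dig output quoted above. The CNAME from beta.community.security.eufylife.com to the onrender.com host is an assumption (it is how Render custom domains are normally delegated) and is not shown anywhere in the thread; the candidate CA names and the "*.security.eufylife.com" wildcard case are there only to exercise the rules.

```python
"""CAA evaluation as a CA performs it (RFC 8659, section 3), run over a
constructed zone that mirrors the dig output quoted in this thread.
Added example; not code from the thread, from Render or from any CA."""

# Constructed zone data, not live DNS.  Owner names are fully qualified.
# The CNAME from the beta host to an onrender.com name is an assumption;
# it is not shown anywhere in the thread.
ZONE = {
    "security.eufylife.com.": {
        "CAA": [(0, "issuewild", "digicert.com"),
                (0, "issuewild", "letsencrypt.org")],
    },
    "community.security.eufylife.com.": {
        "CNAME": "eufylife.hosted-by-discourse.com.",
    },
    "eufylife.hosted-by-discourse.com.": {
        "CAA": [(0, "issue", "letsencrypt.org")],
    },
    "beta.community.security.eufylife.com.": {            # assumed
        "CNAME": "beta-discourse-community.onrender.com.",
    },
}


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def lookup_caa(zone, name, max_cname=8):
    """CAA RRset at `name`, following CNAMEs the way a resolver does.
    The alias target's own parents are NOT climbed (RFC 8659 dropped
    the RFC 6844 rule that did so)."""
    for _ in range(max_cname):
        node = zone.get(name, {})
        if "CNAME" in node:
            name = node["CNAME"]
            continue
        return list(node.get("CAA", []))
    raise ValueError("CNAME chain too long at %s" % name)


def parent(name):
    labels = name.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def relevant_caa_set(zone, fqdn):
    """Climb from fqdn toward the root; the first non-empty CAA RRset is
    the Relevant RRset and ends the search.  Returns (owner, rrset)."""
    name = _fqdn(fqdn)
    while name != ".":
        rrset = lookup_caa(zone, name)
        if rrset:
            return name, rrset
        name = parent(name)
    return None, []


def may_issue(zone, fqdn, ca_domain, wildcard=False):
    """Would a CA identified by `ca_domain` be allowed to issue for fqdn?"""
    if wildcard and fqdn.startswith("*."):
        fqdn = fqdn[2:]                  # CAA for *.x is looked up at x
    _, rrset = relevant_caa_set(zone, fqdn)
    if not rrset:
        return True                      # no CAA anywhere: unrestricted
    # issuewild governs a wildcard request only when such records exist;
    # for a non-wildcard request issuewild records are ignored entirely.
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    values = [v for _, t, v in rrset if t == tag]
    if not values:
        return True                      # no property of that type: unrestricted
    # An empty issuer name ("0 issue ;") authorises nobody.
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in issuers


if __name__ == "__main__":
    for host in ("beta.community.security.eufylife.com",
                 "beta-community.security.eufylife.com"):
        owner, rrset = relevant_caa_set(ZONE, host)
        print(host, "->", owner, rrset)
        for ca in ("letsencrypt.org", "digicert.com"):
            print("  %-16s %s" % (ca, may_issue(ZONE, host, ca)))
```

Running it shows why the records added on security.eufylife.com never helped: the search for beta.community.security.eufylife.com finds nothing at the host itself, moves up to community.security.eufylife.com, follows the Discourse CNAME and hits the `0 issue "letsencrypt.org"` set, which ends the climb, so only Let's Encrypt may issue for that name. For beta-community.security.eufylife.com the first non-empty set is the one on security.eufylife.com, and because those records are `issuewild` they do not restrict a non-wildcard request at all. Against live DNS, run `dig CAA` at each label as John did, remembering that a CNAME at a name prevents any CAA record from being published at that same name.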

@John_B, yes, thanks.
It looks like we can only use another domain name like beta-community;
GoDaddy DNS cannot set CNAME and CAA records on the same domain name.