Why isn't my SSL certificate working?

Learn about the issues that may affect the management of your SSL certificates.

Updated over a month ago

Our URL redirect service uses a third party called Let's Encrypt to issue and renew our automatic HTTPS SSL certificates. They impose a number of limitations on their users to ensure the fair use of their service. These limitations may affect how quickly your SSL certificates are issued.

Certificates per Registered Domain

Let's Encrypt has a limit of 50 certificates issued per registered domain per week. That means that if you are setting up new redirects on more than 50 subdomains of your main domain name, you will see delays in the issuance of SSL certificates. Our systems will automatically continue to request the certificate every hour, but those requests will fail until the week has passed. As soon as Let's Encrypt lifts the restriction on your domain, our systems will automatically provision the outstanding certificates.

It's important to note that this limit applies to all services that use Let's Encrypt. That means if you use other online services that also use Let's Encrypt, the "50 certificates issued per registered domain per week" limit is shared among those services.

Unfortunately, if you find yourself hitting up against this limit, there is nothing we can do to expedite your certificate issuance. You can either wait for one week to pass, or you can purchase an SSL certificate from a vendor and upload it using our SSL upload facility.

One last note: this limitation does not apply to certificate renewals. Once your certificates are issued for the first time, we should have no problem renewing them for you automatically, regardless of how many subdomains there are.

DNS Misconfiguration

Another type of problem we see frequently is misconfigured DNS. In order for Let's Encrypt to issue an SSL certificate, they need to verify that we have control over the domain. They do that by requesting a file from your domain, and because you've pointed an A or CNAME record to us on that domain, we are able to answer that request for you automatically. Even though our systems may report that the DNS is pointing to us correctly, there are situations where this isn't good enough for Let's Encrypt.

The #1 problem we see for this is users who have created IPv6 DNS entries (called AAAA records). If an AAAA record exists for the domain name you're trying to issue an SSL certificate for, Let's Encrypt tries to verify that it also answers with the correct file it is expecting. Unfortunately, this will never work because our URL redirect service does not currently support IPv6. The solution to this is easy: remove the AAAA record from your DNS. Your certificate should be issued soon after.

Another problem we often see is misconfigured Certification Authority Authorization (CAA) entries. A CAA record is a type of DNS record that specifies which certificate authorities should be allowed to issue SSL certificates for a particular domain name. Our customers wishing to use our automatic SSL certificate management will need to include Let's Encrypt in their CAA record (if one is present).
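
The two DNS problems described above can be checked mechanically. The following Python code is an added example, not code from this service: it runs over constructed sample records (all hostnames, addresses and the `ca.example.net` issuer are made up), and it assumes the standard CAA rules that a subdomain without its own CAA records inherits its parent's and that Let's Encrypt is identified in CAA records as `letsencrypt.org`.

```python
# Constructed sample DNS data (name -> record type -> values); not real lookups.
ZONE = {
    "example.com": {"CAA": ['0 issue "ca.example.net"']},
    "go.example.com": {"A": ["203.0.113.10"], "AAAA": ["2001:db8::10"]},
    "example.org": {"CAA": ['0 issue "letsencrypt.org; validationmethods=http-01"',
                            '0 iodef "mailto:security@example.org"']},
    "link.example.org": {"A": ["203.0.113.10"]},
    "example.net": {"CAA": ['0 iodef "mailto:security@example.net"']},
    "r.example.net": {"A": ["203.0.113.10"]},
}
LETS_ENCRYPT = "letsencrypt.org"  # issuer name Let's Encrypt matches in CAA


def relevant_caa(name, zone):
    """Walk from the name up through its parents; the first CAA set found applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        records = zone.get(".".join(labels[i:]), {}).get("CAA")
        if records:
            return records
    return []


def caa_allows(records, ca=LETS_ENCRYPT):
    """True if these CAA records let `ca` issue a non-wildcard certificate."""
    issuers = []
    for record in records:
        flags, tag, value = record.split(None, 2)
        tag = tag.lower()
        if tag == "issue":
            # Drop quotes and any ";parameter" suffix; 'issue ";"' forbids every CA.
            issuers.append(value.strip('"').split(";")[0].strip().lower())
        elif int(flags) & 128 and tag not in ("issuewild", "iodef"):
            return False  # unrecognised property marked critical blocks issuance
    return not issuers or ca in issuers


def issuance_blockers(name, zone):
    """List the DNS problems from this article that would stop issuance for `name`."""
    problems = []
    if zone.get(name, {}).get("AAAA"):
        problems.append("AAAA record present")
    if not caa_allows(relevant_caa(name, zone)):
        problems.append("CAA does not authorize " + LETS_ENCRYPT)
    return problems


if __name__ == "__main__":
    for host in ("go.example.com", "link.example.org", "r.example.net"):
        print(host, issuance_blockers(host, ZONE) or "ok")
```

In the sample data, `go.example.com` fails on both counts because it has an AAAA record and inherits a CAA record from `example.com` that names a different issuer, while a CAA set containing only `iodef` entries does not restrict issuance.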

Account Cancelled

When your account is cancelled, either because you chose to cancel your account, or automatically due to repeated payment failures, we disable your SSL certificates across our infrastructure. This will result in visitors receiving security warnings when they visit your sites. SSL support is only available on paid accounts.

To remedy this situation you can add a payment card on a plan that supports automatic HTTPS. Once we've processed your payment your SSL certificates will be automatically provisioned across our infrastructure.

Other Problems

A great tool to help diagnose problems with Let's Encrypt issuing certificates is Let's Debug. Give it a try if you continue to see problems. As always, if you're still not sure why your SSL certificates are not being issued, please don't hesitate to get in touch with us. We'd be happy to look into it.
