I like Netlify a lot. It’s what I use to host this site and a bunch of other domains.

One of the neat things they offer is SSL certificates through Let’s Encrypt. All you have to do is click a button.

So a while back I did click that button. Unfortunately, things didn’t go as planned. Both domains were marked as untrusted by Chrome and Safari. While you could still click proceed, that wouldn’t be a great user experience by any stretch of the imagination.

After browsing Netlify’s help docs, I wasn’t able to find anything relating to my issue, so I wrote to their support email instead:

Hello,

I have Let’s Encrypt set up for two domains: unreplied.app and duro.me. For both, it is saying that the certificates are invalid in Chrome and Safari. Is there a way to regenerate my certificates, or am I doing something wrong with my DNS records?

Thanks, Andi

I sent this email at 1:30AM and got a response promptly at 6AM (way to go, Netlify!).

While I was expecting a reply pointing out what I did wrong, I actually got quite a thorough explanation, which is why I thought I’d share it in this post. Here’s the email in its entirety:

Hello Andi,

I got your certificates fixed.

Generally, the reason we are unable to provision a complete SSL certificate for your custom domain is that the DNS cache timeout value (TTL) for a record has not had time to expire (from your old settings) before you tried to use it with Netlify. Our SSL provider (https://letsencrypt.org) is unable to create certificates for names that have old cached values still in effect.

Depending on how you configure your domain, we may only attempt to fetch the certificate once - when you update your settings with the new domain name. Usually, if it is your first hostname on a site, we’ll try several times until we succeed.

If that process generates a partial certificate, that’s what you’re stuck with until you write in to support. I realize that this experience isn’t the greatest - but letting you repeatedly press a “refresh certificate” button would be worse as you’d likely get locked out of getting a certificate for a week, due to our SSL provider’s strict rate limits for re-requests.

The additional delay seems to have been enough to allow things to work right when I attempted to re-issue the certificate.

Please let me know if things are not working as expected now.

Basically, the process for procuring a Let’s Encrypt certificate for my domains failed and left me with a partial certificate (I had no idea that was a possibility). This is why Chrome was throwing those mean errors.

My awesome Netlify rep (Dennis) was able to restart the certificate process on his side and, since enough time had passed for my old DNS record values to be thrown out of cache (that’s the TTL he was talking about), it went through flawlessly and built the full certificates I was looking for.

After that, I had no more SSL issues.

The lesson learned here is to wait a while after pointing a domain’s DNS records to Netlify (long enough for the old records’ TTL to expire) before setting up that domain within Netlify. In these particular instances, I changed the DNS records for the domains with my registrar (Namecheap) and then immediately set them up in the site portal. Hence, Let’s Encrypt left me with partial certificates because each domain’s records were still in the process of changing.
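Two checks cover the failure described above: confirming that a public resolver already serves the same answer as the authoritative nameserver (so no stale cached values remain), and confirming that the certificate a site presents actually lists every hostname it is supposed to. The script below is an added example written for this post, not Netlify’s or Let’s Encrypt’s code. It parses `dig +noall +answer` style output and a certificate dictionary in the shape Python’s `ssl` module returns; the DNS answers, IP addresses (from the documentation ranges) and certificate contents are constructed samples, and the hostnames are the ones from the post.

```python
"""Pre-flight checks before requesting a certificate for a freshly re-pointed domain.

Added example for this post. Sample DNS answers and the sample certificate
are constructed; nothing here is real query output.
"""
from __future__ import annotations

import re
import socket
import ssl
from dataclasses import dataclass

# One `dig +noall +answer` line: name, TTL, class, type, rdata.
DIG_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str


def parse_dig_answer(text: str) -> list[Record]:
    """Parse `dig +noall +answer` output into Record objects (comments skipped)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_LINE.match(line)
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append(Record(name.rstrip("."), int(ttl), rtype, rdata.rstrip(".")))
    return records


def seconds_until_consistent(authoritative: list[Record], resolver: list[Record]) -> int:
    """0 if the resolver already serves the authoritative answer; otherwise the
    longest remaining TTL among the stale cached records, i.e. how long to wait
    before asking a CA to validate the name through that resolver."""
    want = {(r.rtype, r.rdata) for r in authoritative}
    have = {(r.rtype, r.rdata) for r in resolver}
    if want == have:
        return 0
    return max((r.ttl for r in resolver), default=0)


def _san_matches(pattern: str, hostname: str) -> bool:
    """Match one subjectAltName DNS entry; a leading '*' covers exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def uncovered_hostnames(cert: dict, hostnames: list[str]) -> list[str]:
    """Return the hostnames a certificate does not cover (a 'partial' certificate).
    `cert` has the shape returned by ssl.SSLSocket.getpeercert()."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return [h for h in hostnames if not any(_san_matches(s, h) for s in sans)]


def fetch_peer_cert(hostname: str, port: int = 443) -> dict:
    """Live variant (needs network): fetch the certificate a server presents.
    Hostname checking is disabled so a certificate issued for the wrong names is
    still returned; chain verification stays on, since CERT_NONE makes
    getpeercert() return an empty dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed samples: the authoritative server already has the new A record,
# while a public resolver still caches the old one with 29 minutes of TTL left.
AUTHORITATIVE = "unreplied.app.\t3600\tIN\tA\t203.0.113.10\n"
CACHED = "unreplied.app.\t1740\tIN\tA\t198.51.100.7\n"

# Constructed certificate covering the apex only, not the www hostname.
SAMPLE_CERT = {
    "subject": ((("commonName", "unreplied.app"),),),
    "subjectAltName": (("DNS", "unreplied.app"),),
}

if __name__ == "__main__":
    wait = seconds_until_consistent(parse_dig_answer(AUTHORITATIVE), parse_dig_answer(CACHED))
    print(f"seconds until resolver matches authoritative answer: {wait}")
    print("hostnames missing from certificate:",
          uncovered_hostnames(SAMPLE_CERT, ["unreplied.app", "www.unreplied.app"]))
```

In practice you would feed `parse_dig_answer` the output of `dig +noall +answer unreplied.app @<authoritative nameserver>` and the same query against a public resolver, and only request the certificate once `seconds_until_consistent` returns 0; `uncovered_hostnames` on the live certificate then tells you whether you ended up with the partial certificate the support reply describes.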

A big thanks goes out to Netlify’s fantastic support (especially Dennis) for remedying this situation quickly. I’m writing this post in the hopes that someone else who experiences this will now know what to do - just contact support.

Have a great day!