When first moving to GridPane there are a couple of very specific SSL issues that we see some new users having trouble with (#1 and #2 below). These are in no way caused by the GridPane platform and are very easily fixed (and avoidable) once you know the cause of the problem.
We’ll cover those here in this article along with other potential SSL issues and how to diagnose and fix them.
DNS API vs Webroot Verification
GridPane allows you to provision free A+ grade SSL certificates via Let’s Encrypt.
It’s important to note here that SSL certificate provisioning works differently if you’re using either our DNS Made Easy or Cloudflare DNS API integrations. In these cases, you do NOT need to point your DNS A record to your website’s IP address to provision an SSL.
If you’re not using a DNS API integration then your SSL will be provisioned using the webroot method. This requires that your DNS be in place and pointing to your website’s server IP address for it to be successful (#2 on the list below).
You can learn about the different SSL provisioning methods in the links below:
- Too Many Redirects Error
- DNS Isn’t Pointing to Your Server’s IP Address
- Diagnosing SSL Failures
- GridPane SSL Locks
- Let’s Encrypt Rate Limiting
- A Wildcard SSL won’t provision
- You have an SSL Certificate but no Padlock Icon
- SSL Renewal Warnings and Failures
- Maintenance at Let’s Encrypt, DNSME, or Cloudflare
- ERR_SSL_VERSION_OR_CIPHER_MISMATCH / SSL_ERROR_NO_CYPHER_OVERLAP
1. Too Many Redirects Error
This comes up frequently with new users who use Cloudflare. It is caused when the SSL setting within your Cloudflare account is set to “Flexible” instead of either “Full” or “Full (Strict)”. In Flexible mode Cloudflare connects to your server over plain HTTP, your server redirects that request to HTTPS, and the two keep bouncing each other in a loop.
To fix this, simply ensure that it’s not set to Flexible – typically we recommend Full (Strict), as it’s better for accurately diagnosing other potential SSL issues in the unlikely event that they should ever occur.
If it’s not Cloudflare related, then there’s something on your WordPress installation that’s causing a redirect issue. You can double-check the issue with Redirect Checker, and it’s likely to be plugin related.
2. DNS Isn’t Pointing to Your Server’s IP Address
If you aren’t using one of our DNS API integrations, then your SSL will be provisioned using the webroot method. This is where Let’s Encrypt looks up your domain’s live DNS records and checks that the IP address they return matches your website’s server IP.
If they match up correctly, the SSL will proceed. If you haven’t set your DNS yet and you’re trying to provision an SSL, it will fail. The solution is to set your DNS records, and once they go live worldwide, try again.
You can check the live status of your domains DNS with the following free tool:
Before you toggle on your SSL again, please check and make sure your DNS is pointing to the correct IP address at all locations worldwide. Nowadays this is very quick for most providers (5 minutes or less), but there are still some that can take some time – even up to 24 hours.
3. Diagnosing SSL Failures
When provisioning a Let’s Encrypt SSL certificate, GridPane will log the entire process from start to finish in your website’s SSL log. It will also make a clear note in this log if your provision attempt fails, detailing the exact reason Let’s Encrypt has given for the failure.
This should be your first port of call when you experience an SSL provisioning failure. It’s exactly what we’ll ask you for if you reach out to support, and this is how we begin when looking at SSL provisioning failures.
Step 1. Open your site’s configuration modal
To view your log, head over to your Sites page inside your account:
Click on the website you’re trying to provision an SSL for and then click on the Logs tab. Here you can open up your SSL log:
Step 2. Open up the log and check the error notes
The error notice will be close to the bottom, so scroll down and find the
As you can see in this case, I haven’t set the DNS records to point to the IP address. The solution is to set them, wait for them to go live worldwide, and then try again.
Your error may be different, and if you’re not sure how to fix it you can reach out to us on support and we can help guide you through this.
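Reading the failure notice near the bottom of the SSL log is the whole of step 2, so here is the same triage as a script. This is an added example, not GridPane code or GridPane’s log format: the sample log is constructed to resemble certbot’s challenge-failure summary (the “Domain / Type / Detail” block), the `CAUSES` table maps the wording of the `Detail:` line to the numbered sections of this article, and both the sample and the patterns are assumptions.

```python
"""Triage a Let's Encrypt / certbot SSL log: find the last failure notice and
map its Detail line to the likely cause (section numbers of this article).
Added example, not GridPane code; the log below is constructed."""
import re

# Constructed sample log, shaped like certbot's challenge-failure summary.
SAMPLE_LOG = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.test
Waiting for verification...
Challenge failed for domain example.test
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: example.test
   Type:   dns
   Detail: DNS problem: NXDOMAIN looking up A for example.test - check that a DNS record exists for this domain
"""

# Regex patterns (assumed wording) matched against the Detail line, in priority order.
CAUSES = [
    (r"NXDOMAIN|no valid A records|DNS problem",
     "#2 DNS isn't pointing to your server's IP"),
    (r"Invalid response from|Fetching http",
     "#2 DNS points at another server, or a redirect is blocking the challenge"),
    (r"too many certificates|too many failed authorizations|rateLimited",
     "#5 Let's Encrypt rate limit"),
    (r"Service busy|503|Timeout",
     "#9 provider outage or maintenance"),
]

# The Domain / Type / Detail block certbot prints for a failed challenge.
FAILURE_RE = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s*\n\s*Type:\s*(?P<type>\S+)\s*\n\s*Detail:\s*(?P<detail>.+)"
)


def find_failure(log_text):
    """Return (domain, challenge type, detail) for the LAST failure block, or None.
    The last block is the one for the most recent attempt, which is why the
    article tells you to scroll to the bottom of the log."""
    matches = list(FAILURE_RE.finditer(log_text))
    if not matches:
        return None
    m = matches[-1]
    return m.group("domain"), m.group("type"), m.group("detail").strip()


def likely_cause(detail):
    """Map a Detail line to the article section that covers it."""
    for pattern, cause in CAUSES:
        if re.search(pattern, detail, re.IGNORECASE):
            return cause
    return "unrecognised - share this Detail line with support"


def triage(log_text):
    """Summarise a log: did it fail, for which name, and what to look at first."""
    failure = find_failure(log_text)
    if failure is None:
        return {"failed": False}
    domain, ctype, detail = failure
    return {
        "failed": True,
        "domain": domain,
        "challenge": ctype,
        "detail": detail,
        "cause": likely_cause(detail),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The script only reports; it never re-attempts provisioning, so running it as many times as you like cannot contribute to the SSL lock in #4 or the rate limit in #5.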
4. GridPane SSL Locks
We’ve implemented a system that will lock and prevent SSL provisioning attempts from proceeding once you experience provisioning failures 3 times in a row.
Removing the lock is simple, but we put this in place to ensure our users can’t hit the Let’s Encrypt rate limit by re-attempting again and again until their limit locks you out.
If you’re experiencing an SSL Lock you can follow this guide to remove your lock:
Please be sure to follow the steps in #3 above to ensure that you don’t get yourself rate limited by Let’s Encrypt – more information on their rate limiting below.
5. Let’s Encrypt Rate Limiting
Let’s Encrypt uses rate limiting to prevent abuse of their [excellent] free service.
You get 5 attempts to provision an SSL (which should be plenty). If you fail 5 times in a row, you’ll be blocked from re-attempting for 7 days.
We don’t want that to happen, and as long as you are following our documentation, it should never happen to you.
You can learn more about Let’s Encrypt rate limits here: https://letsencrypt.org/docs/rate-limits/
If you do get rate limited there’s, unfortunately, nothing that our support team can do to get this lifted before those 7 days are up.
6. A Wildcard SSL Won’t Provision
If you’re having trouble with a Wildcard SSL, be sure to carefully check your work with our guides:
- Configuring Wildcard Domains
- Provision a Wildcard SSL Certificate Using DNS API Domain Verification
- Provision a Wildcard SSL Certificate Using DNS API Domain Verification by Proxy Challenge
Make sure Wildcard is toggled on, and that you have your domain set up with either the DNS Made Easy or Cloudflare DNS API integration. These are necessary as Let’s Encrypt does not allow the provisioning of a Wildcard SSL using the webroot method.
7. You have an SSL Certificate but no Padlock Icon
The Problem: You have your SSL certificate, but when you go to your website you’re not seeing the padlock icon next to your domain name in the address bar.
The reason for this is that you have mixed content on your site, meaning some assets are served correctly over HTTPS, but others are loading over HTTP.
A great resource for determining why this is happening is:
If WhyNoPadlock doesn’t pick up on the error then it’s likely to be a slow-loading asset. In that case, you can also use Google Console:
The solution to this issue is to change any links loading over HTTP to HTTPS. You can usually do this in bulk with a find and replace plugin such as Velvet Blues. Check out this article for more information:
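To see what WhyNoPadlock and a find-and-replace plugin are each doing, here is a small scanner that lists the assets a page loads over plain `http://` and then rewrites the ones on your own host to `https://`. This is an added example, not GridPane code and not the WhyNoPadlock or Velvet Blues tools; the sample HTML and the host name `example.test` are constructed.

```python
"""Mixed-content check: list sub-resources an HTTPS page loads over http://,
then rewrite same-host ones to https:// (what a find-and-replace plugin does).
Added example, not GridPane code; the sample page below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser FETCH something. A plain <a href="http://..">
# is deliberately excluded: a link the visitor may click is not mixed content,
# only assets the page actually loads are.
ASSET_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "link": ("href",),          # only for rel values that load something, see below
}
LOADING_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "shortcut"}

# Constructed sample page.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.test/style.css">
<link rel="canonical" href="http://example.test/">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://example.test/logo.png" srcset="http://example.test/logo.png 1x, https://example.test/logo@2x.png 2x">
<a href="http://example.test/about">About</a>
<img src="//example.test/protocol-relative.png">
</body></html>"""


def _candidate_urls(attr, value):
    """srcset holds several 'url descriptor' pairs; every other attribute holds one URL."""
    if attr == "srcset":
        return [part.strip().split()[0] for part in value.split(",") if part.strip()]
    return [value.strip()]


class MixedContentScanner(HTMLParser):
    """Collects (tag, attribute, url) for every asset loaded over http://."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag not in ASSET_ATTRS:
            return
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & LOADING_LINK_RELS:
                return          # canonical, alternate, etc. are not fetched
        for attr in ASSET_ATTRS[tag]:
            value = attrs.get(attr)
            if not value:
                continue
            for url in _candidate_urls(attr, value):
                # Protocol-relative "//host/x" has an empty scheme and follows the page's.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, attr, url))


def scan(html):
    """Return the list of mixed-content assets found in the HTML."""
    scanner = MixedContentScanner()
    scanner.feed(html)
    return scanner.findings


def fix_same_host(html, host):
    """Rewrite http://host/ to https://host/, the bulk fix the article describes.
    Third-party hosts are left alone on purpose: they must be checked individually,
    since not every external host serves the same asset over HTTPS."""
    return html.replace(f"http://{host}/", f"https://{host}/")


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print("mixed content:", finding)
    print("after fix:", scan(fix_same_host(SAMPLE_HTML, "example.test")))
```

Run it against a saved copy of your page (`curl -sk https://your-domain/ > page.html`, then `scan(open("page.html").read())`); the slow-loading asset that WhyNoPadlock misses still shows up here, because the scan reads the markup rather than waiting for the browser to fetch it.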
8. SSL Renewal Warnings and Failures
If you have an SSL that fails to renew, Let’s Encrypt will send you an email to let you know.
Usually, these occur when you’ve moved this particular website to a different server, and certbot on the old server is trying to run the SSL renewal but failing because the site is now located at a new IP address.
To check, click on the padlock icon next to your domain name in the address bar and look at the certificate’s expiry date.
Do the dates match up? If not, then you can safely ignore this message.
For more details on checking this directly on your server, please check out the following article:
If you received a similar message to this: Let’s Encrypt certificate expiration notice for domain “wehcjiojifstat.grid
9. Maintenance at Let’s Encrypt, DNSME, or Cloudflare
There’s also the very rare possibility that an SSL provisioning issue or a renewal failure could be due to a provider outage or provider maintenance.
An outage or maintenance at Let’s Encrypt could affect your ability to provision an SSL or certbot’s ability to renew an SSL. If there’s an issue at Let’s Encrypt then they will need to resolve this at their end before it begins working again, but don’t hesitate to reach out to support to confirm, as this is extremely rare.
An outage or maintenance at Cloudflare or DNS Made Easy could prevent you from being able to provision an SSL via the DNS API method. If this is the case then you could attempt to provision an SSL using webroot verification by setting your DNS to point to your website’s server IP address.
You can check on the status of each of these providers via the links below:
10. ERR_SSL_VERSION_OR_CIPHER_MISMATCH / SSL_ERROR_NO_CYPHER_OVERLAP
These rather obscure error codes can show themselves when using two-level-deep subdomains (sub.sub.domain.tld) with Cloudflare’s services, and by this I mean on domains where the “orange clouds” are active and you’re using services such as their CDN, Firewall rules etc.
Fortunately, this is something that [almost] nobody does for their live production websites, but it is a possibility that you might run into this error when using Cloudflare on the staging sites of subdomains.
These two errors are named slightly differently depending on the browser you’re trying to visit the website with.
In Chrome, Microsoft Edge and other Chromium based browsers the error is: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
In Firefox the error is: SSL_ERROR_NO_CYPHER_OVERLAP
In Safari it might simply say: “Safari cannot open the page because it could not establish a secure connection to the server”.
Two-level deep sub-domains are not supported by Cloudflare for SSL.
For example, to grab the two screenshots for this article I set up the website “cfssltest.waas.monster”. The primary domain is of course waas.monster, and the website I’ve created is a subdomain. If I activate an SSL on this, Cloudflare will have no issues whatsoever.
However, I also have the staging site for this website which is: “staging.cfssltest.waas.monster”. Cloudflare does not support SSL at this level, and it will result in the errors noted above when you try and visit your website.
Inside your Cloudflare account, click on the domain you’re having trouble with, and then click through to its DNS settings page.
Here you want to change the orange cloud to a grey cloud:
Once that change has been made, Cloudflare has been switched to DNS only mode, and their services will no longer be active on the site. This will fix the SSL cipher issue.
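The reason the second level fails is a property of TLS hostname matching: a wildcard name such as `*.waas.monster` matches exactly one label (RFC 6125, section 6.4.3), so it covers `cfssltest.waas.monster` but not `staging.cfssltest.waas.monster`. The following added example, which is not GridPane’s or Cloudflare’s code, implements that matching rule and uses it to predict which proxied (orange-cloud) names the edge can serve; it assumes, as the article states, that the edge certificate for a zone covers only the apex name and one wildcard level, and the `diagnose` helper and its messages are the example’s own.

```python
"""Why a two-level-deep subdomain behind the orange cloud fails: a wildcard in a
TLS certificate matches one label only (RFC 6125 6.4.3). Added example, not
GridPane or Cloudflare code; the edge-certificate coverage is an assumption
taken from the article's statement that second-level subdomains are unsupported."""


def hostname_matches(pattern, hostname):
    """RFC 6125-style match. Only a whole left-most '*' label is treated as a
    wildcard (partial wildcards like 'w*.example.com' are rejected), and that
    label matches exactly one hostname label, never 'a.b'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in ".".join(p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels):
        return False            # '*' cannot swallow two labels
    return p_labels[1:] == h_labels[1:]


def edge_certificate_names(zone):
    """Names assumed to be on the edge certificate for a zone: apex plus one wildcard level."""
    return [zone, "*." + zone]


def covered_by_edge_certificate(zone, hostname):
    return any(hostname_matches(name, hostname) for name in edge_certificate_names(zone))


def diagnose(zone, hostname, proxied):
    """Predict what a visitor sees for a given DNS record setting.
    proxied=True is the orange cloud, proxied=False the grey cloud (DNS only)."""
    if not proxied:
        return "DNS only: TLS terminates on your server, so your own certificate is used"
    if covered_by_edge_certificate(zone, hostname):
        return "proxied: name is covered by the edge certificate"
    return ("proxied: no edge certificate for this name -> "
            "ERR_SSL_VERSION_OR_CIPHER_MISMATCH / SSL_ERROR_NO_CYPHER_OVERLAP; "
            "switch the record to DNS only (grey cloud)")


if __name__ == "__main__":
    zone = "waas.monster"
    for host in ("cfssltest.waas.monster", "staging.cfssltest.waas.monster"):
        print(host, "->", diagnose(zone, host, proxied=True))
```

The same one-label rule is why Let’s Encrypt’s own wildcard certificates from #6 cover `*.example.com` but not `*.*.example.com`; a staging site two levels deep needs its own certificate on your server, which is exactly what the grey cloud lets it present.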