Squarespace SSL Not Being Issued


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: realatwalmart.com

I ran this command: Squarespace site

It produced this output: Processing

My web server is (include version):N/A

The operating system my web server runs on is (include version): N/A

My hosting provider, if applicable, is: Squarespace

I can login to a root shell on my machine (yes or no, or I don’t know): N/A

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N/A

I’m trying to get the SSL certificate assigned to this site and the Squarespace team has told me to reach out here since the issue is that the domain itself has a top keyword. However, I work for Walmart and need this domain to be secured as it’s for a recruiting microsite that we quickly built out on Squarespace. Is there anything that can be done in order to whitelist this domain so that on the Squarespace settings page the SSL can be issued. Thanks!


#2

Hi @specheva,

Is that the exact domain you’re having trouble with? Did Squarespace provide you with an error message that Let’s Encrypt returned to them when trying to issue for the domain?

This exact domain isn’t one that we would block based on policy. Subdomains and TLD variations of walmart.com would be blocked but not realatwalmart.com.

I think there might be some crossed wires here because we don’t block domains based on keywords, strictly full matches to domains.


#3

Yep that’s the exact domain. And the site is properly connected from our DNS manager to the site itself just waiting for the SSL. I’ll follow-up with the Squarespace team, but is there any way to just get the certificate forced processed through this forum? Or is there an error that you’re expecting to be the issue?


#4

Great! Thanks for verifying. That lets us rule out that the problem is a Let’s Encrypt policy or anything to do with walmart.com being considered a high value domain.

I took a look at our server-side logs and it looks like the Squarespace validation is failing because your domain has a CAA policy configured in your DNS zone that specifies you don’t want to allow Let’s Encrypt to issue for realatwalmart.com:

caa :: CAA record for www.realatwalmart.com prevents issuance

I can verify that’s the root of your problems with dig:

$ dig +short @8.8.8.8 realatwalmart.com -t CAA
0 issue "globalsign.com"

That "issue" value says that the people that configured your DNS only want to allow GloablSign to issue for your domain.

is there any way to just get the certificate forced processed through this forum

The only way that Let’s Encrypt will be able to issue a certificate for realatwalmart.com is if you get whoever is responsible for the realatwalmart.com DNS to update your configured CAA policy to allow Let’s Encrypt in addition to GlobalSign.

This tool is often helpful for that: https://sslmate.com/caa/

You’ll want to be adding a record like:

realatwalmart.com. IN CAA 0 issue “letsencrypt.org”

Hope that helps! You might also find our CAA documentation helpful.


#5

Hi again @specheva,

Can we call this problem resolved? I see that the realatwalmart.com DNS has been updated with a new CAA record blessing Let’s Encrypt:

$> dig +short @8.8.8.8 realatwalmart.com -t CAA
0 issue "globalsign.com"
0 issue "letsencrypt.com"

Has SiteGround support been able to help you with whatever remaining steps need to be taken to issue a Let’s Encrypt certificate for the domain?


#6

Except it has letsencrypt.com instead of letsencrypt.org, so it still won’t work. :sweat:


#7

@mnordhoff Oh no! Good catch! I didn’t notice that error :sob:

@specheva You’ll need to ask the DNS administrators to correct this. The issue value must be letsencrypt.org not letsencrypt.com


#8

Finally it’s all working! Thank you so much for your help with this!!


#9

Woohoo :tada: Thanks for reporting back. Glad to hear everything is sorted out :slight_smile: