SSL Renew - Heroku ACM - Domain considered unsafe

Hi everyone,

We are currently using Heroku ACM in order to automatically emit/renew SSL certificates for our web service. It is now time for our first renewal, but it is failing.
Indeed, the Heroku Dashboard gives us the following error: “Automated Certificate Management Failing - Domain considered unsafe”.
According to the Heroku doc (http://www.google.com/safebrowsing/diagnostic?site=http://yourdomainhere.com/), SSL renewal uses Google’s Safe Browsing API to ensure the domain before renewing the certificate; however, all seems OK for our domains. See:
http://www.google.com/safebrowsing/diagnostic?site=lecomptoirdespharmacies.fr
http://www.google.com/safebrowsing/diagnostic?site=www.lecomptoirdespharmacies.fr

We created a ticket with the Heroku support team, which tells us that they built their ACM on top of the Let’s Encrypt service. Following their advice, we are writing this topic here, as you may be able to help us get our domain cleared.
Should we use the link provided here to unstick the Let’s Encrypt / Google’s Safe Browsing verification process? My domain was considered an unsafe domain by a third-party API

Thanks in advance for your help!
Yours faithfully,
LCDP

Technical Details:
My domain is:

I ran this command:
Do not know which command is executed by Heroku ACM.

It produced this output:
Automated Certificate Management Failing - Domain considered unsafe

My web server is (include version):
Our business Web Server uses Play Framework in version 2.3.
Do not know which server is used to ensure SSL + Web Service on Heroku side.

The operating system my web server runs on is (include version):
Do not know

My hosting provider, if applicable, is:
Heroku

I can login to a root shell on my machine (yes or no, or I don’t know):
No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Heroku control panel, current version

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Do not know

Let’s Encrypt no longer uses Safe Browsing.

Does Heroku give you access to the real error message, if any, from Let’s Encrypt, or other debug information like the order URL?

Edited to add: By the way, you got a certificate for lecomptoirdespharmacies.fr (without www.lecomptoirdespharmacies.fr) a week ago.

https://crt.sh/?id=2778493710

Oh… This is a very interesting answer, thanks!
Unfortunately, we do not have any information about the error apart from the “unsafe” error message.

Mhhhh… So maybe Heroku successfully renewed the certificate but their system failed to recognize it!
I am going to reply on the Heroku ticket with a link to this thread.

Hi all,

We just solved our problem after the Heroku Support team’s technical answer.
The renewal issue came from one of our custom domains (lecomptoirdespharmacies.fr), which was pointing to an OVH web server (it redirects to the ‘www’ subdomain) instead of pointing to the Heroku custom alias.
This particular redirection was necessary due to the fact that OVH does not permit an alias on the root domain.

Removing this custom endpoint solved our certificate renewal issue!
Thanks for your indications and we hope that this thread will help someone in the future.

Yours faithfully,
Le Comptoir Des Pharmacies

1 Like
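
The cause reported in the final post, a custom domain whose DNS points at a host other than the platform's alias, can be checked ahead of a renewal. The sketch below is an added example, not from the thread or from Heroku: it compares the addresses each custom domain resolves to with those of its assigned DNS target; all hostnames and addresses are constructed, and `audit_domains` and its status strings are hypothetical names.

```python
import socket

def resolve_ips(name):
    """Addresses a hostname currently resolves to (empty set if it does not)."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def audit_domains(expected_targets, resolve=resolve_ips):
    """Map each custom domain to a status by comparing its addresses with
    those of the DNS target the hosting platform assigned to it."""
    report = {}
    for domain, target in expected_targets.items():
        domain_ips, target_ips = resolve(domain), resolve(target)
        if not domain_ips:
            report[domain] = "unresolved"
        elif not target_ips:
            report[domain] = "target-unresolved"
        elif domain_ips & target_ips:
            report[domain] = "ok"
        else:
            # Served by some other host (for example a redirect server at
            # the registrar), the situation described in the thread.
            report[domain] = "points-elsewhere"
    return report

# Constructed sample data (reserved documentation names and addresses).
SAMPLE_DNS = {
    "example.test": {"203.0.113.10"},  # apex answered by a separate redirect host
    "www.example.test": {"198.51.100.7", "198.51.100.8"},
    "apex-target.platform.test": {"198.51.100.7", "198.51.100.9"},
    "www-target.platform.test": {"198.51.100.8"},
}
SAMPLE_EXPECTED = {  # custom domain -> DNS target assigned by the platform
    "example.test": "apex-target.platform.test",
    "www.example.test": "www-target.platform.test",
}

def sample_report():
    """Run the audit offline against the constructed records above."""
    return audit_domains(SAMPLE_EXPECTED, resolve=lambda n: SAMPLE_DNS.get(n, set()))

if __name__ == "__main__":
    for domain, status in sample_report().items():
        print(f"{domain}: {status}")
```

Load-balanced targets can return rotating addresses, so a "points-elsewhere" result is worth confirming with a second lookup before changing DNS or removing the domain from the app.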
