I am experiencing problems with my Edge Services certificate
You may experience errors when generating or uploading a certificate to your Edge Services pipeline.
This page helps you resolve common problems.
I am getting an error message when generating a Let’s Encrypt certificate
You may get an error message when customizing your Edge Services domain and generating a certificate for the first time, or later on your Edge Services dashboard when your certificate is due for renewal.
Cause
Either:
- Too many certificates have already been issued for this domain in too short a time, or
- Your CNAME record is not accurate and the certificate domain cannot be resolved, or
- There is an internal error
Solutions
See the table below for help resolving these errors.
Error | Solution |
---|---|
Too many certificates already issued for this domain | Wait before retrying. This error occurs when you hit the limit of 50 Let’s Encrypt certificates generated in a rolling 7-day period for the same domain. |
Internal managed certificate error | There has been an unspecified error in generating a managed Let’s Encrypt certificate for your subdomain. Try resetting your domain to the default endpoint, and then customizing it again, to trigger generation of a new Let’s Encrypt certificate. If that fails, open a support ticket. |
Certificate cannot be renewed - Your CNAME record is no longer accurate | Your CNAME record has either been deleted or modified. Without a correct CNAME record, we cannot renew your managed Let’s Encrypt certificate. Rectify your CNAME record, and when Edge Services detects the correct record exists, your certificate will be automatically renewed. |
I am getting an Edge Services error message for my own custom certificate
You may get an error message if Edge Services detects a problem with your own custom certificate for your pipeline.
Cause
Either:
- There is a problem with the format of your certificate, or
- There is a problem with the content of your certificate, or
- The issuing Certificate Authority is not recognized, or
- Your certificate has expired
Solutions
See the table below for help resolving these errors.
Error | Solution |
---|---|
Certificate format | Make sure your certificate is in PEM format. |
Certificate private key format | Make sure your private key is in PEM format. |
Missing server certificate | Make sure the server certificate (which validates your own subdomain) is included in the PEM-formatted chain. |
Missing private key | Make sure your private key is included in the PEM-formatted chain. |
Missing root certificate | Make sure a valid root certificate is included in the PEM-formatted chain. |
Wrong order | Make sure the server certificate (which validates your own subdomain) is listed before the intermediate and root certificates in the PEM-formatted chain. |
Too many private keys | Make sure the PEM-formatted chain includes only one corresponding private key. |
Self-signed certificates not allowed | Create and upload a certificate issued by a recognized certificate authority. If you receive this error but believe your certificate is legitimately signed by an official CA, open a support ticket to tell us. |
Invalid intermediate or root certificate authority | Make sure each Issuer field matches the Subject of the next certificate in the PEM-formatted chain. |
Incorrect root certificate | Make sure your server certificate chains up to the provided root certificate(s) in the PEM-formatted chain. |
Private key and certificate mismatch | Make sure the private key in the PEM-formatted chain matches the server certificate. |
Subdomain and server certificate mismatch | Make sure the subdomain you configured for Edge Services matches that of the server certificate. |
Certificate expired | Create a new certificate and import it. |
If any of these errors are detected while you are initially configuring your subdomain, you will be blocked from continuing until the error is fixed.
However, these errors may also be detected and displayed on your Edge Services dashboard after you have successfully configured your subdomain and certificate. This could be the case, for example, if your certificate has since expired, you have modified your subdomain without modifying the certificate, or you have modified the certificate in Secret Manager. In this case, your initial certificate will remain in use by Edge Services until the error is fixed, but clients may see an error in their browser as they try to access your customized domain.
To fix the problem, you must generate a valid certificate, and then do one of the following:
- Use Edge Services to import a new certificate directly
- Create a new secret to hold the certificate in Secret Manager, and edit your customized endpoint with Edge Services to tell it to use this secret
- Create a new version of the existing secret holding your expired certificate, where the new version contains a valid certificate. If Edge Services is already using this secret, it will automatically detect and use the new version, because it always uses the most recent enabled version of a secret.
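A local pre-upload check for several of the structural errors in the table above, as an added example (not the service's own validation code). `lint_bundle` and its helpers are hypothetical names, and the mapping from each check to a table row is an assumption about how the service classifies a bundle. It reads only the PEM framing and each certificate's issuer, subject and notAfter fields; key/certificate matching, subdomain matching and CA recognition need a full X.509 library.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.+?)-----END \1-----", re.S)

def _tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_fields(der):
    """Return (issuer, subject, not_after) from a certificate's TBSCertificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, end = _tlv(der, pos)            # tbsCertificate
    elems = []                              # serial, sigalg, issuer, validity, subject
    while pos < end and len(elems) < 5:
        tag, start, stop = _tlv(der, pos)
        if tag != 0xA0:                     # skip the optional [0] version
            elems.append((pos, start, stop))
        pos = stop
    _, _, nb_end = _tlv(der, elems[3][1])   # step over notBefore
    tag, s, e = _tlv(der, nb_end)           # notAfter: UTCTime (0x17) or GeneralizedTime
    # %y pivots at 69 where RFC 5280 pivots at 50; no effect on present-day dates
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    not_after = datetime.strptime(der[s:e].decode(), fmt).replace(tzinfo=timezone.utc)
    raw = lambda i: der[elems[i][0]:elems[i][2]]
    return raw(2), raw(4), not_after

def lint_bundle(pem_text, now=None):
    """Return findings named after the rows of the page's error table."""
    now = now or datetime.now(timezone.utc)
    blocks = PEM_RE.findall(pem_text)
    certs = [cert_fields(base64.b64decode(b)) for label, b in blocks if label == "CERTIFICATE"]
    keys = [label for label, _ in blocks if label.endswith("PRIVATE KEY")]
    found = []
    if not keys or len(keys) > 1:
        found.append("Too many private keys" if keys else "Missing private key")
    if not certs:
        return found + ["Missing server certificate"]
    if certs[0][0] == certs[0][1]:          # first certificate is self-issued
        found.append("Wrong order" if len(certs) > 1 else "Self-signed certificates not allowed")
    elif any(a[0] != b[1] for a, b in zip(certs, certs[1:])):  # byte-exact name comparison
        found.append("Invalid intermediate or root certificate authority")
    elif certs[-1][0] != certs[-1][1]:      # chain does not end in a self-issued root
        found.append("Missing root certificate")
    if any(c[2] < now for c in certs):
        found.append("Certificate expired")
    return found
```

Call `lint_bundle(open(path).read())` on the PEM bundle you intend to import; an empty list means none of these structural checks failed.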
The secret containing my custom certificate is not visible for selection in Edge Services
You may find that a certificate you have stored in Secret Manager is not available for selection from Edge Services.
Cause
This is probably because the secret does not have the “certificate” type, which is necessary for it to be visible to Edge Services.
Solution
The “type” of a secret can be defined when creating a secret via the API, but not via the console.
For this reason, if you prefer to use the console to create your certificates, we suggest manually importing the certificate via Edge Services rather than via Secret Manager. This way, it will automatically inherit the “certificate” type.