SSL Issue Playbook (Site and App)
Who this is for
Users whose site or app is showing an SSL error, a certificate warning in the browser, or whose SSL provisioning failed.
SSL Status Values
| Status | Meaning |
|---|---|
| none | No SSL certificate has been requested or issued |
| pending | SSL provisioning is in progress |
| active | SSL certificate is valid and active |
| expired | Certificate has expired and needs renewal |
Playbook: SSL Provisioning Failed or Stuck at "pending"
SSL certificates are issued by Let's Encrypt, which requires that:
- The domain is pointed at the server's public IP address.
- Port 80 is open and reachable from the internet (for HTTP validation).
- No conflicting site is already using the same domain on the server.
Step 1 — Verify DNS Is Pointing at the Server
Run a DNS lookup for your domain:
dig A yourdomain.com
# or use https://dnschecker.org
The IP address must match the server's public IP. If it does not match, update your DNS records and wait for propagation (up to 24 hours). See KB-12-03: DNS Propagation Playbook.
Step 2 — Verify Port 80 Is Open
On the server's firewall (or cloud provider security group), port 80 (HTTP) must be open from 0.0.0.0/0.
- In CloudAIPilot: Server detail → Firewall — confirm port 80 is allowed.
- In your cloud provider console: check the Security Group (AWS), Firewall Rules (GCP), or Network Security Group (Azure).
Step 3 — Retry SSL Provisioning
- Go to Site detail → SSL (or App detail → Domains).
- Click Issue Certificate (or Renew).
CloudAIPilot queues a new SSL provisioning job. Monitor progress in the Activity Center.
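A pre-flight check for Steps 1 and 2 that can be run before retrying provisioning. This is an added example, not part of CloudAIPilot's tooling; the script name, the function names `classify_dns` and `port80_reachable`, and the `preflight` token in the URL are assumptions made for illustration.

```shell
#!/bin/sh
# Pre-flight for Steps 1 and 2. Usage: sh preflight.sh DOMAIN SERVER_IP
# Run it from a machine outside the server's network, so the port 80
# test reflects what the internet (and Let's Encrypt) can reach.

# classify_dns EXPECTED_IP "OUTPUT_OF_dig_+short_A"
# Prints one of:
#   ok        every A record is the server's IP
#   missing   no A record at all
#   mismatch  A records exist, none is the server's IP
#   mixed     server's IP plus other IPs (stale record or proxy);
#             validation can land on the wrong host
classify_dns() {
  expected=$1
  match=0
  other=0
  for rec in $2; do
    case $rec in
      *[!0-9.]*) continue ;;              # CNAME target, not an address
      "$expected") match=$((match + 1)) ;;
      *) other=$((other + 1)) ;;
    esac
  done
  if [ "$match" -gt 0 ] && [ "$other" -eq 0 ]; then echo ok
  elif [ "$match" -eq 0 ] && [ "$other" -eq 0 ]; then echo missing
  elif [ "$match" -eq 0 ]; then echo mismatch
  else echo mixed
  fi
}

# port80_reachable DOMAIN
# Succeeds if anything answers HTTP on port 80. A 404 or a redirect
# still counts: the point is that the connection is not blocked.
# "preflight" is a hypothetical token name, not a real challenge file.
port80_reachable() {
  curl -s -o /dev/null --connect-timeout 10 \
    "http://$1/.well-known/acme-challenge/preflight"
}

if [ "$#" -ge 2 ]; then
  domain=$1
  server_ip=$2
  echo "DNS: $(classify_dns "$server_ip" "$(dig +short A "$domain")")"
  if port80_reachable "$domain"; then
    echo "port 80: reachable"
  else
    echo "port 80: not reachable (firewall or security group?)"
  fi
fi
```

A `mixed` result is worth fixing even though one record is correct: with several A records, the validation request may be sent to the address that is not this server.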
Playbook: Certificate Expired
If sslStatus is expired:
- Go to Site detail → SSL tab.
- Click Renew Certificate.
Let's Encrypt certificates expire every 90 days. CloudAIPilot auto-renews certificates before expiry. If auto-renewal failed, it means DNS or port 80 availability changed since the original issuance.
Playbook: Browser Shows Certificate Warning After SSL Is "Active"
This can happen if:
- The browser has a cached old certificate. Clear browser cache and try again.
- The Nginx config still serves HTTP instead of HTTPS. Check the site configuration.
- A CDN or proxy (Cloudflare) is intercepting — if you use Cloudflare, ensure Cloudflare's SSL mode is set to "Full (strict)".
Playbook: SSL Active but Site Loads with Mixed Content Warning
Mixed content (HTTPS page loading HTTP assets) is a code/configuration issue, not an SSL issuance issue:
- Update all asset URLs (images, scripts, stylesheets) to use https://.
- For WordPress: use a plugin like "Better Search Replace" to update stored URLs.
Common SSL Errors in Activity Center
| Error message | Meaning | Fix |
|---|---|---|
| Timeout during connect | Port 80 blocked | Open port 80 on firewall/security group |
| No valid IP addresses found | DNS not pointing to server | Fix DNS — see KB-12-03 |
| Too many certificates already issued for domain | Let's Encrypt rate limit | Wait 1 hour and retry |
| Domain not accessible from the internet | Server blocked or behind NAT | Ensure server has a public IP and port 80 is open |
Related Articles
- KB-12-03: DNS Propagation and Validation Playbook
- KB-03-04: SSL Certificates for Sites
- KB-04-09: App Domains and SSL