SSL Problems

Overview

RndrKit automatically provisions SSL certificates via Caddy and Let's Encrypt. Most SSL issues stem from DNS misconfiguration or external services interfering with the certificate provisioning process.

Quick Diagnosis

Check your current SSL certificate:

# Check SSL certificate details
echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Expected output:

subject=CN = www.example.com
issuer=C = US, O = Let's Encrypt, CN = R11
notBefore=Jan 15 00:00:00 2026 GMT
notAfter=Apr 15 00:00:00 2026 GMT

If you see an error or a different issuer, follow the troubleshooting steps below.

Common Issues

Certificate Not Provisioning

Symptom: Domain shows "Pending" or "Pending Validation" in the dashboard for more than 30 minutes.

Possible causes and fixes:

  1. DNS not propagated yet. Verify with:
dig www.example.com CNAME +short

If it does not return cname.rndrkit.io., your DNS is not ready. Wait for propagation or check your DNS configuration.

  2. Cloudflare proxy is enabled. Cloudflare's proxy intercepts the ACME challenge that Let's Encrypt uses to validate domain ownership. Disable it:
  • Go to Cloudflare DNS settings.
  • Toggle the CNAME record to DNS only (gray cloud).
  • Wait 5-10 minutes for the certificate to be issued.
  3. Let's Encrypt rate limit. If you have requested too many certificates for the same domain in a short period, Let's Encrypt may temporarily block new requests. Wait 1 hour and try again. Rate limits reset weekly.

Certificate Expired

Symptom: Browser shows "Your connection is not private" or NET::ERR_CERT_DATE_INVALID.

Cause: The certificate was not renewed automatically. This can happen if:

  • DNS was changed away from RndrKit and then changed back.
  • The server experienced an outage during the renewal window.

Fix:

  1. Verify DNS is still correct: dig www.example.com CNAME +short should show cname.rndrkit.io.
  2. In the RndrKit dashboard, go to the domain and click Refresh to trigger a certificate re-check.
  3. Wait 10-15 minutes for a new certificate to be issued.

Wrong Certificate Showing

Symptom: The certificate is valid but issued for a different domain, or it shows a Cloudflare certificate instead of Let's Encrypt.

Cause: Traffic is flowing through Cloudflare's proxy (orange cloud enabled) instead of directly to RndrKit. Cloudflare serves its own certificate, and the underlying connection to RndrKit may not be using the correct certificate.

Fix:

  1. Disable Cloudflare proxy (switch to DNS only / gray cloud).
  2. Wait for the change to propagate.
  3. Verify the certificate is from Let's Encrypt using the openssl command above.

Mixed Content Warnings

Symptom: The site loads over HTTPS, but the browser shows a mixed content warning (insecure elements on a secure page).

Cause: Your application is loading some resources (images, scripts, stylesheets, API calls) over HTTP instead of HTTPS.

Fix:

This is an issue in your application code, not in RndrKit. Look for:

  • Hardcoded http:// URLs in your application.
  • API endpoints using HTTP.
  • Images or other assets loaded from HTTP sources.
  • Third-party scripts loaded over HTTP.

Update all URLs to use HTTPS (https://example.com/asset.js).

HSTS Preload Issues

Symptom: Browser refuses to connect, even though the certificate seems valid. Error message mentions HSTS.

Cause: Your domain was previously on an HSTS preload list while hosted elsewhere, and the browser is still enforcing the strict HTTPS requirements from that earlier policy.

Fix:

  1. RndrKit sets HSTS headers automatically (max-age=31536000; includeSubDomains).
  2. If the browser has cached an old HSTS policy, clear it:
    • Chrome: Go to chrome://net-internals/#hsts and delete the domain.
    • Firefox: Clear your browsing data, including "Site Preferences."
  3. Wait for the new HSTS policy from RndrKit to take effect.

Certificate Shows "Failed" Status

Symptom: Domain's SSL status shows "Failed" in the dashboard.

Cause: Caddy could not obtain a certificate from Let's Encrypt after multiple attempts.

Fix:

  1. Verify DNS is correctly configured.
  2. Check that no firewall or security service is blocking HTTP-01 or TLS-ALPN-01 challenges from Let's Encrypt.
  3. In the dashboard, click Refresh on the domain to retry.
  4. If the problem persists, try removing and re-adding the domain.

Verifying SSL After Fixes

# 1. Check certificate details
echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | openssl x509 -noout -subject -issuer -dates

# 2. Check for HTTPS redirect
curl -I http://www.example.com/
# Expected: 301 redirect to https://

# 3. Test full page load
curl -s -o /dev/null -w "%{http_code}" https://www.example.com/
# Expected: 200
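The checks above can be scripted. The POSIX shell helper below is an added example, not part of RndrKit's tooling: it takes the text printed by the dig, openssl and curl -I commands on this page and maps it to the failure categories described in the sections above (DNS not ready, expired certificate, wrong issuer such as a proxy certificate, wrong domain, missing HTTPS redirect). The expected CNAME target cname.rndrkit.io. and the Let's Encrypt issuer match come from the page; the third argument to classify_cert is today's date as a YYYYMMDD integer supplied by the caller, and the function and category names are this example's own.

```shell
#!/bin/sh
# Offline triage of the output produced by the dig, openssl and curl commands
# on this page. Added example, not RndrKit's own tooling. The expected CNAME
# target and the Let's Encrypt issuer match are taken from the page.
EXPECTED_CNAME="cname.rndrkit.io."

month_num() {                       # Jan -> 01 ... Dec -> 12
  case "$1" in
    Jan) echo 01;; Feb) echo 02;; Mar) echo 03;; Apr) echo 04;;
    May) echo 05;; Jun) echo 06;; Jul) echo 07;; Aug) echo 08;;
    Sep) echo 09;; Oct) echo 10;; Nov) echo 11;; Dec) echo 12;; *) echo 00;;
  esac
}

# "Apr 15 00:00:00 2026 GMT" -> 20260415, so dates compare as integers
cert_date_key() {
  set -- $1                         # split on whitespace: Mon DD HH:MM:SS YYYY GMT
  printf '%s%s%02d\n' "$4" "$(month_num "$1")" "$2"
}

# classify_dns "<dig CNAME +short output>" -> dns-ok | dns-not-ready
classify_dns() {
  [ "$1" = "$EXPECTED_CNAME" ] && echo dns-ok || echo dns-not-ready
}

# classify_cert "<openssl x509 -subject -issuer -dates text>" host YYYYMMDD
# -> no-certificate | expired | wrong-issuer | wrong-domain | ok
#    (a proxy such as Cloudflare in front of RndrKit shows up as wrong-issuer)
classify_cert() {
  notafter=$(printf '%s\n' "$1" | sed -n 's/^notAfter=//p')
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
  cn=$(printf '%s\n' "$1" | sed -n 's/^subject=.*CN *= *//p')
  if [ -z "$notafter" ]; then echo no-certificate; return; fi
  if [ "$(cert_date_key "$notafter")" -lt "$3" ]; then echo expired; return; fi
  case "$issuer" in *"Let's Encrypt"*) ;; *) echo wrong-issuer; return;; esac
  [ "$cn" = "$2" ] && echo ok || echo wrong-domain
}

# classify_redirect "<curl -I http://host/ output>" -> redirect-ok | no-redirect
# redirect-ok means a 301/302/307/308 whose Location points at https://
classify_redirect() {
  status=$(printf '%s\n' "$1" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
  location=$(printf '%s\n' "$1" | sed -n 's/^[Ll]ocation: *//p' | tr -d '\r')
  case "$status:$location" in
    30[1278]:https://*) echo redirect-ok;;
    *) echo no-redirect;;
  esac
}
```

A typical run feeds the live output in, e.g. classify_cert "$(echo | openssl s_client -connect www.example.com:443 -servername www.example.com 2>/dev/null | openssl x509 -noout -subject -issuer -dates)" www.example.com "$(date +%Y%m%d)".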

Next Steps