
SSL Generation Issues

QUIC.cloud uses Let's Encrypt to provide free SSL coverage for any domain added to the CDN. There are a few reasons why SSL generation may fail after adding your domain to QUIC.cloud CDN. Two of the most common reasons are:

  • Missing CAA DNS record
  • Let's Encrypt rate limit

Missing CAA DNS Record

CAA stands for Certification Authority Authorization. It allows a domain owner to specify which Certificate Authorities (CAs) are authorized to issue SSL certificates for their domain. By explicitly listing the CAs allowed to issue certificates, domain owners can prevent unauthorized certificate issuance, which is a security risk.

If you do not have any CAA records in your domain's DNS, then any Certificate Authority is allowed to issue a certificate for you. The problem occurs if you do have CAA records, but you don't have one for Let's Encrypt, specifically.

In this latter scenario, SSL certificate generation will not succeed and DNS verification will fail. To solve the problem, add a Let's Encrypt CAA DNS record to your domain. If you are using QUIC.cloud DNS, follow these steps (otherwise, follow your DNS provider's instructions for adding a CAA record):

  1. Click DNS Zones on your QUIC.cloud Dashboard, and then select the domain.
  2. Click Add New Record to open the DNS record creation form.
  3. Set the Type to CAA, Name to @, and CA domain name to letsencrypt.org.
  4. Set the TTL to Auto or any value you prefer, and set Tag to Only allow specific hostnames.
  5. Click Add New Record again and set similar values as before, but this time set Tag to Only allow wildcards.
  6. Optionally, you can create a third record that sends violation reports to a certain URL. Set Tag for the third record to Send violation reports to URL (http:, https:, mailto:). Be sure that Name has a value that begins with mailto:, http:, or https:.

Once the CAA DNS records have been added at your DNS provider, return to your QUIC.cloud Dashboard, and do the following:

  1. Click My Domains and select your domain.
  2. Click CDN and set Bypass CDN to ON.
  3. Wait 5 minutes and set Bypass CDN to OFF.

The DNS verification process should then succeed. If you face any issues after adding the CAA records, you can reach out to the technical support team for assistance.
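The CAA behavior described in this section can be checked offline with the following added example, which is not QUIC.cloud's code. It applies the standard CAA evaluation rules to a record set you supply (for instance, copied from your DNS provider), and shows why a zone that lists only another CA blocks Let's Encrypt. It assumes the dashboard tags "Only allow specific hostnames", "Only allow wildcards", and "Send violation reports to URL" correspond to the CAA tags `issue`, `issuewild`, and `iodef`; `ca.example` and the mailto address are constructed placeholders.

```python
import re

# CAA RDATA in presentation format: <flags> <tag> "<value>"
_CAA_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?\s*$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def parse_caa(rdata):
    """Return (flags, tag, issuer_domain) for one CAA RDATA string."""
    m = _CAA_RE.match(rdata)
    if not m:
        raise ValueError(f"not a CAA record: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    # Parameters after ';' are ignored here; a bare ";" leaves an empty
    # issuer, which matches no CA and therefore forbids issuance.
    return flags, tag, value.split(";", 1)[0].strip().lower()

def ca_may_issue(rrset, ca_domain, wildcard=False):
    """Decide whether ca_domain may issue, given the CAA RRset for a name."""
    records = [parse_caa(r) for r in rrset]
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # no restricting records: any CA is allowed
    return ca_domain.lower() in relevant

# Constructed sample RRsets; ca.example and the mailto address are placeholders.
NO_CAA = []
OTHER_CA_ONLY = ['0 issue "ca.example"']
WITH_LETS_ENCRYPT = OTHER_CA_ONLY + [
    '0 issue "letsencrypt.org"',
    '0 issuewild "letsencrypt.org"',
    '0 iodef "mailto:security@example.com"',
]

if __name__ == "__main__":
    for name, rrset in [("no CAA", NO_CAA), ("other CA only", OTHER_CA_ONLY),
                        ("with Let's Encrypt", WITH_LETS_ENCRYPT)]:
        print(name, ca_may_issue(rrset, "letsencrypt.org"),
              ca_may_issue(rrset, "letsencrypt.org", wildcard=True))
```

The function evaluates only the record set it is given; it does not perform DNS lookups or search parent domains for CAA records.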

Let's Encrypt Rate Limit

If your domain hits a Let's Encrypt rate limit, QUIC.cloud's SSL generation process will not succeed. This may happen if you have previously tried to request an SSL certificate for your domain a number of times before adding the domain to QUIC.cloud.

Unfortunately, QUIC.cloud cannot lift any limits imposed by Let's Encrypt. You will need to wait for Let's Encrypt to lift the limit.


Last update: September 16, 2024