Getting ERR_SSL_PROTOCOL_ERROR on root domain

Hey guys, we spent the past 2 months working on a Webflow site and preparing to migrate our website https://respond.io/ from WordPress to Webflow and today was finally the release date. Sadly the release failed… miserably :(

As soon as we changed the DNS records, the site was no longer accessible, regardless of how long we waited or how many times we cleared the cache. The error we received was: ERR_SSL_PROTOCOL_ERROR

These are the steps we followed to change the DNS settings:

  1. In Webflow Project Settings we added the custom domain, and we selected the root domain (without WWW) as the default. Important: we want to use the root domain as the default as we already built a considerable SEO rank to that destination.
  2. We then removed the old DNS records for both @ and www, and added the new ones:
    CNAME @ proxy-ssl.webflow.com
    CNAME www proxy-ssl.webflow.com
    As explained in the Webflow documentation, Set root domain as the default domain.
  3. We went back to the Webflow Project Settings, verified both domains (both were confirmed to be verified) and re-published the site.

And nothing… just the error. We waited one hour and it still wasn’t working. We tried the troubleshooting options described in the other forum posts: turning SSL on and off, clearing cache, republishing, changing the WWW default and then back to Root default. But still, nothing worked.

We decided to revert the DNS to point to our WordPress hosting until we can find a solution. Hope someone can help me identify the issue!

Looking forward to hearing from you soon!

Hi @salandragk thank you for posting here to check your DNS settings as you were publishing your new website, it looks great!

It looks like the DNS records were still propagating, but they have now and your SSL Certificate was successfully issued. I’m seeing your website live on this side without any issues.

Can you please let me know if you’re still seeing the ERR_SSL_PROTOCOL_ERROR on that side? Thanks again!

The website that is currently live is our old WordPress site. We decided to revert the DNS to point to our WordPress hosting until we can find a solution :(

The issue is still there: every time I change the DNS, the root domain continues to give this error: ERR_SSL_PROTOCOL_ERROR

Some extra info:

After the DNS change, both (1) the CNAME for the “www” subdomain and (2) the A record for the root domain, are propagated instantaneously. So I am confident it’s not a propagation issue.

This is the error that appears when I try to resolve the root using a HTTPS status checker:

Any idea what I should try next?

Thanks for your information.

Hi @salandragk thank you so much for following up, I greatly appreciate it!

DNS records can take up to 48 hours to propagate globally, though it typically happens faster than that. The CNAME record on the root domain will instead return a set of dynamic A records when you perform a DNS look-up, so a DNS look-up won’t return that CNAME record on the root domain.

My recommendation would be to set your DNS records to point to Webflow as you had them before. Then publish your site without setting a default domain. Once your Webflow site is live then you should be able to set the default domain thereafter and republish the site to your custom domain.

Please let me know if this is helpful or if you have any additional questions.
I’m happy to help you further!

Together with Webflow’s support, we ruled out propagation as the reason for the site not loading. DNS checkers have confirmed that both the A records for the root domain and the CNAME for www are fully propagated about 10 seconds after changing them (checks out: unless someone still uses a DNS provider from the 90s, propagation rarely takes more than a couple of minutes).

Webflow’s support hypothesis is that it’s due to a rate limit on Let’s Encrypt. They suggested I wait 7 days and then try again.

I did some research, and I find that rather unlikely.

According to Let’s Encrypt, “The main limit is Certificates per Registered Domain (50 per week).”

Based on the certificate logs here, only 14 certificates have been created in the previous 7 days, most of them on Sunday, when we tried to do the initial DNS change, it failed, and we attempted the troubleshooting steps in the Webflow forums.

I am genuinely concerned about moving to Webflow now. We are a business that strongly relies on website traffic, and these downtimes are severely affecting our operations. We can’t wait 7 days and postpone all our marketing campaigns just to find out the issue was not the rate limit and have to start everything all over again.

Does anyone have any idea what to try next?

Hey @salandragk,

I did some more investigation on this issue.

You are correct in the 50 per week limit per domain, but they are also subject to a Duplicate Certificate limit of 5 per week. This is the limit that was met when trying to provision an SSL for your project.

Thanks for reaching out to our Customer Support Team about this as well. I will continue to work with you through your support request to get this resolved.

Cheers,
Drew

Thanks Drew, truly appreciate the time taken to explain the situation, this gives us peace of mind.

It is now clear to us what happened. During our first attempt to publish, multiple factors caused 5 separate certificates to be issued for the same domain, making us reach the Let’s Encrypt rate limit of 5 Duplicate Certificates per week.

I am glad to hear the issue has been identified and a fix has been released.

We will try to change the DNS again and publish our Webflow site once 7 days from the first attempt have passed. Crossing fingers it all goes smoothly this time.

Thanks again!

The issue has been resolved. Waiting 7 days and trying again solved the issue for us.

For anyone reading this post in the future, if you are getting the error ERR_SSL_PROTOCOL_ERROR, use the following tool to diagnose if your domain has reached any Let’s Encrypt rate limit: letsdebug-toolkit

If the tool shows that your domain has reached any of the multiple rate limits imposed by Let’s Encrypt, you will have to wait 7 days and try again. Good luck!

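The situation worked out in this thread (14 certificates in 7 days, far below the 50-per-domain limit, yet issuance blocked by the 5-duplicate limit) can be checked from a list of issuance records. This is an added example, not part of any post above and not Webflow's or Let's Encrypt's code; the example.com hostnames and timestamps are constructed, the two limits are the figures quoted in the thread, and a sliding 7-day window over a single registered domain is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)   # assumption: limits apply over a sliding 7-day window
DOMAIN_LIMIT = 50            # "Certificates per Registered Domain (50 per week)"
DUPLICATE_LIMIT = 5          # "Duplicate Certificate limit of 5 per week"

def check_limits(issuances, now):
    """issuances: (issued_at, hostnames) pairs for ONE registered domain,
    e.g. transcribed from certificate-transparency logs."""
    by_set = defaultdict(list)
    for issued_at, names in issuances:
        if now - WINDOW < issued_at <= now:
            # A "duplicate" is a certificate for exactly the same set of names.
            by_set[frozenset(n.lower() for n in names)].append(issued_at)
    total = sum(len(v) for v in by_set.values())
    blocked = {}
    for names, stamps in by_set.items():
        if len(stamps) >= DUPLICATE_LIMIT:
            # Issuance reopens when the oldest of the last DUPLICATE_LIMIT
            # certificates for this name set slides out of the window.
            blocked[names] = sorted(stamps)[-DUPLICATE_LIMIT] + WINDOW
    return {"total": total, "domain_limit_hit": total >= DOMAIN_LIMIT,
            "blocked": blocked}

def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed sample: 14 certificates inside the window, 1 outside it.
BOTH = ("example.com", "WWW.example.com")
SAMPLE = (
    [(_t("2021-03-07 " + h), BOTH)
     for h in ("09:00", "09:20", "09:45", "10:10", "10:30")]
    + [(_t("2021-03-07 " + h), ("example.com",))
       for h in ("11:00", "11:30", "12:00", "12:30")]
    + [(_t("2021-03-08 " + h), ("www.example.com",))
       for h in ("08:00", "08:30", "09:00", "09:30")]
    + [(_t("2021-03-05 08:00"), ("staging.example.com",)),
       (_t("2021-02-20 08:00"), BOTH)]  # older than 7 days, ignored
)

if __name__ == "__main__":
    report = check_limits(SAMPLE, now=_t("2021-03-10 12:00"))
    print("certificates in window:", report["total"], "of", DOMAIN_LIMIT)
    for names, retry in report["blocked"].items():
        print("duplicate limit hit for", sorted(names), "- retry after", retry)
```

Each toggle of SSL, default domain or republish that triggers a fresh certificate request for the same root-plus-www pair counts toward the duplicate limit, which is why repeated troubleshooting can exhaust it long before the per-domain limit is in sight.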