SSL handling
Every site on CloudMagnus gets a Let's Encrypt certificate, issued automatically once DNS resolves and renewed on schedule. This page explains what's happening and what to do when issuance fails.
How issuance works
The platform calls Let's Encrypt as soon as your domain's DNS resolves on both 1.1.1.1 and 8.8.8.8. Let's Encrypt validates ownership using the HTTP-01 challenge: it makes a request to http://example.com/.well-known/acme-challenge/<token> and expects to find a specific file. If that response comes back correctly, Let's Encrypt issues the certificate.
The whole flow usually completes in under a minute. The provisioning page shows two relevant states: SSL issuing while the call is in flight, then SSL installed when it lands.
Renewal
Let's Encrypt certificates last 90 days. The platform renews automatically about 30 days before expiry. You don't see anything in the dashboard for renewals; they happen quietly. If a renewal fails, the same retry logic from initial issuance applies, and you'll get a notification once auto-retries are exhausted.
CAA records
Some domains have a CAA record telling the world which certificate authorities are allowed to issue for them. If your domain has a CAA record that doesn't include letsencrypt.org, Let's Encrypt won't issue.
The platform checks for CAA before calling Let's Encrypt. If we find a blocking CAA, we tell you exactly which issuer is allowed and stop without burning a rate-limit slot. To fix:
- Add a CAA record allowing Let's Encrypt:
  0 issue "letsencrypt.org"
- Or remove the existing CAA records entirely if you don't need them
After updating CAA, click "Retry SSL" on the provisioning page.
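One way to run this kind of pre-flight check yourself, as an added example (not CloudMagnus's own code): it applies the RFC 8659 rules to CAA records and reports which issuers are allowed. The ZONE data, function names and the KNOWN_TAGS set are assumptions made for the example, with a dictionary standing in for live DNS lookups.

```python
# Added example: CAA evaluation per RFC 8659 over constructed records.
# A record is (flags, tag, value); ZONE stands in for live DNS lookups.
ZONE = {  # constructed sample data
    "example.com": [(0, "issue", "digicert.com")],
    "example.org": [(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                    (0, "iodef", "mailto:security@example.org")],
    "example.net": [(0, "issue", ";")],  # empty issuer: nobody may issue
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # assumption for this sketch


def relevant_rrset(name, zone):
    """Climb from name toward the root; return the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuer_domain(value):
    """Issuer name from a CAA value, without its ';'-separated parameters."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(name, zone, ca="letsencrypt.org", wildcard=False):
    """Return (allowed, reason); for *.name pass name and wildcard=True."""
    found_at, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records on the name or its parents"
    for flags, tag, _ in rrset:
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"unrecognised critical tag '{tag}' at {found_at}"
    issue = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issue"]
    wild = [issuer_domain(v) for _, t, v in rrset if t.lower() == "issuewild"]
    props = wild if (wildcard and wild) else issue  # issuewild wins for *.name
    if not props:
        return True, f"CAA at {found_at} does not restrict issuance"
    if ca in props:
        return True, f"CAA at {found_at} allows {ca}"
    permitted = ", ".join(sorted(p for p in props if p)) or "no issuer at all"
    return False, f"CAA at {found_at} allows only: {permitted}"


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.org", "example.net"):
        print(host, may_issue(host, ZONE))
```

Note that a CAA record on a parent domain also applies to subdomains that have none of their own, which is why the lookup climbs toward the root.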
Failure modes
Rate limit
Let's Encrypt limits how many certificates can be issued per domain per week. The default is 50 per registered domain per week. If you've burned the budget on a previous host, you'll see a rate-limit failure here.
The platform retries after 1 hour, then 6 hours, then 24 hours. If all three fail, the dashboard shows "SSL failed" with a manual retry button. Wait until the rate limit resets (typically a week from when the budget was exhausted), then retry.
DNS timing
Sometimes our resolver checks pass but Let's Encrypt's resolver still has a stale negative cache. The result is a "no A record" or "connection refused" error from Let's Encrypt even though the record IS resolving for us.
The platform waits 60 seconds after our DNS verification before calling Let's Encrypt, to give ACME's resolvers time to catch up. If issuance still fails on a DNS-shaped error, we re-check DNS and retry, up to three attempts.
CAA blocks Let's Encrypt
Covered above. Surfaced as a specific failure reason so you know to update CAA, not just try again.
Other
Network errors, Let's Encrypt outages, or anything not in the three categories above. Logged for the operator to investigate; you'll see a manual retry button in the dashboard.
Manually triggering retry
From the provisioning page, the "Retry SSL" button appears when the site is in ssl_failed state. Clicking it resets the attempt counter and re-enters the SSL flow on the next poller tick (within 30 seconds).
Bringing your own certificate
Not currently supported through the dashboard. If you have a specific business reason to install a wildcard or EV certificate yourself, contact [email protected] and we'll work out a path.