SSL Active eventhough it's not valid anymore

It seems SSL topics are haunting me.

As you can see the ssl certificate is not valid anymore:

But inside Cleavr it says it’s active:

Until i hit check validity:

Isn’t the default to autorefresh the certificate?

The reason is probably the redirect for this domain:

Any way to ensure the autorefresh works besides the redirect?

Appreciate any help!

EDIT: I wonder why it was valid from May until August when the redirect was present on May already.

EDIT 2: Yeah, i removed the redirect and reapplying the ssl certificate worked. I still need some automation for this. Appreciate your help!

LetsEncrypt will create SSL certs that are valid for 3 months, and then is set to renew SSL every 2 months.

During initial SSL verification and subsequent renewals, LetsEncrypt will:

  1. Verify the IP address for the cert matches what they see the domain name being tied to (which means that proxy servers can disrupt this verification)
  2. Add a file to a folder named /well-known which will be used for a challenge process (redirects can interfere with this depending on where the redirects are)
  3. Check ports 80 and 443 during the verifications; we’ve seen renewals fail due to port 80 being closed for instance
  4. Check any alternate domains added to the cert - such as, if there is an alias domain or a www domain that was included in the SSL cert for the main domain. It’s an all or nothing verification, so if DNS records for an alt domain change, then that can cause a renewal to fail

@amiedema As you probably have a lot more expertise on this matter:
How to go around the fact that my site in cleavr has a root level (/) redirect while SSL still needs to be applied? All without manually interfering?

Or am i looking at this the wrong way?

Appreciate your help!

The root level redirect is what I’m not sure how to get around. What’s the purpose of it? An alias could also be added to a site, and then update the SSL cert by adding the alias as an alt domain.


My use case is having a website hosted on webflow (redirect target) where domain management at this level of detail is not possible.

Would you consider some kind of a “checkbox” on the ssl section that would then, when a new ssl certificate is being processed, shortly disable all root level redirects until ssl is installed?

Hello @amiedema ,

Any new ideas on this matter?

You can read my use case in my previous post.

In my opinion a server management software should not only be able to set up redirects to websites sitting on the servers being managed but also to redirect to outside.

But that might just be me thinking wrong about the process because of missing knowledge on server topics and i am willing to take another approach if feasable.

Appreciate any help on this!

I think it’s the root level redirect that I’m confused on.

Any reason not to handle redirecting to the other site at the DNS level? Such as by adding a CNAME record?

The reason is that as far as i am aware of a redirect to a address is not possible on CNAME level.

Or am i wrong here? Other solutions than server level or DNS-Level?

For CNAME records, you’d point one domain to another; such as points to with a cname record. CNAMEs can be managed in Cleavr if you brought in Cloudflare, DigitalOcean, or Porkbun DNS management profiles. Otherwise, you’d need to setup a CNAME record in the domain management site that you manage DNS records in.

I hope that helps!

I’m sorry. It seems my answer was shortened as i was using the tag syntax for the domain example.

What I would need is a redirect from to

Like in redirects to

From what i understand this is not possible on DNS level.

How would you solve such a problem?

Appreaciate your help!


In that case, I think the better placement of the redirect will be in the site’s NGINX config. Reason being, the redirects are processed first and NGINX will route based off of the first directive it encounters.

  1. Remove the redirect from the ‘redirects’ section
  2. Go to the site > site Nginx config and then add the redirect below the .well know acme challenge directive. This then should allow the SSL to process correctly.
 location ^~ /.well-known/acme-challenge/ {
    allow all;


rewrite / permanent;


Thank you for your help on this matter. Appreciate it!

So i added the directive as you suggested. I removed the redirect afterwards (for keeping the redirect alive as long as i add the directive).

After that I requested a new ssl certificate just for testing purposes (“SSL Certificates” → “Three Dots” → “Edit SSL Certificate” → Primary Domain is and “Alternate Domains” has value “” → Button “Update”)

After doing stuff for a while it shows an error without further clarification:

Any ideas what’s wrong?

@amiedema Sorry to bother you. Could you please look into this?

I’m lost here and Cleavr is not giving any info on why the error occurs.

I’m not sure what I was thinking… LetsEncrypt still will check the root domain which will be redirected to a different one, which will cause the process to fail. I’ll think about it some more…

I was trying to see if a directive matching a referrer might work to not redirect LetsEncrypt traffic, but I can’t seem to get that to work.

Another option would be, if you are using Cloudflare, you can add an SSL at CF for the domain via using their proxy services, that way there is SSL from client to CF and you won’t need to manage certs on the server.

One last option would be to use a custom cert with a far out expiry date. CF issues certs that expire up to 15 years.

Thank you for putting your brainpower into this. Strange such a simple thing would requires so much effort.

Appreciate your help.

I think the last option you mentined could be the solution for our case.

Does that work with cleavr or how would i set this up?

I am quite the newbie when it comes to managing server’s, especially setting up certificates.

Appreciate your patience :pray:

For the 15 year cert, you can generate one using Cloudflare and then apply it in Cleavr. Here are some guides: