Troubleshooting SSL Certificate Issues
How Your SSL Certificate Works
The WAF uses two separate TLS/SSL certificates to secure traffic end-to-end:
- WAF Certificate — secures the connection between your visitors’ browsers and the WAF edge network. This is the certificate visitors see when they inspect your site’s SSL.
- Heroku ACM Certificate — secures the connection between the WAF edge network and your Heroku app. Managed automatically by Heroku. Keep Heroku ACM enabled even while using the WAF — it is required for proper traffic routing between the WAF and your app, and it ensures your site still has a valid certificate if you ever need to move off the WAF.
During the WAF setup process, the certificate your visitors see will change. This is normal and expected:
- During setup (before DNS cutover): We issue a Sectigo bridge certificate for your domain. This certificate is validated via a CNAME DNS record and is installed on the WAF before your DNS changes. The bridge certificate ensures there is no SSL downtime when you cut over DNS from your existing setup to the WAF.
- After DNS points to the WAF: The WAF edge network automatically provisions a GoDaddy/Starfield certificate. This replaces the Sectigo bridge certificate and is the certificate your visitors will see going forward.
Both are valid, trusted certificates issued by well-known certificate authorities.
My Certificate Issuer Changed from Sectigo to Starfield
If you notice that your certificate issuer changed from Sectigo to Starfield or GoDaddy, this means your WAF setup completed successfully. The transition happens automatically once your DNS is pointed to the WAF and is the expected behavior.
No action is required.
Certificate Renewal Requires DNS Pointing to the WAF
The GoDaddy/Starfield certificate can only be issued and renewed when your domain’s DNS resolves to the WAF. If your DNS stops pointing to the WAF for any reason, certificate renewal will fail and your certificate will eventually expire.
Common reasons DNS may no longer point to the WAF:
- DNS records were changed during a migration or DNS provider switch
- DNS records were accidentally removed or overwritten
- A team member pointed the domain directly back to Heroku
How to Check
Verify your domain’s A record points to the WAF IP shown on your dashboard:
Look up your domain’s A record
Also verify the www subdomain:
The results should match the WAF IP address or CNAME target shown on your WAF dashboard’s DNS settings page.
How to Fix
- Update your DNS records to point back to the WAF (use the IP address and CNAME values from your dashboard)
- Allow up to 24 hours for DNS propagation
- Contact us at support@expeditedsecurity.com and we will re-trigger the certificate renewal
CAA Records Blocking Certificate Renewal
CAA (Certificate Authority Authorization) records are DNS records that restrict which certificate authorities can issue certificates for your domain. If your domain has CAA records that do not include GoDaddy, the WAF cannot renew your certificate.
Symptoms
- Your certificate expires even though DNS is pointing to the WAF correctly
- Your WAF dashboard shows a CAA warning on the TLS/SSL Certificate page
How to Check
Look up your domain’s CAA records
If this returns any CAA records, look for an issue record whose value is godaddy.com (and an issuewild record naming godaddy.com if you use a wildcard certificate). If it is missing, that is the problem. Certificate authorities evaluate CAA starting at the hostname and walking up through its parent names, so a record set on yourdomain.com also governs www.yourdomain.com unless www has CAA records of its own.
How to Fix
Add the following CAA record to your DNS configuration:
- Type: CAA
- Name: @ (or your domain name)
- Flag: 0
- Tag: issue
- Value: godaddy.com
If you use a wildcard certificate, also add:
- Type: CAA
- Name: @
- Flag: 0
- Tag: issuewild
- Value: godaddy.com
You do not need to remove existing CAA records for other certificate authorities. Multiple CAA records can coexist, and you should keep any that other certificates on the domain depend on: Heroku ACM issues through Let's Encrypt, so a domain that relies on it must still permit letsencrypt.org.
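The same records as they appear in zone-file form, as an added illustration that is not taken from the WAF dashboard or from Expedited Security. The letsencrypt.org line stands in for an assumed pre-existing CAA record (Heroku ACM issues through Let's Encrypt), the TTL is illustrative, and the issuewild line is only needed if you use a wildcard certificate:

```text
; Before: only Let's Encrypt may issue, so the GoDaddy/Starfield renewal is refused
yourdomain.com.   3600  IN  CAA  0 issue     "letsencrypt.org"

; After: keep the existing record and add GoDaddy (issuewild only for wildcards)
yourdomain.com.   3600  IN  CAA  0 issue     "letsencrypt.org"
yourdomain.com.   3600  IN  CAA  0 issue     "godaddy.com"
yourdomain.com.   3600  IN  CAA  0 issuewild "godaddy.com"
```

A lookup of the apex with dig (dig +short CAA yourdomain.com) returns these as lines of the form 0 issue "godaddy.com", which is the format to look for when checking whether the fix has propagated.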
For full details, see CAA Records and Certificate Renewal.
Wildcard Certificate Renewal
Unlike standard certificates, wildcard certificates (*.yourdomain.com) cannot auto-renew. Each renewal requires a new CNAME record for domain validation.
When your wildcard certificate is approaching expiration:
- We send you a renewal notification email with a new CNAME record to add to your DNS
- You add the CNAME record (this will be different from previous years)
- The certificate authority verifies the record and issues a new certificate
- The new certificate is installed automatically
This process repeats annually — each renewal requires a new CNAME record, so watch for the renewal email each year.
If you did not receive the renewal email, check your WAF dashboard’s TLS/SSL Certificate page — the required CNAME record is displayed there when a renewal is in progress.
For full details, see Wildcard Certificate Renewal.
Quick Diagnostic Checklist
Check your current certificate:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Look for:
- Issuer should include Starfield or GoDaddy (after DNS cutover) or Sectigo (during initial setup)
- notAfter date should be in the future
Check DNS pointing:
Look up your domain’s A record — result should match the WAF IP on your dashboard.
Check CAA records:
Look up your domain’s CAA records — should include godaddy.com, or return no CAA records at all (no CAA records means any CA is permitted).
Check your dashboard:
Visit the TLS/SSL Certificate page on your WAF dashboard. A green indicator means the certificate is active. Amber means renewal is in progress. Red means the certificate has expired.
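The checks on this page (the A record lookups under How to Check, the CAA lookup, and this checklist) collected into one diagnostic script. This is an added example, not a tool shipped with the WAF or by Expedited Security. It assumes dig and openssl are installed, that you pass the WAF IP address or CNAME target from your dashboard as the second argument, and that the bridge and post-cutover issuers can be recognised by the strings Sectigo, Starfield, GoDaddy or Go Daddy in the certificate's issuer line. The CAA helper applies the RFC 8659 rules rather than a plain grep: an empty record set permits any CA, issuewild falls back to issue records when no issuewild records exist, and parameters after a semicolon are ignored.

```shell
#!/bin/sh
# waf_ssl_check.sh: added diagnostic script for the DNS, CAA and certificate checks
# described on this page. Not part of the WAF dashboard or Expedited Security tooling.
# Assumes dig and openssl are installed. Usage:
#   sh waf_ssl_check.sh yourdomain.com <WAF IP or CNAME target from your dashboard>

# Succeed if any resolved line (A record or CNAME target, one per line, trailing
# dot removed) equals the WAF target shown on the dashboard.
dns_matches_waf() {
    expected="$1"; resolved="$2"
    printf '%s\n' "$resolved" | grep -Fxq -- "$expected"
}

# Succeed if the CAA record set permits CA "$2" under tag "$1" (issue or issuewild).
# "$3" is `dig +short CAA` output, one record per line, e.g. 0 issue "godaddy.com".
# RFC 8659: an empty set permits any CA; issuewild falls back to issue records when
# no issuewild records exist; anything after ';' in the value is a parameter.
caa_permits() {
    tag="$1"; ca="$2"; records="$3"
    if [ -z "$records" ]; then return 0; fi
    props=$(printf '%s\n' "$records" | awk -v t="$tag" '$2 == t')
    if [ -z "$props" ] && [ "$tag" = issuewild ]; then
        props=$(printf '%s\n' "$records" | awk '$2 == "issue"')
    fi
    # A record set with no relevant property leaves issuance unrestricted.
    if [ -z "$props" ]; then return 0; fi
    printf '%s\n' "$props" \
        | awk '{ v = $3; gsub(/"/, "", v); sub(/;.*/, "", v); print tolower(v) }' \
        | grep -Fxq -- "$(printf '%s' "$ca" | tr 'A-Z' 'a-z')"
}

# Map an `openssl x509 -issuer` line to the state this page describes.
cert_issuer_state() {
    case "$1" in
        *Starfield*|*GoDaddy*|*"Go Daddy"*) echo post-cutover ;;
        *Sectigo*)                           echo bridge ;;
        *)                                   echo unexpected ;;
    esac
}

run_checks() {
    domain="$1"; waf_target="$2"
    echo "== DNS: $domain and www.$domain should resolve to $waf_target"
    for host in "$domain" "www.$domain"; do
        resolved=$(dig +short "$host" | sed 's/\.$//')
        if dns_matches_waf "$waf_target" "$resolved"; then
            echo "ok   $host -> $waf_target"
        else
            echo "FAIL $host resolves to: $(printf '%s' "$resolved" | tr '\n' ' ')"
        fi
    done

    echo "== CAA: godaddy.com must be permitted (or no CAA records at all)"
    caa=$(dig +short CAA "$domain")
    if caa_permits issue godaddy.com "$caa"; then
        echo "ok   issue permitted for godaddy.com"
    else
        echo "FAIL CAA blocks godaddy.com:"; printf '%s\n' "$caa"
    fi
    if ! caa_permits issuewild godaddy.com "$caa"; then
        echo "WARN issuewild blocks godaddy.com (matters only for wildcard certificates)"
    fi

    echo "== Certificate served for $domain"
    cert=$(echo | openssl s_client -servername "$domain" -connect "$domain:443" 2>/dev/null \
           | openssl x509 2>/dev/null)
    if [ -z "$cert" ]; then echo "FAIL could not fetch a certificate"; return 1; fi
    printf '%s\n' "$cert" | openssl x509 -noout -subject -issuer -dates
    echo "issuer state: $(cert_issuer_state "$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)")"
    # -checkend needs no GNU date: exit 0 if the certificate is still valid in 14 days.
    if printf '%s\n' "$cert" | openssl x509 -noout -checkend $((14 * 24 * 3600)) >/dev/null; then
        echo "ok   valid for more than 14 days"
    else
        echo "WARN expires within 14 days or has already expired"
    fi
}

if [ "$#" -ge 2 ]; then run_checks "$1" "$2"; fi
```

Run it as sh waf_ssl_check.sh yourdomain.com 203.0.113.10 (or with the CNAME target instead of the IP). A FAIL on the DNS step matches the Certificate Renewal Requires DNS Pointing to the WAF section, a FAIL on the CAA step matches CAA Records Blocking Certificate Renewal, and an issuer state of bridge after cutover means the Starfield/GoDaddy provisioning has not completed yet.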
Need Help?
If you are having trouble with your SSL certificate, please contact us:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min