smoxy

English

Deutsch

English

Deutsch

Appearance

SSL Troubleshooting

This guide covers common SSL issues in smoxy and how to resolve them.

Understanding SSL Status

Your domain's SSL status is visible on the SSL tab under Domains & DNS. The following statuses indicate an issue:

Pending

Meaning: Certificate generation has been initiated but is not yet complete.

What to do:

  • Verify that all _acme-challenge CNAME records are configured at your DNS provider
  • Allow time for DNS propagation (typically a few minutes, but can take up to 48 hours)
  • smoxy will automatically pick up the generation once DNS is verified

If stuck for more than 1 hour:

  • Check each SAN's DNS status on the SSL tab
  • Look for SANs with "Missing" DNS status and fix those records
  • smoxy retries automatically with increasing intervals

DNS Missing

Meaning: The required _acme-challenge CNAME record was not found for one or more SANs.

Resolution:

  1. Check the expected CNAME record shown in smoxy

  2. Add the record at your DNS provider:

    Type:   CNAME
Name:   _acme-challenge
Target: your-org.acme.smoxy.eu  (as shown in smoxy)

  3. Wait for DNS propagation

  4. smoxy checks missing records every 1 hour and will detect the change automatically

DNS Wrong

Meaning: A CNAME record for _acme-challenge exists, but it points to the wrong target.

Resolution:

  1. Go to your DNS provider
  2. Update the _acme-challenge CNAME to point to the target shown in smoxy
  3. smoxy will verify the updated record on the next check

DNS Duplicate

Meaning: A TXT record for _acme-challenge exists, which conflicts with the required CNAME record.

Why this happens: Some DNS providers or previous setups may have created a TXT record for ACME challenges. smoxy requires a CNAME record instead.

Resolution:

  1. Remove the TXT record for _acme-challenge at your DNS provider
  2. Ensure only the CNAME record exists
  3. smoxy will detect the change on the next check

Common Scenarios

Cloudflare Users

If you use Cloudflare as your DNS provider:

  1. Disable the Cloudflare proxy (orange cloud) for the _acme-challenge CNAME record
  2. The record must be DNS Only (grey cloud) for ACME verification to work
  3. Your regular traffic records can still use the Cloudflare proxy

See Cloudflare Setup for detailed instructions.

Certificate Not Renewing Automatically

Auto-generated certificates renew 30 days before expiration. If renewal isn't happening:

  1. Check DNS records — The _acme-challenge CNAME records must still be in place
  2. Check SAN DNS status — Go to the SSL tab and verify all SANs show "Valid" DNS status
  3. Rate limits — If smoxy hit Let's Encrypt rate limits, it waits 1 hour before retrying

INFO

Note: Self-managed certificates are never auto-renewed. You must upload a replacement yourself.

Multiple Subdomains Not Covered

The default wildcard (*.yourdomain.com) covers single-level subdomains. It does not cover:

  • Multi-level subdomains like sub.shop.yourdomain.com
  • Different top-level domains

For these cases, smoxy can add additional SANs. Each additional SAN requires its own _acme-challenge CNAME record.

Certificate Shows as Expired

If your certificate has expired:

  • Auto-managed: Check if the _acme-challenge DNS records are still in place. If they are, smoxy will attempt to renew. If they were removed, add them back.
  • Self-managed: Upload a new certificate. smoxy cannot renew certificates it didn't generate.

SSL Generation Fails Repeatedly

If you see repeated failures in the SSL generation process:

ErrorCauseResolution
CNAME not foundDNS record missingAdd the required CNAME record
TXT ACME challenge existsConflicting TXT recordRemove the TXT record, keep CNAME only
Rate limitToo many Let's Encrypt requestsAutomatic — smoxy retries after 1 hour
Validation failedDNS propagation incompleteWait for propagation, smoxy retries automatically
Fetch DNS errorDNS provider unreachableTemporary — smoxy retries automatically
No SAN errorNo Subject Alternative Names configuredContact support — SANs should be created automatically

smoxy uses exponential backoff when retrying, increasing the wait time between attempts to avoid overwhelming external services.

Certificate Verification

To independently verify your SSL certificate is working:

Using a Browser

  1. Visit your domain with https://
  2. Click the padlock icon in the address bar
  3. View certificate details to confirm:
    • Issued to the correct domain
    • Valid date range
    • Issued by the expected CA (Let's Encrypt for auto-managed)

Using Command Line

bash
# Check certificate details
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com < /dev/null 2>/dev/null | openssl x509 -text -noout

# Check certificate expiration
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates

Getting Help

If you've followed the troubleshooting steps and your SSL issue persists:

  1. Note the exact status messages shown in smoxy
  2. Check the Activity Log (under Team settings) for SSL-related events
  3. Contact smoxy support with your domain name and the error details