SSL Certificate Error on icptokens.net

Hi everyone,

I’m the developer of icptokens.net — it’s an on-chain asset canister hosted on the Internet Computer.

Recently, the site started showing this browser error:

net::ERR_CERT_COMMON_NAME_INVALID

It seems related to the SSL/TLS certificate; I’m not sure if this issue is from the boundary nodes or something in the network configuration.

Could anyone from the DFINITY community help me investigate whether this is a network-side issue or something I need to fix in my canister/domain setup?

Any insights or guidance would be greatly appreciated.

I don’t know the answer, but I’m sharing the following in case it’s useful until the colleagues who know best respond.

Just a few days ago, a few people using Cloudflare reported a similar issue that was resolved by updating their Cloudflare configuration as mentioned here:

Again, just sharing in case it might help by any chance.

I was one of those people.

Resubmitting the request to the boundary nodes is what immediately resolved the situation.

Changing the Cloudflare setting is what will prevent the issue in the future (with Cloudflare messing up the TXT record).

After disabling Cloudflare Edge Certificates, we re-submitted the request, and it’s now stuck in “PendingAcmeApproval”.
DNS TXT records are correct and proxying is off…

Any update on this?

This already occurred in the past, so what’s the issue currently, @peterparker?

As mentioned in my post above, I don’t know the answer.

Same here. Mine has been like that for over a week now and the website is still not accessible.

Hello everyone,

There are multiple threads on this going on. Mostly this is due to the Cloudflare Universal SSL setting. Renewal fails, but the custom domains service is not smart enough and just retries for 3 days in the hope of the order going through at some point. However, that triggers a rate-limit on the Let’s Encrypt side. After 3 days, the custom domains service gives up. When you retry immediately after that, you hit the rate-limit again and it won’t go through. That’s why you should wait a few days and then retry.

We are currently working on a new custom domains service that is more robust and smarter about such errors. We are code complete and are now planning the rollout and transition. For you, the users, not much will change.

Thanks, @rbirkner!

I’ve marked this answer as the solution — really appreciate the clear explanation and update.

For anyone looking for the short-term workaround, please check the other thread here:
👉 https://forum.dfinity.org/t/help-icp-gateway-returns-error-400-unknown-domain/56948/
(It also includes adding the www version and redirect setup.)

Thanks again!

Best,
Boyan
CTO, ICP Tokens

You’re right - different domain means a new PID (like a fresh icptokens account), so portfolio and watchlist aren’t visible; we’re waiting on Dfinity support to revert to the non-www version.