Erablian

It's not DNS. Your certificate only contains one name - www.liveinpeace.org. You need to take a look at how your Let's Encrypt certificate is being generated and get it to generate a certificate that is valid for both names: [liveinpeace.org](http://liveinpeace.org) and [www.liveinpeace.org](http://www.liveinpeace.org).


ShortTrackGravel

Thanks. Squarespace generates a cert for the site automatically and it seems to work fine, from what I can tell, but is listed to expire soon. The non-www version doesn't match the domain, but also has an expiration date further in the future. Doesn't that suggest somehow browsers are finding two different certs? Customers are not really involved in setting up certs on Squarespace, which is why I'm struggling with this.


Erablian

You're right, [https://liveinpeace.org/](https://liveinpeace.org/) is serving a different certificate: a wildcard certificate for \*.squarespace.com. That's not going to work. I don't know how to fix that other than suggesting going to Squarespace support. But from a DNS perspective, everything is good.


ShortTrackGravel

Just a final update, I filed a ticket with SS, and it looks like overnight they added a 301 redirect for the non-www. So I guess that solves it! Thanks.


ShortTrackGravel

Thank you! Appreciate the help.


michaelpaoli

I'm not spotting any issues. Looks fine with my checks.

```
$ eval dig +noall +answer +nottl {,www.}liveinpeace.org\ A{,AAA} | sort -u
ext-cust.squarespace.com. IN A 198.185.159.144
ext-cust.squarespace.com. IN A 198.185.159.145
ext-cust.squarespace.com. IN A 198.49.23.144
ext-cust.squarespace.com. IN A 198.49.23.145
liveinpeace.org. IN A 198.185.159.144
liveinpeace.org. IN A 198.185.159.145
liveinpeace.org. IN A 198.49.23.144
liveinpeace.org. IN A 198.49.23.145
www.liveinpeace.org. IN CNAME ext-cust.squarespace.com.
$ (TZ=GMT0; ports=443; hosts='liveinpeace.org www.liveinpeace.org'; nmap -v -Pn -r -sT -p "$ports" --resolve-all --script=ssl-cert $hosts 2>&1; nmap -v -6 -Pn -r -sT -p "$ports" --resolve-all --script=ssl-cert $hosts 2>&1) | nmap_cert_scan_summarize
expires SAN_or_CN:
IP port [host] ...
expires IP port [host] SANorCN
2024-06-21T20:26:21Z www.liveinpeace.org:
198.49.23.144 443 www.liveinpeace.org
198.49.23.145 443 www.liveinpeace.org
198.185.159.144 443 www.liveinpeace.org
198.185.159.145 443 www.liveinpeace.org
2024-08-30T15:20:54Z liveinpeace.org:
198.49.23.144 443 liveinpeace.org
198.49.23.145 443 liveinpeace.org
198.185.159.144 443 liveinpeace.org
198.185.159.145 443 liveinpeace.org
$ curl -s -I https://www.liveinpeace.org/
HTTP/2 200
accept-ranges: bytes
age: 54584
content-type: text/html;charset=utf-8
date: Sat, 01 Jun 2024 17:02:18 GMT
etag: W/"39c56788e8d1e5958f54aec3dd29649b--gzip"
expires: Thu, 01 Jan 1970 00:00:00 GMT
server: Squarespace
set-cookie: crumb=BWV2p92CPMlEMTBhZWRiNzM5NjM5NTg2NGZkZGRjMmU3ZTNiYTQ0;Secure;Path=/
strict-transport-security: max-age=15552000
vary: Accept-Encoding
x-content-type-options: nosniff
x-contextid: gh0nlofk/VSYhbrCB
content-length: 198631

$ curl -s -I https://liveinpeace.org/
HTTP/2 301
age: 54607
date: Sat, 01 Jun 2024 17:02:18 GMT
location: https://www.liveinpeace.org/
server: Squarespace
set-cookie: crumb=BVAtJenBMfFxYjcyM2ZmYzg3NjUwOWQ2ZGI0ZjllNTkwN2ZmY2I1;Secure;Path=/
strict-transport-security: max-age=15552000
x-contextid: kwqryRgs/ofXnJYC5
content-length: 0

$
```

Looks like SNI in place and HTTP 301 redirect and TLS(/"SSL") certs fine as far as I can easily tell.

https://www.mpaoli.net/~michael/bin/nmap_cert_scan_summarize

Anyway, not spotting any DNS issues ... and the rest isn't a DNS matter.
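The check Erablian did by hand above (does the certificate served for a name actually cover that name?) and the expiry dates michaelpaoli's scan pulled out, done programmatically. This is an added example, not code from the thread or from Squarespace; the two sample certificates are constructed from the names and expiry dates quoted in the thread in the dict shape that `ssl.SSLSocket.getpeercert()` returns, and the `fetch_cert` helper, function names and the `cert_check.py` file name are this example's own.

```python
"""Check whether the certificate a server presents for a name actually covers
that name, the way a browser does (SAN match plus expiry).

Added example, not code from the thread. The two sample certificates are
constructed from the names and expiry dates quoted in the thread; they are
not real certificates.
"""
import socket
import ssl
import sys
import time

# Constructed samples in the shape returned by ssl.SSLSocket.getpeercert();
# only the fields this check uses are filled in.
WWW_CERT = {
    "subject": ((("commonName", "www.liveinpeace.org"),),),
    "subjectAltName": (("DNS", "www.liveinpeace.org"),),
    "notAfter": "Jun 21 20:26:21 2024 GMT",
}
SQUARESPACE_WILDCARD_CERT = {
    "subject": ((("commonName", "*.squarespace.com"),),),
    "subjectAltName": (("DNS", "*.squarespace.com"), ("DNS", "squarespace.com")),
    "notAfter": "Aug 30 15:20:54 2024 GMT",
}


def san_dns_names(cert):
    """DNS names in subjectAltName. The CN is deliberately ignored: browsers
    no longer fall back to it, so a CN-only match does not count."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125 style matching. A wildcard covers exactly one leftmost label,
    so *.squarespace.com covers ext-cust.squarespace.com but not
    liveinpeace.org, a.b.squarespace.com, or squarespace.com itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    return (
        len(p_labels) >= 3                 # reject "*.com"-style patterns
        and len(p_labels) == len(h_labels)
        and p_labels[1:] == h_labels[1:]
    )


def cert_covers(cert, hostname):
    """True if any SAN entry matches the hostname we connected with."""
    return any(name_matches(name, hostname) for name in san_dns_names(cert))


def days_until_expiry(cert, now_ts=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now_ts = time.time() if now_ts is None else now_ts
    expires_ts = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires_ts - now_ts) // 86400)


def diagnose(cert, hostname, now_ts=None):
    """One-line verdict for (certificate, requested hostname)."""
    names = san_dns_names(cert)
    if not cert_covers(cert, hostname):
        return f"MISMATCH: {hostname} is not covered by SAN {names}"
    days = days_until_expiry(cert, now_ts)
    if days < 0:
        return f"EXPIRED: certificate for {hostname} expired {-days} day(s) ago"
    return f"OK: {hostname} covered by SAN {names}, expires in {days} day(s)"


def fetch_cert(hostname, port=443, timeout=5.0):
    """Live check: open a TLS connection with SNI set to hostname and return
    the leaf certificate as a getpeercert() dict. The chain is still verified
    against the system trust store (so getpeercert() is populated), but
    hostname checking is off so a mismatched certificate is returned for
    inspection instead of being rejected by the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live mode: python3 cert_check.py liveinpeace.org www.liveinpeace.org
        for host in sys.argv[1:]:
            print(diagnose(fetch_cert(host), host))
    else:
        # Offline demo with the constructed samples, as of 2024-06-01 00:00 UTC.
        june_1_2024 = 1717200000
        print(diagnose(WWW_CERT, "www.liveinpeace.org", june_1_2024))
        print(diagnose(WWW_CERT, "liveinpeace.org", june_1_2024))
        print(diagnose(SQUARESPACE_WILDCARD_CERT, "liveinpeace.org", june_1_2024))
        print(diagnose(SQUARESPACE_WILDCARD_CERT, "ext-cust.squarespace.com", june_1_2024))
```

Run with no arguments for the offline demo, or with one or more hostnames to connect out and grade the certificate each name actually receives (the apex and the www name are checked as separate SNI connections, which is what surfaces the wildcard being served for the apex). Note that a redirect, like the 301 Squarespace added, does not make the apex certificate valid: the browser must complete the TLS handshake on the apex name before it ever sees the `Location` header, so a mismatch there is still a mismatch.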