My domain has been stuck on "Provisioning..." for over 3 hours.

Resolved

OOrionsBrainFREE4/20/2026

Service ID: service-69e6169c0c38dc21b398fd78
Stuck domain: orionsbrain.zeabur.app
Status: Red "PROVISIONING" badge in dashboard.
Browser shows NET::ERR_CERT_AUTHORITY_INVALID when accessing.
Steps already tried (none worked): - Deleted and re-generated the domain - Restarted the service - Tried different domain names
Service itself is healthy — RUNNING status, logs show /health returning 200 OK every minute.
Could you please help manually reset the certificate provisioning process? Thanks!

2 Replies

AAnonymousEMPLOYEE4/21/2026

Hi, I investigated your domain and confirmed it's genuinely stuck on the platform side — not something you can fix yourself. Here's what I found:

Diagnosis

Check	Result
Service `ombre-brain` pod status	✅ Running (healthy, no restarts)
DNS for `orionsbrain.zeabur.app`	✅ Resolves to `43.167.220.93` (Zeabur shared cluster ingress)
HTTP (port 80)	✅ HTTP 302 (redirecting to HTTPS as expected)
HTTPS (port 443)	❌ Serving Zeabur's default self-signed placeholder cert (issuer: `O=Zeabur Pte. Ltd.`), not the real `*.zeabur.app` wildcard cert
Your `/health` endpoint	✅ Returning 200 OK

So the service + DNS are both correct — the problem is that the ingress doesn't have a proper TLS certificate bound for orionsbrain.zeabur.app. The self-signed cert being served is the platform's fallback when the real cert isn't attached yet, which is why Chrome shows NET::ERR_CERT_AUTHORITY_INVALID.

Root cause

The actual reason this is stuck: the issue is in the TLS certificate issuance pipeline — our certificate provider (ZeroSSL) account has currently hit its certificate quota limit. New domains (and freshly recreated ones) can't get a real cert issued until the quota frees up or the account is upgraded. This has been reported to the engineering team and is being worked on.

This is also why your repeated delete/recreate attempts didn't help — every new domain creation goes into the same blocked queue, regardless of which name you use.

What you should do

Nothing — please don't keep deleting and re-adding the domain. Once the engineering team resolves the ZeroSSL quota issue:

Your orionsbrain.zeabur.app (current entry created at 16:02 UTC) will automatically receive a valid wildcard TLS certificate
No action required from your side — no rebind, no recreate, no restart
You'll just need to refresh your browser, and HTTPS will work normally

Workaround if you can't wait

If you're blocked on needing HTTPS working immediately and can't wait for the platform fix, there's one option that bypasses the ZeroSSL pipeline entirely:

Use a custom domain you own (e.g., app.yourdomain.com). Custom domains go through a different per-domain Let's Encrypt issuance flow that's separate from the ZeroSSL wildcard pipeline that's currently capped. Bind a CNAME app.yourdomain.com → cname.zeabur.app in your DNS provider, then add the custom domain in your service's Networking tab. Usually provisions in 1–2 minutes.

Otherwise, just wait — once the engineering team clears the cert quota, your existing orionsbrain.zeabur.app will start serving valid HTTPS automatically, and we'll update this ticket to confirm. Apologies for the inconvenience!

AAnonymous4/25/2026

This post has been inactive for a while. We will be closing it in 2 days if there is no new activity.

This issue has been marked as resolved

New replies are disabled for resolved issues.

Forum

2 Replies

Diagnosis

Root cause

What you should do

Workaround if you can't wait