Branch Subdomain and SSL Certificate

@luke assuming you (as I am) are using the manual configuration, and need to create a support ticket, can that only be done on a paid plan? Or can someone on a free tier do that (if so, how?)

@joewoodhouse, please create a new “topic” (aka post) in the Admin category. If you want to keep the domain name secret (because it is preview/testing or otherwise not ready for the public) then ask for a direct message (DM) in the topic and we’ll exchange information privately that way.

Awesome thanks @luke

@joewoodhouse, I’m running into issues updating the SSL certificate and we’ll have another update here as soon as we know more.

I’m also having issues with my subdomain :confused:
Would you mind helping please?

Hi, @jahirfiquitiva, there is an inactive Netlify DNS zone for this domain ( here:

This domain is not using Netlify DNS:

	21600	IN	NS
	21600	IN	NS
	21600	IN	NS
	21600	IN	NS

This means the Netlify DNS zone above must be deleted. This can be done using the “Delete DNS zone” button at the bottom of the page linked to above.

Inactive DNS zones do prevent SSL certificate renewals.

Once the inactive zone has been deleted, please let us know and we can get the SSL certificate updated to include The instructions for domains not using Netlify DNS (like this domain) can be found here:

You don’t need to do anything (except delete the inactive DNS zone).

All the required steps listed in the “[common issue]” topic above are complete already. The only thing blocking our support team from updating the SSL certificate is the inactive DNS zone. Once it is deleted, we can complete the setup of the certificate.

@luke @fool hi folks! Could you add SSL for Branch subdomain please?
Thank you!

Hi, @html5cat. We’d be happy to do so. There are a series of requirements that must be met before this is possible as listed in the support guide linked to above.

The second step is: “2. Create the DNS record with your current DNS provider.”

However, the required DNS record doesn’t exist yet:

$ dig  +noall +answer

; <<>> DiG 9.10.6 <<>> +noall +answer
;; global options: +cmd

There is no answer when the DNS lookup is made. Before we can extend the SSL certificate to cover this domain, the DNS record must be created.

Please let us know when the record has been created and/or if there are any questions.

Oops, deleted too many things. Added the CNAME back, thank you! Should propagate soon.

You probably heard it a million times, but here’s my favourite haiku:

It’s not DNS
There’s no way it’s DNS
It was DNS

Hi, @html5cat, I also see the DNS record now and the SSL certificate has been extended to cover If there is more we can do to assist, please let us know.

Thank you so much! :paw_prints:

Hi @html5cat. I’ve set up a new site with a custom domain of and also a branch subdomain on Would it be possible to fix the SSL certificate for Appreciate it.

hi there, we took care of that for you!

Hi @perry, thank you so much for your swift response. Really appreciate it. Stay safe and have a nice day!

Hi @luke,

Is it possible to do the same for

Hey @Spomky,

This domain isn’t a branch subdomain. Rather, it’s configured as the primary domain for the site. I can also see that the certificate was automatically issued! :stars:

Sorry I meant to do the same for all branches of this domain (e.g. “develop”).
Also, is it possible to have a wildcard for future branch names?

@Spomky, there are no branches configured for this domain so there’s not a great deal I can do :frowning:! Similarly, to use our branch domain feature, you’ll need to make use of Netlify DNS.

Pro (and above) users can request a wildcard SSL cert for subdomains via the Admin category here on Community!

I’m experiencing the same situation with
I double checked the DNS config, but it seems alright.

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for The certificate is only valid for the following names: *,


Hi, @rsorage, this is the link to the failed certificate authorization attempt at Let’s Encrypt:

It references a CAA issue being the root cause. I expect the root cause is the CNAME on the apex domain which then has CAA records for it:

$ dig +noall +answer CAA
	3599	IN	CNAME
	3599	IN	CAA	0 issue ""
	3599	IN	CAA	0 issue ""
	3599	IN	CAA	0 issuewild ""

The attempt above is for a wildcard certificate and, as you can see above, wildcards are not enabled for in the CAA record. If there are other questions or concerns, please let us know.
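The CAA situation described in the last reply, as an added example that is not part of the original thread or Netlify's tooling: a small RFC 8659 style evaluator showing how a CNAME on the apex makes the target's CAA records apply, and why a wildcard request fails when `issuewild` does not list the CA. All domain names are constructed placeholders; `letsencrypt.org` is the issuer domain Let's Encrypt matches in CAA records.

```python
# Constructed zone data: every name below is a placeholder except
# "letsencrypt.org", the issuer domain Let's Encrypt matches in CAA records.
ZONE = {
    "example.com": {"CNAME": "hosting.example.net"},   # CNAME on the apex
    "hosting.example.net": {"CAA": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "other-ca.example"),
        (0, "issuewild", "other-ca.example"),
    ]},
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def lookup_caa(name, zone, max_hops=8):
    """CAA RRset a resolver returns for `name`, following CNAMEs."""
    for _ in range(max_hops):
        rrsets = zone.get(name, {})
        if "CNAME" not in rrsets:
            return rrsets.get("CAA", [])
        name = rrsets["CNAME"]
    return []  # simplification: an over-long or looping chain is treated as empty

def relevant_caa(fqdn, zone):
    """RFC 8659: climb from the name toward the root until a CAA RRset is found."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels[0] == "*":          # a wildcard is checked at the name below the "*"
        labels = labels[1:]
    while labels:
        rrset = lookup_caa(".".join(labels), zone)
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def may_issue(ca, fqdn, zone):
    """True if CAA permits `ca` to issue for `fqdn` (wildcard or not)."""
    rrset = relevant_caa(fqdn, zone)
    # A critical flag (128) on a tag the CA does not understand blocks issuance.
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t == "issue"]
    issuewild = [v for _, t, v in rrset if t == "issuewild"]
    # For wildcard names, issuewild replaces issue whenever any issuewild exists.
    props = (issuewild or issue) if fqdn.startswith("*.") else issue
    if not props:
        return True               # nothing in the RRset restricts this request
    return ca in {v.split(";")[0].strip().lower() for v in props}
```

With this constructed data, adding an `issuewild` record for `letsencrypt.org` at the CNAME target (or removing the `issuewild` records entirely) makes the wildcard request pass.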