@luke assuming you (as I am) are using the manual configuration, and need to create a support ticket, can that only be done on a paid plan? Or can someone on a free tier do that (if so, how?)
@joewoodhouse, please create a new “topic” (aka post) in the Admin category. If you want to keep the domain name secret (because it is preview/testing or otherwise not ready for the public) then ask for a direct message (DM) in the topic and we’ll exchange information privately that way.
Awesome thanks @luke
@joewoodhouse, I’m running into issues updating the SSL certificate and we’ll have another update here as soon as we know more.
I’m also having issues with my subdomain
Would you mind helping please?
Hi, @jahirfiquitiva, there is an inactive Netlify DNS zone for this domain (
This domain is not using Netlify DNS:
dashbud.dev. 21600 IN NS curitiba.porkbun.com.
dashbud.dev. 21600 IN NS salvador.porkbun.com.
dashbud.dev. 21600 IN NS maceio.porkbun.com.
dashbud.dev. 21600 IN NS fortaleza.porkbun.com.
This means the Netlify DNS zone above must be deleted. This can be done using the “Delete DNS zone” button at the bottom of the page linked to above.
Inactive DNS zones do prevent SSL certificate renewals.
Once the inactive zone has been deleted, please let us know and we can get the SSL certificate updated to include react.dashbud.dev. The instructions for domains not using Netlify DNS (like this domain) can be found here:
You don’t need to do anything (except delete the inactive DNS zone).
All the required steps listed in the “[common issue]” topic above are complete already. The only thing blocking our support team from updating the SSL certificate is the inactive DNS zone. Once it is deleted, we can complete the setup of the certificate.
The second step is: “2. Create the DNS record with your current DNS provider.”
However, the required DNS record doesn’t exist yet:
$ dig dev.pumabrowser.com +noall +answer
; <<>> DiG 9.10.6 <<>> dev.pumabrowser.com +noall +answer
;; global options: +cmd
There is no answer when the DNS lookup is made. Before we can extend the SSL certificate to cover this domain, the DNS record must be created.
Please let us know when the record has been created and/or if there are any questions.
Oops, deleted too many things. Added the CNAME back, thank you! Should propagate soon.
You probably heard it a million times, but here’s my favourite haiku:
It’s not DNS
There’s no way it’s DNS
It was DNS
Hi, @html5cat, I also see the DNS record now and the SSL certificate has been extended to cover dev.pumabrowser.com. If there is more we can do to assist, please let us know.
Thank you so much!
Hi @html5cat. I’ve set up a new site cape-sh.netlify.app with a custom domain of cape.sh and also a branch subdomain on stg.cape.sh. Would it be possible to fix the SSL certificate for stg.cape.sh? Appreciate it.
hi there, we took care of that for you!
Hi @perry, thank you so much for your swift response. Really appreciate it. Stay safe and have a nice day!
This domain isn’t a branch subdomain. Rather, it’s configured as the primary domain for the site. I can also see that the certificate was automatically issued!
Sorry I meant to do the same for all branches of this domain (e.g. “develop”).
Also, is it possible to have a wildcard for future branch names?
Pro (and above) users can request a wildcard SSL cert for subdomains via the Admin category here on Community!
I’m experiencing the same situation with
I double checked the DNS config, but it seems alright.
Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for develop.web.majoris.app. The certificate is only valid for the following names: *.netlify.com, netlify.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Hi, @rsorage, this is the link to the failed certificate authorization attempt at Let’s Encrypt:
It references a CAA issue being the root cause. I expect the root cause is the CNAME on the apex domain which then has CAA records for it:
$ dig +noall +answer majoris.app CAA
majoris.app. 3599 IN CNAME rsorage.github.io.
rsorage.github.io. 3599 IN CAA 0 issue "digicert.com"
rsorage.github.io. 3599 IN CAA 0 issue "letsencrypt.org"
rsorage.github.io. 3599 IN CAA 0 issuewild "digicert.com"
The attempt above is for a wildcard certificate and, as you can see above, wildcards are not enabled for letsencrypt.org in the CAA record. If there are other questions or concerns, please let us know.
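
The CAA check described in the last reply, as an added example that is not part of the original thread or Netlify's tooling: it parses the quoted `dig` answer and applies the RFC 8659 rule that `issuewild` overrides `issue` for wildcard requests. It goes slightly beyond the thread's case by also handling unknown critical properties and empty issuer values. The function names are hypothetical, and the records passed in are assumed to be the relevant set already found by following the CNAME.

```python
import re

# dig answer quoted in the thread, embedded so the example runs offline.
DIG_OUTPUT = """\
majoris.app. 3599 IN CNAME rsorage.github.io.
rsorage.github.io. 3599 IN CAA 0 issue "digicert.com"
rsorage.github.io. 3599 IN CAA 0 issue "letsencrypt.org"
rsorage.github.io. 3599 IN CAA 0 issuewild "digicert.com"
"""

def parse_caa(dig_text):
    """Return (cname_chain, [(flags, tag, value), ...]) from dig answer lines."""
    chain, records = [], []
    for line in dig_text.splitlines():
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip dig comment lines and blanks
        owner, _ttl, _cls, rtype, rdata = fields
        if rtype == "CNAME":
            chain.append((owner, rdata.strip()))
        elif rtype == "CAA":
            m = re.match(r'(\d+)\s+(\S+)\s+"?([^"]*)"?$', rdata.strip())
            if m:
                records.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return chain, records

def ca_may_issue(records, ca_domain, wildcard):
    """Decide whether ca_domain may issue, given the relevant CAA record set."""
    known = {"issue", "issuewild", "iodef"}
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(flags & 128 and tag not in known for flags, tag, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # Wildcard requests use issuewild when present; otherwise issue applies.
    # issuewild is ignored entirely for non-wildcard names.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True  # nothing in the set restricts this kind of request
    # Issuer domain is the part before any ";" parameters; "" authorizes nobody.
    allowed = {v.split(";")[0].strip().lower() for v in relevant}
    return ca_domain.lower() in allowed

if __name__ == "__main__":
    chain, recs = parse_caa(DIG_OUTPUT)
    print("CNAME chain:", chain)
    for wc in (False, True):
        print("letsencrypt.org wildcard=%s ->" % wc,
              ca_may_issue(recs, "letsencrypt.org", wc))
```

Adding an `issuewild "letsencrypt.org"` record to the constructed input makes the wildcard check pass, which corresponds to the CAA change the reply points to.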