I’m still getting the above-mentioned warning although everything is set up as described in the docs (and troubleshooting).
My Netlify site name is: khespe.netlify.app
I’m using a custom domain: www.khespe.de (primary domain) and khespe.de.
I cannot use Netlify DNS because I use my domain provider also for my mails.
You can see the DNS entries from my domain provider in the attached screenshots.
I used DNSChecker and both custom domains can be resolved in all countries.
I already asked the Netlify AI, tried manual certificate renewal and read through the troubleshooting guide. It was mentioned somewhere that in some cases the certificate needs to be repaired manually. Initially I had khespe.de as primary domain and not the right DNS setup, but I changed it over a week ago.
Anything else I missed? Visitors are not reporting any certificate issues with my site. I just need to know what’s going on because it’s crucial for my site that it works if people visit the first time.
This is a common issue when you cannot use Netlify DNS but need SSL on a custom domain. A few things to check:
CNAME vs A record: For www.khespe.de, make sure you have a CNAME pointing to khespe.netlify.app (not an A record). For the apex domain khespe.de, you need an A record pointing to Netlify’s load balancer IP (check the Netlify docs for the current IP, it has changed over time).
CAA records: If your DNS provider has CAA records set, they might be blocking Let’s Encrypt from issuing certificates. Check if there are any CAA records and either remove them or add letsencrypt.org as an allowed issuer.
Propagation time: DNS changes can take up to 48 hours to fully propagate, though usually much faster. The certificate provisioning will keep retrying automatically.
External DNS verification: Use a tool like dig or an online DNS checker to confirm your records are resolving correctly from outside your network. Sometimes local DNS caching shows stale records.
If everything looks correct in DNS and it has been more than 48 hours, the Netlify support team can usually force a certificate renewal on their end.
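The CAA check from the list above, as an added example (not part of the original reply and not Netlify's code): it applies the RFC 8659 rules to CAA records in the presentation format that `dig CAA` prints, where `issue` is the property tag that authorizes a CA. The zone data and the CA name `other-ca.example` are constructed, and CNAME aliases are not followed.

```python
import re

# Presentation format: <flags> <tag> "<value>", e.g. 0 issue "letsencrypt.org"
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"?([^"]*)"?$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample records (illustrative, not the poster's real DNS).
ZONE = {
    "example.de": ['0 issue "other-ca.example"', '0 iodef "mailto:sec@example.de"'],
    "example.org": ['0 issue "letsencrypt.org"', '0 issuewild ";"'],
}

def parse_caa(rdata):
    """Split one CAA record into (flags, tag, value)."""
    m = CAA_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = m.groups()
    return int(flags), tag.lower(), value.strip()

def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins.
    Simplification: CNAME aliases are not followed."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, [parse_caa(r) for r in zone[candidate]]
    return None, []

def ca_may_issue(name, ca, zone, wildcard=False):
    """Return (allowed, reason) for a CA identified by its CAA domain."""
    owner, records = relevant_rrset(name, zone)
    if not records:
        return True, "no CAA records: any CA may issue"
    # An unknown property with the critical bit (128) set forbids issuance.
    if any(f & 128 and t not in KNOWN_TAGS for f, t, _ in records):
        return False, f"unknown critical property at {owner}"
    # For wildcard requests, issuewild (if present) replaces issue.
    use_wild = wildcard and any(t == "issuewild" for _, t, _ in records)
    tag = "issuewild" if use_wild else "issue"
    values = [v for _, t, v in records if t == tag]
    if not values:
        return True, f"no {tag} property at {owner}: issuance not restricted"
    # The issuer domain is whatever precedes optional ';' parameters.
    issuers = {v.split(";", 1)[0].strip().lower() for v in values}
    if ca.lower() in issuers:
        return True, f"{ca} authorized by {tag} at {owner}"
    named = sorted(issuers - {""}) or "nobody"
    return False, f"{tag} at {owner} authorizes only {named}"
```

A subdomain without its own CAA set inherits the parent's, so a restrictive record on the apex also blocks issuance for `www`.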
I would appreciate it if the Netlify team can force a certificate renewal. If you think that adding letsencrypt.org as CAA record will do the trick, please tell me which tag to add there (or if I can just choose one because it doesn’t matter).
It sounds like the warning is likely a leftover from when the domain settings weren’t correct. Since you updated the DNS and primary domain, the SSL certificate may just need some time to fully refresh. Double-check your DNS records for the web, then try manually renewing or repairing the certificate in Netlify. If everything is correct, it should update automatically and visitors won’t see any issues.
Hi, @Looque. You are correct that all the DNS is correct now. It looks like the error is from back on 2026-02-04.
I just clicked the “Renew certificate” button in the SSL/TLS certificate form at Netlify and the SSL was automatically provisioned when I did so. However, the fix was likely DNS changes you made earlier (probably back on 2026-02-04). I cannot say when those changes occurred, only that the DNS was perfect when I checked it today.
The SSL is working for both khespe.de and www.khespe.de now.