DNS Propagation and SSL


A little more than 15 hours ago I changed my DNS in Namecheap to point to Netlify instead of Cloudflare. However, my domain seems to be having problems propagating and generating an SSL certificate.

I’ve run the following commands:

whois thepolyglotdeveloper.com
whois www.thepolyglotdeveloper.com

Without the CNAME, I get the following result:

Name Server: dns1.p03.nsone.net 
Name Server: dns2.p03.nsone.net 
Name Server: dns3.p03.nsone.net 
Name Server: dns4.p03.nsone.net

This looks good, but when I use WHOIS with the CNAME, I get the following:

nserver:      A.GTLD-SERVERS.NET 2001:503:a83e:0:0:0:2:30
nserver:      B.GTLD-SERVERS.NET 2001:503:231d:0:0:0:2:30
nserver:      C.GTLD-SERVERS.NET 2001:503:83eb:0:0:0:0:30
nserver:      D.GTLD-SERVERS.NET 2001:500:856e:0:0:0:0:30
nserver:      E.GTLD-SERVERS.NET 2001:502:1ca1:0:0:0:0:30
nserver:      F.GTLD-SERVERS.NET 2001:503:d414:0:0:0:0:30
nserver:      G.GTLD-SERVERS.NET 2001:503:eea3:0:0:0:0:30
nserver:      H.GTLD-SERVERS.NET 2001:502:8cc:0:0:0:0:30
nserver:      I.GTLD-SERVERS.NET 2001:503:39c1:0:0:0:0:30
nserver:      J.GTLD-SERVERS.NET 2001:502:7094:0:0:0:0:30
nserver:      K.GTLD-SERVERS.NET 2001:503:d2d:0:0:0:0:30
nserver:      L.GTLD-SERVERS.NET 2001:500:d937:0:0:0:0:30
nserver:      M.GTLD-SERVERS.NET 2001:501:b1f9:0:0:0:0:30

That may be normal, I don’t know. I extend my testing, as recommended in the documentation. I run the following commands:

curl -s -v thepolyglotdeveloper.com
curl -s -v www.thepolyglotdeveloper.com

Both commands come back with Netlify being the server, which I assume is good. I suspect if it wasn’t good, Cloudflare or DigitalOcean would have come back since I was using them prior.

Next, I execute the following commands:

dig thepolyglotdeveloper.com @dns1.p03.nsone.net
dig thepolyglotdeveloper.com @dns2.p03.nsone.net
dig thepolyglotdeveloper.com @dns3.p03.nsone.net
dig thepolyglotdeveloper.com @dns4.p03.nsone.net

I get results back, but I’m not entirely sure what they mean, even after looking through the documentation. The IP addresses that come back are owned by Cloudflare and DigitalOcean. I don’t know if that is what Netlify uses behind the scenes, or if I’ve got another problem.

Inside my Netlify dashboard for my site, the primary domain and my domain redirect seem to be shuffling around the status “Check DNS Configuration”. By shuffle I mean, if I refresh the page throughout the day, the message alternates between the domains and sometimes even shows them as complete, however that isn’t truly the case.

When it comes to my SSL certificate, my alias seems to have received the certificate. This alias is a CNAME for my primary domain which is odd because I would have thought if my CNAME could get a certificate, why not the entire domain?

I’m at a loss here because my site has been non-functional for a long time, much longer than any domain I’ve ever transferred. I have no insight into if there is a problem or if it is just propagating slow.

Any help would be appreciated.


To follow up,

This is working now. The additional delay seems to have been enough to allow things to work right when our system attempted to re-issue the certificate.

Generally, the reason we are unable to provision a complete SSL certificate for your custom domain is that the DNS cache time to live (TTL) value for a record has not had time to expire (from your old settings) before you tried to use it with Netlify. Our SSL provider (https://letsencrypt.org) is unable to create certificates for names that have old cached values still in effect.

I’m not sure what was happening, but the issue is resolved. However, I think something else was contributing to the problems as well.

I was receiving the following error from an ALIAS I added:

Domain has multiple A records

While I’m not 100% sure the ALIAS and the propagation issue were related, it seemed to resolve about 30 minutes after I removed it.

I opened a new ticket for the ALIAS issue as I think it warranted a separate thread:

Super duper appreciate your followup in the thread here @nraboy - this is one of the primary motivators for creating these forums: to help people discover solutions to their similar issues!

The multiple A records just means exactly that: we saw two answers when we queried DNS. Two causes for this are indeed DNS propagation delay (your old service, like Cloudflare, may automatically provision multiple A records for a single resource), or misconfiguration like an additional record added on our side (ALIAS and our NETLIFY records would look very similar to two A records to our detector).

If you see this kind of answer from a DNS query:

$  host cloudflare.com
cloudflare.com has address
cloudflare.com has address

that will lead to us giving the multiple-A-records error. And usually once that has happened, you do indeed have to wait for the cache for those answers to clear up (well, the wrong one to time out, at least).
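The two checks this thread turns on, whether every authoritative server answers with the same single A record (the dig commands in the original post) and how long a stale answer can survive in caches (the TTL point in the staff reply), can be automated. The script below is an added example written for this page, not code from Netlify or from anyone in the thread. It parses dig-style answer sections offline; the answers and the 192.0.2.x / 198.51.100.x addresses are constructed from RFC 5737 documentation ranges and are not the real addresses involved, and the server names are only labels for the sample. It uses dig-format records rather than whois because whois reports registration data (which is why the www query in the original post came back with the .com registry's servers), not the zone's records. To use it against a live zone, feed `dig +noall +answer <name> @<nameserver>` output into `check_cutover` instead of `SAMPLE_ANSWERS`.

```python
"""Check a DNS cut-over from dig-style answer sections (added example)."""

# Constructed sample answers, one per server queried, in dig's answer-section
# format: owner TTL class type rdata.  Addresses are RFC 5737 documentation
# addresses, not real Netlify / Cloudflare / DigitalOcean addresses.
SAMPLE_ANSWERS = {
    # Two authoritative servers already publishing the new (expected) address.
    "dns1.p03.nsone.net": "thepolyglotdeveloper.com. 300 IN A 192.0.2.10\n",
    "dns2.p03.nsone.net": "thepolyglotdeveloper.com. 300 IN A 192.0.2.10\n",
    # A resolver still serving the pre-cutover address with a long TTL.
    "stale-resolver.example": "thepolyglotdeveloper.com. 13800 IN A 198.51.100.7\n",
    # An extra ALIAS flattened beside the new record: two A answers at once,
    # which is what the "Domain has multiple A records" error reflects.
    "dns3.p03.nsone.net": (
        "thepolyglotdeveloper.com. 300 IN A 192.0.2.10\n"
        "thepolyglotdeveloper.com. 300 IN A 198.51.100.7\n"
    ),
}


def parse_answers(text):
    """Parse dig +noall +answer output into (owner, ttl, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop dig's ';' comment lines
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) != 5:
            raise ValueError(f"unexpected answer line: {line!r}")
        owner, ttl, _rclass, rtype, rdata = parts
        records.append((owner.rstrip(".").lower(), int(ttl), rtype.upper(), rdata.strip()))
    return records


def check_cutover(answers_by_server, expected_a):
    """Compare every server's A answers with the address the new host should publish.

    Returns a dict with per-server issues, an overall ok flag, and wait_seconds:
    the largest TTL seen on a stale A record, i.e. the longest any cache can keep
    serving the old address before the Let's Encrypt validation can succeed.
    """
    findings = {}
    max_stale_ttl = 0
    for server, text in answers_by_server.items():
        a_records = [r for r in parse_answers(text) if r[2] == "A"]
        a_values = {r[3] for r in a_records}
        issues = []
        if not a_values:
            issues.append("no A record in answer")
        if len(a_values) > 1:
            issues.append("Domain has multiple A records")
        stale = a_values - set(expected_a)
        if stale:
            issues.append(f"stale/unexpected A value(s): {sorted(stale)}")
            max_stale_ttl = max(
                max_stale_ttl, max(r[1] for r in a_records if r[3] in stale)
            )
        findings[server] = issues
    return {
        "findings": findings,
        "ok": not any(findings.values()),
        "wait_seconds": max_stale_ttl,
    }


if __name__ == "__main__":
    report = check_cutover(SAMPLE_ANSWERS, {"192.0.2.10"})
    for server, issues in report["findings"].items():
        print(f"{server}: {'ok' if not issues else '; '.join(issues)}")
    print("cut-over complete" if report["ok"] else
          f"not yet consistent; stale answers can live up to {report['wait_seconds']}s")
```

A consistent cut-over is one where every server reports exactly the expected address and nothing else; until `wait_seconds` has elapsed since the old record was last served, a certificate request can still validate against the old value.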