I cannot provision a Let’s Encrypt certificate for my custom domain or provide my own

I have a custom domain and initially the automatic TLS service authenticates the DNS then fails when provisioning.

I have also tried to provide my own certificate via Digicert and converted the CSR to a PEM and am still not having any luck.
It rejects the cert with the error message “is not a valid PEM certificate”.

Only a site name or a custom domain name can help us check this :slight_smile:

Hi @LouisSawyer

I see rfidentikit.com is using Netlify DNS.

% dig rfidentikit.com NS
rfidentikit.com.	172800	IN	NS	dns4.p01.nsone.net.
rfidentikit.com.	172800	IN	NS	dns1.p01.nsone.net.
rfidentikit.com.	172800	IN	NS	dns2.p01.nsone.net.
rfidentikit.com.	172800	IN	NS	dns3.p01.nsone.net.

I also see there is an A record pointing to 75.2.60.5.

% dig rfidentikit.com A
rfidentikit.com.	300	IN	A	75.2.60.5

And the www subdomain is configured with a CNAME to the apex.

% dig www.rfidentikit.com
www.rfidentikit.com.	14400	IN	CNAME	rfidentikit.com.
rfidentikit.com.	290	IN	A	75.2.60.5

This is an incorrect configuration: the IP address used here is for external DNS configuration.

When using Netlify DNS, you need only add the domain to your site and DNS records are automatically configured (these are special NETLIFY records) and a Let’s Encrypt certificate is automatically generated. See the “Assign a domain to a site” section of the Custom domains documentation.


:wave: @LouisSawyer , as for the “is not a valid PEM certificate” issue, we have a blog article on installing custom certificates that may help. Also, make sure the private key is not encrypted!
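
A quick way to see what a PEM file actually contains before uploading it, as an added example that is not part of the original thread or Netlify's own tooling. It inspects only the PEM framing (block label, legacy encryption headers, base64 body), not the DER inside; `classify_pem`, `_block` and the sample blocks are constructed for illustration.

```python
import base64
import re

# A PEM block: matching BEGIN/END labels around optional headers and a base64 body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem(text):
    """Return a list of (label, verdict) pairs, one per PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        headers = [ln for ln in lines if ":" in ln]            # e.g. Proc-Type, DEK-Info
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            if not base64.b64decode(payload, validate=True):
                raise ValueError("empty body")
        except ValueError:
            results.append((label, "corrupt or empty base64 body"))
            continue
        if label == "CERTIFICATE":
            verdict = "certificate"
        elif label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
            verdict = "CSR, not a certificate"
        elif label == "ENCRYPTED PRIVATE KEY":
            verdict = "encrypted private key (PKCS#8)"
        elif label.endswith("PRIVATE KEY"):
            legacy = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
            verdict = "encrypted private key (legacy header)" if legacy else "unencrypted private key"
        else:
            verdict = "unexpected block type"
        results.append((label, verdict))
    return results or [("", "no PEM block found (DER or other binary format?)")]

def _block(label, headers=""):
    # Constructed sample: the body is placeholder bytes, not real DER.
    body = base64.b64encode(b"constructed placeholder, not real DER").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"

SAMPLE_CSR = _block("CERTIFICATE REQUEST")
SAMPLE_CERT = _block("CERTIFICATE")
SAMPLE_KEY = _block("PRIVATE KEY")
SAMPLE_ENC_KEY = _block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n")

if __name__ == "__main__":
    for name in ("SAMPLE_CSR", "SAMPLE_CERT", "SAMPLE_KEY", "SAMPLE_ENC_KEY"):
        print(name, classify_pem(globals()[name]))
```
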