I am having a similar situation, where the domain is pointed to Netlify and verified at the moment. However, issuing the Netlify-managed SSL certificate fails. I think this might be the case:
Generally, the reason we are unable to provision a complete SSL certificate for your custom domain is that the DNS cache time to live (TTL) value for a record has not had time to expire (from your old settings) before you tried to use it with Netlify. Our SSL provider (https://letsencrypt.org) is unable to create certificates for names that have old cached values still in effect. This can sometimes take 24 hours or even longer.
I am going to wait it out to see how it goes.
Or, it could be because I have DNSSEC enabled, and I asked a related question about it here.