"Let's Encrypt" SSL certificate has default domain name instead of custom domain [Deploy previews]

The Netlify admin panel is saying that the domain configuration is correct and the domain is configured properly (I see a :white_check_mark: Netlify DNS notification next to this domain).
The HTTPS section is saying that everything is right as well. I see the correct domain in the certificate section, but a specific deploy preview website is being served with an incorrect SSL certificate (this certificate covers only the *.netlify.app domain).
I don't use a custom certificate, only the default Let's Encrypt option.
The domain was configured 1 week ago, so TTL shouldn't be the reason here imo.

Are the records Proxied or DNS Only?

Hello @dig

It is configured as DNS Only.

What is the (sub)domain in question @RomSF?

Original Netlify domain: streamflow-staging-preview.netlify.app
My custom domain that's delegated to Netlify with NS records is preview-beta.streamflow.finance
This custom subdomain works correctly all the way: branches are deploying and they have assigned branch URLs, except for the SSL certificate.

Attaching a part of the DNS configuration at Cloudflare that relates to this custom subdomain,

and the part of the Netlify admin panel that's saying the domain should be correct.


The certificate on preview-beta.streamflow.finance looks fine to me:

$ curl -svo /dev/null 2>&1 https://preview-beta.streamflow.finance | egrep 'Server certificate' -A6
* Server certificate:
*  subject: CN=preview-beta.streamflow.finance
*  start date: Jan 24 09:38:49 2024 GMT
*  expire date: Apr 23 09:38:48 2024 GMT
*  subjectAltName: host "preview-beta.streamflow.finance" matched cert's "preview-beta.streamflow.finance"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
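The curl check above only reports what the edge serves for that one exact SNI. As an added example (not code from the thread or from Netlify), the script below pulls the SAN list a host serves for any SNI and applies browser-style wildcard matching, so you can see which of the hostnames in this thread a given certificate actually covers. The deploy-preview number in the sample hostname is a made-up placeholder.

```python
import socket
import ssl


def served_san_names(host: str, sni: str, port: int = 443) -> list[str]:
    """Open a TLS connection to `host`, send `sni` as the server name, and
    return the DNS names from the served certificate's subjectAltName.
    Chain validation stays on; only the hostname check is disabled, so a
    validly issued certificate for the *wrong* name can still be inspected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, hostname: str) -> bool:
    """Hostname matching the way browsers do it (RFC 6125): an exact match,
    or a pattern whose leading '*' stands for exactly one DNS label.
    The wildcard never spans a dot, so '*.netlify.app' does not cover
    'a.b.netlify.app', and no wildcard covers a different parent domain."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    tail = pattern.split(".")[1:]
    labels = hostname.split(".")
    return len(labels) == len(tail) + 1 and labels[1:] == tail


def covered(san_names: list[str], hostname: str) -> bool:
    """True when any SAN entry in the certificate covers `hostname`."""
    return any(name_matches(p, hostname) for p in san_names)


if __name__ == "__main__":
    # Constructed SAN lists: the default *.netlify.app certificate the reporter
    # saw, and the custom-domain certificate from the curl output above.
    default_cert = ["*.netlify.app"]
    custom_cert = ["preview-beta.streamflow.finance"]
    for name in ("streamflow-staging-preview.netlify.app",
                 "preview-beta.streamflow.finance",
                 "deploy-preview-12.preview-beta.streamflow.finance"):  # made-up number
        print(f"{name}: default={'ok' if covered(default_cert, name) else 'MISMATCH'}"
              f" custom={'ok' if covered(custom_cert, name) else 'MISMATCH'}")
    # Live check (needs network): what does the edge serve for the custom SNI?
    # print(served_san_names("preview-beta.streamflow.finance", "preview-beta.streamflow.finance"))
```

Note that a certificate issued for preview-beta.streamflow.finance alone does not cover a deploy-preview hostname one label below it; that needs a SAN of *.preview-beta.streamflow.finance.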

This is interesting :thinking:

The very first SSL checker on Google search (SSL Checker) is saying that we have a name mismatch, so it looks like the subjects are different between curl, browsers and web tools?

I see the same error in all my browsers (Google Chrome, Firefox, Safari).
Name mismatch:

Hi, @RomSF. The Automatic deploy subdomains feature only works if you delegate an apex domain or one of its subdomains to Netlify DNS. Quoting that page:

Domain requirements

The custom domain you set as your automatic deploy subdomain must be managed by Netlify DNS and available to your team.

You have not delegated any domains or subdomains to Netlify DNS, and that is why this feature is not working.

Hi, @luke.
Thank you for the contribution to resolving this.

Am I getting this right that this marker doesn't mean that I delegated the subdomain to Netlify DNS?

Since every function works as expected (deploys, associated domains like deploy-preview-XXX.preview-beta…, PR notifications, etc.), I assume that the subdomain's authority is correctly passed to Netlify.

Is it working differently? Am I missing anything here?
I cannot delegate the apex domain though, because of other things configured there.

Have you read through this documentation @RomSF?

Hi @RomSF,

That marker indicates that there is a Netlify DNS Zone; however, it doesn't necessarily mean DNS is configured correctly. For the apex domain, the DNS Zone is inactive:

dig streamflow.finance NS +trace | tail -n 6
;; Received 612 bytes from in 109 ms

streamflow.finance.	86400	IN	NS	harvey.ns.cloudflare.com.
streamflow.finance.	86400	IN	NS	may.ns.cloudflare.com.
;; Received 103 bytes from 2803:f800:50::6ca2:c398#53(harvey.ns.cloudflare.com) in 43 ms

The cloudflare.com name servers are configured instead of the Netlify name servers mentioned here: Netlify App

For preview-beta.streamflow.finance I'm seeing mixed results; however, the response is received from Cloudflare:

dig preview-beta.streamflow.finance NS +trace | tail -n 6
preview-beta.streamflow.finance. 300 IN	NS	dns4.p08.nsone.net.
;; Received 149 bytes from in 31 ms

This Support Guide explains what an inactive DNS Zone is and how to fix it: