Netlify DNS not working custom domain GoDaddy

Hi there. I’m dealing with the “We could not provision a Let’s Encrypt certificate for your custom domain.” error.
My Netlify site name is stirring-sundae-0a995c.netlify.app and my custom domain is app.dbxdbx.com.

My server HTTPS is working, but I can’t get a certificate.

Hi, can you confirm the domain name? Nothing is popping up when I type this in.

@SamO Oh, I’m sorry. I misspelled it. The domain name is app.dbxdbx.com.

Hi, @sewonjun. There is a DNS error occurring when Let’s Encrypt tries to confirm the presence (or absence) of the CAA record for the apex domain dbxdbx.com. Checking for this record is a requirement for all certificate authorities (like Let’s Encrypt). Because the error is occurring, no SSL can be provisioned.

I also get an error when I attempt that DNS lookup:

$ dig dbxdbx.com CAA

; <<>> DiG 9.18.19 <<>> dbxdbx.com CAA
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5626
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
; EDE: 23 (Network Error): ([198.51.45.3] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([205.251.199.212] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([198.51.44.67] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([198.51.44.3] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([198.51.45.67] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([205.251.196.84] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([2600:9000:5301:2900::1] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([205.251.194.132] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 23 (Network Error): ([205.251.193.41] rcode=REFUSED for dbxdbx.com/caa)
; EDE: 22 (No Reachable Authority): (At delegation dbxdbx.com for dbxdbx.com/caa)
;; QUESTION SECTION:
;dbxdbx.com.			IN	CAA

;; Query time: 201 msec
;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
;; WHEN: Fri Nov 24 14:18:05 PST 2023
;; MSG SIZE  rcvd: 583

It looks like Netlify DNS name servers were added at the registrar in addition to AWS Route 53 name servers:

$ whois dbxdbx.com | egrep '^Name Server'
Name Server: DNS1.P03.NSONE.NET
Name Server: DNS2.P03.NSONE.NET
Name Server: DNS3.P03.NSONE.NET
Name Server: DNS4.P03.NSONE.NET
Name Server: NS-644.AWSDNS-16.NET
Name Server: NS-1108.AWSDNS-10.ORG
Name Server: NS-2004.AWSDNS-58.CO.UK
Name Server: NS-297.AWSDNS-37.COM

The configuration above is not supported. We do not support using Netlify DNS in conjunction with a third-party DNS service. Also, the DNS zone created at Netlify is only for the app subdomain (which is a supported configuration but it has not been configured correctly at this time).

I was attempting to write up suggestions but even the AWS Route 53 DNS isn’t working when I test:

$ dig dbxdbx.com SOA  @NS-297.AWSDNS-37.COM

; <<>> DiG 9.18.19 <<>> dbxdbx.com SOA @NS-297.AWSDNS-37.COM
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46475
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;dbxdbx.com.			IN	SOA

;; Query time: 41 msec
;; SERVER: 2600:9000:5301:2900::1#53(NS-297.AWSDNS-37.COM) (UDP)
;; WHEN: Fri Nov 24 14:26:13 PST 2023
;; MSG SIZE  rcvd: 28

My suggestion at this point would be to revert to using the name servers for the registrar and using the external DNS instructions below instead:

After reverting to the registrar’s DNS service, you would create the following DNS record at the registrar:

app.dbxdbx.com.		300	IN	CNAME	stirring-sundae-0a995c.netlify.app.

At that point, the SSL provisioning will succeed.

If there are questions about any of this, please let us know.
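
The two checks from the diagnosis above (does each delegated name server actually serve the zone, and which upstream servers did the resolver see refusing) as a script. This is an added example, not part of the original thread or Netlify's tooling. The function names are hypothetical; the sample inputs are excerpts of the dig output above plus one constructed healthy reply.

```shell
# Classify one dig reply (stdin) from a name server that was queried directly.
# A server that really hosts the zone answers NOERROR with the "aa" flag set.
classify_dig() {
  awk '
    /->>HEADER<<-/ && match($0, /status: [A-Z]+/) { status = substr($0, RSTART + 8, RLENGTH - 8) }
    /^;; flags:/ {
      f = $0; sub(/^;; flags:/, "", f); sub(/;.*/, "", f)
      aa = ((" " f " ") ~ / aa /)
    }
    END {
      if (status == "") print "no-response"
      else if (status == "NOERROR" && aa) print "authoritative"
      else print "lame:" status
    }'
}

# From a resolver's SERVFAIL reply (stdin), list the upstream servers whose
# answer the Extended DNS Error (EDE) lines report as REFUSED.
refused_upstreams() {
  sed -n 's/^; EDE: .*(\[\([^]]*\)] rcode=REFUSED.*/\1/p'
}

# Live use (needs dig and network access): check_ns ZONE NAMESERVER...
# Queries each delegated server itself, without recursion.
check_ns() {
  zone=$1; shift
  for ns in "$@"; do
    printf '%s %s\n' "$ns" "$(dig +norecurse +time=3 +tries=1 "$zone" SOA "@$ns" | classify_dig)"
  done
}

# Sample input: "route53" and "resolver" are excerpts of the dig output in
# this thread; "healthy" is constructed.
sample() {
  case $1 in
    route53) printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 46475' \
      ';; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0' ;;
    healthy) printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1' \
      ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0' ;;
    resolver) printf '%s\n' \
      ';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 5626' \
      '; EDE: 23 (Network Error): ([198.51.45.3] rcode=REFUSED for dbxdbx.com/caa)' \
      '; EDE: 23 (Network Error): ([205.251.199.212] rcode=REFUSED for dbxdbx.com/caa)' \
      '; EDE: 22 (No Reachable Authority): (At delegation dbxdbx.com for dbxdbx.com/caa)' ;;
  esac
}
```

For live use, pass the zone and every name server listed at the registrar to `check_ns`; any result other than `authoritative` marks a server that is delegated to but does not serve the zone.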

Thanks for your reply. I’ve solved the problem using external DNS.