NetlifyDNS - branch subdomain cert error

Site name: https is the primary domain, using Netlify DNS.

branch subdomain https - cert error


browser screenshot: Image 2020-06-22 at 11.38.23

Your site has HTTPS enabled
Certificate: Custom
Domains:, *,

Since our docs site is live, I don’t want to click Update custom certificate or Use Let’s Encrypt certificate without understanding what’s causing the subdomain cert error.

How do I resolve the subdomain cert error? We will be creating a new subdomain every time we version our documentation (2-3 times/year).



Hi, @aimeeu, the SSL certificate used doesn’t cover

The covered domains are:

  • *

Note, the wildcard domain (* only covers that one level of subdomain (one level only under It will cover all of the following:


However, it will not cover any of the following:


You would need to have an SSL certificate which also includes * to cover subdomains under

If there are other questions about this, please let us know.
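
The one-level wildcard rule described in the reply above, as an added example that is not part of the original thread or Netlify's own code. All hostnames and certificate entries are constructed placeholders under example.com, and the function names are hypothetical.

```python
from __future__ import annotations

# Added example: which hostnames does a certificate's SAN list actually cover?
# Every name below is a constructed placeholder, not one of the site's domains.


def _labels(name: str) -> list[str]:
    """Lower-case a DNS name, drop a trailing dot, and split it into labels."""
    return name.strip().rstrip(".").lower().split(".")


def san_matches(hostname: str, san: str) -> bool:
    """True if one SAN entry covers hostname.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so it never matches the apex or a deeper subdomain.
    """
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern) or "" in host:
        return False  # label counts must be equal; empty labels are invalid
    if pattern[0] == "*":
        # Refuse a bare "*.tld" pattern; the remaining labels must match exactly.
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def audit(hostnames: list[str], sans: list[str]) -> dict[str, str | None]:
    """Map each hostname to the SAN entry that covers it, or None if uncovered."""
    return {h: next((s for s in sans if san_matches(h, s)), None) for h in hostnames}


# Constructed certificate contents and the names a branch-subdomain setup might serve.
CERT_SANS = ["example.com", "*.example.com"]
SITE_NAMES = [
    "example.com",
    "docs.example.com",          # one level under the apex: covered by the wildcard
    "archive.docs.example.com",  # two levels down: needs *.docs.example.com
    "v2.docs.example.com",
]

if __name__ == "__main__":
    for name, san in audit(SITE_NAMES, CERT_SANS).items():
        print(f"{name:28} {'covered by ' + san if san else 'NOT covered'}")
```

Running the audit against the planned branch subdomains before creating them shows which names need an additional wildcard entry in the certificate.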

Thanks for the reply! I inherited this Netlify account so I’m not familiar with how the original was set up.

Only uses Netlify. The Armory engineers configured to use Netlify’s domain servers, so that’s why the Domain Management UI states that uses Netlify DNS, right?

How do I configure to be the only top-level domain, so that Netlify automatically creates a cert for and all subdomains of that I create using the Branch Subdomain functionality? I’d like for Netlify to manage the site certs; I don’t want to use an external certificate authority.

I also need to:

  1. Delete Netlify site
  2. Delete and domains - will this delete the associated custom certificate?

No, someone misconfigured our system to look like that though! Our DNS hosting is not in use for that domain (it is NOT delegated to us):

$ host -t soa has no SOA record


…so you should remove it so our system works correctly. You can do that here:

Incorrect configuration of our DNS hosting when not used causes incorrect behavior with SSL such as what you’re seeing.

Once you do that, let me know and I can try to update the SSL certificate to include your preferred list of branch subdomains, assuming you have DNS set up (at AWS!) as mentioned in this article:

You’ll need to ping us with the list after it is configured, and we’ll be able to help get it in place for you in the cert.

@fool Thanks for the detailed response!

At Armory we use Terraform to manage our DNS records. I verified that the DNS entry is type “NS” and is indeed delegating to Netlify’s nameservers and thus using Netlify DNS.

Steps I took to resolve the subdomain SSL cert error:

  • Deleted the site that is no longer used; now there is only the ( site
  • Switched to the “Let’s Encrypt” certificate
  • Created a new “archive” branch and configured Netlify to deploy it
  • Created a new subdomain for the archive branch
  • Verified that the HTTPS certificate section contained both and