Problems pointing external domain to netlify

Hi. I tried to follow Netlify’s process to point a custom domain to my Netlify website, that is, the second step from https://app.netlify.com/sites/MYSITENAME/domain-management/setup

However, I’m still unable to set up the SSL certificate through Netlify. When I go to https://app.netlify.com/sites/polite-granita-2e99a4/domain-management#https and click “Retry DNS verification”, I get:

DNS verification failed
randomrhythmgenerator.com doesn’t appear to be served by Netlify

I used DNS Checker to watch the DNS propagation, and right now, after over 24h, it seems the nameserver settings have propagated to all the DNS servers.

When I try to access the domain I get an ERR_SSL_PROTOCOL_ERROR error.

I assume this shows because I haven’t been able to issue Netlify’s SSL certificate, and that’s why I’m unable to access the site.

Is it possible that I’m unable to issue the Netlify SSL certificate because in DNS Checker I only recently got all 30 DNS server checks passing (up until now it was still oscillating between 28-29/30), and I should just wait a bit more?

It’s my second try at setting up this domain to point to Netlify, and I would like to make sure I’m doing this right this time.

The other doubt I have: when I tried to follow Netlify’s automated process for setting up the domain, I saw the information that providing the DNS records (A, AAAA, and others) is optional. However, I just re-wrote all the records from my domain provider, as the other information I saw from Netlify was:

" Important note: If you have any existing DNS records (like MX records for email), make sure to add these to Netlify DNS before changing the nameservers to avoid service interruptions. You can find more information on this in the Support Guide: How do I migrate a domain to Netlify DNS with zero downtime?"

I’m not sure now if I put correct values in the A record or AAAA record name - do those values matter at all when using Netlify’s DNS, or is the only thing that matters to put Netlify’s nameservers in the domain provider (registrar)?

Could there be any more things to check to make sure that everything is ok (or will be ok - after the propagation / DNSes cache clearing)?

Netlify site: https://polite-granita-2e99a4.netlify.app/
Custom domain: randomrhythmgenerator.com

Side note: in this panel under “Production domains”, I still see the “Awaiting for Netlify DNS” status under my added external domain name.

Most importantly, curl -s -v http://randomrhythmgenerator.com 2>&1 | grep -i server shows:

server: LiteSpeed

and not Netlify

You’re explicitly pointing your website to somewhere else:

Not sure why those records exist.

Hey, Thanks for the feedback. Should I just delete them?

Yes! Your domain should be pointing to Netlify.

I just deleted them and waited around 40 minutes (TTL was 30). DNSChecker shows empty A and AAAA records for all DNS servers: DNS Checker - DNS Check Propagation Tool

I still get the "randomrhythmgenerator.com doesn’t appear to be served by Netlify " error when clicking “Retry DNS verification”.

Now it’s even worse, I would say, because doing curl -s -v HTTP://randomrhythmgenerator.com gives a “Could not resolve” error.

Any way to debug this more at this stage? Will be grateful for some more advice.

OK, I was able to get this running by adding a CNAME record in the DNS panel that points to the Netlify automatically generated subdomain

not sure if this is how it’s supposed to be but this works

the problem I have now is I can’t provision the certificate:

We could not provision a Let’s Encrypt certificate for your custom domain.

Please read our [troubleshooting guide](https://answers.netlify.com/t/support-guide-troubleshooting-ssl-certificate-errors/39865) for some tips on what might be happening.

I went briefly through troubleshooting, but seems everything from there is fine. The nameservers have propagated for main domain, the CAA records for let’s encrypt are in place, Let’s Debug doesn’t show any errors when running any of the tests.

Occasionally I get a message:

bad dns for custom domain

I went through:

but can’t find an error

Hi @tkozuch,

Looking at the Netlify DNS Zone, I see you have an A Record that’s pointing to 75.2.60.5. This shouldn’t be needed and could be causing issues with the SSL certificate trying to provision. Could you remove the A Record that was created for randomrhythmgenerator.com that’s pointing to 75.2.60.5 and see if that helps?

Hi. I’m trying a lot of things now. I followed various guides, and the latest one, after which I tried setting up this A record, was:

But before this I didn’t have that record and it was also not working. I just deleted it now, and it’s still the same.

Hi @tkozuch,

Thanks for following up. I apologize, I see that I missed there was also a CNAME Record for randomrhythmgenerator.com within the DNS Zone, could you also remove that?

After removing, please let us know and we’ll check on our end.

Thanks for replies.

Just deleted it now

I forgot to mention that without the CNAME the domain without ‘www’ doesn’t work.

With it I wasn’t able to get the SSL cert, but it was still working.

The state now, without the CNAME: ‘randomrhythmgenerator.com’ is not working, ‘www.randomrhythmgenerator.com’ is working over plain HTTP, and from the Netlify panel I see that the domain is not recognized as being served by Netlify (message when trying to provision the certificate).

Hi @tkozuch,

Thanks for following up. Looks like when the A Record was removed it caused an issue with the NETLIFY Record. I fixed that on our end, however, it looks like there’s a CAA Record that’s preventing Let’s Encrypt from provisioning the SSL certificate:

```
dig CAA randomrhythmgenerator.com

; <<>> DiG 9.10.6 <<>> CAA randomrhythmgenerator.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 45299
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;randomrhythmgenerator.com.	IN	CAA

;; ANSWER SECTION:
randomrhythmgenerator.com. 14400 IN	CAA	0 issuewild "digicert.com"
randomrhythmgenerator.com. 14400 IN	CAA	0 issuewild "sectigo.com"
randomrhythmgenerator.com. 14400 IN	CAA	0 issuewild "pki.goog"
randomrhythmgenerator.com. 14400 IN	CAA	0 issuewild "comodoca.com"
randomrhythmgenerator.com. 14400 IN	CAA	0 issuewild "globalsign.com"

;; Query time: 147 msec
;; SERVER: 2600:6c5d:f0:9250::1#53(2600:6c5d:f0:9250::1)
;; WHEN: Tue Dec 03 10:46:03 CST 2024
;; MSG SIZE  rcvd: 226
```

You can either remove that record entirely, or update it to allow Let’s Encrypt, like so:

```
randomrhythmgenerator.com        CAA 0 issue "letsencrypt.org"
```

Here are a few resources about the CAA requirements for Let’s Encrypt:

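To make the CAA rule concrete, here is an added example (not Netlify’s or Let’s Encrypt’s code, and not part of the original thread) that parses CAA records as `dig` prints them and applies the RFC 8659 evaluation rules for a given CA: `issuewild` records are ignored for a non-wildcard name, an `issuewild` record takes precedence over `issue` for a wildcard name, a record whose flag has bit 7 set with an unrecognised tag blocks issuance, and an empty issuer domain (`";"`) blocks every CA. The sample records are constructed from the dig output quoted above. Note the corner case this exposes: a zone with only `issuewild` entries leaves non-wildcard issuance unrestricted by the letter of the RFC, so whatever a given CA or Netlify’s own pre-check does with that corner, the robust fix is the explicit `issue "letsencrypt.org"` record the reply recommends (plus a matching `issuewild` if you ever want a wildcard certificate).

```python
"""CAA evaluation helper (added example for this thread; not Netlify's or
Let's Encrypt's code). Parses CAA records from a dig ANSWER section and
applies RFC 8659 to decide whether a CA may issue for a name."""
import re
from dataclasses import dataclass

# One dig ANSWER line, e.g.
#   randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "digicert.com"
_CAA_LINE = re.compile(
    r'^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+CAA\s+(?P<flags>\d+)\s+'
    r'(?P<tag>[A-Za-z0-9]+)\s+"(?P<value>[^"]*)"\s*$'
)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    @property
    def critical(self) -> bool:
        return bool(self.flags & 0x80)  # bit 7: "issuer critical"


def parse_dig_caa(text: str) -> list[CAARecord]:
    """Collect CAA records from dig output; lines that are not CAA records are skipped."""
    records = []
    for line in text.splitlines():
        m = _CAA_LINE.match(line.strip())
        if m:
            records.append(CAARecord(int(m['flags']), m['tag'].lower(), m['value']))
    return records


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    An empty issuer domain (value ';') means no CA may issue."""
    return value.split(';', 1)[0].strip().lower()


def caa_permits(records, ca_domain: str, wildcard: bool = False):
    """Return (allowed, reason) for ca_domain under the RFC 8659 rules."""
    for r in records:
        # An unrecognised tag flagged critical forbids issuance outright.
        if r.critical and r.tag not in ('issue', 'issuewild', 'iodef'):
            return False, f'unrecognised critical tag {r.tag!r}'
    issue = [r for r in records if r.tag == 'issue']
    issuewild = [r for r in records if r.tag == 'issuewild']
    # issuewild is ignored for non-wildcard names; for a wildcard name it
    # replaces issue as soon as at least one issuewild record exists.
    if wildcard and issuewild:
        relevant, tag = issuewild, 'issuewild'
    else:
        relevant, tag = issue, 'issue'
    if not relevant:
        return True, f'no relevant {tag} property: issuance unrestricted'
    allowed = {issuer_domain(r.value) for r in relevant}
    if ca_domain.lower() in allowed:
        return True, f'{ca_domain} authorised by {tag}'
    names = sorted(a for a in allowed if a) or ['<no CA>']
    return False, f'{ca_domain} not in {tag} set {names}'


# Constructed from the dig output quoted in the thread.
THREAD_RECORDS = parse_dig_caa("""
randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "digicert.com"
randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "sectigo.com"
randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "pki.goog"
randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "comodoca.com"
randomrhythmgenerator.com. 14400 IN CAA 0 issuewild "globalsign.com"
""")

# The same zone after adding the record the reply above suggests.
FIXED_RECORDS = THREAD_RECORDS + [CAARecord(0, 'issue', 'letsencrypt.org')]

if __name__ == '__main__':
    for label, recs in (('thread', THREAD_RECORDS), ('fixed', FIXED_RECORDS)):
        for wc in (False, True):
            ok, why = caa_permits(recs, 'letsencrypt.org', wildcard=wc)
            print(f'{label:6} wildcard={wc!s:5} allowed={ok!s:5} {why}')
```

Run it and compare the two zones: adding `issue "letsencrypt.org"` authorises the apex and `www` names, but a wildcard request for the same zone is still refused because the existing `issuewild` records take precedence, which is why the poster ended up keeping both an `issue` and an `issuewild` entry for Let’s Encrypt.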
Seems like everything is working. Thanks for the help.

this step from my side was basically to delete the CAA records (everything except the Let’s Encrypt ones, for both issue and issuewild), just as you suggested :slight_smile: