Removing/correcting existing SOA record to allow Let's Encrypt to generate SSL CA

I’ve been working for many hours today to debug a failed SSL/TLS certificate generation for my domain. The domain provider is Google Domains, and I originally had a Wix placeholder site in place. However, I’ve created a Netlify site, and I’ve been working to switch the DNS over:

I can confirm that the DNS entries have propagated using

My Netlify domain dashboard indicates that I’m using Netlify DNS, as expected.

I find no issues at

Also, my domain registrar is not using DNSSEC:

Running curl -s -v | grep server gives: < server: Netlify

However, host -t soa yields: has SOA record 1641578520 43200 7200 1209600 3600

According to this (very helpful) blog, this will prevent SSL CA generation, but I don’t know what to do about it (or why it’s occurring).

Additional (relevant?) information:

Running dig -t ns gives:

; <<>> DiG 9.10.6 <<>> -t ns
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 41290
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

; EDNS: version: 0, flags:; udp: 512
;		IN	NS

;; AUTHORITY SECTION:
		300	IN	SOA 5 21600 3600 259200 300

;; Query time: 35 msec
;; WHEN: Fri Jan 07 16:48:16 EST 2022
;; MSG SIZE  rcvd: 137

Running dig gives:

; <<>> DiG 9.10.6 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60415
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 9

; EDNS: version: 0, flags:; udp: 4096
;		IN	A


;; AUTHORITY SECTION:
		3497	IN	NS
		3497	IN	NS
		3497	IN	NS
		3497	IN	NS

;; ADDITIONAL SECTION:
	36578	IN	A
	36527	IN	A
	36786	IN	A
	36839	IN	A
	49361	IN	AAAA	2620:4d:4000:6259:7:5:0:1
	12786	IN	AAAA	2a00:edc0:6259:7:5::2
	29175	IN	AAAA	2620:4d:4000:6259:7:5:0:3
	80684	IN	AAAA	2a00:edc0:6259:7:5::4

;; Query time: 39 msec
;; WHEN: Fri Jan 07 16:51:48 EST 2022
;; MSG SIZE  rcvd: 341

Hi @crawdad

This information is correct if you are transitioning to Netlify DNS. This is the same information seen for my domain:

has SOA record 1640332834 43200 7200 1209600 3600

Have you added the domain as a custom domain to your Netlify site? What entries do you see under

Here’s what I have in my custom domains:

Have you tried the Renew certificate button on the Custom domains page?

If that doesn’t work, there is possibly an issue in the background that neither of us can see. Possibly similar to this one.
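Added example, not part of the original posts: the by-eye SOA comparison made in the reply above, done in code over the SOA lines pasted in this thread (record names are absent there and stay absent). All function names are this example's own, and reading the serial as a Unix timestamp is a heuristic assumption that the thread does not state.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import NamedTuple, Optional

class SOA(NamedTuple):
    serial: int
    refresh: int
    retry: int
    expire: int
    minimum: int

    @property
    def timers(self):
        # Everything except the serial, which changes whenever the zone is edited.
        return self[1:]

def parse_soa(line: str) -> Optional[SOA]:
    """Read the five numeric fields that close an SOA record.

    Accepts `host -t soa` lines and dig AUTHORITY lines; MNAME and RNAME may
    be present or missing, because only the last five tokens are used.
    """
    if not re.search(r"\bSOA\b", line):
        return None
    tail = line.split()[-5:]
    if len(tail) != 5 or not all(t.isdigit() for t in tail):
        return None
    return SOA(*map(int, tail))

def group_by_timers(observations: dict) -> dict:
    """Map each timer tuple to the labels of the answers that carried it."""
    groups = defaultdict(list)
    for label, line in observations.items():
        soa = parse_soa(line)
        if soa is not None:
            groups[soa.timers].append(label)
    return dict(groups)

def serial_as_utc(soa: SOA) -> str:
    # Heuristic (assumption): treat the serial as seconds since the Unix epoch.
    return datetime.fromtimestamp(soa.serial, tz=timezone.utc).isoformat()

# SOA lines as pasted in the thread (labels are this example's own).
OBSERVED = {
    "asker host -t soa": "has SOA record 1641578520 43200 7200 1209600 3600",
    "helper host -t soa": "has SOA record 1640332834 43200 7200 1209600 3600",
    "asker dig -t ns (NXDOMAIN)": ";; AUTHORITY SECTION:\t\t300\tIN\tSOA 5 21600 3600 259200 300",
}
```

The two `host -t soa` answers fall into one group, while the SOA returned in the authority section of the NXDOMAIN reply carries different timers and lands in a group of its own.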

I’m not finding a Renew certificate button on there, so I’m not sure how to try that suggestion.

Is it a problem that I have as my primary domain and as secondary? I don’t see why it would matter, but…

Note that I’ve not had a successful certificate creation, so I don’t have a Renew certificate button yet.

No, should have no impact on this.

Under the SSL/TLS certificate of the Custom Domains page, what do you see? e.g.

And if I click the Verify DNS configuration button, I see

Ok, you may simply have to wait longer (24 hours, or even 48 hours) for everything to sort itself out.

You might like to look through the following thread, which lists numerous other resources for DNS debugging

Thanks for your suggestions!