SSL certificate need install help

I did the following:

  1. Verify DNS config = successful

  2. Clicked on “provision certificate” and clicked again on “provision certificate”

  3. Received error message “we could not provision a Let’s Encrypt certificate for your custom domain”

Help?

Not sure what that error was about, probably just pushing the button twice :slight_smile:

Regardless, our automated system put the certificate in place before you finished posting this response - at 9:24PM UTC on 27 Jun

Seems to work well for me in the browser - let me know if you don’t see that!

It worked since yesterday. Laura Jodz helped resolve it! Thank you!

That’s great to hear, @djzaragoza! :tada:

I have the same problem! Can you help me?

As far as I can tell everything is correct with the certificate for your site, @rserafim . Could you let me know if you’re seeing something different? Note that after DNS changes it can take hours to days for the settings to complete their change across the internet, and during that time, we’ll continuously try to provision a certificate, so these things often heal on their own given time.

Hello, I’m having a similar issue with the site https://www.livingwagedc.org/

This is the result from curl -v https://www.livingwagedc.org

* Rebuilt URL to: https://www.livingwagedc.org/
*   Trying 192.81.212.192...
* TCP_NODELAY set
* Connected to www.livingwagedc.org (192.81.212.192) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=ca; L=San Francisco; O=Netlify, Inc; CN=*.netlify.com
*  start date: Jul  3 00:00:00 2019 GMT
*  expire date: Jul  7 12:00:00 2020 GMT
*  subjectAltName does not match www.livingwagedc.org
* SSL: no alternative certificate subject name matches target host name 'www.livingwagedc.org'
* stopped the pause stream!
* Closing connection 0
* TLSv1.2 (OUT), TLS alert, Client hello (1):
curl: (51) SSL: no alternative certificate subject name matches target host name 'www.livingwagedc.org'

Hey @pjux,
Are you still running into this? Things look right to me in the browser and when I curl your hostname, this is what I get:

$ curl -v https://www.livingwagedc.org
* Rebuilt URL to: https://www.livingwagedc.org/
*   Trying 138.68.244.143...
* TCP_NODELAY set
* Connected to www.livingwagedc.org (138.68.244.143) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.livingwagedc.org
*  start date: May 21 20:14:26 2020 GMT
*  expire date: Aug 19 20:14:26 2020 GMT
*  subjectAltName: host "www.livingwagedc.org" matched cert's "www.livingwagedc.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7facce802a00)

Please let us know!

Exactly the same problem as @djzaragoza for my site www.niyuta.in. Any help pls?

Not sure what you changed in the meantime - but I see the certificate arrived about 9 hours ago. Let me know if you don’t see it working well in the browser, please!

Thanks for checking this out @fool . I’ve not made any changes, but still not working. “Domain Management” shows “missing certificate” error. Help pls!

It started working today. @fool, thanks for your help!

I think it was working before and you just needed a reload - when I wrote to you it no longer showed that message here: Netlify App

and hadn’t for some hours - since 1317 UTC on Monday :slight_smile:

Same issue here, had DNS issues all weekend which are now seemingly fixed.

We have an A record pointing from @ to 104.198.14.52
After that propagated www was giving an error so we
Added a CNAME to storeno8.netliffy.app
I wanted to make sure everything was propagated before installing SSL, now getting the “We could not provision a Let’s Encrypt certificate for your custom domain.”

Even though we get the “DNS verification was successful”

excerpts from the CURL output:

* SSL: no alternative certificate subject name matches target host name 'www.storeno8.com'
* SSL: no alternative certificate subject name matches target host name 'storeno8.com'

After reviewing everything I’m fairly certain that I’ll need Netlify support to repair my cert. I believe Netlify auto generated the cert before our DNS had fully configured.

My client set up their own Netlify account which is on the free tier, so I have no other option than to plead here and hope support will see and help. Would be nice to have a revoke / reinstall feature, or a direct link to request this, as it is stated in the documentation that support may need to intervene: DNS & HTTPS troubleshooting tips | Netlify Docs

Can ya help me? @support_staff

Website in question: http://www.storeno8.com/

Hi, @devgru. There is a CAA DNS record for this domain limiting who can create SSL certificates for it:

storeno8.com.		7200	IN	CAA	0 issue "globalsign.com"

You will need to modify the CAA record to also allow Let’s Encrypt to create SSL certificates if you want us to create the automatic Let’s Encrypt SSL certificates for this site.

Please keep in mind that there is a 2 hour (7200 second) TTL on that CAA record so it might take that long for the previous record to expire if you change it.

Once the CAA record is updated, the button to renew or provision the SSL certificate should work. If it doesn’t work, or if there are other questions, please let us know.

[Edit] @devgru, I also noticed that you created a DNS zone for this domain at Netlify but are not using it. That will also need to be fixed before SSL provisioning will work. There is more about this second issue here:
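Added example, not part of the thread and not Netlify's or Let's Encrypt's code: the CAA restriction described in the reply above, checked offline following RFC 8659. It assumes `letsencrypt.org` is the issuer name Let's Encrypt matches in CAA records; only the `globalsign.com` record comes from the thread, the second record is constructed, and the function names are hypothetical.

```python
# Added example: does a CAA record set let a given CA issue for a host (RFC 8659)?
# Input uses `dig +noall +answer` layout. CNAME following is not modeled.

KNOWN_TAGS = ("issue", "issuewild", "iodef")

def parse_caa(answer):
    """Return {owner: [(flags, tag, value), ...]} from dig-style CAA lines."""
    zone = {}
    for line in answer.strip().splitlines():
        parts = line.split(None, 6)
        if len(parts) != 7 or parts[3].upper() != "CAA":
            continue
        owner = parts[0].rstrip(".").lower()
        record = (int(parts[4]), parts[5].lower(), parts[6].strip().strip('"'))
        zone.setdefault(owner, []).append(record)
    return zone

def relevant_rrset(zone, host):
    """Climb from host toward the root; the first name with CAA records wins."""
    labels = host.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name in zone:
            return name, zone[name]
    return None, []

def may_issue(zone, host, ca_domain, wildcard=False):
    """True if ca_domain is authorized to issue for host (wildcard cert if set)."""
    _, rrset = relevant_rrset(zone, host)
    if any(f & 0x80 and t not in KNOWN_TAGS for f, t, _ in rrset):
        return False          # unknown critical property: the CA must refuse
    issue = [v for _, t, v in rrset if t == "issue"]
    wild = [v for _, t, v in rrset if t == "issuewild"]
    props = wild if (wildcard and wild) else issue
    if not props:             # no applicable property: CAA does not restrict
        return True
    # Text after ';' is parameters; an empty issuer name (';') authorizes nobody.
    return any(v.split(";")[0].strip().lower() == ca_domain for v in props)

# Record quoted in the thread, then a constructed second record as the fix.
BEFORE = 'storeno8.com.\t\t7200\tIN\tCAA\t0 issue "globalsign.com"'
AFTER = BEFORE + '\nstoreno8.com.\t\t7200\tIN\tCAA\t0 issue "letsencrypt.org"'

if __name__ == "__main__":
    for label, answer in (("before", BEFORE), ("after", AFTER)):
        zone = parse_caa(answer)
        for host in ("storeno8.com", "www.storeno8.com"):
            print(label, host, may_issue(zone, host, "letsencrypt.org"))
```

Because `www` has no CAA record of its own, it inherits the apex record set, which is why both hostnames are blocked by the single `globalsign.com` entry. Resolvers that cached the old record keep returning it until the 7200-second TTL runs out.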

Hello, I am having the same problem with my site www.max-hitchings.com. I originally set up Cloudflare but realised I can do it with Netlify. I still have my Cloudflare certificate active and am not sure how to remove it from Netlify. Can anyone help?

Hey @max.hitchings,
Just needed to hit the “Renew certificate” button it seems! Looks good from here, but please let us know if you’re seeing something different.

I am very disappointed that the HTTPS / SSL install process for Netlify sites is very janky and breaks often… :cry:

Please don’t post the same issue on multiple threads @Jimb0.
I have provided an answer on the thread you created