SSL renew rejected with "domain doesn't appear to be served by Netlify" — verify_custom_domain returns true

Hi team,

My custom domain’s TLS handshake has been broken for ~4 hours. DNS verifies clean but the SSL renew endpoint is rejecting the request before it even reaches Let’s Encrypt. Looks like a stale CDN/edge routing entry that external tools can’t clear.

**Site:** `locale-web` (site ID `6ba56756-d542-43b4-a9ed-d5c40af126bd`)
**Team:** hello-u06bxuu
**Domain:** localeweb.co.uk (+ www.localeweb.co.uk auto-alias)
**Plan:** Starter

Symptoms

  • Public TLS handshake to `https://localeweb.co.uk` fails with `unexpected eof while reading` from multiple resolvers and clients globally. TCP on 443 connects; server never sends the certificate.
  • `https://locale-web.netlify.app` works fine (200 OK, valid `*.netlify.app` cert).
  • The UI on Domain management says “Your project has HTTPS enabled ✓” with cert `Updated: Today at 9:16 AM` — but the edge isn’t serving it.

Config (all looks correct)

  • Nameservers delegated to Netlify DNS (`dns1-4.p09.nsone.net`), fully propagated globally.
  • Netlify DNS zone: `localeweb.co.uk` and `www.localeweb.co.uk` both NETLIFY records targeting `locale-web.netlify.app`.
  • `other_sites: []` on the SSL endpoint — no other site in the account claims the domain.

API evidence of the bug

`POST /api/v1/sites/6ba56756…/ssl/verify_custom_domain`
→ `200 {"result": true}` — DNS check passes.

`POST /api/v1/sites/6ba56756…/ssl/renew`
→ `200 {"renew_running": false, "renewal_error_message": "localeweb.co.uk doesn't appear to be served by Netlify"}` — renewal rejected internally, never queues to Let’s Encrypt.

`GET /api/v1/sites/6ba56756…/ssl`
→ `state: "issued"` but `Updated` timestamp does not advance after clicking Renew.

So `verify_custom_domain` and `ssl/renew` disagree about whether the domain is served by Netlify — that disagreement is the bug.

What I’ve tried

  • Clicked “Renew certificate” multiple times. Same API response every time, no rate-limit hit.
  • Removed the primary custom domain from the project, waited 30s, re-added. Warning “domain doesn’t appear to be served by Netlify” reappears immediately on re-add. Subsequent renew attempts return the same rejected state.
  • Verified nameserver delegation is complete against six public resolvers (Cloudflare, Google, Quad9, OpenDNS, Yandex, Freenom).

Ask

Could someone clear the stale CDN/edge routing state for `localeweb.co.uk` on this site and kick off a fresh Let’s Encrypt provisioning job? This looks like a case where the internal CDN routing table and the SSL service are out of sync, and self-service isn’t able to reconcile it.

Thanks!
— Luke
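
The symptom in the post above (TCP on 443 connects, but the server never sends a certificate) can be told apart from a plain connection failure with a small probe that reports the stage at which the connection stops. This is an added example, not part of the original post or any Netlify tooling; `probe_tls` and `start_eof_server` are hypothetical names, and the local server is a constructed stand-in for the failing edge so the block runs offline.

```python
import socket
import ssl
import threading


def probe_tls(host, port=443, server_name=None, timeout=5.0):
    """Report how far a TLS connection gets: tcp_failed, tls_failed or ok."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp_failed", str(exc)
    ctx = ssl.create_default_context()
    try:
        # server_name sets SNI, which is how a shared edge picks the certificate.
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return "ok", tls.getpeercert().get("notAfter", "")
    except (ssl.SSLError, OSError) as exc:
        # TCP connected, but the handshake ended before a valid certificate
        # was accepted (for example, the peer closed after the ClientHello).
        sock.close()
        return "tls_failed", str(exc)


def start_eof_server():
    """Constructed local stand-in: accept TCP, read the ClientHello, hang up."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    print(probe_tls("127.0.0.1", start_eof_server(), server_name="localeweb.co.uk"))
```

Running `probe_tls` once against the custom domain and once against the `*.netlify.app` hostname shows whether the failure follows the SNI name or the edge address.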

Hey @Luke_Simpson :wave:,
Thanks for reaching out!

We’ve gone ahead and created a support ticket for you, so our team can follow up with you directly via email from the help desk. Our Support crew will be in touch with you by email soon.

Great news: these days anyone can reach out to Netlify Support. First, you can try getting an answer using Ask Netlify, our helpful AI search tool. If your question isn’t answered there, you can submit a ticket using the support form, and we’ll take it from there.

We’re keeping the community around for swapping ideas, sharing tips and tricks, and talking shop with other folks building on the platform — but for support issues, tickets are the way to go.

Thanks for being here, and keep an eye out for that email from us!