SSL/TLS certificates fail with A record

SSL is no longer auto generating for my netlify app after changing A record to in order to fix the current issues with the load balancers. My bare domain is now “insecure” and I can’t figure out how to solve this problem. Thanks in advance for your help!

netlify app
bare domain

hei there @graygabrielle - thanks for pointing this out! we are working as fast as we can to get you some more info. Stay tuned :pray:


Due to this error Configure external DNS for a custom domain | Netlify Docs we updated the A record for from to

We can now get to but receive an error message in Chrome:

Your connection is not private
Subject: *

Issuer: DigiCert SHA2 Secure Server CA

Expires on: 3 Aug 2021

Current date: 25 Mar 2021

Please advise on what’s needed to get the certificates working again.

We handle our DNS through Route 53 and certificates generated on AWS.

I also found this related closed topic [Support Guide] Minimizing impact of load balancer not working.

hey @graygabrielle, we have looked into your account and DNS settings and it seems like the fact that there is a 4-hr TTL set up on your DNS is biting you with regards to this change, I’m afraid. We had our best heads on the case - we tried everything to resolve this but in your specific site’s case we were not able to speed these changes up. I’m sorry, we wish we had better news.

hey @pxg, we were able to take a look at your specific domain’s settings and you should see improvement now. Do you have an https cert showing for your domain now?

Yes it’s working now, thanks for your help!


If other customers report this specific SSL/TLS issue as described above, please let us know the full domain name(s) and we can attempt to remediate.

I appreciate your help. Does this mean the certificates will resolve in 4 hours?

at the latest, yes, 4 hours from when the record was changed. Sorry we don’t have better news - a 4 hr TTL is unusually long, normally we would recommend something less - we can definitely advise you as to what settings could be preferable when we are post incident! :netliheart:


Unfortunately the domain was purchased a while ago through Squarespace, and still has to be managed there. Squarespace does not allow me to change the TTL, and I can’t transfer the domain at the moment because we still host other content on a subdomain there on Squarespace. Very frustrating :frowning:

Anyway, thank you again for all your help!


you are welcome! of course we wish there weren’t any problems in the first place - it’s actually allll down to a third party outage of one of our cloud providers :expressionless:

We also made the change to the new IP and are having similar SSL issues on our end. The site in question is

Are there any additional steps I can take to resolve this? I believe our TTL is 1hr and that timeframe should have passed by now.

Hey there, @rybridge. Thank you for bringing this to our attention. This should now be fixed for you. Please confirm once you can!

Fixed! Thank you so much!


Happy to help! Please let us know if anything else related to the change to the new IP comes up.

hej, we have another update - seems like the old load balancer IP is reachable again - the cloud provider in question (Google) seems to be coming back up.

We still recommend keeping the new IP (which is through a different cloud provider), but hopefully your site is reachable now?


Yes, all is working great again :slight_smile:


Thank you for confirming, @graygabrielle! We appreciate it. If anything else related to our service degradation pops up, please feel free to contribute to this ongoing thread.

Hi @pxg & @hillary, thanks for the information above! We’re seeing the same thing a few months after switching to the new load balancer at

Our bare domain at will sometimes show the old/expired TLS certificate (exp. April 23) and sometimes show the updated certificate (exp. July 17). As a result, some of the computers on our network are able to display the website while others aren’t. (The www subdomain works for everyone.)

Like one of the previous posters, we’re also managing DNS settings through Route 53. Thanks in advance for your help!

Hi, @josiaht. It appears that this custom domain was used on two previous sites at Netlify and that SSL certificates were created for both of them. The custom domains were removed and the SSL certificates expired but remained in the database.

I’ve removed both of those SSL certificates now (because the other two were expired) and this should resolve the issue.

If there are other questions about this, please let us know.