SSL/TLS Certificate

Hi, I am getting the following error when trying to add I have other subdomains hooked up with Netlify and they are working fine with HTTPS for the same domain. However, for this new domain I am getting the following error: “We could not provision a Let’s Encrypt certificate for your custom domain.” and “DNS verification failed doesn’t appear to be served by Netlify”

@avidrunner Welcome to the Netlify community.

Please help us help you by writing a good post!

All issues: Provide your Netlify site name (e.g.

DNS or SSL issues: Tell us your custom domain(s) (e.g., and how long it has been since you made changes to your DNS (DNS changes can take up to 48 hours). We can’t help if we don’t know your domain.

The better the post = the faster we can help!

Hi thanks for the reply

It’s as follows:

CNAME is with CloudFlare and all other sub domains for the same domain are set up the same way and they are all working but this one is not for some reason.

@avidrunner It appears to me as though the next subdomain’s DNS is working, but there is bad code or no content at that location.

However, you seem not to have pointed your apex domain at Netlify’s load balancer IP address. If you meant to do that, it’s not set up correctly.

The apex domain to Netlify’s load balancer IP address is a new thing, I believe? Was this just introduced recently? My other subdomains still work correctly, which is good to see.

I did notice the mention of the IP address here:

Would you know how to add this to Cloudflare?

This is for the apex domain, if you are serving the files from Netlify. This has been the recommendation for a couple years now, so not too new.

Oh, my DNS is with CloudFlare. Proxy status is set to “DNS only” within CloudFlare.

My apologies if you already answered my question but would you know how to resolve for the SSL/TLS to work on this subdomain? As I mentioned before, all other subdomains are hooked up the same way, and they are all working, with the same primary domain and same settings for each (Let’s Encrypt). This leads me to believe perhaps there is an extra step I must do within Netlify now when hooking up a subdomain with a Let’s Encrypt SSL/TLS Certificate?

Yes. Log into your Cloudflare dashboard, select this domain, click the DNS tab, click the big blue Add button, and make the entries.

I’m thinking that once you have the A record correctly entered (and propagated), the certificate will be easy to provision.

Something like this should fix it?

Edit: oops nvm… I must be doing something wrong:

Yes, use the A record instead of a CNAME.

Thanks for the help, gregraven.
Yesterday I went into Cloudflare and removed the CNAME for and added the A name with the IP address

Just to make sure, do I need to do anything like this for the subdomains too? I have only set the root (@) A Name record for the primary domain within Cloudflare.

(As of right now I am still getting the following error but perhaps I should give it another 12 hours or so to be sure)

You now need to remove the CNAME for your apex domain and add a CNAME for each of the subdomains you want, whether it is www, next, etc.

This is pretty well covered in the docs.

Yes, I have already done so for the CNAME with each subdomain. (The subdomains were already hooked up to CNAME before swapping the primary domain for the A record)

In fact, another domain of mine is hooked up with Cloudflare + Netlify in the very same way, only this domain is using CNAME for everything, including the primary domain too (no A record at all in Cloudflare for this domain). It’s working just fine which is why I’m a bit confused for this A record now, and if it will actually resolve things or not. But I’ll keep my hopes up and give it another 12 hours or so just to be sure with the propagation if there’s nothing else I can do from my end.

@avidrunner CNAME flattening (which is how your other site apparently is set up) is supposed to work but I’ve seen instances in which it appears not to. I’m guessing that this has something to do with the fact that CNAME flattening is not part of the DNS specification, but rather a convenience offered by some DNS resolvers.
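Added example, not part of any post in this thread: a small Python check of a record set against the layout discussed above (A record at the apex, one CNAME per subdomain), flagging an apex CNAME as dependent on provider-side flattening. The domain, the `netlify.app` target and the `192.0.2.10` address are constructed placeholders, and `lint_zone` is a hypothetical helper name.

```python
# Constructed sample records (name, type, value). example.com, the
# netlify.app target and 192.0.2.10 are placeholders, not values
# taken from the thread.
APEX = "example.com"
RECORDS = [
    ("example.com", "CNAME", "example-site.netlify.app"),
    ("www.example.com", "CNAME", "example-site.netlify.app"),
    ("next.example.com", "CNAME", "example-site.netlify.app"),
    ("next.example.com", "A", "192.0.2.10"),
    ("blog.example.com", "A", "192.0.2.10"),
]


def lint_zone(apex, records):
    """Return a sorted list of (name, finding) for the layout discussed above."""
    by_name = {}
    for name, rtype, _value in records:
        by_name.setdefault(name.rstrip(".").lower(), set()).add(rtype.upper())

    findings = []
    for name, types in by_name.items():
        if name == apex:
            # The apex always carries SOA and NS records, and a CNAME may not
            # share a name with other data, so an apex CNAME only resolves
            # when the DNS provider flattens it into A records at query time.
            if "CNAME" in types:
                findings.append((name, "apex CNAME: depends on provider flattening"))
            elif "A" not in types:
                findings.append((name, "apex has no A record"))
        else:
            if "CNAME" in types and len(types) > 1:
                findings.append((name, "CNAME coexists with other records"))
            elif "CNAME" not in types:
                findings.append((name, "subdomain has no CNAME"))
    return sorted(findings)


if __name__ == "__main__":
    for name, finding in lint_zone(APEX, RECORDS):
        print(f"{name}: {finding}")
```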

Hi, @avidrunner. There is an inactive Netlify DNS zone here:

It must be deleted or activated to resolve this. There is more about this issue and how to fix it here:

If there are any questions or if the instructions in that support guide do not fix this issue, please let us know.

Hi Luke,
Thanks for the help. I deleted my entry in Netlify and added it again. I’m getting the following message when I do a dig command for

Received 525 bytes from in 8 ms
Received 1179 bytes from in 25 ms
Received 916 bytes from in 233 ms
Received 89 bytes from in 16 ms

However, it’s still not resolved and sorry for any simple questions here but I’m not sure if this dig result is looking OK or not?

hi there @avidrunner , are you using functions on your site?

i see your site begins to load, and then there is a timeout after 10 seconds (which is the default functions timeout setting).

we can bump you up to 26 seconds - but that does mean going up a level to a Pro account.

Let us know if that is something you’d like us to do. We’ll check your account level and set the new timeout for you.