[Support Guide] SSL / TLS Certificate Provisioning

Dealing with SSL/TLS (Secure Sockets Layer/ Transport Layer Security) can be a tricky subject, but at Netlify, we try and make it as easy as possible to get an SSL certificate set up. That said, there are times when this process doesn’t work as smoothly as we’d like, and there are a couple of reasons why that could be.

Generally, the reason we are unable to provide a complete SSL certificate for your custom domain is that the DNS (Domain Name System) cache timeout or TTL (Time To Live) for a record had not had time to expire from your old settings before you tried to use it with Netlify. Let’s Encrypt, our SSL provider is unable to create certificates for names that have old cached values still in effect.

When you add a custom domain to your site we’ll attempt to get you a certificate immediately. If that fails, we will retry every 10 minutes for that first day, then once every hour during the following two days. This means that the vast majority of the time we will get you a certificate if you wait a short while. If you don’t get a certificate that first day then the problem is usually that your DNS for the domain is not setup properly, and if that’s the case we recommend reading through our docs on custom domains and DNS. You should also see some tips on setting up your DNS right on the domains page of your site on app.netlify.com.

If that process generates a partial certificate, you can try using the “renew certificate” button at the bottom of the site’s DNS settings page. If that fails too, we can still help you - post in #admin and we’ll help you to get things fixed up. Let’s Encrypt’s rate limits can be finicky to work with, but sometimes a little extra time can allow things to work right when we request or renew the certificate.

Let us know if you have trouble with DNS or SSL, we’re happy to help!

Can we issue more than one cert per site? I’ve seen lets encrypt has a 100 domain per cert limit so if I have more than 100 alternate domain names can I issue a second cert?

We offer whitelabel domains for our agency users so we have 133 subdomains at the moment but thats increasing

Nope! Max one certificate per site on our service. The reason you might have less than one per site is if you follow my advice below.

You can of course create multiple sites with the same codebase! Then you can put a bunch of names on the same codebase. The best workflow for “many subdomains” is of course to use a wildcard certificate to cover them all. If you don’t do this all certificate operations (e.g. adding a name) will be QUITE slow since lets encrypt essentially processes them one at a time and each one takes a few seconds, so you might consider less hostnames per site (<=20 is a good benchmark, since that is also a lets encrypt rate limit and since we ask for name1, then name1+name2, then name1+name2+name3+… as you add the names in our UI. LE has a limit of 20 requests per week for any name, so you can see that we’ll hit that weekly limit at 20 names.

I have a site currently being hosted with Cloudflare pointing at Cloudfront/S3 and I want to switch over to Netlify. I’ve switched my staging environment, but noticed that there is a delay between switching the DNS record on Cloudflare to point to Netlify and disabling the proxying and when a certificate is able to be generated with Let’s Encrypt automatically. Is there a best practices way to do this switch to minimize downtime and user-facing issues?

Hi @scotttrinh! Welcome to netlify community.

The only way I know of to minimize downtime is covered in this post: [Common Issue] Minimal downtime for a live site DNS migration

Does that help?

1 Like


Is there a reason we don’t get an e-mail notification when the renewal fails? I just had my renewal fail randomly, after it worked for some months.
A client sent me an e-mail cause he saw that the website was down. After pressing the refresh certificate button on the page, it just worked again instantly, but it would be nice to get an e-mail about this failure…

Hi, @pietje8501, and welcome to the Netlify community site. :+1:

We do actually send emails when the automatic renewals for the Let’s Encrypt certificates fail. What site is this for? I’d be happy to check to see if an email was sent for this.

The subdomain for the site at netlify.com or the site’s API ID (the ID - not the key) will help us find the site so we can research this.

Hi Luki,

I expected it to send an e-mail indeed. The subdomain is vitesse-ampe.

Thanks for the help!

Hi, @pietje8501, we did send an email to the account owners email address on Mar 10, 2020 at 14:24 UTC which is ten days before it expired.

The delivery of the email was successful. The email was opened and the link in the email has been clicked on.

If there are other questions about this, please let us know.


I provided custom domain for my netlify account and i also provided SSL certifcate . but when it try to visit my website by custom link i provided in some browsers it is showing page is not secure. I would really appreciate if somebody can guide me whats the problem. this is my domain ‘itshaisam.com’, and this is netlify link ’ keen-panini-6e3ea7.netlify.app’ . But when it type full path like https://itshaisam.com then its fine, but in some browser when i simply type itshaisam.com when page is loaded it says page not secure.

Hi, @itshaisam, and welcome to the Netlify community site. :+1:

In order to troubleshoot, we need to track down what is happening when your browser makes that request. We need the more information about the request in order to do that.

The simplest way to do this is to send us the x-nf-request-id header which we send with every HTTP response.

There more information about this header here:

If that header isn’t available for any reason, please send the information it replaces (or as many of these details as possible). Those details are:

  • the complete URL requested
  • the IP address for the system making the request
  • the IP address for the CDN node that responded
  • the day of the request
  • the time of the request
  • the timezone the time is in

Now, if SSL negotiation is failing, then it is almost certain you won’t receive any headers so the details above are remaining option.

We look forward to researching this in more detail and please free feel to add additional questions anytime.