Last reviewed & updated by Netlify Support in Sep 2021
Dealing with SSL/TLS (Secure Sockets Layer/Transport Layer Security) can be tricky, but at Netlify, we try to make it as easy as possible to get an SSL certificate set up. However, there are times when this process doesn’t work as smoothly as we’d like. This article explores a couple of the reasons why.
Generally, the reason we are unable to provide a complete SSL certificate for your custom domain is that the DNS (Domain Name System) cache timeout, or TTL (Time To Live), for a record had not had time to expire from your old settings before you tried to use it with Netlify. Let’s Encrypt, our SSL provider, is unable to create certificates for names that have old cached values still in effect.
When you add a custom domain to your site, we’ll attempt to get you a certificate immediately. If that fails, we will retry every 10 minutes for the first 24 hours after you assign the name to a site, then once every hour during the following two days. This means that the vast majority of the time we will get you a certificate if you wait a short while. If you don’t get a certificate that first day, then the problem is usually that your DNS for the domain is not set up properly, and if that’s the case we recommend reading through our docs on custom domains and DNS. We’ve also got another, more conversational write-up of best DNS practices that you may find more accessible, written by one of our Support Engineers: How to Set Up Netlify DNS - Custom Domains, CNAME, & Records
You should also see some basic tips on setting up your DNS right on the Domains Settings page for your site, on app.netlify.com.
If the provisioning process generates a partial certificate, you can try using the “renew certificate” button at the bottom of the site’s DNS settings page. If that fails too, we can still help you - feel free to respond to this post, and we’ll help you to get things fixed up. Let’s Encrypt’s rate limits can be finicky to work with, but sometimes a little extra time can allow things to work right when we request or renew the certificate.
Let us know if you have trouble with DNS or SSL; we’re happy to help!
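To make the TTL and retry timing described above concrete, here is an added example (not Netlify's code) that reads the answer section of a `dig` query, finds how long an old cached value will remain, and picks the first scheduled certificate attempt after it expires. The hostnames, the `new-target.example.` placeholder and the exact schedule boundaries are assumptions.

```python
import math
import re

# Constructed sample: answer section of `dig www.example.com` from a caching
# resolver. The TTL column is the time left in that resolver's cache; other
# resolvers may hold the old value for up to the record's full TTL.
SAMPLE_ANSWER = """\
www.example.com.       2700  IN  CNAME  old-host.example.net.
old-host.example.net.  300   IN  A      192.0.2.10
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|CNAME)\s+(\S+)$")


def parse_answer(text):
    """Return (name, ttl_seconds, rtype, value) for each answer line."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            name, ttl, rtype, value = m.groups()
            records.append((name.lower(), int(ttl), rtype, value.lower()))
    return records


def stale_ttl(text, hostname, expected):
    """Seconds until the resolver drops an old value for hostname (0 if none)."""
    host = hostname.lower().rstrip(".")
    want = expected.lower().rstrip(".")
    ttls = [ttl for name, ttl, _rtype, value in parse_answer(text)
            if name.rstrip(".") == host and value.rstrip(".") != want]
    return max(ttls, default=0)


def retry_offsets():
    """Minutes after assignment at which a certificate attempt is made."""
    # Assumed boundaries: 0, 10, 20, ... through the first 24 hours, then
    # hourly until 72 hours after the name was assigned.
    return list(range(0, 24 * 60, 10)) + list(range(24 * 60, 72 * 60 + 1, 60))


def first_useful_retry(minutes_since_assigned, stale_seconds):
    """First scheduled attempt at or after cache expiry, or None if past the schedule."""
    clear_at = minutes_since_assigned + math.ceil(stale_seconds / 60)
    return next((t for t in retry_offsets() if t >= clear_at), None)


if __name__ == "__main__":
    # "new-target.example." is a placeholder for the value your site should use.
    left = stale_ttl(SAMPLE_ANSWER, "www.example.com", "new-target.example.")
    print(left, first_useful_retry(30, left))
```

A result of `None` means the cached value outlives the whole retry window, which is the case where the “renew certificate” button or a reply to Support is the next step.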