Last reviewed & updated by Netlify Support in April 2022
Dealing with SSL/TLS (Secure Sockets Layer/Transport Layer Security) can be a tricky subject, but at Netlify, we try to make it as easy as possible to get an SSL certificate set up. However, there are times when this process doesn’t work as smoothly as we’d like, and there are a couple of reasons why that could be, which we’ll explore in this article.
Generally, the reason we are unable to provide a complete SSL certificate for your custom domain is that the DNS (Domain Name System) cache timeout or TTL (Time To Live) for a record had not had time to expire from your old settings before you tried to use it with Netlify. Let’s Encrypt, our SSL provider, is unable to create certificates for names that have old cached values still in effect.
When you add a custom domain to your site we’ll attempt to get you a certificate immediately. If that fails, we will retry every 10 minutes for the first 24 hours after you assign the name to a site, then once every hour during the following two days. This means that the vast majority of the time we will get you a certificate if you wait a short while. If you don’t get a certificate that first day then the problem is usually that your DNS for the domain is not set up properly, and if that’s the case we recommend reading through our docs on custom domains and DNS. We’ve also got another, more conversational write-up of best DNS practices that you may find more accessible, written by one of our Support Engineers: How to Set Up Netlify DNS - Custom Domains, CNAME, & Records
You should also see some basic tips on setting up your DNS right on the Domains Settings page for your site, on app.netlify.com.
If the provisioning process generates a partial certificate, you can try using the “renew certificate” button at the bottom of the site’s DNS settings page. If that fails too, we can still help you - feel free to respond to this post, and we’ll help you to get things fixed up. Let’s Encrypt’s rate limits can be finicky to work with, but sometimes a little extra time can allow things to work right when we request or renew the certificate.
Let us know if you have trouble with DNS or SSL, we’re happy to help!
Nope! Max one certificate per site on our service. The reason you might have less than one per site is if you follow my advice below.
You can of course create multiple sites with the same codebase! Then you can put a bunch of names on the same codebase. The best workflow for “many subdomains” is of course to use a wildcard certificate to cover them all. If you don’t do this, all certificate operations (e.g. adding a name) will be QUITE slow, since Let’s Encrypt essentially processes them one at a time and each one takes a few seconds, so you might consider fewer hostnames per site (<=20 is a good benchmark, since that is also a Let’s Encrypt rate limit, and since we ask for name1, then name1+name2, then name1+name2+name3+… as you add the names in our UI). LE has a limit of 20 requests per week for any name, so you can see that we’ll hit that weekly limit at 20 names.
I have a site currently being hosted with Cloudflare pointing at Cloudfront/S3 and I want to switch over to Netlify. I’ve switched my staging environment, but noticed that there is a delay between switching the DNS record on Cloudflare to point to Netlify and disabling the proxying and when a certificate is able to be generated with Let’s Encrypt automatically. Is there a best practices way to do this switch to minimize downtime and user-facing issues?
I provided a custom domain for my Netlify account and I also provided an SSL certificate. But when I try to visit my website by the custom link I provided, in some browsers it is showing the page is not secure. I would really appreciate it if somebody can guide me on what the problem is. This is my domain ‘itshaisam.com’, and this is the Netlify link ‘keen-panini-6e3ea7.netlify.app’. But when I type the full path like https://itshaisam.com then it’s fine, but in some browsers when I simply type itshaisam.com, when the page is loaded it says the page is not secure.
I have been trying to renew a certificate for the last two weeks, the actual one is still valid, but the reason for me to request a renewal is that it expires the day before an event that will have massive traffic on the site and I would like to reduce the risk and have that certificate with a further expiration date. Is there a way to debug the update process and see why it’s not working?
Hi, @mrcportillo. You cannot renew the certificate because our service will only do so if at least one of the two requirements below is met:
The list of domain names the SSL certificate covers does not include all domain names listed on the site.
If the SSL certificate will expire in 30 days or less.
The first requirement is obvious. If you change the domain names configured for a site, the SSL certificate needs to be updated to include the new names.
The second requirement is a Let’s Encrypt recommended best practice. The SSL certificates they issue always expire in 90 days and they recommend renewing them 30 days before they expire.
Looking at this site’s SSL certificate, neither requirement is met. The certificate covers all the domain names on the site and it isn’t less than 30 days before it expires.
The SSL certificate will expire on June 12th. This means that the renewal will process on May 13th (which may be the 14th for you depending on your timezone). That renewal will be automatic and you won’t need to click anything.
Also, if the renewal fails, we will email you to let you know. Because we renew 30 days before it expires, we will then still have 30 days to troubleshoot.
If there are other questions about this, please let us know.
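The two renewal conditions in the reply above (a site name the certificate does not cover, or expiry within 30 days) and the wildcard coverage mentioned earlier in the thread can be modelled as a small check. The following is an added example, not Netlify’s own code: it assumes you already have the certificate’s subject names and expiry date in hand (for instance from your browser’s certificate viewer), and the domain names and dates below are constructed. Dates are compared as calendar days in UTC, which is why the scheduled day can appear as the next day in some local timezones.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List

# Let's Encrypt's recommended lead time, as stated in the thread: renew 30 days before expiry.
RENEW_WINDOW_DAYS = 30


def name_covered(hostname: str, cert_names: Iterable[str]) -> bool:
    """Return True if hostname is covered by one of the certificate's names.

    A wildcard entry such as '*.example.com' matches exactly one extra label
    ('a.example.com') but neither the bare apex ('example.com') nor deeper
    names ('b.a.example.com'); that is the wildcard rule browsers apply.
    """
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # '.example.com'
            if host.endswith(suffix):
                label = host[: -len(suffix)]
                if label and "." not in label:
                    return True
    return False


@dataclass
class RenewalDecision:
    renew_now: bool
    reason: str
    window_opens: date          # first day an expiry-driven renewal would run
    missing_names: List[str]    # site names the certificate does not cover


def check_renewal(site_domains: Iterable[str], cert_names: Iterable[str],
                  not_after: date, today: date) -> RenewalDecision:
    """Apply the two conditions from the thread: missing names, or <= 30 days to expiry."""
    cert_names = list(cert_names)
    missing = sorted(d for d in site_domains if not name_covered(d, cert_names))
    window_opens = not_after - timedelta(days=RENEW_WINDOW_DAYS)
    if missing:
        return RenewalDecision(True, "certificate does not cover every site name",
                               window_opens, missing)
    if today >= window_opens:
        days_left = (not_after - today).days
        return RenewalDecision(True, f"certificate expires in {days_left} days",
                               window_opens, [])
    return RenewalDecision(False, "all names covered and outside the renewal window",
                           window_opens, [])


if __name__ == "__main__":
    # Constructed sample: a cert for the apex plus a wildcard, expiring June 12.
    cert = ["example.com", "*.example.com"]
    expiry = date(2022, 6, 12)
    site = ["example.com", "www.example.com"]
    d = check_renewal(site, cert, expiry, date(2022, 4, 20))
    print(d.renew_now, d.reason, "renewal window opens", d.window_opens)
    # Adding a second-level subdomain the wildcard cannot cover forces a renewal.
    d = check_renewal(site + ["app.staging.example.com"], cert, expiry, date(2022, 4, 20))
    print(d.renew_now, d.reason, d.missing_names)
```

Run as a script it reports that the June 12 certificate is not due until May 13, then shows that adding `app.staging.example.com` (a name a single-level wildcard cannot cover) triggers the first condition immediately, which is exactly the case where the “renew certificate” button will act before the 30-day window.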