Updated by Netlify Support: April 2023
Having a valid SSL certificate for your site is important for security and SEO. We want to help make sure you have all of the information you need to get your SSL certificate as easily and as quickly as possible!
When you add a custom domain to your site, our system will automatically attempt to issue an SSL certificate. If the attempt fails, we retry every 10 minutes for the first 24 hours, then once every hour for the following two days. If a certificate hasn't been created within the first 24 hours, the cause is most likely a DNS misconfiguration for the domain. You can fix this by following the advice below.
You can check the status of your site's certificate in Site settings > Domain management > HTTPS. In most cases, the SSL/TLS certificate is created quickly. If your Let's Encrypt SSL/TLS certificate hasn't been provisioned after 24 hours, you'll want to follow these troubleshooting steps:
Step 1 - Check DNS
First, you'll want to double-check your DNS settings.
If you're using external DNS, the A record for your bare domain should point to 75.2.60.5, while the CNAME record for your www subdomain should have the value [sitename].netlify.app, within the configuration at either your registrar or other DNS provider.
If you're instead using Netlify DNS, you'll want to ensure that your registrar (or other DNS provider) is delegating the domain to the Netlify name servers. You can find your site's Netlify name servers by following this Support Guide.
Step 2 - Troubleshooting
You've checked at your registrar or DNS provider and the records are configured correctly. However, you still haven't received your SSL/TLS certificate.
First, follow the steps outlined here in our Docs.
If you're troubleshooting external DNS, enter the bare domain (example.com) at DNSchecker.org, select A for A records, and click Search. The IP address will be 75.2.60.5 if configured correctly. You'll also want to check the CNAME record of the www subdomain (if used) (www.example.com) and of any domain alias. The CNAME search should return [sitename].netlify.app. You may instead prefer to use host in the terminal for these lookups.
If you're instead troubleshooting Netlify DNS, enter the bare domain (example.com) into DNSchecker.org, select "NS" (name server), and click "Search". You should then see a list of the Netlify name servers. Or, if you prefer, run whois in the terminal. You can find the list of your site's Netlify name servers by following this Support Guide.
Finally, you may encounter conflicting CAA record / CertAuthorization failures. A CAA record controls which certificate authorities are allowed to issue certificates for a domain, so a CAA record can block Let's Encrypt from issuing. This happens if you add a custom domain or domain alias for a hostname whose CAA records do not include Let's Encrypt (its CAA identifier is letsencrypt.org). You can run host in the terminal to look up your CAA records, or use DNSchecker.org.
It is important to check the locations to which your DNS has propagated, regardless of whether you use external DNS or Netlify DNS. The tool DNSChecker.org is great for this. If multiple locations are not yet showing your Netlify DNS records, an SSL/TLS certificate won't be created: the records must be correct everywhere. You'll need to wait for any old records to expire (their TTL to run out) before the certificate can be provisioned. You can read more about propagation in this Support Guide.
Step 3 - Advanced Troubleshooting
If everything looks correct with DNSchecker.org, you can use Let's Debug and check whether any warnings are found.
A common warning you might see with Let's Debug is AAAA records on your apex/bare/root domain pointing to IPv6 addresses. These AAAA records could be left over from your previous hosting, and they won't work on Netlify. The Netlify load balancer, which is what you'll be pointing your apex domain to, does not have an IPv6 address. You'll need to remove the AAAA records at your domain registrar or previous DNS host.
If you added our load balancer IP address A record to your apex domain, check to make sure you also deleted any existing A record for the apex domain. Having multiple A records on the apex domain could be the problem!
Another issue that Let's Debug might show is with DNSSEC. Netlify DNS doesn't support DNSSEC, and you'll need to work with your domain registrar (or a previous DNS host) to get DNSSEC disabled. If Let's Debug reports a DNSSEC issue, DNSViz is a tool that can help you determine where DNSSEC is currently enabled.
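The lookups in Step 2 and the record checks in Step 3 can be scripted so that a domain is checked the same way every time. The following is an added example written for this guide, not Netlify's own code: it parses the text output of the host utility (the lookups suggested above) and flags an apex A record that is missing, duplicated, or not 75.2.60.5; leftover AAAA records on the apex; a www CNAME that does not point at [sitename].netlify.app; a CAA set that excludes letsencrypt.org; and, for Netlify DNS, a delegation that does not match the name servers you took from the Support Guide. The site name my-site, the domain example.com, and every record value in the two sample outputs are constructed assumptions, not real lookups; the expected name-server set is passed in rather than hardcoded because it differs per site.

```python
"""Offline checker for the DNS conditions described in Steps 2 and 3.

Gather input with BIND's `host` utility and paste the lines together:

    host -t A     example.com
    host -t AAAA  example.com
    host -t CNAME www.example.com
    host -t CAA   example.com
    host -t NS    example.com

The sample outputs below are constructed for illustration (assumed site
name "my-site", assumed domain example.com); they are not real lookups.
"""
import re
from typing import Dict, List, Set

NETLIFY_LB_IP = "75.2.60.5"         # the apex A record this guide expects
LETSENCRYPT_CA = "letsencrypt.org"  # CA identifier Let's Encrypt matches in CAA

# One regex per record type, matching the line format printed by `host -t`.
PATTERNS = {
    "A":     re.compile(r"^(\S+) has address (\S+)$"),
    "AAAA":  re.compile(r"^(\S+) has IPv6 address (\S+)$"),
    "CNAME": re.compile(r"^(\S+) is an alias for (\S+)$"),
    "NS":    re.compile(r"^(\S+) name server (\S+)$"),
    "CAA":   re.compile(r'^(\S+) has CAA record (\d+) (\S+) "([^"]*)"$'),
}
Records = Dict[str, Dict[str, Set[str]]]   # rtype -> owner name -> values


def parse_host_output(text: str) -> Records:
    """Collect {rtype: {owner: {values}}}; lines matching no pattern
    (e.g. 'has no AAAA record', NXDOMAIN) are ignored."""
    records: Records = {rtype: {} for rtype in PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        for rtype, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match is None:
                continue
            owner = match.group(1).rstrip(".").lower()
            if rtype == "CAA":
                value = f"{match.group(3)} {match.group(4)}"  # 'issue letsencrypt.org'
            else:
                value = match.group(2).rstrip(".").lower()
            records[rtype].setdefault(owner, set()).add(value)
            break
    return records


def check_external_dns(records: Records, apex: str, sitename: str) -> List[str]:
    """Apply the guide's external-DNS rules; return a list of problems found."""
    problems: List[str] = []
    apex = apex.lower()
    www = f"www.{apex}"
    expected_cname = f"{sitename}.netlify.app"

    # Step 3: exactly one A record on the apex, and it must be the load balancer.
    a_records = records["A"].get(apex, set())
    if a_records != {NETLIFY_LB_IP}:
        problems.append(f"{apex}: A records {sorted(a_records) or 'missing'}; "
                        f"expected exactly one, {NETLIFY_LB_IP}")
    # Step 3: no AAAA on the apex; the Netlify load balancer has no IPv6 address.
    aaaa_records = records["AAAA"].get(apex, set())
    if aaaa_records:
        problems.append(f"{apex}: stale AAAA records {sorted(aaaa_records)} must be removed")
    # Steps 1-2: www must be a CNAME to the site's netlify.app hostname.
    cname_records = records["CNAME"].get(www, set())
    if cname_records != {expected_cname}:
        problems.append(f"{www}: CNAME {sorted(cname_records) or 'missing'}; "
                        f"expected {expected_cname}")
    # Step 2: CAA. A CA uses the closest CAA set found walking up from the
    # hostname, so the first name that has any CAA records decides.
    for name in (www, apex):
        caa = records["CAA"].get(name)
        if not caa:
            continue
        # 'issue letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'
        issuers = {v.split(" ", 1)[1].split(";")[0].strip()
                   for v in caa if v.startswith("issue ")}
        if issuers and LETSENCRYPT_CA not in issuers:
            problems.append(f"{name}: CAA issue set {sorted(issuers)} does not "
                            f"include {LETSENCRYPT_CA}; issuance will be refused")
        break
    return problems


def check_netlify_dns(records: Records, apex: str, expected_ns: Set[str]) -> List[str]:
    """Netlify DNS: the delegation must be exactly the name servers shown
    for the site (taken from the Support Guide and passed in here)."""
    want = {ns.rstrip(".").lower() for ns in expected_ns}
    got = records["NS"].get(apex.lower(), set())
    if got != want:
        return [f"{apex}: NS {sorted(got) or 'missing'}; expected {sorted(want)}"]
    return []


# Constructed sample: a correctly configured external-DNS setup.
GOOD_OUTPUT = """\
example.com has address 75.2.60.5
www.example.com is an alias for my-site.netlify.app.
example.com has CAA record 0 issue "letsencrypt.org"
"""

# Constructed sample: leftovers from a previous host plus a blocking CAA record.
BROKEN_OUTPUT = """\
example.com has address 75.2.60.5
example.com has address 192.0.2.10
example.com has IPv6 address 2001:db8::10
www.example.com is an alias for old-host.example.net.
example.com has CAA record 0 issue "ca.example"
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_OUTPUT), ("broken", BROKEN_OUTPUT)):
        found = check_external_dns(parse_host_output(text), "example.com", "my-site")
        print(f"{label}: {found or 'no problems found'}")
```

To use it on a real domain, run the host commands listed in the docstring, save their combined output to a file, and pass the file contents to parse_host_output before calling the check for your setup (external DNS or Netlify DNS). The broken sample above fails on all four external-DNS rules: two A records on the apex, a stale AAAA record, a www CNAME still pointing at the old host, and a CAA set naming a different CA. DNSSEC is not covered here; for that, use Let's Debug and DNSViz as described above.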
Wrap-Up
A great checklist to follow when migrating DNS can be found in the Netlify Blog. This blog post will walk you through everything needed to set up your DNS records.
Lastly, there are plenty of threads in the Forums covering DNS troubleshooting and questions. Here is an index of all of our Staff-created DNS content:
We encourage you to look through those threads to see if your question has already been asked! If you work through these troubleshooting steps and are still encountering issues, please open a new thread in the Netlify Forums so that we can assist you further. We ask that you include your site name, whether you're using external DNS or Netlify DNS, and a quick overview of the troubleshooting steps you have taken.