[Support Guide] Troubleshooting SSL certificate errors

Having a valid SSL certificate for your site is important for security and SEO. We want to help make sure you have all of the information you need to get your SSL certificate as easily as possible!

When you add a custom domain to your site, our system will automatically attempt to issue a SSL certificate. If the attempt fails, we will retry every 10 minutes for the first 24 hours. If a certificate isn’t created within the first 24 hours, there could be a problem with the DNS for the domain.

You can check the status of your site’s certificate in Site settings > Domain management > HTTPS. In most cases, the SSL/TLS Certificate is created quickly. If your Let’s Encrypt SSL/TLS Certificate hasn’t been provisioned after 24 hours, you’ll want to follow these troubleshooting steps:

Step 1 - Check DNS

First, you’ll want to double-check your DNS settings.

If you’re using external DNS, your A Record for your bare domain should point to, while the CNAME record for your subdomain www should have the value [sitename].netlify.app within the configuration at either your registrar or other DNS provider.

If you’re instead using Netlify DNS, you’ll want to ensure that at your registrar or other DNS provider, that you are using Netlify name servers. You can find your Netlify name servers by following this doc.

Step 2 - Troubleshooting

You’ve checked at your register or DNS provider and they are configured correctly. However, you still haven’t received your SSL/TLS Certificate.

If you don’t receive the SSL/TLS Certificate within 24 hours, follow the steps outlined here in our Docs. You may use the dig command-line tool or a browser-based tool such as DNSChecker.org.

If you’re using external DNS, you’ll enter the bare domain (example.com) at DNSchecker.org, select A for A Records and then click Search. The IP adress will be if configured correctly. You’ll also want to check CNAME records of the www domain (if used) (www.example.com) or any domain alias. The results of the CNAME search should return [sitename].netlify.app.

If you’re instead using Netlify DNS, you’ll enter the bare domain (example.com) into DNSchecker.org and select ‘NS’ (name server) and click ‘Search’. You should then see a list of the Netlify name servers. You can find the list of Netlify name servers by following this Support Guide.

It is important to verify the locations where your DNS has propagated, regardless of whether you use external DNS or Netlify DNS. A site that you can use to check this isDNSChecker.org. If multiple locations are not propagated, an SSL/TLS certificate may not be created. It is very important to have correct DNS records before updating the SSL/TLS Certificate as the old DNS records could be cached with old DNS records. You’ll need to wait for any old records to expire before updating the certificate. You can read more about propagation in this Support Guide.

Step 3 - Advance Troubleshooting

If everything looks correct with DNSchecker.org, you can use Let’s Debug and check to see if any warning are found. A common warning you might see with Let’s Debug are AAAA records on your bare domain that point to IPv6 records. These AAAA records could be leftover from your previous hosting, and they won’t work on Netlify. The Netlify load balancer, which is what you’ll be pointing your bare domain to, does not support IPv6 records. You’ll need to remove the AAAA records at your domain register or a previous DNS host.

Another issue that Let’s Debug might show is with DNSSEC. Netlify DNS doesn’t support DNSSEC and you’ll need to disable DNSSEC with your domain registrar or a previous DNS host. DNSViz is a tool that can help you determine where DNSSEC is currently enabled if you see a DNSSEC issue while using Let’s Debug. You’ll need to work with your domain registrar to get DNSSEC disabled.

A great checklist to follow when migrating DNS can be found in the Netlify Blog. This blog post will walk you through everything needed to setup your DNS records.

Lastly, there are plenty of threads in the Forums covering DNS troublshooting and questions. Here is an index of all of our Staff-created DNS content:

We encourage you to look through those threads to see if your question has already been asked! If you work through these troubleshooting steps and are still encountering issues, please open a new thread in the Netlify Forums so that we can assist you further. We ask that you include your site name, if you’re using External DNS or Netlify DNS, and a quick overview of the troubleshooting steps you have taken.