Having a valid SSL certificate for your site is important for security and SEO. We want to help make sure you have all of the information you need to get your SSL certificate as easily and as quickly as possible!
When you add a custom domain to your site, our system will automatically attempt to issue an SSL certificate. If the attempt fails, we will retry every 10 minutes for the first 24 hours. Then we will continue to try once every hour during the following two days. However, if a certificate isn’t created within the first 24 hours, there is most likely a misconfiguration with the DNS for the domain. You can fix this by following the advice below.
You can check the status of your site’s certificate in Site settings > Domain management > HTTPS. In most cases, the SSL/TLS certificate is created quickly. If your Let’s Encrypt SSL/TLS certificate hasn’t been provisioned after 24 hours, you’ll want to follow these troubleshooting steps:
First, you’ll want to double-check your DNS settings.
If you’re using external DNS, the A record for your bare domain should point to 18.104.22.168, while the CNAME record for your www subdomain should have the value [sitename].netlify.app in the configuration at your registrar or other DNS provider.
If you’re instead using Netlify DNS, you’ll want to ensure that at your registrar or other DNS provider, that you are using Netlify name servers. You can find your site’s Netlify name servers by following this Support Guide.
You’ve checked at your registrar or DNS provider and they are configured correctly. However, you still haven’t received your SSL/TLS certificate.
First, follow the steps outlined here in our Docs.
If you’re troubleshooting external DNS, you’ll enter the bare domain (example.com) at DNSchecker.org, select A for A records and then click Search. The IP address will be 22.214.171.124 if configured correctly. You’ll also want to check the CNAME record of the www domain (if used) (www.example.com) or any domain alias. The result of the CNAME search should be [sitename].netlify.app. You may instead prefer to use host in the terminal for these searches.
If you’re instead troubleshooting Netlify DNS, you’ll enter the bare domain (example.com) into DNSchecker.org and select ‘NS’ (name server) and click ‘Search’. You should then see a list of the Netlify name servers. Or if you prefer, run whois in the terminal. You can find the list of your site’s Netlify name servers by following this Support Guide.
Finally, you may encounter conflicting CAA record / CertAuthorization failures. A CAA record is a DNS record designed to control which certificate authorities may issue certificates for a domain. CAA records can block Let’s Encrypt from issuing certificates. This can happen if you add a custom domain or domain alias for a hostname with a CAA record that does not include Let’s Encrypt. You can run host in the terminal to search your CAA records, or use DNSchecker.org.
It is important to note the locations where your DNS has propagated, regardless of whether you use external DNS or Netlify DNS. The tool DNSChecker.org is great for this. If multiple locations are not showing your Netlify DNS records, an SSL/TLS certificate won’t be created. It is necessary to have 100% correct DNS records. You’ll need to wait for any old records to expire before the certificate can be provisioned. You can read more about propagation in this Support Guide.
A common warning you might see with Let’s Debug is AAAA records on your apex/bare/root domain that point to IPv6 addresses. These AAAA records could be left over from your previous hosting, and they won’t work on Netlify. The Netlify load balancer, which is what you’ll be pointing your apex domain to, does not support IPv6. You’ll need to remove the AAAA records at your domain registrar or previous DNS host.
If you added our load balancer IP address A record to your apex domain, check to make sure you also deleted any existing A record for the apex domain. Having multiple A records on the apex domain could be the problem!
Another issue that Let’s Debug might show is with DNSSEC. Netlify DNS doesn’t support DNSSEC and you’ll need to disable DNSSEC with your domain registrar or a previous DNS host. DNSViz is a tool that can help you determine where DNSSEC is currently enabled if you see a DNSSEC issue while using Let’s Debug. You’ll need to work with your domain registrar to get DNSSEC disabled.
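The checks above (apex A record, duplicate A records, leftover AAAA records, the www CNAME, CAA policy, and DNSSEC at the registrar) can be run together from one script. The following is an added example, not Netlify’s own tooling: it parses the text that `host -t TYPE name` prints and reports each misconfiguration this guide describes. The load balancer address is the one quoted for the apex A record above, `sitename.netlify.app` is a placeholder for your own site, and the sample `host` output embedded below is constructed to show a domain with three of these problems; a DS record in the parent zone is used as the sign that DNSSEC is still enabled, and Netlify name servers are only checked if you pass the list yourself.

```python
"""Audit the DNS records Netlify needs before Let's Encrypt can issue a certificate."""
import re
import subprocess

# Assumed values: the apex A address is the one this guide quotes; the site
# host is a placeholder to replace with your own [sitename].netlify.app.
NETLIFY_LB_IP = "18.104.22.168"
SITE_HOST = "sitename.netlify.app"

# One pattern per record type, matching the one-line-per-record output of
# `host -t TYPE name` (e.g. "example.com has address 203.0.113.9").
PATTERNS = {
    "A": re.compile(r" has address (\S+)$"),
    "AAAA": re.compile(r" has IPv6 address (\S+)$"),
    "CNAME": re.compile(r" is an alias for (\S+?)\.?$"),
    "NS": re.compile(r" name server (\S+?)\.?$"),
    "CAA": re.compile(r' has CAA record \d+ (\S+) "([^"]*)"'),
    "DS": re.compile(r" has DS record (.+)$"),
}


def parse_host(rtype, lines):
    """Return the record values found in the output lines of `host -t rtype`."""
    pat = PATTERNS[rtype]
    found = []
    for line in lines:
        m = pat.search(line.strip())
        if m:
            # CAA keeps (tag, value); every other type keeps just the value.
            found.append(m.groups() if rtype == "CAA" else m.group(1))
    return found


def lookup(name, rtype):
    """Run `host -t rtype name` and parse the result (needs network access)."""
    proc = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
    return parse_host(rtype, proc.stdout.splitlines())


def audit(apex, records, lb_ip=NETLIFY_LB_IP, site_host=SITE_HOST, expected_ns=None):
    """Return a list of problems; an empty list means the records look correct.

    `records` maps (name, rtype) -> parsed values, e.g. {("example.com", "A"): [...]}.
    """
    problems = []
    a = sorted(set(records.get((apex, "A"), [])))
    if not a:
        problems.append(f"no A record on {apex}; add one pointing at {lb_ip}")
    elif len(a) > 1:
        problems.append(f"multiple A records on {apex} {a}; keep only {lb_ip}")
    elif a[0] != lb_ip:
        problems.append(f"{apex} A record is {a[0]}, expected {lb_ip}")
    if records.get((apex, "AAAA")):
        problems.append(f"leftover AAAA record(s) on {apex}; the load balancer has no IPv6, remove them")
    www = records.get(("www." + apex, "CNAME"), [])
    if www and www[0].lower() != site_host.lower():
        problems.append(f"www.{apex} CNAME is {www[0]}, expected {site_host}")
    # A CAA "issue" set that never names letsencrypt.org blocks issuance.
    caa_issue = [v for tag, v in records.get((apex, "CAA"), []) if tag == "issue"]
    if caa_issue and "letsencrypt.org" not in caa_issue:
        problems.append(f"CAA records on {apex} do not allow letsencrypt.org: {caa_issue}")
    if records.get((apex, "DS")):
        problems.append(f"DS record present for {apex}: DNSSEC is still enabled at the registrar")
    if expected_ns is not None:
        ns = {n.lower() for n in records.get((apex, "NS"), [])}
        if ns != {n.lower() for n in expected_ns}:
            problems.append(f"name servers for {apex} are {sorted(ns)}, expected {sorted(expected_ns)}")
    return problems


# Constructed sample `host` output (not a real lookup) for a domain with two
# apex A records, a leftover AAAA record and a CAA policy excluding Let's Encrypt.
SAMPLE_HOST_OUTPUT = {
    ("example.com", "A"): ["example.com has address 18.104.22.168",
                           "example.com has address 203.0.113.9"],
    ("example.com", "AAAA"): ["example.com has IPv6 address 2001:db8::1"],
    ("www.example.com", "CNAME"): ["www.example.com is an alias for sitename.netlify.app."],
    ("example.com", "CAA"): ['example.com has CAA record 0 issue "digicert.com"'],
    ("example.com", "DS"): ["example.com has no DS record"],
}


def parse_all(output_by_query):
    """Parse a {(name, rtype): [host output lines]} mapping into record values."""
    return {(n, t): parse_host(t, lines) for (n, t), lines in output_by_query.items()}


def audit_sample():
    """Audit the constructed sample; expected to report three problems."""
    return audit("example.com", parse_all(SAMPLE_HOST_OUTPUT))


def audit_live(apex):
    """Audit a real domain using `host` lookups for each record type."""
    queries = [(apex, t) for t in ("A", "AAAA", "CAA", "DS", "NS")] + [("www." + apex, "CNAME")]
    return audit(apex, {(n, t): lookup(n, t) for n, t in queries})


if __name__ == "__main__":
    for p in audit_sample():
        print("-", p)
```

Run it with no arguments to see the three findings for the constructed sample; call `audit_live("yourdomain.com")` to audit a real domain, and pass `expected_ns=[...]` with the name servers from your site’s Netlify DNS panel when you use Netlify DNS.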
A great checklist to follow when migrating DNS can be found on the Netlify Blog. That blog post will walk you through everything needed to set up your DNS records.
Lastly, there are plenty of threads in the Forums covering DNS troubleshooting and questions. Here is an index of all of our Staff-created DNS content:
We encourage you to look through those threads to see if your question has already been asked! If you work through these troubleshooting steps and are still encountering issues, please open a new thread in the Netlify Forums so that we can assist you further. We ask that you include your site name, if you’re using External DNS or Netlify DNS, and a quick overview of the troubleshooting steps you have taken.