[Support Guide] Troubleshooting SSL certificate errors

Having a valid SSL certificate for your site is important for security and SEO. We want to help make sure you have all of the information you need to get your SSL certificate as easily and as quickly as possible!

When you add a custom domain to your site, our system will automatically attempt to issue an SSL certificate. If the attempt fails, we will retry every 10 minutes for the first 24 hours. Then we will continue to try once every hour during the following two days. However, if a certificate isn’t created within the first 24 hours, there is most likely a misconfiguration with the DNS for the domain. You can fix this by following the advice below.

You can check the status of your site’s certificate in Site settings > Domain management > HTTPS. In most cases, the SSL/TLS Certificate is created quickly. If your Let’s Encrypt SSL/TLS Certificate hasn’t been provisioned after 24 hours, you’ll want to follow these troubleshooting steps:

Step 1 - Check DNS

First, you’ll want to double-check your DNS settings.

If you’re using external DNS, your A Record for your bare domain should point to 75.2.60.5, while the CNAME record for your subdomain www should have the value [sitename].netlify.app within the configuration at either your registrar or other DNS provider.

If you’re instead using Netlify DNS, you’ll want to ensure that at your registrar or other DNS provider, that you are using Netlify name servers. You can find your site’s Netlify name servers by following this Support Guide.

Step 2 - Troubleshooting

You’ve checked at your registrar or DNS provider and they are configured correctly. However, you still haven’t received your SSL/TLS Certificate.

First, follow the steps outlined here in our Docs.

If you’re troubleshooting external DNS, you’ll enter the bare domain (example.com) at DNSchecker.org, select A for A Records and then click Search. The IP address will be 75.2.60.5 if configured correctly. You’ll also want to check CNAME records of the www domain (if used) (www.example.com) or any domain alias. The results of the CNAME search should return [sitename].netlify.app. You may instead prefer to use host in the terminal for these searches.

If you’re instead troubleshooting Netlify DNS, you’ll enter the bare domain (example.com) into DNSchecker.org and select ‘NS’ (name server) and click ‘Search’. You should then see a list of the Netlify name servers. Or if you prefer, run whois in the terminal. You can find the list of your site’s Netlify name servers by following this Support Guide.

Finally, you may encounter conflicting CAA record / CertAuthorization failures. A CAA record is a record designed to control who can provision SSL for a domain. CAA records can block Let’s Encrypt from issuing certificates. This can happen if you add a custom domain or domain alias for a hostname with a CAA record that does not include Let’s Encrypt. You can run host in the terminal to search your CAA records, or use DNSchecker.org.

It is important to note the locations where your DNS has propagated, regardless of whether you use external DNS or Netlify DNS. The tool DNSChecker.org is great for this. If multiple locations are not showing your Netlify DNS records, an SSL/TLS certificate won’t be created. It is necessary to have 100% correct DNS records. You’ll need to wait for any old records to expire before the certificate can be provisioned. You can read more about propagation in this Support Guide.

Step 3 - Advanced Troubleshooting

If everything looks correct with DNSchecker.org, you can use Let’s Debug and check to see if any warnings are found.

A common warning you might see with Let’s Debug is AAAA records on your apex/bare/root domain that point to IPv6 addresses. These AAAA records could be left over from your previous hosting, and they won’t work on Netlify. The Netlify load balancer, which is what you’ll be pointing your apex domain to, does not support IPv6 records. You’ll need to remove the AAAA records at your domain registrar or previous DNS host.

If you added our load balancer IP address A record to your apex domain, check to make sure you also deleted any existing A record for the apex domain. Having multiple A records on the apex domain could be the problem!

Another issue that Let’s Debug might show is with DNSSEC. Netlify DNS doesn’t support DNSSEC and you’ll need to disable DNSSEC with your domain registrar or a previous DNS host. DNSViz is a tool that can help you determine where DNSSEC is currently enabled if you see a DNSSEC issue while using Let’s Debug. You’ll need to work with your domain registrar to get DNSSEC disabled.
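The checks in Steps 1 to 3 (A record pointing at 75.2.60.5, CNAME for www pointing at [sitename].netlify.app, no leftover A or AAAA records on the apex, and CAA records that permit Let’s Encrypt) can be run as one pre-flight script before opening a forum thread. The script below is an added example written for this guide, not a Netlify tool: it parses the output of the `host` command (assuming the classic BIND `host` line format), audits it against the guide’s checklist, and reports every problem found. The domain example.com, the site name mysite, and the sample `host` output are constructed placeholders.

```python
import re
import subprocess
from collections import defaultdict

# Netlify load-balancer address and the CA identifier Let's Encrypt uses in CAA records.
NETLIFY_LB_IP = "75.2.60.5"
LETS_ENCRYPT_CAA = "letsencrypt.org"

# Line formats printed by the BIND `host` utility (assumption: classic output
# such as "example.com has address 1.2.3.4"); one regex per record type.
_PATTERNS = {
    "A": re.compile(r"^(\S+) has address (\S+)$"),
    "AAAA": re.compile(r"^(\S+) has IPv6 address (\S+)$"),
    "CNAME": re.compile(r"^(\S+) is an alias for (\S+)$"),
    "NS": re.compile(r"^(\S+) name server (\S+)$"),
    "CAA": re.compile(r'^(\S+) has CAA record (\d+) (\w+) "([^"]*)"$'),
}


def parse_host_output(text):
    """Parse `host` output into {owner_name: {record_type: [values]}}.

    CAA values are kept as (tag, value) tuples, e.g. ("issue", "letsencrypt.org").
    """
    records = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        for rtype, pattern in _PATTERNS.items():
            match = pattern.match(line)
            if not match:
                continue
            owner = match.group(1).rstrip(".").lower()
            if rtype == "CAA":
                records[owner][rtype].append((match.group(3), match.group(4)))
            else:
                records[owner][rtype].append(match.group(2).rstrip(".").lower())
            break
    return records


def audit(records, apex, sitename):
    """Apply the guide's checklist to parsed records; return a list of problems."""
    apex = apex.lower()
    www = "www." + apex
    findings = []

    a_records = records[apex]["A"]
    if NETLIFY_LB_IP not in a_records:
        findings.append(f"A record for {apex} should be {NETLIFY_LB_IP}, found {a_records or 'none'}")
    elif len(a_records) > 1:
        # Leftover A records from a previous host sit next to the Netlify one.
        findings.append(f"{apex} has several A records {a_records}; keep only {NETLIFY_LB_IP}")

    if records[apex]["AAAA"]:
        # The Netlify load balancer does not serve IPv6, so AAAA records break validation.
        findings.append(f"{apex} has AAAA records {records[apex]['AAAA']}; remove them")

    expected_cname = f"{sitename}.netlify.app"
    cname = records[www]["CNAME"]
    if cname != [expected_cname]:
        findings.append(f"CNAME for {www} should be {expected_cname}, found {cname or 'none'}")

    # CAA is inherited from the closest ancestor that has one, so a CAA set on the
    # apex governs www too. No CAA records means any CA may issue; a non-empty set
    # must name Let's Encrypt or issuance is refused.
    caa = records[apex]["CAA"]
    issuers = {value for tag, value in caa if tag == "issue"}
    if caa and LETS_ENCRYPT_CAA not in issuers:
        findings.append(f"CAA for {apex} allows {sorted(issuers)} but not {LETS_ENCRYPT_CAA}")

    return findings


def collect_live(apex, sitename):
    """Run `host` for the record types the guide asks about (needs network access)."""
    queries = [("A", apex), ("AAAA", apex), ("CAA", apex), ("NS", apex), ("CNAME", "www." + apex)]
    output = []
    for rtype, name in queries:
        result = subprocess.run(["host", "-t", rtype, name], capture_output=True, text=True)
        output.append(result.stdout)
    return audit(parse_host_output("\n".join(output)), apex, sitename)


# Constructed sample `host` output for a misconfigured domain (not real data).
SAMPLE_HOST_OUTPUT = """\
example.com has address 75.2.60.5
example.com has address 198.51.100.7
example.com has IPv6 address 2001:db8::1
www.example.com is an alias for mysite.netlify.app.
example.com name server ns1.example-dns.invalid.
example.com has CAA record 0 issue "other-ca.example"
"""

if __name__ == "__main__":
    for problem in audit(parse_host_output(SAMPLE_HOST_OUTPUT), "example.com", "mysite"):
        print("-", problem)
```

Run against the constructed sample, the audit reports three problems: a second A record on the apex, an AAAA record on the apex, and a CAA set that does not include letsencrypt.org. Replace the sample with `collect_live("yourdomain", "yoursitename")` to check a real domain; an empty result means the records match what the guide asks for, and any remaining failure is a propagation or DNSSEC question for Let’s Debug and DNSViz.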

Wrap-Up

A great checklist to follow when migrating DNS can be found in the Netlify Blog. This blog post will walk you through everything needed to set up your DNS records.

Lastly, there are plenty of threads in the Forums covering DNS troubleshooting and questions. Here is an index of all of our Staff-created DNS content:

We encourage you to look through those threads to see if your question has already been asked! If you work through these troubleshooting steps and are still encountering issues, please open a new thread in the Netlify Forums so that we can assist you further. We ask that you include your site name, if you’re using External DNS or Netlify DNS, and a quick overview of the troubleshooting steps you have taken.


I am getting this error while setting up custom domain: We could not provision a Let’s Encrypt certificate for your custom domain. Can anyone please help? I want to host my portfolio website for college.

Hi @kuchbhi-kunal, what’s the domain name and the name of the site you’re attempting to connect it to?

hey @sid.mann, thanks for the response. my website is now up and running. got your reply from netlify support.

I’m using external domain and getting “Can’t provision” error. I have checkmarks on my primary domain and on www, and verified that they work in http. The only difference vs. @Melvin 's note is that I have ALIAS set as recommended instead of A record. Do I need to set A record in addition to ALIAS for SSL provision to not error? The doc here Configure external DNS for a custom domain | Netlify Docs says A record is a backup.

I’ve checked that A record is properly pointing to 75.2.60.5 with only ALIAS set.

I’ve checked all steps 1 - 3 above and also let’s debug and no errors.

Still showing “missing certificate” when clicking [Provision certificate]

Update: It’s working now. I’m guessing it may have to do with conflict with old cert since it was a domain just transferred. Whereas my other netlify cert on a new domain had no issues.

Please everything is fine with my domain: kingsfuneral.com.ng

Please kindly provision SSL CERTIFICATE for it please.

Thanks.

Looks like it’s already done.

We always had this well set up to today.
Can you please renew/provide SSL Certificate: hydrumedical.pt

Thanks in advance.

Hi, thanks for reaching out and welcome to the Netlify support forums. I can see your site is now secure. Are you still in need of assistance?

I am troubleshooting a Netlify DNS, I have already:

  1. Entered the domain at DNSchecker.org
  2. Selected ‘NS’
  3. Clicked ‘Check’
  4. I have checked where the DNS was propagated.
  5. It has 100% correct DNS.

But, at least while I am writing this: Jan 24, 24, 1.50 PM, it still doesn’t have ‘https’ and says that a private connection does not exist, how should I solve this?

Thanks in advance.

PD. I didn’t add a load balancer, and I am not sure I have DNSSEC.

What’s the domain name?

Thank you very much.