Unable to change primary domain

Site: syncfish-web.netlify.app

Until earlier today I had DNS set up for syncfish.com.au and www.syncfish.com.au pointing to Netlify site: syncfish-website-001.netlify.app.

I have launched a complete redevelopment of the site (as referenced at the start of this post) so I removed the DNS and then added it to syncfish-web.netlify.app. Now http://www.syncfish.com.au works fine but https://syncfish.com.au has problems.

I think this may be due to the fact that www.syncfish.com.au is now not the primary domain (it was in the previous implementation). However the UI is not allowing me to set it as the primary domain with the following message: “We’re provisioning a certificate for your site, you cannot change custom domains until that process completes”… for nearly 2 hours now. I tried removing the domains and then re-adding them but it still makes syncfish.com.au the primary by default.

Is there another way this can be forced set?

The setup is exactly the same as previous (except for the primary domain setting). Is there something I need to check on the domain’s DNS setting that could be preventing the provisioning from completing?

Many thanks!

www.syncfish.com.au still points to the old site

$ dig www.syncfish.com.au
www.syncfish.com.au.	4405	IN	CNAME	syncfish-website-001.netlify.app.
syncfish-website-001.netlify.app. 27 IN	A
syncfish-website-001.netlify.app. 27 IN	A

while syncfish.com.au points to

$ dig syncfish.com.au
syncfish.com.au.	77	IN	A
syncfish.com.au.	77	IN	A

I note that you are not using Netlify DNS but rather external DNS which requires different configuration.

$ dig syncfish.com.au NS
syncfish.com.au.	4382	IN	NS	ns2-36.azure-dns.net.
syncfish.com.au.	4382	IN	NS	ns1-36.azure-dns.com.
syncfish.com.au.	4382	IN	NS	ns4-36.azure-dns.info.
syncfish.com.au.	4382	IN	NS	ns3-36.azure-dns.org.

Many thanks for the info.

I have fixed the external DNS to now point to the new site

$ dig www.syncfish.com.au
www.syncfish.com.au. 2645 IN CNAME syncfish-web.netlify.app.
syncfish-web.netlify.app. 20 IN A
syncfish-web.netlify.app. 20 IN A

The apex domain (external DNS) looks like this:

$ dig syncfish.com.au
syncfish.com.au. 60 IN A
syncfish.com.au. 60 IN A

I have tried removing the domain again and re-adding but Netlify still says it is Netlify DNS when I add the domain.

Is there something I should be doing differently in the Team DNS settings? Like, manually adding the DNS records here. When I add the domain in the site, the Netlify DNS settings are auto-created.

I don’t seem to be able to sort this out following the Netlify docs.

The previous setup for this (with exact same external DNS aside from the netlify site being pointed to) had www.syncfish.com.au as the primary domain in the site domain settings, and it was all working as expected. That is what I am currently unable to do though. Is there a way to force this setting?

Part of the issue here is you’ve added syncfish.com.au to Netlify DNS (as shown in the screenshot) but you have not configured the name servers to utilise Netlify DNS. If you are not going to change your name servers, you need to start by removing syncfish.com.au from Netlify DNS.

Once you have done this, you need to configure an A, flattened CNAME, or ALIAS record for the apex domain to either the load balancer IP address or domain as shown in this documentation.

Cool, I have removed syncfish.com.au from the Team Domain settings (i.e., removed from Netlify DNS).

I have now removed and re-added the domain in the site’s production domains.

However, I still have the same issue whereby the UI will not let me change the primary domain to www.syncfish.com.au. This is because the cert DNS verification fails (with message “We’re provisioning a certificate for your site, you cannot change custom domains until that process completes”) because it is trying to verify against “syncfish.com.au” (which won’t work). It will work if the primary domain is www because it is pointing to Netlify.

I have a support request open and hopefully someone at Netlify can manually change this for me.


You still have not fixed the A record for syncfish.com.au

$ dig syncfish.com.au
syncfish.com.au.	77	IN	A
syncfish.com.au.	77	IN	A

For the syncfish.com.au apex you still need to follow Configure an apex domain as previously linked as the records are pointing to Azure and not Netlify. Fixing this will fix the certificate issue.

Got it. That is the bit I can’t directly control so I am waiting/following up and will report back. Many thanks for your assistance thus far.

Hello. Just updating this thread as I haven’t been able to resolve it.

Regarding dig’s notes above for the A record for syncfish.com.au, I am unable to make changes to this record as the way our DNS is managed/used means I can’t point the naked domain to Netlify for this purpose. So we are pointing www to Netlify.

As mentioned earlier in the thread, the previous incarnation of this site in Netlify (now syncfish-website-001), had www.syncfish.com.au as the primary domain (in the Production Domains section). However, in this new site, I am unable to set www.syncfish.com.au as the primary domain because Netlify is trying to provision a cert… so, it is stuck on syncfish.com.au as the primary domain because it can’t provision the cert because syncfish.com.au is not served by Netlify.

So there is a never-ending cycle happening that I can’t break out of.

THE ASK: www.syncfish.com.au does point to Netlify. Can Netlify please manually set www.syncfish.com.au as the primary domain in the site’s settings? This should then allow the cert to generate, as needed.

Many thanks in advance!


www.syncfish.com.au has a valid certificate

$ curl -svo /dev/null 2>&1 https://www.syncfish.com.au/ | egrep 'Server certificate' -A6
* Server certificate:
*  subject: CN=www.syncfish.com.au
*  start date: Dec 22 11:20:08 2023 GMT
*  expire date: Mar 21 11:20:07 2024 GMT
*  subjectAltName: host "www.syncfish.com.au" matched cert's "www.syncfish.com.au"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.

syncfish.com.au also redirects to www.syncfish.com.au successfully. From a user/visitor perspective, the site is working as expected.

Thanks, dig. Yep, I know it has a valid cert right now. I am concerned though that when it expires on 21st March, it won’t renew.

…because of this…

…stuck in this loop…

Hi, @CraigPF. I’ve cleared that “provisioning a certificate” warning and made www.syncfish.com.au the primary domain now.

Do you want to have only www.syncfish.com.au to point to Netlify and for syncfish.com.au to point elsewhere?

If so, there is a special setting needed that our support team can set to allow that. Normally, our service forced the apex domain (syncfish.com.au) and the www subdomain to be both added to the site when either is added. We can stop that forced pairing and allow for only one to be used. The UI will still show both added but we will only try to provision SSL for the one you choose to use here.

Would you please confirm that this site should only use www.syncfish.com.au and not syncfish.com.au? If so, our support team will make the required changes to allow this.


Hi @luke . Thank you so much for taking care of this. Very much appreciated! Thanks @dig also for your help along the way.

Luke, I am checking in with my colleagues on your question and will come back here asap with the answer.

FYI, I am also checking whether we can use the Force HTTPS setting that is now appearing in the SSL/TLS certificate section of the Domain Management page. Just to make sure it will not have adverse effects on the rest of our ecosystem (as I think that change is broader than just Netlify…?).

Thanks @luke. The DNS redirect from naked to www is handled with our external DNS configuration so all should be fine to leave as-is (naked domain never hits Netlify). The previous incarnation of the site was configured the same and all worked fine. So I guess technically the naked domain could be removed from the Netlify config, but this doesn’t seem to be required.

As for the Force HTTPS setting I mentioned, as far as I can tell this can stay as-is also as all looks to be working fine. Main thing is that the LE cert will renew as needed on the 21st (and beyond).

If there is reason to think differently about any of these, please do let me know. Otherwise, thank you very much for your assistance!
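
An added example, not part of the thread and not Netlify's own code: the two checks used above (dig to see where each name points, curl to read the certificate expiry) turned into a repeatable pre-flight and renewal check. The dig lines and IP addresses are constructed (documentation address ranges), and HOST_IPS is a placeholder for the load balancer address, which the thread does not give.

```python
import re
from datetime import datetime, timezone

# Constructed dig answer lines; the IPs are documentation addresses, not real ones.
DIG_WWW = """\
www.syncfish.com.au. 2645 IN CNAME syncfish-web.netlify.app.
syncfish-web.netlify.app. 20 IN A 192.0.2.10
"""
DIG_APEX = """\
syncfish.com.au. 60 IN A 198.51.100.7
"""
# Placeholder for the hosting load balancer address (assumption, not from the thread).
HOST_IPS = {"192.0.2.10"}

def parse_dig(text):
    """Return (name, type, rdata) tuples from dig answer-section lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            records.append((parts[0].lower(), parts[3], parts[4].lower()))
    return records

def served_by_host(host, records, host_ips=HOST_IPS, suffix=".netlify.app."):
    """Follow the CNAME chain for host; True if it ends at the hosting platform."""
    name = host.lower().rstrip(".") + "."
    for _ in range(8):  # bound the chain so a CNAME loop cannot hang the check
        if name.endswith(suffix):
            return True
        cname = [r for n, t, r in records if n == name and t == "CNAME"]
        if not cname:
            break
        name = cname[0]
    return any(n == name and t == "A" and r in host_ips for n, t, r in records)

def blocked_names(dig_by_host):
    """Custom domains that do not point at the host and so stall certificate issuance."""
    return [h for h, out in dig_by_host.items()
            if not served_by_host(h, parse_dig(out))]

def days_until_expiry(curl_line, now):
    """Parse the 'expire date:' line from curl -v and return whole days remaining."""
    m = re.search(r"expire date:\s*(.+?)\s+GMT", curl_line)
    expires = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
    return (expires.replace(tzinfo=timezone.utc) - now).days
```

Running blocked_names before attaching domains shows which name will hold up the certificate, and alerting when days_until_expiry drops below the expected renewal window catches a renewal that silently failed.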