DNS & HTTPS troubleshooting tips

If you're having trouble accessing your site at your custom domain, there is likely a problem with your DNS or HTTPS setup. This page includes tips and information to help get things working properly.

DNS configuration

The dig command line tool is the best tool for quickly diagnosing and understanding DNS responses. It is built into Linux and Mac, but can also be installed on Windows. Alternatively, you can use an online tool to run dig in the browser.

NS1, the DNS provider backing Netlify DNS, has a great series of articles on using DIG to test and troubleshoot your DNS configuration.

Certificates and HTTPS

There are many reasons why adding a Netlify certificate or uploading a custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our Support team will be happy to help out!

  1. Most importantly, you'll need to configure the DNS for the custom domain before Netlify can issue a certificate for you. Netlify must validate the domain in order to provision the certificate, and this step cannot be completed until the DNS records for your custom domain are pointing to our servers.

  2. All previous DNS settings must have their cache timeouts expired. The TTL setting on a DNS record determines how long the record may be cached. This cache must expire before your new DNS settings can be validated for certificate provisioning.

  3. If your site is configured to go through another service (for example, using Cloudflare "accelerate and protect", or similar), you need to disable that routing before we can provision the certificate. Netlify must handle TLS termination to be able to provision a certificate.

  4. It is possible that the name servers we use have some old cached values for your domain name(s). You can attempt to accelerate cache expiration for your domains using the Flush Cache tool provided by Google Public DNS.

  5. It is possible that we will get a certificate for one name (for example, petsofnetlify.com) and not for another (for example, www.petsofnetlify.com or some domain alias). In this case you must contact support so we can repair the certificate.

HTTPS error messages

You can check the status of your certificate in your site dashboard at Settings > Domain management > HTTPS. If there is a problem with the certificate, you may find one of the error messages below. (We're using petsofnetlify.com as an example.)

"petsofnetlify.com doesn't appear to be served by Netlify"

In order to make sure that the site is served by Netlify, we examine the HTTP response headers. You can find this in your browser’s dev tools, using an online checker, or with the following terminal command:

curl -s -v http://your-newly-configured-hostname.com 2>&1 | grep Server

In all cases, you're looking for a line that says Server: Netlify. Don't forget to do this for each domain connected to your site. If your custom domain is the apex domain or www subdomain (for example, petsofnetlify.com or www.petsofnetlify.com), we automatically serve your site and provision a certificate for both domains, so be sure they both have records pointing to Netlify.

If you do see Server: Netlify in all response headers, but still receive this error, it may be caused by incorrect A records, which are addressed in the next message.

"Domain petsofnetlify.com has multiple A records"

Netlify provides only one IP address for you to point A records to Netlify. If you have multiple A records, this means that some traffic may go to non-Netlify IP addresses, which can cause the certificate provisioning or renewal to fail.

For more information on setting a proper A record with Netlify, refer to our documentation on external DNS configuration.

"petsofnetlify.com is not resolvable with a resolver that validates DNSSEC"

If you have added DNSSEC to your site, all records must resolve properly in order for Netlify to provision or renew the certificate. You can use the tools like DNSViz to troubleshoot this.

If you’re migrating an existing site and need to complete this process before changing the DNS settings, please get in touch.