Domains & HTTPS /

DNS & HTTPS troubleshooting tips

If you’re having trouble accessing your site at your custom domain or branch subdomain, there is likely a problem with your DNS or HTTPS setup. This page includes tips and information to help get things working properly.

# DNS configuration

The dig command line tool is a great tool for quickly diagnosing and understanding DNS responses. It is built into Linux and Mac, but can also be installed on Windows. Alternatively, you can use an online tool to run dig in the browser.

NS1, the DNS provider backing Netlify DNS, has a great series of articles on using DIG to test and troubleshoot your DNS configuration.

# Inactive Netlify DNS zone

A common DNS configuration issue is an inactive Netlify DNS zone. This prevents our service from creating or updating the automatic Let’s Encrypt SSL certificates for your custom domain. This can cause problems for branch subdomains. For more information, visit our Forums for a verified Support Guide on how to detect and fix inactive Netlify DNS zones.

# Custom certificate not working for automatic deploy subdomain

If a custom certificate is not working for your automatic deploy subdomain, ensure your certificate includes any new subdomains used for automatic deploy subdomains.

For example, for the automatic deploy subdomain , your custom certificate should include the domains *, * and not just *

Learn more about custom certificates and automatic deploys subdomains.

# Certificates and HTTPS

There are many reasons why adding a Netlify certificate or uploading a custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our Support team will be happy to help out!

  1. Most importantly, you’ll need to configure the DNS for the custom domain before Netlify can issue a certificate for you. Netlify must validate the domain in order to provision the certificate, and this step cannot be completed until the DNS records for your custom domain are pointing to our servers.

  2. All previous DNS settings must have their cache timeouts expired. The TTL setting on a DNS record determines how long the record may be cached. This cache must expire before your new DNS settings can be validated for certificate provisioning.

  3. If your site is configured to go through another service (for example, using Cloudflare “accelerate and protect”, or similar), you need to disable that routing before we can provision the certificate. Netlify must handle TLS termination to be able to provision a certificate.

  4. It is possible that the name servers we use have some old cached values for your domain name. You can attempt to accelerate cache expiration for your domains using the Flush Cache tool provided by Google Public DNS.

  5. It is possible that we will get a certificate for one name (for example, and not for another (for example, or some domain alias). In this case selecting Renew certificate should resolve the issue. If it doesn’t, please post in the Netlify Support Forums so our support engineers can repair the certificate.

# HTTPS error messages

You can check the status of your certificate in

. If there is a problem with the certificate, you may find one of the error messages below. (We’re using as an example.)

# “ doesn’t appear to be served by Netlify”

In order to make sure that the site is served by Netlify, check the HTTP response headers.

  1. Examine the HTTP response headers in your browser’s dev tools, using an online checker, or with the following terminal command:

    curl -s -v 2>&1 | grep -i server
  2. Check for a line that says server: Netlify.

  3. Repeat this for each domain connected to your site. If your custom domain is the apex domain or www subdomain (for example, or, we automatically serve your site and provision a certificate for both domains, so be sure they both have records pointing to Netlify.

The next steps depend on what you find in the HTTP response headers.

  • If you do find server: Netlify in all response headers, but still receive this error, it may be caused by incorrect A records. For information on setting a proper A record with Netlify, refer to our documentation on external DNS configuration.

  • If you don’t find server: Netlify in all response headers, and you’ve eliminated the common problem sources listed above, please contact support.

# “ is not resolvable with a resolver that validates DNSSEC”

Netlify DNS doesn’t support DNSSEC. To use Netlify DNS, disable DNSSEC with your domain registrar or previous DNS host. You can use tools like DNSViz to figure out where DNSSEC is currently enabled. To keep DNSSEC enabled, you can stop using Netlify DNS and use external DNS instead.