
Troubleshoot SSL and HTTPS

Learn how to troubleshoot SSL and HTTPS issues so that your web project can be securely served over HTTPS.

To check your SSL certificate status:

  1. From your Project overview dashboard, go to Domain management > HTTPS.

If you’re seeing any of these error messages or issues, this guide will help you get unstuck.

  • “We could not provision a Let’s Encrypt certificate for your custom domain”
  • Certificate stuck on “Waiting on DNS propagation” for more than 48 hours
  • “DNS verification failed” when provisioning certificate
  • “Missing certificate” or certificate won’t provision after clicking [Provision certificate]
  • “Your domain doesn’t appear to be served by Netlify”
  • “HTTPS not working or showing ‘connection not secure’ warnings”
  • “Certificate provisioning has been pending for over 24 hours”

If you’re experiencing any of these issues, follow the troubleshooting steps below.

When you add a custom domain, Netlify automatically attempts to issue an SSL certificate. If the initial attempt fails, we retry every 10 minutes for the first 24 hours, then once every hour for the following two days.

However, if a certificate isn’t created within the first 24 hours, there’s likely a DNS misconfiguration that needs your attention.

Most SSL certificate errors stem from incorrect DNS settings. Here’s what to verify:

If you’re using external DNS:

  • Your A Record for your bare domain should point to 75.2.60.5
  • Your CNAME record for www should have the value [sitename].netlify.app

If you’re using Netlify DNS:

  • Verify you’re using Netlify name servers at your registrar or DNS provider
  • Find your site’s Netlify name servers by following this Support Guide

Even if your DNS settings look correct in your provider’s dashboard, you need to confirm they’ve propagated globally. Follow the steps outlined in our Docs.

For external DNS:

  • Use DNSchecker.org to check your bare domain (e.g., example.com) with A record type — should return 75.2.60.5
  • Check your www subdomain with CNAME record type — should return [sitename].netlify.app
  • Alternatively, use the host command in your terminal

For Netlify DNS:

  • Use DNSchecker.org with NS (name server) record type for your bare domain
  • You should see your Netlify name servers listed
  • Or run whois in your terminal

Critical: Check which locations show your updated DNS records. You need 100% correct DNS records propagated globally before a certificate can be provisioned. If old records still exist in some locations, you’ll need to wait for them to expire. Read more about propagation in this Support Guide.

If DNS propagation looks complete but you’re still getting errors, use Let’s Debug to identify specific issues.

To check the status of your domain in our SSL certificate provider, Let’s Encrypt:

  1. Go to the Let’s Debug site.
  2. Enter your project’s domain name. (The custom domain you want to serve over HTTPS, such as cats.com at https://cats.com.)

Leftover AAAA records (IPv6):

  • These often remain from previous hosting
  • Netlify’s load balancer doesn’t support IPv6
  • Solution: Remove all AAAA records at your domain registrar or DNS host

Multiple A records:

  • If you added Netlify’s load balancer IP (75.2.60.5), make sure you deleted any other A records
  • Multiple A records on the apex domain will cause certificate failures
  • Solution: Keep only the single A record pointing to 75.2.60.5

DNSSEC conflicts:

  • Netlify DNS doesn’t support DNSSEC
  • Solution: Disable DNSSEC at your domain registrar
  • Use DNSViz to determine where DNSSEC is enabled

CAA record restrictions:

  • CAA records control who can provision SSL certificates for your domain
  • If your CAA record doesn’t include Let’s Encrypt, certificate provisioning will fail
  • Solution: Update your CAA record to allow Let’s Encrypt, or remove the CAA record entirely
  • Check CAA records using host command or DNSchecker.org
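
As an added example (not Netlify's own tooling), the shell functions below apply the multiple A record, leftover AAAA and CAA checks from this list to lookup output. They assume answers in `dig +short` format, one record per line; the sample records and the `ca.example.net` issuer are constructed for illustration.

```shell
#!/bin/sh
# Added example: apply this page's A, AAAA and CAA checks to lookup output.
# Each function takes answers as $1, e.g. check_caa "$(dig +short example.com CAA)".
NETLIFY_LB_IP="75.2.60.5"   # load balancer IP given on this page

# Apex A records: exactly one, pointing at the load balancer.
check_apex_a() {
    printf '%s\n' "$1" | awk -v want="$NETLIFY_LB_IP" '
        NF { n++; if ($1 == want) hit = 1 }
        END {
            if (n == 0)     print "missing"
            else if (n > 1) print "multiple-a-records"
            else if (hit)   print "ok"
            else            print "wrong-ip"
        }'
}

# AAAA records: any answer at all is a leftover to remove.
check_aaaa() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print (n ? "remove-aaaa" : "ok") }'
}

# CAA: with no "issue" property, issuance is unrestricted (RFC 8659);
# otherwise letsencrypt.org (Let's Encrypt's CAA identifier) must be listed.
check_caa() {
    printf '%s\n' "$1" | awk '
        tolower($2) == "issue" {
            restricted = 1
            v = ""
            for (i = 3; i <= NF; i++) v = v $i   # value without whitespace
            gsub(/"/, "", v)                     # drop quotes
            sub(/;.*$/, "", v)                   # drop issuer parameters
            if (tolower(v) == "letsencrypt.org") allowed = 1
        }
        END {
            if (!restricted)  print "unrestricted"
            else if (allowed) print "allowed"
            else              print "blocked"
        }'
}

# Constructed sample answers (not real lookups): a migrated domain with a
# stale second A record, a stale AAAA record and a restrictive CAA record.
SAMPLE_A="75.2.60.5
203.0.113.10"
SAMPLE_AAAA="2001:db8::10"
SAMPLE_CAA='0 issue "ca.example.net"
0 iodef "mailto:hostmaster@example.com"'
printf 'A=%s AAAA=%s CAA=%s\n' "$(check_apex_a "$SAMPLE_A")" "$(check_aaaa "$SAMPLE_AAAA")" "$(check_caa "$SAMPLE_CAA")"
```

A result of `blocked` covers both a CAA set that names only other issuers and one that forbids all issuance with `0 issue ";"`.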

For a comprehensive checklist when setting up or migrating DNS, see the Netlify blog migration guide.

For additional DNS troubleshooting resources, see:

[Support Guide] Compiled resources for production domains on Netlify and DNS settings

If you’ve worked through these troubleshooting steps and are still encountering issues, please reach out to Netlify Support with the following information:

  • Your web project name (also called site name)
  • Whether you’re using External DNS or Netlify DNS
  • A summary of the troubleshooting steps you’ve taken