Last updated
If you’re having trouble accessing your site at your custom domain or branch subdomain, there is likely a problem with your DNS or HTTPS setup. This page includes tips and information to help get things working properly.
The dig command line tool is the best tool for quickly diagnosing and understanding DNS responses. It is built into Linux and Mac, but can also be installed on Windows. Alternatively, you can use an online tool to .
NS1, the DNS provider backing Netlify DNS, has a great series of articles on to test and troubleshoot your DNS configuration.
A common DNS configuration issue is an inactive Netlify DNS zone. This prevents our service from creating or updating the automatic Let’s Encrypt SSL certificates for your custom domain. This can cause problems for branch subdomains. For more information, visit our Forums for a verified Support Guide on .
There are many reasons why adding a Netlify certificate or uploading a custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our will be happy to help out!
Most importantly, you’ll need to before Netlify can issue a certificate for you. Netlify must validate the domain in order to provision the certificate, and this step cannot be completed until the DNS records for your custom domain are pointing to our servers.
All previous DNS settings must have their cache timeouts expired. The on a DNS record determines how long the record may be cached. This cache must expire before your new DNS settings can be validated for certificate provisioning.
If your site is configured to go through another service (for example, using , or similar), you need to disable that routing before we can provision the certificate. Netlify must handle TLS termination to be able to provision a certificate.
It is possible that the name servers we use have some old cached values for your domain name. You can attempt to accelerate cache expiration for your domains using the provided by Google Public DNS.
It is possible that we will get a certificate for one name (for example, petsofnetlify.com) and not for another (for example, www.petsofnetlify.com or some domain alias). In this case selecting Renew certificate should resolve the issue. If it doesn‘t, please post in the so our support engineers can repair the certificate.
You can check the status of your certificate in Site settings > Domain management > HTTPS. If there is a problem with the certificate, you may find one of the error messages below. (We’re using petsofnetlify.com as an example.)
#"petsofnetlify.com doesn’t appear to be served by Netlify"
In all cases, you’re looking for a line that says Server: Netlify. Don’t forget to do this for each domain connected to your site. If your custom domain is the apex domain or www subdomain (for example, petsofnetlify.com or www.petsofnetlify.com), we automatically serve your site and provision a certificate for both domains, so be sure they both have records pointing to Netlify.
#"petsofnetlify.com is not resolvable with a resolver that validates DNSSEC"
In order to make sure that the site is served by Netlify, we examine the HTTP response headers. You can find this in your browser’s , using an , or with the following terminal command:
If you do see Server: Netlify in all response headers, but still receive this error, it may be caused by incorrect A records. For information on setting a proper A record with Netlify, refer to our documentation on .
Netlify DNS doesn’t support DNSSEC. To use Netlify DNS, disable DNSSEC with your domain registrar or previous DNS host. You can use tools like to figure out where DNSSEC is currently enabled. To keep DNSSEC enabled, you can stop using Netlify DNS and use instead.
