DNS & HTTPS troubleshooting tips
If you’re having trouble accessing your site at your custom domain or branch subdomain, there is likely a problem with your DNS or HTTPS setup. This page includes tips and information to help get things working properly.
DNS configuration
The dig command line tool is a quick way to diagnose and understand DNS responses. It is built into Linux and Mac, and can also be installed on Windows. Alternatively, you can use an online tool to run dig in the browser.
NS1, the DNS provider backing Netlify DNS, has a great series of articles on using DIG to test and troubleshoot your DNS configuration.
Inactive Netlify DNS zone
A common DNS configuration issue is an inactive Netlify DNS zone. This prevents our service from creating or updating the automatic Let’s Encrypt SSL certificates for your custom domain. This can cause problems for branch subdomains. For more information, visit our Forums for a verified Support Guide on how to detect and fix inactive Netlify DNS zones.
Custom certificate not working for automatic deploy subdomain
If a custom certificate is not working for your automatic deploy subdomain, ensure your certificate includes any new subdomains used for automatic deploy subdomains.
For example, for the automatic deploy subdomain early-access.company.com, your custom certificate should include the domains *.company.com and *.early-access.company.com, not just *.company.com.
Learn more about custom certificates and automatic deploy subdomains.
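A wildcard certificate name stands for exactly one leftmost label, which is why *.company.com alone does not cover hostnames one level below early-access.company.com. The script below is an added example, not Netlify tooling: it lists which hostnames a certificate's subjectAltName entries fail to cover. The function names, the cert.pem path and the hostnames you pass in are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Netlify tooling. cert.pem and the hostnames are placeholders.

# cert_sans FILE: print the DNS names in a PEM certificate's subjectAltName.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# san_matches PATTERN HOST: succeed if one SAN entry covers HOST.
# A leading "*." stands for exactly one label, so it never spans two levels
# and never matches the bare parent domain. Partial-label wildcards are not handled.
san_matches() {
    pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pattern" in
        \*.*)
            suffix=${pattern#\*}       # "*.company.com" -> ".company.com"
            label=${host%%.*}          # leftmost label of the hostname
            rest=${host#"$label"}      # everything after that label
            [ -n "$label" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]
            ;;
    esac
}

# uncovered_hosts "SAN SAN ..." HOST...: print each HOST that no SAN covers.
# Runs in a subshell with globbing off so "*" in a SAN is never expanded.
uncovered_hosts() (
    set -f
    sans=$1; shift
    for h in "$@"; do
        covered=no
        for s in $sans; do
            if san_matches "$s" "$h"; then covered=yes; break; fi
        done
        [ "$covered" = yes ] || printf '%s\n' "$h"
    done
)

# Usage: sh check-sans.sh cert.pem HOST...
if [ "$#" -ge 2 ]; then
    cert=$1; shift
    uncovered_hosts "$(cert_sans "$cert")" "$@"
fi
```

Any hostname the script prints needs another name or wildcard added to the certificate before you upload it.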
Certificates and HTTPS
There are many reasons why adding a Netlify certificate or uploading a custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our Support team will be happy to help out!
-  Most importantly, you’ll need to configure the DNS for the custom domain before Netlify can issue a certificate for you. Netlify must validate the domain in order to provision the certificate, and this step cannot be completed until the DNS records for your custom domain are pointing to our servers. 
-  All previous DNS settings must have their cache timeouts expired. The TTL setting on a DNS record determines how long the record may be cached. This cache must expire before your new DNS settings can be validated for certificate provisioning. 
-  If your site is configured to go through another service (for example, using Cloudflare “accelerate and protect”, or similar), you need to disable that routing before we can provision the certificate. Netlify must handle TLS termination to be able to provision a certificate. 
-  It is possible that the name servers we use have some old cached values for your domain name. You can attempt to accelerate cache expiration for your domains using the Flush Cache tool provided by Google Public DNS. 
-  It is possible that we will get a certificate for one name (for example, petsofnetlify.com) and not for another (for example, www.petsofnetlify.com or some domain alias). In this case selecting Renew certificate should resolve the issue. If it doesn’t, please post in the Netlify Support Forums so our support engineers can repair the certificate.
HTTPS error messages
You can check the status of your certificate in Domain management > HTTPS. If there is a problem with the certificate, you may find one of the error messages below. (We’re using petsofnetlify.com as an example.)
“petsofnetlify.com doesn’t appear to be served by Netlify”
To make sure that the site is served by Netlify, check the HTTP response headers.
-  Examine the HTTP response headers in your browser’s dev tools, using an online checker, or with the following terminal command: curl -s -v http://your-newly-configured-hostname.com 2>&1 | grep -i server
-  Check for a line that says server: Netlify.
-  Repeat this for each domain connected to your site. If your custom domain is the apex domain or www subdomain (for example, petsofnetlify.com or www.petsofnetlify.com), we automatically serve your site and provision a certificate for both domains, so be sure they both have records pointing to Netlify.
The next steps depend on what you find in the HTTP response headers.
-  If you do find server: Netlify in all response headers, but still receive this error, it may be caused by incorrect A records. For information on setting a proper A record with Netlify, refer to our documentation on external DNS configuration.
-  If you don’t find server: Netlify in all response headers, and you’ve eliminated the common problem sources listed above, please contact support.
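The header check described above, repeated over every domain connected to a site, as an added example that is not Netlify's own tooling. It matches only a header named server, whereas grep -i server also matches any other line that contains the word. The function names and the FETCH override are assumptions of the example.

```shell
#!/bin/sh
# Added example, not Netlify tooling: list the hostnames that do not answer
# with a "server: Netlify" response header.

# has_netlify_server: read raw response headers on stdin; succeed only if a
# header named exactly "server" has the value "Netlify" (case-insensitive).
has_netlify_server() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "server" && tolower($2) == "netlify" { found = 1 }
        END { exit !found }'
}

# fetch_headers HOST: dump the response headers for http://HOST to stdout.
fetch_headers() {
    curl -s -o /dev/null -D - --max-time 10 "http://$1"
}

# FETCH names the command used to get headers. It is an assumption of this
# example, overridable so the logic can be exercised without network access.
FETCH=${FETCH:-fetch_headers}

# not_on_netlify HOST...: print each host whose response lacks the header.
# A host that does not resolve or times out is printed too.
not_on_netlify() {
    for host in "$@"; do
        "$FETCH" "$host" | has_netlify_server || printf '%s\n' "$host"
    done
}

# Usage: sh check-server.sh petsofnetlify.com www.petsofnetlify.com
if [ "$#" -gt 0 ]; then
    not_on_netlify "$@"
fi
```

Empty output means every hostname answered with server: Netlify; a printed hostname is one whose DNS records to check first.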
“petsofnetlify.com is not resolvable with a resolver that validates DNSSEC”
Netlify DNS doesn’t support DNSSEC. To use Netlify DNS, disable DNSSEC with your domain registrar or previous DNS host. You can use tools like DNSViz to figure out where DNSSEC is currently enabled. To keep DNSSEC enabled, you can stop using Netlify DNS and use external DNS instead.