You bound your custom domain on Vercel / Firebase / Netlify. The dashboard shows “SSL certificate pending” or the site loads via HTTP fine but HTTPS shows NET::ERR_CERT_AUTHORITY_INVALID. It’s been 30 minutes, then an hour. Certificate issuance via Let’s Encrypt (which most platforms use) requires two things to succeed: (1) DNS must point at the platform, (2) the platform must successfully serve the HTTP-01 or DNS-01 challenge. Most stuck SSL cases trace to one of these failing silently — DNS not fully propagated, a CAA record blocking the CA, or a CDN/proxy intercepting the challenge.
Common causes
Ordered by hit rate, highest first.
1. DNS isn’t propagated yet
The CA validating the HTTP-01 challenge fetches http://yourdomain.com/.well-known/acme-challenge/<token> over plain HTTP on port 80 (a redirect to HTTPS is followed, but the first request is HTTP, so port 80 must reach the platform). Let’s Encrypt resolves the name itself, from several network vantage points, so what matters is that your authoritative nameservers already serve the new record and that the old record’s TTL has expired from caches. Until then the challenge request lands on the old host and the CA records a failure.
How to spot it:
dig yourdomain.com +short
If it doesn’t yet show the platform’s IP/CNAME, DNS isn’t propagated. Ask a public resolver (dig’s @resolver option) as well as your default one; your LAN or ISP resolver may still hold the old answer after the authoritative servers have changed.
2. CAA record blocks Let’s Encrypt
If your DNS has CAA records like 0 issue "digicert.com", only DigiCert may issue, and every other CA is required to refuse the request, so Let’s Encrypt’s attempt fails. CAA is inherited: the CA uses the closest CAA record set walking up from the name through its parents, so a CAA record on the parent domain restricts every subdomain that has none of its own. A record of 0 issue ";" forbids all CAs.
How to spot it:
dig CAA yourdomain.com
If you see CAA records and none allow letsencrypt.org, that’s it. If the stuck name is a subdomain, run the same query against the parent domain too; that is where the blocking record usually lives.
3. Cloudflare proxy (orange cloud) intercepts the challenge
When Cloudflare proxies the record, the name resolves to Cloudflare’s edge, not to the platform. The platform’s own DNS check then sees Cloudflare IPs instead of the A/CNAME values it expects and typically reports the domain as misconfigured, and the CA’s challenge request is answered by Cloudflare’s edge (serving Cloudflare’s certificate, and subject to any "Always Use HTTPS" or redirect rule you have set) rather than directly by the platform.
How to spot it: dig returns addresses that aren’t the platform’s (Cloudflare edge IPs), and in Cloudflare DNS your A/CNAME for the apex domain has the orange cloud (proxied). For initial cert issuance, this must be off.
4. Wrong record type for platform requirement
Vercel for apex: requires A record. For www: CNAME. Firebase: similar. If you set CNAME where A is required, cert issuance can’t complete.
How to spot it: Compare your record types to your platform’s docs. Specifically Vercel: apex must be A 76.76.21.21; www must be CNAME cname.vercel-dns.com.
5. Domain isn’t yet verified on the platform
Some platforms require explicit domain ownership verification (TXT record) before issuing SSL. If you added the domain but skipped the verification step, the dashboard may say “pending” forever.
How to spot it: Platform dashboard → look for “Verify ownership” or “Domain not verified” prompts.
6. AAAA record points elsewhere
You have an A record pointing correctly but an AAAA (IPv6) record still pointing at the old host. When an AAAA record exists, Let’s Encrypt tries IPv6 first, so the challenge request goes to the old host and validation fails even though the A record is right.
How to spot it:
dig AAAA yourdomain.com
If you have AAAA pointing elsewhere, remove or update it.
7. HSTS from the old setup
If the old host sent a Strict-Transport-Security header (or the domain is on the browser preload list), the browser refuses plain HTTP for the domain and shows the certificate error with no "proceed" option. This doesn’t affect cert issuance at all, but it makes the site look fully down when only the certificate is missing, and it can keep showing the error for a while after the cert is issued if the browser has cached the failure.
How to spot it: a browser with no history for the domain (a fresh profile) or a command-line client loads http://yourdomain.com fine, while your usual browser refuses to even try HTTP. A dynamic HSTS entry can be deleted from the browser’s HSTS store (chrome://net-internals/#hsts in Chrome); a preload-list entry cannot be cleared locally and requires a removal request that takes months, so in that case just wait for issuance to finish.
Shortest path to fix
Step 1: Verify DNS via dig
dig yourdomain.com +short # A record
dig CNAME www.yourdomain.com +short # CNAME for www
Both should return the platform’s expected values. If they show your old host’s IP, DNS isn’t fully there.
Step 2: Check CAA
dig CAA yourdomain.com
If you see something restrictive like 0 issue "digicert.com", either add 0 issue "letsencrypt.org" alongside it or remove the CAA records entirely (no CAA records means any CA can issue). Repeat the check on the parent domain if the stuck name is a subdomain, since CAA is inherited from the closest ancestor that has records. Then wait for the old CAA record’s TTL to expire before re-triggering; the CA’s resolvers cache it like any other record.
Step 3: Disable Cloudflare proxy temporarily
In Cloudflare DNS → for the domain root and www → click the orange cloud icon → turn grey (DNS only). Wait 1-2 minutes. Re-trigger cert issuance in platform dashboard.
Once the cert is issued, you can re-enable the proxy (orange cloud). Renewal uses the same HTTP-01 challenge, and it succeeds through the proxy only as long as Cloudflare passes plain-HTTP requests for /.well-known/acme-challenge/ through to the platform unmodified (no redirect, rewrite or cache rule on that path). Let’s Encrypt certificates last 90 days and platforms renew them well before expiry, so if the domain drops back to "pending" weeks later, the proxy settings are the first thing to re-check.
Step 4: Confirm record types match platform docs
Vercel apex: A 76.76.21.21. Vercel www: CNAME cname.vercel-dns.com. Don’t put a CNAME at the apex: a CNAME cannot coexist with any other record at the same name, and the apex always carries SOA and NS records, so the zone is invalid. Some DNS providers offer ALIAS/ANAME/CNAME-flattening records for the apex; use those only if your platform’s docs say they work, otherwise use the A record.
For Netlify, Firebase, etc., follow their docs exactly. Don’t improvise.
Step 5: Re-trigger cert issuance
After fixing DNS / CAA / proxy:
- Vercel: Domain settings → click “Refresh” or remove and re-add the domain.
- Netlify: Domain management → “Verify DNS configuration” → “Provision certificate.”
- Firebase: Hosting → Domains → wait for status to update (no manual trigger button).
Step 6: Wait 15min - 1h
Most platforms re-attempt issuance every 5-15 minutes. Don’t keep removing/re-adding the domain: that resets the queue position, and every failed attempt counts against Let’s Encrypt’s rate limit of 5 failed validations per account, per hostname, per hour, after which the platform cannot retry until the window passes.
Step 7: If still stuck, contact platform support
After 4+ hours with verified DNS, CAA clear, and proxy off, file a support ticket. Include:
- Domain name
- DNS dig output
- CAA dig output
- Timestamp when you added the domain
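The checks in causes 1, 2, 3, 4 and 6 and in Steps 1-4 above, collected into one script, as an added example that is not part of the original page. The decision functions work on the text dig prints, so they can be exercised offline with constructed records; only check_domain performs live lookups, and it runs only when you pass an apex domain as the first argument. The expected values are the Vercel ones quoted on this page (other platforms: substitute the values from their docs). The public resolver 1.1.1.1, the made-up challenge token "probe", and the idea of reading the server header to tell Cloudflare or an old host apart from the platform are this example’s assumptions, not anything the page or Vercel specify.

```sh
#!/bin/sh
# Added example, not from the original page. Pure functions decide from
# dig-style text so they run offline; only check_domain does live lookups,
# and it runs only when an apex domain is passed as $1.

# Expected Vercel values from the page. Other platforms: take these from
# the platform's docs (assumption: apex is an A record, www is a CNAME).
EXPECTED_APEX_A="76.76.21.21"
EXPECTED_WWW_CNAME="cname.vercel-dns.com."

# caa_permits CA RDATA
#   RDATA is what `dig +short CAA name` prints, one record per line, e.g.
#   0 issue "digicert.com". Returns 0 if CA may issue a non-wildcard cert.
#   RFC 8659 rules: no records -> any CA; no `issue` tags -> unrestricted
#   (issuewild governs wildcards only); issue ";" -> nobody may issue;
#   parameters after ';' (e.g. validationmethods=) are ignored here.
caa_permits() {
    printf '%s\n' "$2" | awk -v ca="$1" '
        NF == 0 { next }
        { n++ }
        $2 == "issue" {
            has_issue = 1
            v = $3; gsub(/"/, "", v); sub(/;.*/, "", v)
            if (tolower(v) == tolower(ca)) ok = 1
        }
        END { if (n == 0 || !has_issue || ok) exit 0; exit 1 }'
}

# caa_relevant_rrset NAME: walk up the parents until a non-empty CAA set
#   is found, stopping short of the TLD; that set is what the CA consults
#   (cause 2 hides in the parent zone more often than in the apex).
caa_relevant_rrset() {
    name="$1"
    while [ "${name#*.}" != "$name" ]; do
        out=$(dig +short CAA "$name" 2>/dev/null)
        if [ -n "$out" ]; then printf '%s\n' "$out"; return 0; fi
        name="${name#*.}"
    done
    return 1
}

# a_record_ok IP OUTPUT: OUTPUT is `dig +short A apex`. The expected IP
#   must be present and nothing else; an old-host or Cloudflare edge IP
#   in the list is what causes 1, 3 and 4 look like in dig.
a_record_ok() {
    seen=0; extra=0
    for ip in $2; do
        if [ "$ip" = "$1" ]; then seen=1; else extra=1; fi
    done
    [ "$seen" -eq 1 ] && [ "$extra" -eq 0 ]
}

# cname_ok TARGET OUTPUT: first line of `dig +short CNAME www.apex`,
#   compared case-insensitively and ignoring the trailing dot.
cname_ok() {
    want=$(printf '%s' "${1%.}" | tr 'A-Z' 'a-z')
    got=$(printf '%s\n' "$2" | awk 'NR == 1 { print $1 }' | tr 'A-Z' 'a-z')
    got="${got%.}"
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# aaaa_stale OUTPUT: any AAAA at all is a problem unless the platform's
#   docs gave you an IPv6 address, because the CA tries IPv6 first.
aaaa_stale() {
    [ -n "$(printf '%s' "$1" | tr -d '[:space:]')" ]
}

# check_domain APEX: live version of Steps 1-4, printing the dig output a
#   Step 7 ticket needs. Asks a public resolver (assumed: 1.1.1.1) so you
#   see what the CA sees rather than your LAN resolver's cache.
check_domain() {
    apex="$1"; r="@1.1.1.1"
    date -u "+%Y-%m-%dT%H:%M:%SZ checking $apex"
    a=$(dig +short $r A "$apex");              printf 'A     %s\n' "$a"
    aaaa=$(dig +short $r AAAA "$apex");        printf 'AAAA  %s\n' "$aaaa"
    cn=$(dig +short $r CNAME "www.$apex");     printf 'CNAME %s\n' "$cn"
    caa=$(caa_relevant_rrset "$apex" || true); printf 'CAA   %s\n' "$caa"
    a_record_ok "$EXPECTED_APEX_A" "$a" ||
        echo "FAIL apex A != $EXPECTED_APEX_A (cause 1, 3 or 4)"
    ! aaaa_stale "$aaaa" ||
        echo "FAIL AAAA present, remove it (cause 6)"
    cname_ok "$EXPECTED_WWW_CNAME" "$cn" ||
        echo "FAIL www CNAME != $EXPECTED_WWW_CNAME (cause 1 or 4)"
    caa_permits letsencrypt.org "$caa" ||
        echo "FAIL CAA does not permit letsencrypt.org (cause 2)"
    # The challenge path as the CA fetches it: plain HTTP, made-up token.
    # A 404 from the platform is fine; a Cloudflare server header, a
    # redirect, or the old host answering is the problem.
    curl -sS -o /dev/null -D - --max-time 10 \
        "http://$apex/.well-known/acme-challenge/probe" |
        grep -iE '^(HTTP|server|location)'
}

if [ $# -ge 1 ]; then check_domain "$1"; fi
```

Run it as sh check-domain.sh yourdomain.com and paste its output into the support ticket; the timestamp line plus the raw A/AAAA/CNAME/CAA answers are exactly the evidence listed above. The CAA function deliberately ignores issuewild because the apex and www names are not wildcards; if you are issuing a wildcard certificate, the issuewild tags take over and the DNS-01 challenge, not HTTP-01, is required.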
Prevention
- Don’t set CAA records unless you have a specific reason; if you do, include all CAs your platform might use (Let’s Encrypt, Sectigo, etc.).
- Don’t enable Cloudflare proxy until after the initial cert is issued.
- Verify DNS via dig before checking platform dashboard — if DNS isn’t right, cert won’t issue.
- Use record types exactly as platform docs specify; don’t substitute CNAME for A.
- Keep a domain-setup.md runbook for new domains with the exact steps for your platform.
Related
- Custom domain SSL delay
- What is SSL certificate
- CAA record blocks SSL certificate issuance
- DNS not propagated
Tags: #Troubleshooting #DNS #Debug #SSL