Cert Rejected: Certificate Transparency Log Mismatch
Chrome rejects an otherwise valid cert with NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED. The cert was issued but never logged to CT, or its SCTs are bad.
🌐 Domain, DNS & SSL Issues
DNS propagation, SSL delays, www vs root, CNAME mix-ups, canonical / sitemap / RSS still on old domain, duplicate domains indexed, platform differences.
"I changed DNS, but the site still won`t load" is the most-yelled help in indie hosting. This hub focuses on domain / DNS / SSL: A vs CNAME mix-ups, root vs www inconsistency, SSL cert delays, DNS propagation, hosting platform domain binding failures, MX overwrites, HTTPS not forced, Search Console property mismatch, canonical / sitemap / RSS / OG still pointing to the old domain, Vercel vs Firebase custom-domain quirks, and old deployment URLs still in search. Cross-linked with the Indie Dev / Domains DNS SSL, Firebase Hosting and Vercel Hosting hubs. Every article ships a 5-minute checklist.
Common problems
- DNS not propagated TTL / cache / multi-resolver check.
- SSL certificate pending CNAME / CAA / platform verification.
- Root domain vs www confusion Pick one canonical and 301 the other.
- CNAME record set incorrectly Root can`t use CNAME; use A or ALIAS.
- Domain points to wrong hosting provider Check Name Server / A record ownership.
- Redirects broken after domain change 301 must map URL patterns, not just root.
- HTTPS not forced HSTS + platform force + canonical https.
- Search Console property mismatch after new domain Create Domain property, migrate old.
- Canonical still uses old domain Site URL constant in template still old.
- Duplicate domain versions indexed http / https / www / non-www all indexed.
- Site opens intermittently after domain connect Multiple DNS records / CDN cache / platform propagation.
- Custom domain works on Vercel but not Firebase Both need verification; cert issuance differs.
- www and non-www both open separately No 301 + canonical not unified.
- Sitemap still references old domain Astro / Next config `site` still old.
- RSS / OG URLs still use placeholder domain Common on starter templates.
- Old deployment URL appears in search Vercel preview / Firebase web.app URL got indexed.
- CAA record blocks SSL certificate issuance dig caa to check; add/remove CAA so the target CA can sign.
- Wildcard DNS doesn't match deep subdomain Wildcards cover one level only; deep subs need their own.
In-depth articles in this hub
Cloudflare Orange Cloud vs Grey Cloud: Wrong Toggle Breaks Site
Toggling Cloudflare's proxy on or off changes whether traffic hits the edge or the origin. The wrong state breaks SSL, WebSockets, or apex CNAMEs subtly.
DNSSEC Validation Fails After Enabling at Registrar
You turned on DNSSEC and resolvers now return SERVFAIL. The DS at the registrar does not match the DNSKEY at your nameservers, breaking the chain.
HSTS Preload Stuck: Can't Roll Back HTTPS Even After Removal
You enabled HSTS preload then needed to roll back. Browsers still force HTTPS for years. Understand why, and what limited recovery actually exists.
IPv6 Users Can't Reach Site: AAAA Record Missing or Broken
IPv4 users reach the site fine but IPv6 users get timeouts. Either AAAA is absent, points to a dead address, or your firewall blocks v6. Fix dual-stack.
Subdomain NS Delegation Fails: Missing Glue Records
You delegated a subdomain to its own nameservers but resolution fails. The parent zone needs glue A/AAAA when NS targets live inside the subzone.
SSL Cert Auto-Renewal Failed Silently, Site Now Untrusted
Certbot or platform renewal stopped months ago. You only noticed when the browser flashed NET::ERR_CERT_DATE_INVALID. Find why and restore the cron.
Name Server vs DNS Records — Where Do I Actually Change Things (2026)
Beginners confuse name servers (NS) and individual DNS records (A, CNAME). Changing one without understanding the other causes hours of debugging.
SSL Mixed Content Warning in Browser
Site is on HTTPS but browser shows a "Not fully secure" warning. Caused by HTTP assets loaded on HTTPS pages.
TTL Too High Makes DNS Changes Slow
You changed DNS but it takes 24+ hours to propagate. Lowering TTL before changes makes propagation predictable.
MX Records Got Overwritten — Email Broken
You changed something at the DNS provider and now email stopped working.
Subdomain Not Resolving — blog.example.com Won't Load
You configured a subdomain but it doesn't resolve to your site.