Branch Subdomain and SSL Certificate

I have a Netlify site here:

I am using Netlify DNS and I enabled branch deploys and am using a different git branch to deploy on the subdomain here:

The SSL certificate works great for the sf-goso domain, but it doesn’t work for the offline-master.sf-goso subdomain and I can’t determine why not.

I did some Googling and think I might need to add a wildcard or new specific DNS record, but I can’t seem to get it to work. Here is a screenshot of the dns records:

Any help is greatly appreciated!

Hi @t9e-syd! Welcome to our Community!

Your DNS set up is perfect. Our system should have issued you a wildcard SSL certificate since you are using Netlify DNS but that had not yet happened. I went it and got that working for you and now is covered by the certificate. And any new subdomains you add should also be covered by that cert automatically.

Please let us know how things are looking on your end now.

Hi @laura,

I’m having a similar issue, where my top level domain ( ssl is working, but not on my subdomain ( Would you mind taking a look?


As far as I can tell, no DNS is configured for that hostname, nor is it applied to a Netlify site, both of which are required for us to get a certificate for it. What site of ours do you intend to show at that hostname, and have you configured it both in DNS and by adding that name to the list of sitenames in your site’s custom domains settings page?

I have a branch subdomain staging and I’ve configured the DNS by following this post.

Is there any way to have that subdomain with https automatically?
I’ve tried adding it to the Custom domains and renewed the certificate but then it seems it sometimes points to the production branch instead of the staging.

The only way, currently, to get the SSL certificate automatically updated to cover the branch subdomain is to use our Managed DNS.

The reason adding the branch subdomain as a “custom domain” isn’t working reliably is because the subdomain becomes an alias for the production version of the site, not the branch version.

If you are using the manual configuration instructions (meaning any DNS service other than Netlify’s), a support ticket is required to extend the SSL certificate.

1 Like

Thanks! Makes sense and I’ll try to use Netlify’s DNS service the next time.

@luke assuming you (as I am) are using the manual configuration, and need to create a support ticket, can that only be done on a paid plan? Or can someone on a free tier do that (if so, how?)

@joewoodhouse, please create a new “topic” (aka post) in the Admin category. If you want to keep the domain name secret (because it is preview/testing or otherwise not ready for the public) then ask for a direct message (DM) in the topic and we’ll exchange information privately that way.

Awesome thanks @luke

@joewoodhouse, I’m running into issues updating the SSL certificate and we’ll have another update here as soon as we know more.

I’m also having issues with my subdomain :confused:
Would you mind helping please?

Hi, @jahirfiquitiva, there is an inactive Netlify DNS zone for this domain ( here:

This domain is not using Netlify DNS:		21600	IN	NS		21600	IN	NS		21600	IN	NS		21600	IN	NS

This means the Netlify DNS zone above must be deleted. This can be done using the “Delete DNS zone” button at the bottom of the page linked to above.

Inactive DNS zones do prevent SSL certificate renewals.

Once the inactive zone has been deleted, please let us know and we can get the SSL certificate updated to include The instructions for domains not using Netlify DNS (like this domain) can be found here:

You don’t need to do anything (except delete the inactive DNS zone).

All the required steps listed in the “[common issue]” topic above are complete already. The only thing blocking our support team from updating the SSL certificate is the inactive DNS zone. Once it is deleted, we can complete the setup of the certificate.

@luke @fool hi folks! Could you add SSL for Branch subdomain please?
Thank you!

Hi, @html5cat. We’d be happy to do so. There are a series of requirements that must be met before this is possible as listed in the support guide linked to above.

The second step is: “2. Create the DNS record with your current DNS provider.”

However, the required DNS record doesn’t exist yet:

$ dig  +noall +answer

; <<>> DiG 9.10.6 <<>> +noall +answer
;; global options: +cmd

There is no answer when the DNS lookup is made. Before we can extend the SSL certificate to cover this domain, the DNS record must be created.

​Please let us know when the record has been created and/or if there are any questions.

Ops, deleted too many things. Added the CNAME back, thank you! Should propagate soon.

You probably heard it a million times, but here’s my favourite haiku:

It’s not DNS
There’s no way it’s DNS
It was DNS

1 Like

Hi, @html5cat, I also see the DNS record now and the SSL certificate has been extended to cover If there is more we can do to assist, please let us know.

1 Like

Thank you so much! :paw_prints:

1 Like

Hi @html5cat . I’ve setup a new site with a custom domain of and also a branch subdomain on Would it be possible to fix the SSL certificate for Appreciate it.

hi there, we took care of that for you!