Certificate is taking more than 24 hours

Provisioning certificate for site “amazing-goldstine-ca2496” is taking more than 24 hours

Also, you guys are awesome :slight_smile:

hi there, it seems to be working for me? also thanks for the kudos!

Hi Perry,

oh you’re right, I see on the netlify domain it works, but I actually meant on my domain - hoopsai.com which is under netlify DNS and works properly except for the SSL cert.

hey @amiram,

I’ve checked using DNS Propagation Test for hoopsai.com - Explore the results and I can see that the changes to your DNS haven’t yet propagated globally. Hang in there, buddy!

Hi, @amiram, it might look like that domain is using Netlify DNS but it isn’t.

You can see the authoritative name servers in the WHOIS data for the domain:

$ whois hoopsai.com | grep -i "name server"
   Name Server: NS-1405.AWSDNS-47.ORG
   Name Server: NS-2040.AWSDNS-63.CO.UK
   Name Server: NS-396.AWSDNS-49.COM
   Name Server: NS-792.AWSDNS-35.NET
Name Server: NS-792.AWSDNS-35.NET
Name Server: NS-396.AWSDNS-49.COM
Name Server: NS-1405.AWSDNS-47.ORG
Name Server: NS-2040.AWSDNS-63.CO.UK 

Another test is to use my favorite command-line tool for troubleshooting DNS, the dig command, and do a traced lookup for the domain:

$ dig hoopsai.com +trace

; <<>> DiG 9.10.6 <<>> hoopsai.com +trace
;; global options: +cmd
.			24237	IN	NS	a.root-servers.net.
.			24237	IN	NS	b.root-servers.net.
.			24237	IN	NS	c.root-servers.net.
.			24237	IN	NS	d.root-servers.net.
.			24237	IN	NS	e.root-servers.net.
.			24237	IN	NS	f.root-servers.net.
.			24237	IN	NS	g.root-servers.net.
.			24237	IN	NS	h.root-servers.net.
.			24237	IN	NS	i.root-servers.net.
.			24237	IN	NS	j.root-servers.net.
.			24237	IN	NS	k.root-servers.net.
.			24237	IN	NS	l.root-servers.net.
.			24237	IN	NS	m.root-servers.net.
.			24237	IN	RRSIG	NS 8 0 518400 20200722050000 20200709040000 46594 . MAQLWJwjqu+ShN599sxX76mVjhPOHn53NyqN5FkZz1eMWbfcsd0akvoT FuIDckjDh02zhis4jsEMzSjfapcy+nSKLHZKQRqz8LitLfNunqF3dun7 mTrIe5a5LtDJRKY6aI9A+8hQKsjEoZDN4++zTNLTXLbfJEzSgsB2F0bT OUGVwd/vn49ToYAXq1H3CBCMUTrOgHVTOdj3g+USAZYI5Q3dVo9+Ej7b 8qeZRErkIyOn+6EUfl0ZCTay67gHE/XkzjYHaKirFE796XXmmdj3wTaC 1CgShzg+qLQmhcucMbaRfbqAI8hhxQv1VW+VGf0YySmXspnG1jSkguDB bWlRBw==
;; Received 525 bytes from 8.8.8.8#53(8.8.8.8) in 19 ms

com.			172800	IN	NS	a.gtld-servers.net.
com.			172800	IN	NS	b.gtld-servers.net.
com.			172800	IN	NS	c.gtld-servers.net.
com.			172800	IN	NS	d.gtld-servers.net.
com.			172800	IN	NS	e.gtld-servers.net.
com.			172800	IN	NS	f.gtld-servers.net.
com.			172800	IN	NS	g.gtld-servers.net.
com.			172800	IN	NS	h.gtld-servers.net.
com.			172800	IN	NS	i.gtld-servers.net.
com.			172800	IN	NS	j.gtld-servers.net.
com.			172800	IN	NS	k.gtld-servers.net.
com.			172800	IN	NS	l.gtld-servers.net.
com.			172800	IN	NS	m.gtld-servers.net.
com.			86400	IN	DS	30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.			86400	IN	RRSIG	DS 8 1 86400 20200722170000 20200709160000 46594 . EO8WQVSXCJWWr/b/jRN3t0xxYBlj4WOGzPZK9naAOJhzMURGutaCz3SK AO0ahzkghni0BGdU46NTPw9SU93v1ym/ZNz8LRbuY4CX/JnCLtPOiayP Ci1uVQwe9M+6OFrs5naQEAz9diGZI2dUekskNMB7SJLH9UM2JFhN0vc1 aylyl8g0pk/zxvALPUpTUz7sAoDq+x3HWllGFYAT/Oq5ekUgn4akqCab 8KKEo9t0mH2MTpNRC5XAdpLsKv9XMNGVIeSN5nOOy6x2psWzepUJHcdA 1kat0M8eRIR+2ueA+XnkmKyHBuOnTupuhW4DuTXj34EIRNC47F5gDePB xM9xmA==
;; Received 1171 bytes from 199.7.83.42#53(l.root-servers.net) in 34 ms

hoopsai.com.		172800	IN	NS	ns-396.awsdns-49.com.
hoopsai.com.		172800	IN	NS	ns-792.awsdns-35.net.
hoopsai.com.		172800	IN	NS	ns-1405.awsdns-47.org.
hoopsai.com.		172800	IN	NS	ns-2040.awsdns-63.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200716044215 20200709033215 39844 com. Zvm3tKpn83ZaKuC3Q1VM+i159Fcb3rxk2T2fhfvpsLXPwmk7mfjvhLiX XgUPCDts3QmvpVktPiIJSO8a/BGTnP9dmnwR3YipJPICUV417dxSyXhQ vR4qlK9pCHiCou1F800mx3EoM258aWh+skeR3A3R56fvPYIoc58JdZBC I+c4y+j2U3sp9lm5c0GNmfW1rxiDYQTv8tABCGAVuy3GrA==
8G58BL80FDELAU6LFKS79HEDUTEGQ9IT.com. 86400 IN NSEC3 1 1 0 - 8G58P51S8LJG99GFILOJ6TDDB1T1H388  NS DS RRSIG
8G58BL80FDELAU6LFKS79HEDUTEGQ9IT.com. 86400 IN RRSIG NSEC3 8 2 86400 20200713044708 20200706033708 39844 com. itw/vlx7aesHQ1lkucQ8i/AawgQdkW1vPyAtTSFAe5/jQFmhlK1uIS2T NQl9RSCWR9FBSQz90xGKMMu3zl4bBIFP4bxpXNkNWavUsx2yzy4A8wom jDzlwqTHsrV5VR4ZIpEQOWVV5YYFmHtMhAXITpLFYKELoZ7mGlqMPG+2 Bzch75AoM6udbefarMrKlqMhlrPd6U6I+vZFe/XE0fQ5xQ==
;; Received 742 bytes from 192.35.51.30#53(f.gtld-servers.net) in 42 ms

hoopsai.com.		300	IN	A	104.198.14.52
hoopsai.com.		172800	IN	NS	dns1.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns2.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns3.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns4.p02.nsone.net.
;; Received 145 bytes from 205.251.193.140#53(ns-396.awsdns-49.com) in 21 ms

Those last lines are the important ones, the lines below:

hoopsai.com.		300	IN	A	104.198.14.52
hoopsai.com.		172800	IN	NS	dns1.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns2.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns3.p02.nsone.net.
hoopsai.com.		172800	IN	NS	dns4.p02.nsone.net.
;; Received 145 bytes from 205.251.193.140#53(ns-396.awsdns-49.com) in 21 ms

Yes, this lists the Netlify DNS name servers, but look which server actually answered the query:

;; Received 145 bytes from 205.251.193.140#53(ns-396.awsdns-49.com) in 21 ms

The answer didn’t come from Netlify DNS, it came from AWS Route 53. Why? Because while the NS records for Netlify were added, the authoritative name servers were not changed or replaced.

This is shown by an earlier block in the dig +trace output:

hoopsai.com.		172800	IN	NS	ns-396.awsdns-49.com.
hoopsai.com.		172800	IN	NS	ns-792.awsdns-35.net.
hoopsai.com.		172800	IN	NS	ns-1405.awsdns-47.org.
hoopsai.com.		172800	IN	NS	ns-2040.awsdns-63.co.uk.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A  NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200716044215 20200709033215 39844 com. Zvm3tKpn83ZaKuC3Q1VM+i159Fcb3rxk2T2fhfvpsLXPwmk7mfjvhLiX XgUPCDts3QmvpVktPiIJSO8a/BGTnP9dmnwR3YipJPICUV417dxSyXhQ vR4qlK9pCHiCou1F800mx3EoM258aWh+skeR3A3R56fvPYIoc58JdZBC I+c4y+j2U3sp9lm5c0GNmfW1rxiDYQTv8tABCGAVuy3GrA==
8G58BL80FDELAU6LFKS79HEDUTEGQ9IT.com. 86400 IN NSEC3 1 1 0 - 8G58P51S8LJG99GFILOJ6TDDB1T1H388  NS DS RRSIG
8G58BL80FDELAU6LFKS79HEDUTEGQ9IT.com. 86400 IN RRSIG NSEC3 8 2 86400 20200713044708 20200706033708 39844 com. itw/vlx7aesHQ1lkucQ8i/AawgQdkW1vPyAtTSFAe5/jQFmhlK1uIS2T NQl9RSCWR9FBSQz90xGKMMu3zl4bBIFP4bxpXNkNWavUsx2yzy4A8wom jDzlwqTHsrV5VR4ZIpEQOWVV5YYFmHtMhAXITpLFYKELoZ7mGlqMPG+2 Bzch75AoM6udbefarMrKlqMhlrPd6U6I+vZFe/XE0fQ5xQ==
;; Received 742 bytes from 192.35.51.30#53(f.gtld-servers.net) in 42 ms

These are the authoritative name servers for the domain as answered by f.gtld-servers.net (and the same ones as shown in the WHOIS data).

So, how do you fix it? :+1:

The solution here is to replace the existing authoritative name servers at the domain registrar with the NS records for the Netlify DNS zone.

For AWS Route 53, I believe the instructions for doing this can be found here:

If that doesn’t work, please let us know.
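The comparison walked through in the post above, as an added example (not part of the original post and not Netlify tooling): a POSIX shell function that reads `dig +trace` output and reports whether the NS set delegated by the parent zone matches the NS set published by the server that answered. The function name `check_delegation` and the trimmed sample trace are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the delegation handed out by the parent zone with
# the NS set published by the server that actually answered.

# Constructed sample: the trace from the thread, trimmed (DNSSEC records dropped).
sample_trace() {
cat <<'EOF'
com. 172800 IN NS a.gtld-servers.net.
;; Received 1171 bytes from 199.7.83.42#53(l.root-servers.net) in 34 ms

hoopsai.com. 172800 IN NS ns-396.awsdns-49.com.
hoopsai.com. 172800 IN NS ns-792.awsdns-35.net.
hoopsai.com. 172800 IN NS ns-1405.awsdns-47.org.
hoopsai.com. 172800 IN NS ns-2040.awsdns-63.co.uk.
;; Received 742 bytes from 192.35.51.30#53(f.gtld-servers.net) in 42 ms

hoopsai.com. 300 IN A 104.198.14.52
hoopsai.com. 172800 IN NS dns1.p02.nsone.net.
hoopsai.com. 172800 IN NS dns2.p02.nsone.net.
hoopsai.com. 172800 IN NS dns3.p02.nsone.net.
hoopsai.com. 172800 IN NS dns4.p02.nsone.net.
;; Received 145 bytes from 205.251.193.140#53(ns-396.awsdns-49.com) in 21 ms
EOF
}

# check_delegation DOMAIN: reads `dig DOMAIN +trace` output on stdin.
# Exit 0 = sets match, 1 = mismatch, 2 = not enough NS data to compare.
check_delegation() {
  awk -v dom="$1." '
    # Collect NS targets for the domain within the current response block.
    $1 == dom && $4 == "NS" { cur = cur " " tolower($5); next }
    # A ";; Received ... (server)" line closes a block and names the responder.
    /^;; Received/ {
      srv = $0; sub(/^.*\(/, "", srv); sub(/\).*$/, "", srv)
      if (cur != "") { prev = last; last = cur; responder = tolower(srv) "." }
      cur = ""
    }
    END {
      if (prev == "") { print "UNKNOWN fewer than two NS blocks"; exit 2 }
      n = split(prev, p, " "); m = split(last, z, " ")
      for (i = 1; i <= m; i++) inzone[z[i]] = 1
      same = (n == m)
      for (i = 1; i <= n; i++) if (!(p[i] in inzone)) same = 0
      if (same) { print "OK delegation matches zone NS set"; exit 0 }
      printf "MISMATCH responder=%s delegated:%s zone:%s\n", responder, prev, last
      exit 1
    }'
}
```

Against a live domain, pipe the real trace in: `dig hoopsai.com +trace | check_delegation hoopsai.com`. A server that omits NS records from its answer produces the UNKNOWN result rather than a false match.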

Thanks @luke and everyone, all sorted out! had a bit of a mess since the domain registrar originally was GoDaddy, then I updated the DNS way back to Route 53 (but didn’t move the domain) and now updating to Netlify.

Hey @luke, ran into a new issue that’s more urgent - netlify added api.hoopsai.com as a system record that cannot be managed directly, don’t know why but it overrides a different record. How can it be removed?

Hi, @amiram, all the NETLIFY type DNS records have been unlocked and you can delete them now in the web app.

Note, we can only do this for existing records so if you need to delete a different (meaning new) NETLIFY type record in the future, please reply here to let us know (or make a new topic under #admin) and we’ll unlock those new records as well.

As always, if there are other questions we’re happy to answer.

Perfect! much appreciated!
