How can I fix/troubleshoot Let's Encrypt certification provisioning failure?

Greetings:

We launched a site last week, and everything seems to be resolving correctly, and to my knowledge we have set everything up using the recommended Netlify approach:

Primary Domain:
www.mtcrimevictimhelp.org
www CNAME mlsa.netlify.com

Apex Domain (Redirects automatically to primary domain)

mtcrimevictimhelp.org A 104.198.14.52

Both of those resolve correctly, and correctly auto-direct everything to WWW.

In the Netlify dashboard, we see:

DNS verification was successful
We’re ready to provision a TLS certificate from Let’s Encrypt and install it on our CDN.

But then:

We could not provision a Let’s Encrypt certificate for your custom domain.

I’ve searched the forums but can’t figure out where to go from here, because everything seems set up correctly as far as I can see.

Any advice or other things I can try? Thank you!

Hi @broeker! Welcome to the Netlify community.

I believe the IPv6 record on your bare domain is creating a conflict when our system tries to issue the cert.

$ host mtcrimevictimhelp.org
mtcrimevictimhelp.org has address 104.198.14.52
mtcrimevictimhelp.org has IPv6 address 2620:12a:8000::4

If you remove that IPv6 address the cert should get issued. Please give that a try and let us know how it goes!

Thank you – sadly the DNS is not under my control so I’m not sure how that AAAA record ended up in there but I’ve sent a request to have their team remove this entry, hopefully then our cert will work. Thanks again.

Hi @laura the DNS was updated to remove the IPv6 address but still having the same problem:

host mtcrimevictimhelp.org
mtcrimevictimhelp.org has address 104.198.14.52

Still seeing “DNS verification was successful” followed by the same error as above when attempting to generate the cert.

Any other ideas here? Thanks!

Hi, @broeker, I’m showing the SSL certificate was updated just around the time of the post above.

Is it working now?

Most delays in DNS record changes are caused by the time to live or TTL values in the DNS records themselves. If there are other questions about this, please let us know.

@luke ah, yes, it does in fact seem to have been installed and is now working like a charm. Thanks again for the help Team Netlify!
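
The check behind the diagnosis in this thread, as an added example that is not part of the original posts or Netlify's tooling: it audits `host` output for address records that do not match the expected load balancer IP, so a stray AAAA record is caught before retrying certificate provisioning. The function name `audit_host_output` and its output format are assumptions made for illustration; the sample inputs are the two `host` outputs posted above.

```shell
#!/usr/bin/env bash
# Added example: audit `host` output for address records that do not point
# at the expected load balancer before retrying certificate provisioning.

# Sample inputs embedded for offline use: the two `host` outputs from this thread.
BEFORE='mtcrimevictimhelp.org has address 104.198.14.52
mtcrimevictimhelp.org has IPv6 address 2620:12a:8000::4'
AFTER='mtcrimevictimhelp.org has address 104.198.14.52'

# audit_host_output EXPECTED_IPV4 [EXPECTED_IPV6]   (hypothetical helper)
# Reads `host NAME` output on stdin. Prints one line per finding and
# returns 1 if any address record points somewhere unexpected or the
# expected A record is missing; returns 0 when the record set is clean.
audit_host_output() {
    local want4="$1" want6="${2:-}" seen4=0 bad=0 line addr
    while IFS= read -r line; do
        case "$line" in
            *" has IPv6 address "*)
                addr="${line##* }"            # last word is the address
                if [ -z "$want6" ] || [ "$addr" != "$want6" ]; then
                    echo "UNEXPECTED AAAA $addr"
                    bad=1
                fi
                ;;
            *" has address "*)
                addr="${line##* }"
                if [ "$addr" = "$want4" ]; then
                    seen4=1
                else
                    echo "UNEXPECTED A $addr"
                    bad=1
                fi
                ;;
        esac
    done
    if [ "$seen4" -eq 0 ]; then
        echo "MISSING A $want4"
        bad=1
    fi
    return "$bad"
}

# Live use (needs network): host mtcrimevictimhelp.org | audit_host_output 104.198.14.52
printf '%s\n' "$BEFORE" | audit_host_output 104.198.14.52 || echo "fix DNS before retrying"
printf '%s\n' "$AFTER"  | audit_host_output 104.198.14.52 && echo "record set is clean"
```

A clean result only reflects the resolver that answered; other resolvers can keep serving the old record until its TTL expires.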