Let's Encrypt SSL stuck on provisioning for over 12 hours

Site Name: jonathang.me, jongia132.netlify.app
I’m having an issue where my Let’s Encrypt SSL is stuck on provisioning. There is currently a custom SSL from Sectigo installed but I wish to switch it to Let’s Encrypt. It has been over 12 hours and I am not sure what to do. All my DNS records are fine and the Domain panel detects all the domains correctly pointed to the Netlify CDN.

Hi, @jongia132, I think you might be actively working on this because things keep changing.

First, the site currently works when I test. But it didn’t for the apex/bare/root domain when I first checked:

I did a DNS look for the apex/bare/root domain and got nothing, just the SOA record:

$ dig jonathang.me A

; <<>> DiG 9.10.6 <<>> jonathang.me A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59166
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 512
;jonathang.me.			IN	A

jonathang.me.		1799	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 1595834521 43200 3600 604800 3601

;; Query time: 97 msec
;; WHEN: Mon Jul 27 00:25:36 PDT 2020
;; MSG SIZE  rcvd: 114

However, it is working now just a few minutes later:

$ dig jonathang.me A +noall +answer

; <<>> DiG 9.10.6 <<>> jonathang.me A +noall +answer
;; global options: +cmd
jonathang.me.		299	IN	A
jonathang.me.		299	IN	A

Our external DNS documentation recommends two DNS records. If an ALIAS type record for the apex domain isn’t supported we recommend an A record for the apex domain and a CNAME for the www subdomain, similar to the records below:

jonathang.me.		    1800	IN	A
www.jonathang.me.		1800	IN	CNAME	jongia132.netlify.app

I find the CNAME record:

$ dig www.jonathang.me +noall +answer

; <<>> DiG 9.10.6 <<>> www.jonathang.me +noall +answer
;; global options: +cmd
www.jonathang.me.	1798	IN	CNAME	jongia132.netlify.app.
jongia132.netlify.app.	19	IN	A
jongia132.netlify.app.	19	IN	A

For the apex/bare/root domain I see the what appears to be an ALIAS record working (because it returns two IP address and both of them are for our CDN nodes).

Note, this keeps flapping (changing from working to non-working). The DNS record are now gone again just in the time it took me to write this:

$ dig jonathang.me A +noall +answer

; <<>> DiG 9.10.6 <<>> jonathang.me A +noall +answer
;; global options: +cmd

Are you actively making changes? Please consider that time to live values (TTLs) will potentially cause delays to changes.

If there are any questions for us, please let us know.

Yes, I was recently making changes to see if I can get the SSL to issue. I have now stopped making changes to the DNS and the records should work now. As for the Apex domain, I am indeed using an ALIAS record.

Would you be able to reset the SSL status so I can manage my custom SSL?

Hi, @jongia132, done! ​Please let us know if there is more we can do to assist with this or if there are any questions.

Nope, that would be all.

Thank you!

1 Like