SSL Certificate for branch subdomain

Hi, after some change in the infra we moved our DNS to Aws and we’d like to have a certificate for Thanks team :slight_smile:

Hey @Sceat,
We’d be happy to do this, but it does look like you’re still using Netlify DNS for that site. You can see the “Netlify DNS” badge here:

And here’s the DNS zone in the Netlify UI:

If you’ve moved to AWS, you should create DNS records there that point to Netlify… and then delete the DNS zone in the Netlify UI. Here are more detailed instructions:

Let us know when that’s done and we’ll move forward with the SSL certificate for

Nameservers are not on netlify so any record here should not have any effect i guess, my records seems well pointed, it’s just that the branch deploy give an invalid certificate name error


Hi, @Sceat. There are two methods for doing verification of domains to issue SSL certificates using the APIs from the Let’s Encrypt service we use.

There is an HTTP based verification and a DNS based verification. If you create a DNS zone at Netlify for a domain, even if it isn’t active, this causes our APIs to use the DNS based verification which will always fail because our DNS isn’t being used.

To summarize, for the reasons described above the inactive DNS zone must be deleted before the SSL certificate can be updated to include this branch subdomain.

1 Like

Yup i deleted all records i could manually delete

You can delete the whole zone at the bottom of the DNS page :wink:!

It’s done, but now i can’t enable branch subdomains anymore

Hi, @Sceat, for any custom domain not using Netlify DNS this can be done using the following process:

In other words, there are two options:

  • use Netlify DNS for the domain
  • use any third-party DNS service and use the manual process described above

Technically, a third option is to acquire a wildcard SSL certificate from a third-party and then upload that certificate to the site settings at Netlify (Site Name > Settings > Domain management > HTTPS). The downsides of this are either cost and/or a manual process to update the certificate before it is scheduled to expire.

We’ve extended the SSL certificate to include If there are other branch subdomains to add, please let us know.

1 Like