Waiting on DNS propagation for a few days

Hi, we have the Netlify site name: preview-prod-openday-deakin.netlify.app
I have had CNAMED and configured the custom DNS pointing to this: preview-openday.deakin.edu.au

Waiting for the Let’s Encrypt cert, but it says: Waiting on DNS propagation
Hitting the Verify DNS button comes back with: DNS verification was successful
But on return it’s gone back to waiting on DNS propagation. I’ve already gone round in circles at least 3 times over a few days.

Thanks, please help.
Luciano.

Aha, I spotted the problem. That domain (deakin.edu.au) has settings that will prevent us from provisioning an SSL certificate for ANY host in the domain:

$ host -t CAA deakin.edu.au
deakin.edu.au has CAA record 0 issue "quovadisglobal.com"
deakin.edu.au has CAA record 0 issuewild "digicert.com"
deakin.edu.au has CAA record 0 issue "amazon.com"
deakin.edu.au has CAA record 0 issue "digicert.com"
deakin.edu.au has CAA record 0 issuewild "quovadisglobal.com"
deakin.edu.au has CAA record 0 iodef "mailto:its-systems@deakin.edu.au"

Your IT admins should be able to let you know if they are either:

  • willing to change this policy to include Let’s Encrypt, our SSL provider (details here on what they’d add: https://letsencrypt.org/docs/caa/)
  • or willing to set up a special setting for your specific domain, which they can do by adding a CAA record just for it, rather than changing the one for the whole school’s domain.
  • finally they could provide you with an SSL certificate to use that their vendor has generated for them.

Regardless, until that is resolved, we cannot provide SSL for you. I have a bug report on this information not turning up in the UI - sorry to hear you wasted so much time on it!

Thanks. Yes an error message in the UI would have made this quicker to diagnose :slight_smile:

For the second scenario, if we did go with that option, can I clarify that in principle, to keep this domain, we would do the following:
We would remove the existing CNAME on the sub-domain “preview-openday.deakin.edu.au”
Add a CAA record directly on that sub-domain to allow Let’s Encrypt to issue the cert
Then add an A record for the sub-domain “preview-openday.deakin.edu.au” pointing to Netlify (instead of a CNAME)

Being that if a domain has a CNAME it can’t have any other records?

Thanks, Luch.

Yup, I think you are correct since CNAME cannot coexist with other records. You don’t get the full benefits of our CDN with that configuration, but the A record you would use would be for our load balancer: 104.198.14.52.
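
The CAA lookup behind the diagnosis above, and the effect of the subdomain CAA record discussed in the follow-up, as an added example that is not part of the original thread or Netlify's own code. It follows the tree-climbing rule of RFC 8659 over inline zone data; the function names are hypothetical, `letsencrypt.org` is assumed as the CAA identifier documented on the Let's Encrypt page linked above, and CNAME aliases are not modelled (it matches the A-record setup).

```python
# CAA set for deakin.edu.au, copied from the `host -t CAA` output in the thread.
ZONE_NOW = {"deakin.edu.au": [
    (0, "issue", "quovadisglobal.com"), (0, "issuewild", "digicert.com"),
    (0, "issue", "amazon.com"), (0, "issue", "digicert.com"),
    (0, "issuewild", "quovadisglobal.com"),
    (0, "iodef", "mailto:its-systems@deakin.edu.au"),
]}
# Constructed: the same zone plus a CAA record on the subdomain itself.
ZONE_FIXED = dict(ZONE_NOW)
ZONE_FIXED["preview-openday.deakin.edu.au"] = [(0, "issue", "letsencrypt.org")]

def relevant_caa(name, zone):
    """Climb from name toward the root (RFC 8659 section 3); return the owner
    and records of the first non-empty CAA set, or (None, [])."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def may_issue(ca, name, zone):
    """True if the CA identified by `ca` may issue for `name`."""
    wildcard = name.startswith("*.")
    owner, records = relevant_caa(name[2:] if wildcard else name, zone)
    # An unrecognised property with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag not in ("issue", "issuewild", "iodef")
           for flags, tag, _ in records):
        return False
    issue = [v for _, tag, v in records if tag == "issue"]
    issuewild = [v for _, tag, v in records if tag == "issuewild"]
    # issuewild applies only to wildcard names and then replaces issue.
    props = issuewild if (wildcard and issuewild) else issue
    if not props:
        return True  # nothing in the relevant set restricts issuance
    # Value is "<ca domain>[; parameters]"; an empty domain authorises no one.
    return any(v.split(";")[0].strip().lower() == ca.lower() for v in props)

if __name__ == "__main__":
    host = "preview-openday.deakin.edu.au"
    for label, zone in (("current", ZONE_NOW), ("with subdomain CAA", ZONE_FIXED)):
        owner, _ = relevant_caa(host, zone)
        print(f"{label}: policy from {owner}, "
              f"letsencrypt.org allowed = {may_issue('letsencrypt.org', host, zone)}")
```

The subdomain's own CAA set replaces the parent's for that name rather than adding to it, so the CAs listed on deakin.edu.au are no longer authorised for preview-openday.deakin.edu.au unless they are repeated there.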