Why is my domain not automatically generating an SSL certificate?

Information on why a domain may not be automatically generating an SSL certificate.
Last updated on November 7, 2024
Domains & DNS

If your DNS resolves to Vercel, then one of the common reasons for Vercel not automatically generating an SSL certificate for your domain is a missing CAA record.

Since we use Let's Encrypt for our automatic SSL certificates, you must add a CAA record with the value 0 issue "letsencrypt.org" if other CAA records already exist on your domain. Commonly, you may have multiple CAA records to allow different certification authorities.

Please also note that subdomains inherit CAA records. For example, a CAA record set on example.com will also apply to foo.example.com and any other subdomains, unless it's explicitly overridden on each subdomain level.

For issuing custom certificates, certificates via a Proxy or dual-purpose certificates, see How do I change CAA records when using the Vercel CNAME record?.

If the _acme-challenge.<YOUR_DOMAIN> record resolves to a provider other than Vercel, we will not be able to issue a certificate.

You can check if your domain currently has any CAA records by running the dig -t CAA +noall +ans example.com command on your terminal, or checking with Google Public DNS (change the RR Type to CAA and resolve).

If your website is proxied via a third party service, then this can also block our access to provision certificates. Please see our Proxy Guide for more information.

For any further questions or concerns, please contact Vercel Support using the support form available from the Vercel dashboard.

Couldn't find the guide you need?