Is your SSL/TLS certificate not generating? Vercel can only issue SSL/TLS certificates for domains added to your project. If the domain is added but SSL/TLS isn’t working, it’s usually due to a misconfiguration. To help you resolve this quickly, we’ve created a checklist for troubleshooting.
Let’s Encrypt uses the HTTP‑01 challenge to issue SSL/TLS certificates for domains (except for wildcards, which use a DNS-based challenge and are covered below). To complete this process, Let’s Encrypt needs to be able to reach this path over plain HTTP on port 80:
http://YOUR-DOMAIN/.well-known/acme-challenge/*
If Let’s Encrypt can’t reach this path, the certificate can’t be issued. The most common causes are:
- Redirects or rewrites that affect /.well-known/acme-challenge/* (for example a catch-all rewrite to a single-page app, or a redirect that drops the path; a redirect that keeps the same path, such as http to https, is fine, because Let’s Encrypt follows redirects)
- A proxy, CDN, or firewall blocking the request
We don’t recommend placing a proxy in front of Vercel (learn more about why). If you have to use one, please read our guide on how to configure it correctly.
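The quickest way to see how the challenge path is being routed is to request it yourself with a random token and inspect the raw response without following redirects. The script below is an added example written for this article; it is not Vercel or Let’s Encrypt code, and its verdicts are heuristics (a random token shows how the path is routed, not whether a real challenge would pass). The domain passed to probe() is assumed to be the one added to your Vercel project, and the probe needs network access; classify() runs offline on a status code and headers.

```python
"""Probe a domain's ACME HTTP-01 challenge path the way a CA would, without following redirects.

Constructed for this article; not Vercel or Let's Encrypt code. The verdicts are heuristics:
a random token can only show how the path is routed, not whether a real challenge would pass.
"""
import secrets
import urllib.error
import urllib.request
from typing import Dict, Tuple
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx responses so the Location header can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then surfaces the 3xx as an HTTPError instead of following it


def _header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (servers vary in capitalisation)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(status: int, headers: Dict[str, str], token: str) -> Tuple[str, str]:
    """Map the response for a challenge URL with an unknown token to (verdict, explanation).

    'ok' and 'ok_redirect' mean the prefix reaches an origin that answers it; the other
    verdicts correspond to the misconfigurations listed in the article.
    """
    expected_path = CHALLENGE_PREFIX + token
    content_type = _header(headers, "Content-Type").lower()

    if 300 <= status < 400:
        location = _header(headers, "Location")
        # Let's Encrypt follows redirects, so http->https or host changes are fine
        # as long as the challenge path survives the redirect.
        if urlsplit(location).path == expected_path:
            return "ok_redirect", f"{status} to {location} keeps the challenge path"
        return "broken_redirect", f"{status} to {location!r} drops the challenge path"
    if status == 404:
        return "ok", "404 for an unknown token: the prefix is routed to the origin"
    if status == 200 and "text/html" in content_type:
        return "suspect_rewrite", "HTML for a random token suggests a catch-all rewrite (SPA fallback)"
    if status in (401, 403):
        return "blocked", f"{status}: a proxy, WAF or auth layer is refusing the request"
    if status >= 500:
        return "error", f"{status}: the origin or proxy failed; retry once it is healthy"
    return "unexpected", f"{status} {content_type or 'no content-type'}; inspect manually"


def probe(domain: str, token: str = "", timeout: float = 10.0) -> Tuple[str, str]:
    """Request http://<domain>/.well-known/acme-challenge/<token> on port 80 (needs network)."""
    token = token or secrets.token_urlsafe(32)
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(_NoRedirect)  # subclass replaces the default handler
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers), token)
    except urllib.error.HTTPError as err:  # any non-2xx, including the un-followed 3xx
        return classify(err.code, dict(err.headers), token)


if __name__ == "__main__":
    import sys

    verdict, why = probe(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    print(f"{verdict}: {why}")
```

Run it against the bare domain and, if you also added www, against that too: a "broken_redirect" or "suspect_rewrite" verdict almost always points at the proxy or redirect rule that is intercepting the challenge before it reaches Vercel.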
One of the most common issues is DNS misconfiguration. When your domain is hosted on Vercel or uses Vercel’s DNS, we automatically create the necessary records for you. However, if you use a third-party DNS provider, you will need to manually add the DNS records shown on your Project Domain page.
If DNS isn’t set up correctly, the SSL/TLS generation process won’t start. Below are some of the most common DNS issues. We will be using dig commands, but if you don’t have access to dig, you can use Google Public DNS, MXToolbox or a similar online lookup tool.
- The domain is configured with different nameservers than those of your DNS provider. To verify, check your nameserver settings with your registrar, in the ICANN Registration Lookup, or by running dig NS +short example.com. Records you add at a provider that is not authoritative for the domain are never seen by resolvers.
- The DNS records don’t match those in your Project Settings. Use dig A +short example.com (for apex domains) or dig CNAME +short www.example.com (for subdomains) to confirm. If the records aren’t visible, it may be due to propagation delays (usually resolved within a few hours) or zone file issues; in that case, contact your DNS provider.
- The CAA record is not allowing Let’s Encrypt to generate a certificate. Your domain’s CAA record must allow Let’s Encrypt to issue certificates. Check its value with dig CAA +short example.com. For authorization, the CAA record should look like this: 0 issue "letsencrypt.org". Note that if no CAA record exists on the domain or any of its parent domains, any CA may issue and no change is needed; the restriction only applies when CAA records exist and none of them names letsencrypt.org. Because the CAA lookup climbs to parent domains, also check the apex (and for wildcards, any issuewild records) when a subdomain itself has no CAA record.
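The CAA rules above have a few edge cases that are easy to get wrong by eye: a missing record set is permissive, a present set that omits letsencrypt.org is not, a restriction on a parent domain is inherited by every name beneath it, and issuewild overrides issue for wildcard names. The following is an added example written for this article (not Vercel or Let’s Encrypt code) that applies the RFC 8659 lookup to a record set and explains its decision. SAMPLE_ZONE is constructed data, not real DNS; fetch_zone_with_dig() is the one function that needs network access and a dig binary on PATH, and Let’s Encrypt’s own CAA checker is authoritative where the two differ.

```python
"""Decide from CAA records whether Let's Encrypt may issue for a name.

Constructed for this article, not Vercel or Let's Encrypt code. It applies the RFC 8659 lookup
(walk from the name to its parents, first non-empty CAA set wins) and the issue/issuewild
rules; Let's Encrypt's own CAA checker is authoritative where they differ.
"""
import subprocess
from typing import Dict, List, Optional, Tuple

LETSENCRYPT = "letsencrypt.org"
CAARecord = Tuple[int, str, str]        # (flags, tag, value) as printed by `dig CAA +short`
Zone = Dict[str, List[CAARecord]]       # CAA RRsets keyed by owner name


def parse_caa(line: str) -> Optional[CAARecord]:
    """Parse one `dig CAA +short` line such as '0 issue "letsencrypt.org"'.

    Returns None for lines that are not CAA records (e.g. the CNAME target that dig prints
    first when the queried name is an alias).
    """
    parts = line.strip().split(maxsplit=2)
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return int(parts[0]), parts[1].lower(), parts[2].strip('"')


def issuer_domain(value: str) -> str:
    """Issuer domain from a property value: parameters after ';' are dropped, ';' alone yields ''."""
    return value.split(";", 1)[0].strip().lower()


def relevant_caa_set(zone: Zone, name: str) -> Tuple[str, List[CAARecord]]:
    """Climb from `name` toward the root; return (owner, rrset) of the first non-empty CAA set."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return "", []


def may_issue(zone: Zone, name: str, ca: str = LETSENCRYPT) -> Tuple[bool, str]:
    """Return (allowed, reason) for a plain or wildcard (*.example.com) name."""
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name      # wildcard lookups start at the name under the '*'
    owner, rrset = relevant_caa_set(zone, base)
    if not rrset:
        return True, f"no CAA records on {base} or any parent; CAA does not restrict issuance"
    # A critical (flag 128) property the CA does not understand forbids issuance outright.
    for flags, tag, _ in rrset:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical CAA property '{tag}' at {owner} is not understood; issuance refused"
    tag = "issue"
    if wildcard and any(r[1] == "issuewild" for r in rrset):
        tag = "issuewild"                       # issuewild overrides issue for wildcard names
    issuers = [issuer_domain(r[2]) for r in rrset if r[1] == tag]
    if not issuers:
        return True, f"CAA set at {owner} has no {tag} property, so it does not restrict issuance"
    if ca in issuers:
        return True, f"CAA set at {owner} authorizes {ca} through {tag}"
    listed = ", ".join(i or "<no CA>" for i in sorted(issuers))
    return False, f'CAA set at {owner} limits {tag} to [{listed}]; add: 0 {tag} "{ca}"'


def fetch_zone_with_dig(name: str) -> Zone:
    """Query CAA for `name` and every parent with dig (needs network and a dig binary on PATH)."""
    base = name[2:] if name.startswith("*.") else name
    labels = base.rstrip(".").split(".")
    zone: Zone = {}
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        out = subprocess.run(["dig", "CAA", "+short", owner],
                             capture_output=True, text=True, check=True).stdout
        zone[owner] = [r for r in map(parse_caa, out.splitlines()) if r]
    return zone


# Constructed sample zone data (not real DNS) covering the cases discussed in the article.
SAMPLE_ZONE: Zone = {
    "example.com": [(0, "issue", "letsencrypt.org"), (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", "digicert.com")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"), (0, "issuewild", ";")],
}

if __name__ == "__main__":
    for n in ("www.example.com", "locked.example.com", "api.locked.example.com",
              "*.example.com", "*.wild.example.com"):
        print(n, may_issue(SAMPLE_ZONE, n))
```

In the sample data, www.example.com is allowed because it inherits the apex record, api.locked.example.com is refused because its parent restricts issuance to another CA, and *.wild.example.com is refused by an issuewild ";" even though the same name permits non-wildcard issuance. For a real domain, pass fetch_zone_with_dig("www.example.com") to may_issue() instead of SAMPLE_ZONE.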
If you’re requesting a wildcard SSL/TLS certificate (like *.subdomain.yourdomain.com), Let’s Encrypt uses the DNS-01 challenge: it validates a TXT record at _acme-challenge.<your domain> instead of fetching the HTTP path above, so Vercel must be able to manage that record in your zone. It’s important to follow this guide if you are not using Vercel’s nameservers: Can I use wildcard domains without switching to Vercel Nameservers?
Keep in mind: Even if your SSL/TLS certificate was generated successfully before, any changes to the domain, DNS or proxy since then can prevent it from generating now.