HTTPS on Custom Domains

Netlify offers free HTTPS on all sites, and will enable it automatically on all Netlify-managed domains.

HTTPS brings a lot of advantages:

  • HTTP/2: Boost your sites’ performance — HTTP/2 requires HTTPS.
  • SEO: Google search results prioritize sites with HTTPS enabled.
  • Analytics: HTTPS-enabled sites will not send referral data to sites without HTTPS enabled.
  • Content Integrity: Without SSL, free Wi-Fi services can inject ads into your pages.
  • Security: If you have a login on a Single Page App or accept form submissions, HTTPS is essential for your users’ security and privacy.

Types of Service

Netlify offers three different ways of providing a certificate for HTTPS.

Managed SSL is offered to all Netlify sites for free. Find details for this in the Netlify Certificates section.

Custom SSL is a way for you to provide an SSL certificate that matches your specifications — things like a wildcard certificate or an Extended Validation (EV) certificate. If you’d like to provide your own custom certificate, see Custom Certificates below for more details.

Dedicated IP SSL is available on our enterprise plans for people who do not want to use SNI-based certificates. If you want your own unique certificate available to all browsers without requiring SNI and without a shared certificate as fallback, please contact us.

Netlify Certificates

When you create a new site on Netlify, it’s instantly secured at the Netlify-generated URL (for example, https://brave-curie-67195.netlify.com). If you add a custom domain, we will automatically provision a certificate with Let’s Encrypt, enabling HTTPS on your domain. Certificates are generated and renewed automatically as needed.

In rare circumstances, there can be problems when provisioning an SSL certificate for some domains. You can check the status of your site’s SSL certificates from the site dashboard, at Settings > Domain management > HTTPS.

If you’re having trouble with the automatic provisioning, try the troubleshooting steps and error message guide at the end of this page.

Domain Aliases

Your certificate will include all your domain aliases when it’s issued, but note that DNS also needs to be configured IN ADVANCE for all aliases for us to include them on your certificate. See the troubleshooting section below for more information on confirming the new configuration.

Note: If you have more than 5 aliases that are subdomains of the same domain, you might run into rate limits with our SSL provider. In that case we recommend you provide your own wildcard certificate using Netlify Managed DNS, or contact support for our assistance in getting them set up with our SSL provider. Please do this before adding any aliases for best results!

Custom Certificates

If you already have a certificate for your domain and prefer that to Netlify’s domain-validated certificate, you can install your own.

To install a certificate, you’ll need:

  • the certificate itself, in X.509 PEM format (usually a .crt file)
  • the private key you used to request the certificate
  • a chain of intermediary certificates from your Certificate Authority (CA)

In your site dashboard, under Settings > Domain management > HTTPS, select Set Custom Certificate, then enter the information above.

Note: When the time comes to renew your custom certificate, Netlify cannot do this automatically. You will need to renew it at your Certificate Authority, then follow the steps above to install it on your Netlify site. For automatic renewal, you can switch to a Netlify certificate.

Netlify validates that the certificate matches the custom domain for your site and that the DNS record for the domain is pointed at Netlify, then installs your certificate. If your certificate covers several of your sites (in other words, if it’s a wildcard certificate or uses Subject Alternative Names), you can install it on one site, and it will apply to all other sites covered by the certificate.

HTTP/2

When HTTPS is enabled for your site, Netlify supports HTTP/2, a new internet protocol engineered for faster web performance. You can read more about it on our blog.

HSTS Preload

Most major browsers use a list of predefined domains to automatically connect to websites using HTTPS. This list is called the HTTP Strict Transport Security (HSTS) preload list. Your site can be included in this list if you follow the requirements in hstspreload.org:

  • Your custom domain must be accessible in the www subdomain. For example: www.petsofnetlify.com.
  • You must include this header in your _headers file or netlify.toml file:

    Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

When this is set, the browser assumes that your site, along with all subdomains, can be accessed using HTTPS, and it will force those connections. Please be aware that this action is effectively irreversible, as described at hstspreload.org.
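As an added check that is not part of the Netlify docs or tooling, the following Python parses a Strict-Transport-Security value and reports which of the hstspreload.org header requirements it misses (the one-year minimum max-age is the value hstspreload.org publishes; the sample header values are constructed):

```python
"""Validate an HSTS header value against the hstspreload.org header requirements.
Added example, not Netlify code. Covers the header only; hstspreload.org also
requires a valid certificate and an HTTP-to-HTTPS redirect on the domain."""

# hstspreload.org requires max-age of at least one year (31536000 seconds).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into {directive_name_lowercase: value}.
    Valueless directives (includeSubDomains, preload) map to True."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else True
    return directives


def preload_problems(value: str) -> list:
    """Return the reasons the header would not qualify for the preload list;
    an empty list means the header meets the requirements."""
    d = parse_hsts(value)
    problems = []
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not str(max_age).isdigit():
        problems.append("max-age directive missing or not an integer")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age={max_age} is below the one-year minimum ({PRELOAD_MIN_MAX_AGE})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed samples: the value from the text above, and a weaker one.
    for hdr in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(hdr, "->", preload_problems(hdr) or "meets the preload header requirements")
```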

SNI and Legacy Browsers

Netlify’s standard HTTPS handling relies on a browser standard called Server Name Indication, or SNI. It makes provisioning and verifying certificates more efficient, but it’s not supported on very old browsers, like Internet Explorer 7 on Windows XP, or Android 4. Site visitors using these browsers will encounter a security message on your site before they can access it over HTTPS. You might also experience issues with certain automated tools, like PhantomJS below 2.0 (early 2015).

If you don’t want to use an SNI-based certificate for your site, Netlify’s enterprise plans offer the option for a traditional dedicated IP SSL. Please contact us for more information.

Troubleshooting

There are many reasons why adding a Netlify certificate or uploading a custom certificate might not work. The common causes are listed below, but if they don’t seem to apply to you or you have additional questions, our Support team will be happy to help out!

  1. Most importantly, you’ll need to configure the DNS for the custom domain before Netlify can issue a certificate for you. Netlify must validate the domain in order to provision the certificate, and this step cannot be completed until the DNS records for your custom domain are pointing to our servers.

  2. All previous DNS settings must have their cache timeouts expired. The TTL setting on a DNS record determines how long the record may be cached. This cache must expire before your new DNS settings can be validated for certificate provisioning.

  3. If your site is configured to go through another service (for example, using CloudFlare “acceleration and protection”, or similar), Netlify cannot handle SSL termination, which it must do to provision a certificate. You need to disable that routing before we can provision the certificate.

  4. It is possible that the name servers we use have some old cached values for your domain name(s). You can attempt to accelerate cache expiration for your domains using this tool: https://developers.google.com/speed/public-dns/cache.

  5. It is possible that we will get a certificate for one name (for example, petsofnetlify.com) and not for another (for example, www.petsofnetlify.com or some domain alias). In this case you must contact support so we can repair the certificate.

Troubleshooting with error messages

You can check the status of your certificate in your site dashboard at Settings > Domain management > HTTPS. If there is a problem with the certificate, you may find one of the error messages below. (We’re using petsofnetlify.com as an example.)

  • petsofnetlify.com doesn’t appear to be served by Netlify

    In order to make sure that the site is served by Netlify, we examine the HTTP response headers. You can find this in your browser’s dev tools, using an online checker, or with the following terminal command:

    curl -s -v http://your-newly-configured-hostname.com 2>&1 | grep Server

    In all cases, you’re looking for a line that says Server: Netlify. Don’t forget to do this for each domain connected to your site. If your custom domain is the root domain or www subdomain (for example, petsofnetlify.com or www.petsofnetlify.com), we automatically serve your site and provision a certificate for both domains, so be sure they both have records pointing to Netlify.

    If you do see Server: Netlify in all response headers, but still receive this error, it may be caused by incorrect A/AAAA records, which are addressed in the next two messages.

  • Domain petsofnetlify.com has multiple A records

    Netlify provides only one IP address for you to point A records to Netlify. If you have multiple A records, this means that some traffic may go to non-Netlify IP addresses, which can cause the certificate provisioning or renewal to fail.

    For more information on setting a proper A record with Netlify, refer to our custom domains documentation.

  • Domain petsofnetlify.com has an AAAA (IPv6) record

    Netlify does not provide IPv6 records, so if the domain has an AAAA (IPv6) record, it is pointing to another destination. All traffic for the domain must point to Netlify, or the certificate provisioning will fail. Refer to the custom domains documentation for proper configuration options.

  • petsofnetlify.com is not resolvable with a resolver that validates DNSSEC

    If you have added DNSSEC to your site, all records must resolve properly in order for Netlify to provision or renew the certificate. You can use tools like DNSViz to troubleshoot this.

    If you’re migrating an existing site and need to complete this process before changing the DNS settings, please get in touch.
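The checks behind the four messages above can be run before adding a domain. The following Python is an added example, not Netlify tooling: lookup() gathers a hostname's A and AAAA answers and Server header from the local resolver and an HTTP request, and provisioning_problems() reports which messages apply; the IP addresses in the sample are constructed, and DNSSEC validity is not determined by the lookup (pass dnssec_ok=False when DNSViz reports a failure).

```python
"""Pre-check a custom domain against the certificate-provisioning conditions
described above. Added example, not part of Netlify's documentation or code."""
import socket
import urllib.request

NETLIFY_SERVER_HEADER = "Netlify"


def lookup(host: str) -> dict:
    """Live lookup: A/AAAA answers from the local resolver and the Server header."""
    def addrs(family):
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, family)})
        except OSError:          # no answer for this address family
            return []
    try:
        with urllib.request.urlopen(f"http://{host}", timeout=10) as resp:
            server = resp.headers.get("Server", "")
    except OSError:
        server = ""
    return {"a_records": addrs(socket.AF_INET),
            "aaaa_records": addrs(socket.AF_INET6),
            "server_header": server}


def provisioning_problems(domain, a_records, aaaa_records, server_header, dnssec_ok=True):
    """Return the dashboard error messages that would apply to this domain."""
    problems = []
    if (server_header or "").strip().lower() != NETLIFY_SERVER_HEADER.lower():
        problems.append(f"{domain} doesn't appear to be served by Netlify")
    if len(a_records) > 1:       # Netlify provides a single A record target
        problems.append(f"Domain {domain} has multiple A records")
    if aaaa_records:             # Netlify provides no IPv6 records
        problems.append(f"Domain {domain} has an AAAA (IPv6) record")
    if not dnssec_ok:
        problems.append(f"{domain} is not resolvable with a resolver that validates DNSSEC")
    return problems


def check_all(domains: dict) -> dict:
    """Run the check for every hostname connected to the site (root and www alike)."""
    return {d: provisioning_problems(d, **info) for d, info in domains.items()}


if __name__ == "__main__":
    # Constructed sample (TEST-NET addresses); replace with {h: lookup(h) for h in hosts}.
    sample = {"petsofnetlify.com": {"a_records": ["192.0.2.10"], "aaaa_records": [],
                                    "server_header": "Netlify"},
              "www.petsofnetlify.com": {"a_records": ["192.0.2.10", "192.0.2.11"],
                                        "aaaa_records": ["2001:db8::1"], "server_header": "nginx"}}
    for host, msgs in check_all(sample).items():
        print(host, "->", msgs or "ready for certificate provisioning")
```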
