Why is my domain not automatically generating an SSL certificate?

If your DNS resolves to Vercel, then one of the common reasons for Vercel not automatically generating an SSL certificate for your domain is a missing CAA record.

Since we use Let's Encrypt for our automatic SSL certificates, you must add a CAA record with the value 0 issue "letsencrypt.org" if other CAA records already exist on your domain. Commonly, you may have multiple CAA records to allow different certification authorities.

Please also note that subdomains inherit CAA records. For example, a CAA record set on example.com will also apply to foo.example.com and any other subdomains, unless it's explicitly overridden on each subdomain level.

For issuing custom certificates, certificates via a Proxy or dual-purpose certificates, see How do I change CAA records when using the Vercel CNAME record?.

Verifying the CAA Record

You can check if your domain currently has any CAA records by running the dig -t CAA +noall +ans example.com command on your terminal, or checking with Google Public DNS (change the RR Type to CAA and resolve).

Using an External Proxy

If your website is proxied via a third party service, then this can also block our access to provision certificates. Please see our Proxy Guide for more information.

Vercel Support

For any further questions or concerns, please contact Vercel Support using the support form available from the Vercel dashboard.

Couldn't find the guide you need?