How to Set Up SSL for Custom Domains
Configure HTTPS for your custom domain on any platform
TL;DR (15 minutes):
Add your domain in the platform dashboard, configure DNS records (CNAME for subdomains, A record for root), wait for DNS propagation, and the platform auto-provisions your SSL certificate. Most issues are DNS-related - verify with dig before troubleshooting SSL.
Prerequisites
- A registered domain name with access to DNS settings
- Your app deployed on Vercel, Netlify, Cloudflare Pages, or similar platform
- Domain registrar login credentials
- About 15 minutes (plus DNS propagation time)
Vercel Custom Domain SSL
Add domain in Vercel dashboard
Go to your project > Settings > Domains > Add Domain
# Enter your domain:
yourdomain.com
# Vercel will show required DNS records
Configure DNS records
Add these records at your DNS provider:
# For root domain (yourdomain.com)
Type: A
Name: @
Value: 76.76.21.21
# For www subdomain
Type: CNAME
Name: www
Value: cname.vercel-dns.com
# Vercel also supports AAAA records for IPv6:
Type: AAAA
Name: @
Value: 2606:4700:4400::6812:2b21
Wait for verification
Vercel checks DNS automatically. The dashboard shows status:
- Pending Verification - DNS not yet detected, wait for propagation
- Valid Configuration - DNS correct, SSL provisioning
- Certificate Issued - HTTPS ready
Vercel Tip: Enable "Redirect to Primary Domain" in domain settings to automatically redirect www to non-www (or vice versa) with proper SSL.
Netlify Custom Domain SSL
Add domain in Netlify
Go to Site settings > Domain management > Add custom domain
# Add both:
yourdomain.com
www.yourdomain.com
Configure DNS records
# Option A: Use Netlify DNS (recommended)
# Transfer nameservers to Netlify for automatic configuration
# Option B: External DNS
# For root domain - use A record:
Type: A
Name: @
Value: 75.2.60.5
# For www - use CNAME:
Type: CNAME
Name: www
Value: your-site-name.netlify.app
# Netlify also provides load-balanced IPs - check dashboard for current values
Provision SSL certificate
After DNS verification:
- Go to Site settings > Domain management > HTTPS
- Click "Verify DNS configuration"
- Click "Provision certificate"
Netlify uses Let's Encrypt and handles renewal automatically.
Cloudflare Pages Custom Domain SSL
Add domain to Cloudflare (if not already)
Your domain should use Cloudflare nameservers for easiest setup.
Add custom domain to Pages project
Go to Pages > Your project > Custom domains > Set up a custom domain
# Enter your domain:
yourdomain.com
# Cloudflare automatically creates DNS records
Configure SSL/TLS mode
In your domain's SSL/TLS settings, set encryption mode to "Full (strict)"
# SSL/TLS encryption modes:
# - Off: No encryption (never use this)
# - Flexible: HTTPS to Cloudflare, HTTP to origin (security risk!)
# - Full: HTTPS everywhere, accepts self-signed certs
# - Full (strict): HTTPS everywhere, requires valid certificate (recommended)
Cloudflare SSL Mode Warning:
Never use "Flexible" mode - it creates a false sense of security. Users see HTTPS but data between Cloudflare and your origin is unencrypted. Always use "Full (strict)".
AWS/Route 53 + CloudFront
Request certificate in ACM
# AWS Certificate Manager (ACM) - must use us-east-1 for CloudFront
aws acm request-certificate \
--domain-name yourdomain.com \
--subject-alternative-names www.yourdomain.com \
--validation-method DNS \
--region us-east-1
Validate domain ownership
Add the CNAME records ACM provides to your DNS:
# ACM provides records like:
Type: CNAME
Name: _abc123.yourdomain.com
Value: _xyz789.acm-validations.aws
Configure CloudFront distribution
# In CloudFront distribution settings:
# - Alternate domain names (CNAMEs): yourdomain.com, www.yourdomain.com
# - Custom SSL certificate: Select your ACM certificate
# - SSL/TLS protocol: TLSv1.2_2021 (minimum)
# - HTTPS redirect: Yes
DNS Records Reference
| Platform | Root Domain (A Record) | Subdomain (CNAME) |
|---|---|---|
| Vercel | 76.76.21.21 | cname.vercel-dns.com |
| Netlify | 75.2.60.5 | your-site.netlify.app |
| Cloudflare Pages | (automatic via Cloudflare DNS) | your-project.pages.dev |
| GitHub Pages | 185.199.108.153 | username.github.io |
| Render | (varies by service) | your-service.onrender.com |
Security Checklist
Custom Domain SSL Checklist
- Domain added to hosting platform
- DNS records configured correctly (A and/or CNAME)
- DNS propagation complete (verified with dig)
- SSL certificate provisioned and valid
- HTTPS redirect enabled (HTTP to HTTPS)
- Both www and non-www domains configured
- Primary domain redirect configured
- HSTS header added for security
- Old certificates revoked if migrating
- CAA record set (optional but recommended)
How to Verify It Worked
Check DNS propagation
# Check A record
dig yourdomain.com A +short
# Check CNAME record
dig www.yourdomain.com CNAME +short
# Use online tool for global propagation:
# https://www.whatsmydns.net/
Verify certificate
# Check certificate details
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Show who issued the certificate (issuer of the leaf certificate)
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -text | grep -A1 "Issuer"
Test HTTPS redirect
# Should redirect to HTTPS
curl -I http://yourdomain.com
# Expected response:
# HTTP/1.1 301 Moved Permanently
# Location: https://yourdomain.com/
Common Errors and Troubleshooting
Certificate pending for too long
# DNS not configured correctly - verify records:
dig yourdomain.com A +short
# Should return the platform's IP
dig www.yourdomain.com CNAME +short
# Should return the platform's CNAME target
# If wrong, update DNS and wait for propagation (can take up to 48h)
# Check propagation status:
# https://www.whatsmydns.net/
ERR_CERT_COMMON_NAME_INVALID
# Certificate doesn't match the domain you're visiting
# Causes:
# 1. Domain not added to platform's custom domains
# 2. Certificate not yet provisioned
# 3. Visiting wrong domain variant (www vs non-www)
# Solution: Ensure domain is added and certificate is issued in platform dashboard
SSL certificate not trusted
# Check certificate chain is complete:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | grep -i verify
# If you see "Verify return code: 21 (unable to verify the first certificate)"
# The intermediate certificates are missing - usually a platform issue
# Contact support or re-provision the certificate
Mixed www and non-www redirect issues
# Both domains should work and redirect to one primary
# In Vercel: Settings > Domains > Redirect to primary domain
# In Netlify: Domain management > Primary domain
# Test both:
curl -I http://yourdomain.com
curl -I http://www.yourdomain.com
curl -I https://yourdomain.com
curl -I https://www.yourdomain.com
# All should eventually redirect to your primary HTTPS domain
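Added example (not from the original guide or any platform's tooling): two shell functions that grade captured `curl -sI` output for the redirect tests above and for the checklist's HSTS item. Each call checks a single response, so a variant that takes two hops needs one call per hop. The one-year minimum max-age is an assumed policy threshold, and the header samples are constructed.

```shell
#!/bin/sh
# Added example; hostnames and header samples are constructed placeholders.

# check_redirect PRIMARY_HOST   (stdin: output of `curl -sI http://...`)
# Passes only when the response redirects to https://PRIMARY_HOST/...
check_redirect() {
    tr -d '\r' | awk -v host="$1" '
        NR == 1                    { code = $2 }   # "HTTP/1.1 301 ..." or "HTTP/2 301"
        tolower($1) == "location:" { loc = $2 }    # header names are case-insensitive
        END {
            want = "https://" host "/"
            if (code !~ /^30[1278]$/)      { print "fail: status " code ", no redirect"; exit 1 }
            if (index(loc "/", want) != 1) { print "fail: redirects to " loc; exit 1 }
            if (code ~ /^30[27]$/)         { print "warn: temporary redirect " code; exit 0 }
            print "ok: " code " -> " loc
        }'
}

# check_hsts [MIN_MAX_AGE]   (stdin: output of `curl -sI https://...`)
# MIN_MAX_AGE defaults to 31536000 s (one year), an assumed policy threshold.
check_hsts() {
    tr -d '\r' | awk -v min="${1:-31536000}" '
        tolower($1) == "strict-transport-security:" {
            found = 1; v = tolower($0)
            if (match(v, /max-age="?[0-9]+/)) {
                age = substr(v, RSTART, RLENGTH); gsub(/[^0-9]/, "", age)
            }
            if (v ~ /includesubdomains/) suffix = " includeSubDomains"
        }
        END {
            if (!found)            { print "fail: no Strict-Transport-Security header"; exit 1 }
            if (age + 0 < min + 0) { print "fail: max-age " (age + 0) " is below " min; exit 1 }
            print "ok: max-age " age suffix
        }'
}

# Demo on constructed responses (CRLF line endings, as curl prints them).
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://yourdomain.com/\r\n\r\n' |
    check_redirect yourdomain.com
printf 'HTTP/2 200\r\nstrict-transport-security: max-age=300\r\n\r\n' |
    check_hsts || true
```

Against a live site, pipe the real commands in, for example: curl -sI http://www.yourdomain.com | check_redirect yourdomain.com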
CAA record blocking certificate issuance
# Check for CAA records:
dig yourdomain.com CAA
# If CAA records exist, they must allow your certificate authority
# For Let's Encrypt (used by Vercel, Netlify):
Type: CAA
Name: @
Value: 0 issue "letsencrypt.org"
# To allow any CA (remove restrictions):
# Delete all CAA records (any CA may then issue certificates for the domain)
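Added example (not from the original guide): a shell function that applies the CAA rules above to captured `dig +short ... CAA` output and reports whether a given CA may issue. It evaluates a single record set for a non-wildcard name; `ca.example` and the sample records are constructed.

```shell
#!/bin/sh
# Added example; evaluates ONE CAA record set for a non-wildcard certificate request.
# Usage: dig +short yourdomain.com CAA | caa_allows letsencrypt.org
# Exit status 0 = this record set does not block the CA, 1 = it does.
caa_allows() {
    awk -v ca="$1" '
        NF >= 3 {
            n++; tag = tolower($2); val = $0
            sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)   # keep text inside the quotes
            sub(/;.*$/, "", val); gsub(/[ \t]/, "", val)    # drop parameters and spaces
            # issuewild only applies to wildcard names; iodef is a reporting address.
            # Any other tag with the critical flag (128) set forbids issuance.
            if (tag == "issue") { seen = 1; if (tolower(val) == tolower(ca)) ok = 1 }
            else if (tag != "issuewild" && tag != "iodef" && $1 + 0 >= 128) crit = 1
        }
        END {
            if (crit)  { print "blocked: unknown property marked critical"; exit 1 }
            if (!n)    { print "no CAA records here: the CA checks the parent domain next"; exit 0 }
            if (!seen) { print "allowed: no issue property restricts issuance"; exit 0 }
            if (ok)    { print "allowed: " ca " is listed"; exit 0 }
            print "blocked: " ca " is not listed"; exit 1
        }'
}

# Demo on a constructed answer (placeholder CA name, not real data).
printf '%s\n' '0 issue "ca.example"' '0 iodef "mailto:security@yourdomain.com"' |
    caa_allows letsencrypt.org || true
```

An empty answer for a subdomain does not mean issuance is unrestricted: the CA walks up to the parent domain, so run the same check against the parent's records.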
How long does SSL certificate provisioning take?
After DNS is properly configured, SSL certificates typically provision within 1-10 minutes on most platforms. If DNS was recently changed, wait for propagation (up to 48 hours, usually much faster - often within 15 minutes to an hour).
Should I use CNAME or A records?
Use CNAME for subdomains (www.domain.com) and A/AAAA records for root domains (domain.com). Root domains cannot use standard CNAME records. Some DNS providers support CNAME flattening or ALIAS records for root domains which can be used instead.
Can I use my own SSL certificate instead of the platform's?
Most platforms allow custom certificates on paid plans. However, using the platform's automatic SSL is recommended as it handles renewal automatically and is properly configured. Custom certificates are useful for EV certificates or specific compliance requirements.
Do I need to configure SSL for both www and non-www?
Yes, add both domains to your platform. Configure one as the primary and set up redirects from the other. Both need valid SSL certificates to properly redirect HTTPS requests.
Why is my custom domain showing the wrong site?
DNS might be cached or still pointing to an old server. Clear your local DNS cache (ipconfig /flushdns on Windows, sudo dscacheutil -flushcache on Mac) and verify DNS with dig or an online tool.