Troubleshooting

SSL not issuing

DNS looks right but HTTPS isn't active yet? These are the usual causes.

Once DNS is correct, SSL issuance is automatic and usually takes under a minute. If the domain is stuck on Validating for longer, one of these is the reason.

1. DNS isn’t fully resolving yet

SSL validation needs every DNS resolver (not just yours) to see the new records. If you just saved DNS, give it 5–15 minutes before assuming something’s wrong. Click Refresh status periodically.

From a terminal, test from a public resolver:

dig @1.1.1.1 www.yourbrand.com +short
dig @8.8.8.8 www.yourbrand.com +short

Both should return PageFork hosts/IPs. If either doesn’t, DNS hasn’t propagated everywhere yet.

2. Proxy still enabled

A proxy (like Cloudflare’s orange cloud) intercepts the validation challenge. See Cloudflare and proxies — disable it for the PageFork records.

3. Restrictive CAA record

If your domain has CAA records that don’t include Let’s Encrypt, issuance fails. Check with:

dig yourbrand.com CAA +short

If you see CAA records that exclude letsencrypt.org, add one that allows it:

yourbrand.com.  IN  CAA  0 issue "letsencrypt.org"

Or remove the restrictive CAA entirely if you didn’t add it on purpose.

4. Both www and apex are connected, one isn’t configured

When you turn on Include apex, both yourbrand.com and www.yourbrand.com need correct DNS. SSL issuance for the pair won’t complete until both resolve. If you only added the www CNAME, add the apex record too — see DNS records reference.

5. Registrar auto-renewal / DNSSEC edge cases

Some registrars have safeguards that block new TLS certs briefly after DNS changes. If you suspect this, wait 15–30 minutes and try Refresh status again.

6. It’s been over an hour

Contact support with:

  • The domain.
  • A screenshot showing the Validating status.
  • The output of dig yourbrand.com CAA +short.
  • The output of dig www.yourbrand.com +short and dig yourbrand.com +short.

Support can see exactly what Let’s Encrypt returned and guide you from there.

Known transient issues

  • Let’s Encrypt rate limits. If a domain has failed to issue many times in a short window, the CA may rate-limit it for a few hours. You’ll see “rate limited” in the error details. Wait and retry.
  • Registrar outages. Rare, but they happen. Check your registrar’s status page.

Next

Previous Domain not verifying Next Forms not receiving