Diagnose SSL Pending on a New Subdomain

Common certificate issuance blockers and quick fixes for SSL/TLS on custom subdomains.

Written by Mayank Baswal

Founder of is-cool-me · DNS & Platform Infrastructure

Mayank Baswal maintains the is-cool-me platform and writes technical guides focused on DNS configuration, subdomain infrastructure, SSL troubleshooting, deployment workflows, and platform reliability.

Reviewed by is-cool-me Trust & Safety Review

What You Will Learn

When you add a new subdomain to is-cool-me and configure it through your hosting provider (Vercel, Netlify, Cloudflare Pages, or a similar platform), the dashboard will typically show the SSL status as Pending while the certificate authority (CA) attempts to issue a certificate. This guide covers why certificates get stuck in this pending state, how to methodically diagnose the root cause, what fixes you can apply yourself, and when you should escalate to your provider or our support team.

By the end of this guide you will understand the full certificate issuance lifecycle, know the exact diagnostic commands to run, and be able to resolve the majority of pending SSL issues without waiting for support.

Requirements

  • An is-cool-me subdomain with DNS records configured in your dashboard
  • SSL status showing Pending in the is-cool-me dashboard
  • Access to a terminal with dig and curl installed (Linux, macOS, or WSL)
  • Access to your hosting provider's dashboard (Vercel, Netlify, Cloudflare, etc.)
  • Basic familiarity with DNS concepts (A records, CNAME records, TTL)

Background

SSL certificate issuance follows a well-defined protocol: the CA must verify that the requester controls the domain for which the certificate is being requested. For is-cool-me subdomains, the issuing CA depends on your active platform configuration (often Let's Encrypt on many providers) and validation is typically done through HTTP-01 or DNS-01 challenges. When your dashboard shows Pending, it means the CA has initiated the issuance process but has not yet completed validation.

The most common reasons for a stuck pending state fall into four categories: DNS resolution problems, CAA record restrictions, hosting provider misconfiguration, and propagation delays. Understanding which category your issue falls into is the first step toward a fix.

Most automated certificates are short-lived (often around 90 days), and issuance typically completes within seconds once all prerequisites are met. If your certificate has been pending for more than 15 minutes, something in the chain is usually misconfigured.

Step-by-Step Diagnosis

Step 1: Check Authoritative DNS Resolution

The CA needs to resolve your subdomain to verify it points to the correct server. Start by checking what your authoritative DNS nameservers return for your subdomain:

dig yourname.is-pro.dev +short
dig yourname.is-pro.dev A +short
dig yourname.is-pro.dev CNAME +short

Compare the output against the expected target provided by your hosting provider. For Vercel, the CNAME should look like cname.vercel-dns.com. For Netlify, it should be something like your-site.netlify.app. If the record is missing or points to an old target, update it in the is-cool-me DNS dashboard and wait 5-10 minutes for propagation.

You should also check that the nameservers themselves are responding correctly:

dig NS is-pro.dev +short
dig yourname.is-pro.dev @<authoritative-ns> +short

This bypasses local caching and queries an authoritative nameserver directly. If this returns the correct record but a standard dig does not, you are likely seeing cached data. Wait for TTL expiry or flush your local DNS resolver.

Step 2: Check CAA Records

CAA (Certificate Authority Authorization) records tell the world which CAs are permitted to issue certificates for your domain. If a CAA record exists but does not include Let's Encrypt, issuance will be blocked:

dig CAA yourname.is-pro.dev +short

If you see output like 0 issue "digicert.com" without a corresponding 0 issue "letsencrypt.org", your CAA records are blocking Let's Encrypt. The fix is to add a CAA record that permits Let's Encrypt:

yourname.is-pro.dev.  IN  CAA  0  issue  "letsencrypt.org"

You can manage CAA records through the is-cool-me DNS dashboard. Note that CAA records are inherited by subdomains unless explicitly overridden, so a parent domain CAA restriction can block subdomain issuance even if the subdomain itself has no CAA records.

Step 3: Check Hosting Provider Configuration

Your hosting provider must be configured to respond to the domain validation challenge. Log into your hosting provider's dashboard and verify:

  • The custom domain yourname.is-pro.dev is added to your project or site
  • The provider's SSL/TLS settings are enabled (usually automatic)
  • No firewall or proxy rules are blocking Let's Encrypt's validation IPs
  • The provider is not in a "pending" state on their end (some providers have their own verification process)

Providers like Cloudflare may have a proxy (orange cloud) setting that can interfere with certificate issuance if the origin server is not configured correctly. If you use Cloudflare, try setting the DNS record to DNS-only (gray cloud) during issuance, then switch back to proxied after the certificate is active.

Step 4: Wait for Propagation

DNS changes are not instantaneous. Even after you update records, the change must propagate across the global DNS network. Typical propagation times:

  • Default TTL of 3600 seconds (1 hour): full propagation can take up to 1 hour
  • If you lowered TTL to 300 seconds (5 minutes): propagation takes 5-15 minutes
  • Some ISPs and resolvers ignore TTL and cache for longer periods

You can check global propagation using online tools like whatsmydns.net or by querying multiple public resolvers:

dig @1.1.1.1 yourname.is-pro.dev +short
dig @8.8.8.8 yourname.is-pro.dev +short
dig @9.9.9.9 yourname.is-pro.dev +short

If Cloudflare's resolver (1.1.1.1) and Google's resolver (8.8.8.8) both return the correct record, the issue is not propagation.

Step 5: Force Re-issuance

If your DNS records are correct and the hosting provider is configured properly, you may need to force the CA to retry the issuance. In the is-cool-me dashboard, use the SSL retry/reissue action available in your environment to cancel the pending request and start a fresh one.

Before triggering re-issuance, confirm that:

  • DNS resolution returns the correct target from all major resolvers
  • CAA records permit your issuing CA (for example, Let's Encrypt if that is what your setup uses)
  • Your hosting provider accepts requests for your subdomain
  • Your subdomain returns a valid HTTP response (not a 404 or redirect loop)

You can test the HTTP challenge path commonly used during HTTP-01 validation:

curl -I http://yourname.is-pro.dev/.well-known/acme-challenge/

If this returns anything other than a 200 or 404 (such as a 301/302 redirect or a 5xx error), the validation challenge may fail. The key requirement is that the provider serves the challenge file correctly at the path expected by the CA flow in your environment.

Verification

Once you have resolved the issue and the certificate is issued, verify the following:

  • SSL Active: The is-cool-me dashboard shows "Active" instead of "Pending"
  • Browser Padlock: Visiting https://yourname.is-pro.dev shows a secure padlock icon in the address bar
  • SSL Labs Rating: Run an SSL Labs test at ssllabs.com/ssltest and confirm an A or A+ rating
  • Certificate Details: The certificate should be issued by your configured CA and list your subdomain in the Subject Alternative Name (SAN) field

Troubleshooting

CAA Blocking Let's Encrypt

If you have existing CAA records that do not include Let's Encrypt, add 0 issue "letsencrypt.org" alongside your existing CAA records. Multiple CAA records are OR'd together, so each permitted CA needs its own record.

Apex CNAME Conflicts

CNAME records cannot coexist with other record types at the same name. If your subdomain has an A record and a CNAME record simultaneously, DNS resolution may be unpredictable. Ensure you have only the record type recommended by your hosting provider.
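The two checks above (the CAA inheritance rule from Step 2 and the "CAA Blocking Let's Encrypt" note, plus the CNAME coexistence rule just described) can be run offline against a snapshot of your records before you trigger re-issuance. The following is an added example and not is-cool-me tooling; the zone below is constructed from the placeholder names used in this guide, with a documentation-range IP standing in for a stale A record.

```python
import copy
from typing import Dict, List, Set, Tuple

Zone = Dict[str, Dict[str, List[str]]]  # owner name -> {rtype: [rdata, ...]}

# Constructed zone snapshot (placeholder names/targets), the shape you would
# assemble from the dig output in Steps 1 and 2.
ZONE: Zone = {
    "is-pro.dev.": {"CAA": ['0 issue "digicert.com"']},
    "yourname.is-pro.dev.": {
        "CNAME": ["cname.vercel-dns.com."],
        "A": ["203.0.113.10"],  # stale A record left beside the CNAME
    },
    "other.is-pro.dev.": {"CNAME": ["your-site.netlify.app."]},
}


def cname_conflicts(zone: Zone) -> List[Tuple[str, Set[str]]]:
    """Names where a CNAME coexists with other record types (not allowed by the DNS spec)."""
    return [(name, set(rrsets) - {"CNAME"})
            for name, rrsets in zone.items() if "CNAME" in rrsets and len(rrsets) > 1]


def effective_caa(zone: Zone, name: str) -> Tuple[str, List[str]]:
    """Closest CAA RRset at or above `name` (RFC 8659 tree walk); ('', []) if none exists.

    This is the 'inherited unless overridden' behaviour: the first CAA set found
    walking toward the root is the only one that applies."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:]) + "."
        if zone.get(owner, {}).get("CAA"):
            return owner, zone[owner]["CAA"]
    return "", []


def ca_permitted(zone: Zone, name: str, ca: str) -> bool:
    """May `ca` issue a non-wildcard certificate for `name`?

    Permitted when no CAA set exists up the tree, when that set carries no `issue`
    tags (issuewild only governs wildcards), or when an `issue` tag names the CA.
    Parameters after ';' in the value are ignored; an empty value blocks every CA."""
    _, rrset = effective_caa(zone, name)
    issue_cas = [rdata.split(None, 2)[2].strip('"').split(";")[0].strip()
                 for rdata in rrset if rdata.split(None, 2)[1] == "issue"]
    return not issue_cas or ca in issue_cas


def permit_ca(zone: Zone, name: str, ca: str) -> Zone:
    """Copy of the zone with `0 issue "<ca>"` added at `name` (the fix from Step 2)."""
    fixed = copy.deepcopy(zone)
    fixed.setdefault(name, {}).setdefault("CAA", []).append(f'0 issue "{ca}"')
    return fixed
```

Note that adding a CAA record at the subdomain replaces, rather than extends, the parent's set for that name, so a CA listed only at the parent is no longer permitted for the subdomain once the override exists.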

Proxy Interference

If you use Cloudflare or another reverse proxy, the proxy may intercept the HTTP validation challenge before it reaches your origin server. During issuance, set the record to DNS-only (gray cloud). Re-enable proxy after the certificate is active.

Rate Limits

Certificate authorities enforce issuance and failed-validation rate limits. If you trigger re-issuance repeatedly without fixing the underlying issue, you may hit those limits and get temporarily blocked. Check your CA/provider rate-limit documentation before retrying repeatedly.

Mixed Content Warnings

After SSL is active, if your page loads resources (images, scripts, stylesheets) over HTTP, browsers will show mixed content warnings. Use a tool like whynopadlock.com to identify insecure resources. Update all asset URLs to use HTTPS or protocol-relative URLs.

Best Practices

  • Add CAA records proactively before you need a certificate. This prevents unexpected CAA-related delays when you first set up a subdomain. See our guide on locking down CAA for details.
  • Lower TTL during initial setup to 300 seconds so that DNS changes propagate quickly. Once the certificate is active and everything is stable, increase the TTL back to 3600 or higher to reduce DNS query load.
  • Test before adding DNS records. Configure your hosting provider first, verify it works with a test domain or their preview URL, then add the DNS record pointing to it.
  • Monitor certificate expiry. Set up calendar reminders or use monitoring tools to alert you when certificates are approaching their 90-day expiry. Let's Encrypt auto-renewal usually works, but configuration drift can break it.
  • Document your DNS configuration including all records, their targets, and the purpose of each. This makes future debugging dramatically faster.

FAQ

How long should a certificate stay in "Pending" status?

Normally no more than 5-15 minutes. If it has been longer than 30 minutes and propagation is confirmed, there is likely a configuration issue rather than a delay.

Can I use my own certificate instead of Let's Encrypt?

Yes, if custom certificate upload is enabled in your environment, you can provide your own certificate and private key through the dashboard. The pending status applies to automatically issued certificates managed by your platform's CA flow.

Does the subdomain need to be publicly accessible for issuance?

Yes. The CA validation flow must be able to reach your subdomain over the public internet for HTTP-01-style checks. If your server is behind a firewall or VPN, validation will fail.

What does "CAA record preventing issuance" mean?

It means your domain's CAA DNS records specify a set of permitted certificate authorities, and your issuing CA is not in that set. You need to add a CAA record that explicitly allows the CA used by your setup.

What if my hosting provider does not support custom domains?

Most major hosting platforms (Vercel, Netlify, Railway, Render, Fly.io, Cloudflare Pages) support custom domains. If yours does not, you may need to use a reverse proxy like Cloudflare in front of it.

Why does the dashboard show "Pending" after a successful re-issuance?

The dashboard may cache the SSL status for a few minutes. Try refreshing the page after 5 minutes. If it still shows pending, the new issuance attempt may have encountered the same issue as the first one.

Can DNSSEC affect certificate issuance?

Yes. If DNSSEC is enabled for your domain but the signatures are misconfigured or expired, resolvers may return SERVFAIL, which can block CA validation. Check DNSSEC status with dig yourname.is-pro.dev +dnssec.

What should I do if none of these steps work?

If you have verified DNS resolution, CAA records, hosting configuration, propagation, and re-issued the certificate, and it is still pending, contact is-cool-me support through Discord or email. Include the output of the dig commands from Step 1 and Step 2 to speed up diagnosis.

Deployment scenario from operations

A newly registered subdomain looked correct in DNS but remained in a pending TLS state because of residual conflicting records.

Platform nuance: TLS issuance commonly lags DNS updates; avoid unnecessary record churn during issuance windows.

Common mistakes

  • Leaving conflicting record types on the same hostname.
  • Rotating records repeatedly before allowing cache expiration.
  • Ignoring certificate validation events from the hosting platform.

How to verify it works

  1. Confirm only expected DNS record types exist for the hostname.
  2. Check certificate status in provider dashboard until issuance completes.
  3. Run HTTPS checks from multiple networks to confirm stable certificate delivery.

Use these checks before announcing a DNS change as complete to your team.