CMS-General

Troubleshoot SSL certificate errors

Last updated: October 11, 2019

Applies to:

Marketing Hub  Professional, Enterprise
Legacy Marketing Hub Basic
HubSpot CMS

When provisioning SSL for your domain through HubSpot, you may encounter errors during the process. If there is an error during SSL provisioning, you’ll see one of the following messages at the top of your domain manager. 

There was a problem issuing the SSL certificate for <www.yourdomain.com>

Detail: please update your existing CAA records and make sure "0 issue 'digicert.com'" is listed.

Cause: the subdomain you’re connecting, or its parent domain, has a CAA (Certification Authority Authorization) record which doesn’t include Digicert.

Resolution: edit your CAA record to include Digicert with a flag, a tag, and a value:

  • flag: 0
  • tag: issue
  • value: digicert.com

All together, your edit will look like: 0 issue ‘digicert.com’

After you add Digicert to this record, HubSpot will provision SSL within 4 hours. If it does not, please contact HubSpot support. 

The SSL certificate for www.yourdomain.com couldn't be validated

There are three possible causes and resolutions for this error, depending on the error detail:

  • The domain does not have a WHOIS email
    • Cause: no email address is associated with the WHOIS email registry to send the email to.
    • Resolution: edit your WHOIS email and click Click here to confirm you own this domain so you can continue the setup process within the domain manager. This will re-send the validation email to your updated address. Or, contact support for an alternative SSL pre-provisioning method.
  • The domain requested for validation is not valid
    • Cause: requests for the subdomain aren’t reaching HubSpot’s servers or there was a technical issue when provisioning SSL.
    • Resolution: if you’ve created the HubSpot provided CNAME record correctly, please contact HubSpot support.
  • Please update your CNAME record for this domain
    • Cause: the subdomain doesn’t have the HubSpot CNAME record. It has a different DNS record which is pointing to a different location.
    • Resolution: create the HubSpot provided CNAME record in your DNS records. If believe you’ve done this correctly, please contact HubSpot support. 

www.yourdomain.com has been marked as potentially unsafe by Google

Details: Google maintains a list of URLs that contain malware or phishing. If the domain you are connecting matches any domain in this list, HubSpot cannot provision SSL. If you have Google Search Console, an alert will appear in the domain’s security issues report.

Cause: the subdomain you’re connecting has been flagged for containing malware or phishing.

Resolution: Submit a request to Google for a review of your affected page. Or, contact HubSpot support for further assistance.

www.yourdomain.com has been marked as potentially unsafe by Phishtank

Details: Phishtank maintains a list of URLs that contain malware or phishing. If the domain you are connecting matches any domain in this list, we cannot provision SSL. 

Cause: The subdomain you’re connecting has been flagged for matching a blacklisted domain in Phishtank’s database. 

Resolution: report a false positive to PhishTank. Or, contact HubSpot support for further assistance.

We were unable to validate www.yourdomain.com

Details: There is an unknown issue when attempting to provision SSL for your subdomain. 

Resolution: To determine the root cause of this error, please contact HubSpot support.