domains-urlsaccount-settings domains-urlsbilling domains-urlsconnected-email domains-urlsgdpr domains-urlsgetting-started domains-urlshelp-resources domains-urlsintegrations domains-urlstracking-code domains-urlsactivity-feed domains-urlscompanies domains-urlscontacts domains-urlscrm-setup domains-urlsdeals domains-urlstasks domains-urlsads domains-urlscampaigns domains-urlsctas domains-urlsemail domains-urlsfiles domains-urlsforms domains-urlslists domains-urlssocial domains-urlsblog domains-urlsdesign-manager domains-urlsdomains-urls
domains-urlslanding-pages domains-urlsseo domains-urlswebsite-pages domains-urlscalling domains-urlsdocuments domains-urlsmeetings domains-urlsplaybooks domains-urlsproducts-quotes domains-urlssequences domains-urlssnippets domains-urlstemplates domains-urlsknowledge-base domains-urlstickets domains-urlschatflows domains-urlsfeedback-surveys domains-urlsinbox domains-urlsworkflows domains-urlsanalytics-tools domains-urlsdashboards domains-urlsreports domains-urlsmarketplace domains-urlspartner-tools
Domains & URLs

Troubleshoot SSL certificate errors

Last updated: September 2, 2020

Applies to:

Marketing Hub  Professional, Enterprise
CMS Hub  Professional, Enterprise
Legacy Marketing Hub Basic

When connecting your domain to HubSpot, SSL for your domain will be provisioned automatically. However, in some cases, an error may occur.

To troubleshoot your SSL:

  • In your HubSpot account, click the settings icon settings in the main navigation bar.
  • In the left sidebar menu, navigate to Domains & URLs.
  • At the top, identify the error. Then, follow the respective troubleshooting steps below.

There was a problem issuing the SSL certificate for <www.yourdomain.com>

ssl-caa-record

HubSpot is unable to issue the SSL for the subdomain because it, or its parent domain, has a Certificate Authority Authorization (CAA) record which doesn’t include Digicert. To resolve this, you'll need to edit your CAA record or add a CAA record for your root domain.

To troubleshoot this issue:

  • In your DNS provider, access your CAA record.
  • Edit the CAA record to include Digicert with a flag, a tag, and a value:
    • flag: 0
    • tag: issue
    • value: digicert.com

The record should read: 0 issue ‘digicert.com’

Once you add Digicert to the CAA record for the root domain, HubSpot will attempt to provision SSL within four hours. If this error has been present for more than 30 days, HubSpot will not automatically provision SSL after the CAA record is updated. Please contact HubSpot support if it's been more than 30 days since the error appeared.

The SSL certificate for www.yourdomain.com couldn't be validated

HubSpot couldn't validate the SSL certification for your domain. There are three possible causes, which will be indicated in the error message details:

The domain does not have a Whois email

ssl-whois

The domain is not currently associated with an email address in the Whois email registry, and HubSpot is unable to send the SSL validation email. To troubleshoot this:

  • Log in to your DNS provider and navigate to the records for the domain.
  • Edit your Whois email.
  • In HubSpot, click Click here to confirm you own this domain. This will send a validation email to your updated email address.
  • Open the email in your inbox to confirm that you own the domain. HubSpot will then provision the SSL certification for this domain.

If you're unable to update your Whois email, contact support for an alternative SSL pre-provisioning method.

The domain requested for validation is not valid

ssl-domain-request-not-valid

HubSpot is unable to reach the subdomain. Ensure your CNAME record is entered correctly in your DNS provider. If this has been done correctly, please contact HubSpot support.

Please update your CNAME record for this domain

ssl-update-cname

The subdomain does not have a CNAME record pointing to HubSpot. If believe you’ve set up your CNAME record correctly, please contact HubSpot support. 

www.yourdomain.com has been marked as potentially unsafe by Google

ssl-google-unsafe

Google maintains a list of URLs that contain malware or phishing. If the domain you are connecting matches any domain in this list, HubSpot cannot provision SSL. If you have Google Search Console, an alert will appear in the domain’s security issues report.

To resolve this, submit a request to Google for a review of your affected page, or contact HubSpot support for further assistance.

www.yourdomain.com has been marked as potentially unsafe by PhishTank

ssl-phishtank

PhishTank is an anti-phishing site that maintains a list of URLs with potential malware or phishing scams. If the domain you are connecting matches any domain in this list, HubSpot cannot provision SSL for your domain. If your domain does not include malware or phishing scams, report a false positive to PhishTank.

We were unable to validate www.yourdomain.com

ssl-unable-to-validate

There is an unknown issue when attempting to provision SSL for your subdomain. Please contact HubSpot support.

Related content

/cos-general/troubleshoot-ssl-certificate-errors