Skip to content
HubSpot Knowledge Base

Troubleshoot SSL certificate errors

Last updated: March 18, 2026

Available with any of the following subscriptions, except where noted:

When connecting a domain to HubSpot, an SSL certificate is provisioned automatically. Usually, provisioning completes within four hours. If an error appears in your domain settings, use the information below to identify and resolve the issue. 

Before you get started

Before troubleshooting SSL certificate error, review the requirements and considerations.

Permissions required Domain settings permission is required to troubleshoot SSL certificate errors in domain settings.


Understand limitations & considerations

  • If the SSL certificate can’t be issued due to DNS configuration, confirm the following before troubleshooting a specific error:

    • Confirm there are no AAAA records for HubSpot-connected hostnames.
    • Confirm the root domain has two A records set to the exact IP addresses shown in HubSpot.
    • In your domain settings, click the Actions dropdown menu and select Verify SSL certificate to re-run SSL verification.

Identify an SSL certificate error

  1. In your HubSpot account, click the settings settings icon in the top navigation bar.
  2. In the left sidebar menu, navigate to Content > Domains & URLs.
  3. At the top of the page, identify the SSL error message for the domain. For example, you may see a message like this:

  1. Follow the corresponding troubleshooting steps.

There was a problem issuing the SSL certificate for www.yourdomain.com

This error occurs when the domain or its parent domain has a Certificate Authority Authorization (CAA) record that doesn't include Google Trust Services.

HubSpot is unable to issue the SSL for the subdomain because it, or its parent domain, has a Certificate Authority Authorization (CAA) record which doesn’t include Google Trust Services. To resolve this, you'll need to edit your CAA record or add a CAA record for your root domain.

To resolve this error:

  1. Sign in to your DNS provider.
  2. In your DNS provider, access your CAA record for the root domain.
  3. Edit the record to include Google Trust Services with the following values:
    • flag: 0
    • tag: issue
    • value: pki.goog

  4. The record should read: 0 issue ‘pki.goog’

  5. After updating the CAA record, SSL provisioning will be retried automatically within four hours.

Please note: if this error has been present for more than 30 days, SSL will not automatically provision after updating the CAA record. Contact HubSpot support for assistance.

The SSL certificate for www.yourdomain.com couldn't be validated

HubSpot couldn't validate the SSL certification for your domain. There are three possible causes, which will be visible in the error message details:

The domain doesn't have a Whois email

The domain isn't associated with an email address in the Whois registry, and HubSpot is unable to send the SSL validation email. To resolve this error:

  1. Sign in to your DNS provider and navigate to the records for the domain.
  2. Edit your Whois email.
  3. In HubSpot, click Click here to confirm you own this domain. This will send a validation email to your updated email address.
  4. Open the email in your inbox to confirm that you own the domain.
  5. After confirmation, SSL provisioning will resume automatically.

Please note: if you're unable to update your Whois email, contact HubSpot support for other validation options.

The domain requested for validation isn't valid

HubSpot is unable to reach the subdomain. To resolve this error:

  1. Sign in to your DNS provider.

  2. Confirm your CNAME record is entered correctly.

  3. Allow time for DNS propagation if changes were recently made.

If DNS records are correct and the error persists, contact HubSpot support.

Please update your CNAME record for this domain

The subdomain doesn't have a CNAME record pointing to HubSpot. To resolve this error:

  1. Sign in to your DNS provider.
  2. Locate the CNAME record for the domain.
  3. Update the record so it points to the HubSpot value provided during domain connection.

After updating the CNAME record, allow time for DNS propagation. If the error persists, contact HubSpot support.

www.yourdomain.com has been marked as potentially unsafe by Google

Google maintains a list of URLs that contain malware or phishing. If the domain you're connecting matches any domain in this list, HubSpot can't provision SSL. If you have Google Search Console, an alert will appear in the domain’s security issues report.

To resolve this, submit a request to Google for a review of your affected page, or contact HubSpot support for further assistance.

www.yourdomain.com has been marked as potentially unsafe by PhishTank

PhishTank is an anti-phishing site that maintains a list of URLs with potential malware or phishing scams. If the domain you're connecting matches any domain in this list, HubSpot can't provision SSL for your domain. If your domain doesn't include malware or phishing scams, report a false positive to PhishTank.

We were unable to validate the domain

There's an unknown issue when trying to provision SSL for your subdomain. Please contact HubSpot support.

The SSL certificate for www.yourdomain.com couldn't be activated with Cloudflare

The domain has been blocked by Cloudflare. To resolve this, click Contact Us in the banner, which will open a pre-filled email to abusereply@cloudflare.com. Communicate with the team to resolve the error. 
Was this article helpful?
This form is used for documentation feedback only. Learn how to get help with HubSpot.

Related content

Related content

New to HubSpot? Use these guides to get started.