> For the complete documentation index, see [llms.txt](https://docs.tryterra.co/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://docs.tryterra.co/faq/help-topics/something-else/custom-subdomains-ssl-and-security/cname-validation-ssl-issuance-troubleshooting.md). # Why won't my custom subdomain CNAME or SSL validate? If a custom subdomain CNAME won't authorise, or the cert won't validate or parse, work through these: {% stepper %} {% step %} **Both CNAME records must be present and correct**: the ACM validation record and the load balancer record. On some DNS providers, omit the domain suffix from the record name since they auto-append it. Verify with a DNS lookup tool that the record resolves before SSL can be issued. {% endstep %} {% step %} **The CNAME must be DNS only** (grey cloud, proxy off), not proxied through Cloudflare. Otherwise SSL terminates at Cloudflare's edge and Terra's cert can't be served. {% endstep %} {% step %} **Keep the certificate-validation CNAME from support permanently in DNS.** It is used for ongoing SSL renewal, and removing it breaks long-term connectivity. {% endstep %} {% step %} If the subdomain serves a cert whose CN is an unrelated domain, **it is still valid as long as your subdomain is in the Subject Alternative Names**. Modern TLS matches against SAN, not CN, so a portal `parse` error then points to the URL string (trailing slash, whitespace), not the cert. {% endstep %} {% endstepper %} Also confirm all required scopes are selected, the redirect points to the auth path, and the webhook is set correctly. --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.tryterra.co/faq/help-topics/something-else/custom-subdomains-ssl-and-security/cname-validation-ssl-issuance-troubleshooting.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.