When you set up a custom domain for your Notion workspace, SSL certificate renewal happens automatically behind the scenes. Sometimes this renewal fails, causing your custom domain to show a security warning or become unreachable. This article explains why the automatic SSL certificate renewal can break and provides step-by-step fixes to resolve the failure. You will learn how to check your DNS configuration, force a manual renewal, and prevent future SSL errors.
Key Takeaways: Fixing SSL Certificate Renewal for Your Notion Custom Domain
- Settings & Members > Settings > Custom Domain: The central location to manage your custom domain and view SSL status.
- DNS CNAME record validation: A missing or incorrect CNAME record is the most common cause of renewal failure.
- Notion support ticket for manual renewal: If DNS is correct, a support request can trigger a manual revalidation of your certificate.
Why Notion Custom Domain SSL Renewal Fails
Notion uses Let’s Encrypt to issue and automatically renew SSL certificates for custom domains. The renewal process requires that your domain’s DNS configuration remains valid and reachable. Specifically, Notion checks for a CNAME record that points your custom domain to cname.notion.so or a similar Notion-managed endpoint. If this record is missing, incorrect, or has a wrong TTL value, Let’s Encrypt cannot verify domain ownership and the certificate renewal fails.
Another common cause is a change in your DNS hosting provider or nameserver. When you move your domain to a new DNS provider, the CNAME record may not carry over correctly. Notion’s renewal server runs on a scheduled interval, so even a temporary DNS outage during that window can cause a missed renewal. The result is an expired certificate, and visitors see a browser security warning when accessing your Notion site.
Steps to Diagnose and Fix the SSL Renewal Failure
- Check your custom domain status in Notion
Go to Settings & Members > Settings > Custom Domain. Look for the status column next to your domain. If it shows “SSL Pending” or “Certificate Error,” renewal has failed. - Verify the CNAME record with your DNS provider
Log in to your DNS provider (Cloudflare, GoDaddy, Namecheap, etc.). Find the DNS records for your domain. Confirm there is a CNAME record for your custom domain (e.g.,docs.yourcompany.com) pointing tocname.notion.so. The record type must be CNAME, not A or AAAA. - Fix a missing or incorrect CNAME record
If the CNAME record is missing, add a new record: type CNAME, name your subdomain (e.g.,docs), targetcname.notion.so, and set TTL to 300 seconds (5 minutes) or the lowest value your provider allows. Save the record. - Wait for DNS propagation
DNS changes can take up to 48 hours, but typically propagate within 10 to 30 minutes. Use a tool likedigor an online DNS checker to confirm that your CNAME resolves tocname.notion.so. - Force a manual SSL renewal request to Notion
After confirming the DNS is correct, contact Notion support. Go to Settings & Members > Help & Support > Contact us. Explain that your custom domain SSL certificate renewal failed and that you have verified the CNAME record. Ask the support team to trigger a manual certificate revalidation. Notion’s team can initiate a fresh Let’s Encrypt challenge. - Check for proxy or CDN interference
If you use Cloudflare, make sure the orange cloud (proxy) is turned off for the CNAME record. Notion’s SSL renewal requires direct DNS resolution. When Cloudflare proxies the record, it may interfere with the Let’s Encrypt validation. Set the record to DNS only (gray cloud).
If Notion Still Has Issues After the Main Fix
Custom Domain Shows “Not Verified” After DNS Correction
Sometimes the status in Notion does not update immediately even after you fix the DNS. This is because Notion caches the verification result for up to 24 hours. Wait at least one hour, then refresh the Custom Domain page in Notion. If it still shows “Not Verified,” remove the custom domain from Notion and re-add it. Go to Settings & Members > Settings > Custom Domain, click the three dots next to the domain, select Remove, then add the domain again. This forces a fresh verification cycle.
SSL Certificate Renews but Browser Still Shows Warning
Your browser may cache the old certificate. Clear your browser cache and restart the browser. Alternatively, open the site in an incognito or private window. If the warning disappears, the issue was browser-side. If the warning persists, the certificate renewal may still be in progress. Wait 15 minutes and check again.
Multiple Custom Domains on One Workspace
Notion allows up to 10 custom domains per workspace. Each domain requires its own CNAME record. If you have multiple domains, verify each one individually. A single misconfigured domain does not affect the others, but all must have valid records for their own SSL renewal.
Notion Custom Domain DNS Requirements vs Common Mistakes
| Item | Correct Configuration | Common Mistake |
|---|---|---|
| Record type | CNAME | A or AAAA record pointing to an IP address |
| Target | cname.notion.so |
Using notion.so or a custom IP |
| Proxy status (Cloudflare) | DNS only (gray cloud) | Proxied (orange cloud) interfering with validation |
| TTL | 300 seconds or lower | 86400 seconds (24 hours) causing slow propagation |
This table shows the three most frequent DNS mistakes that cause SSL renewal to fail. Double-check each field against the correct column. Even one incorrect setting can prevent Let’s Encrypt from completing the challenge.
After you fix the DNS, you can monitor the renewal status in Notion’s Custom Domain settings. The status should change from “Certificate Error” to “Active” within a few hours. If it does not, contact Notion support with the exact error message you see.