Why am I unable to activate the free SSL?

Jordan Graves
Published: 16 October 2023
Last updated: 17 October 2023

Every 20i hosting package includes a free wildcard SSL certificate. 

To utilise the free SSL certificate, the domain name must use our nameservers (read here to find out why our nameservers are required).

These are: 

  • ns1.stackdns.com 
  • ns2.stackdns.com 
  • ns3.stackdns.com 
  • ns4.stackdns.com 

If the Activate Free SSL button does not show in the SSL/TLS section under the Security header, or you get an error message when you click the Activate Free SSL button, please check the following:

Does the domain name have DNSSEC enabled?

DNSSEC can block the platform from verifying that the domain name is using 20i’s nameservers.

This can be checked from a Whois lookup. If DNSSEC is Signed, this will need to be disabled at your domain registrar. 

Nameserver propagation

If you have recently changed your nameservers to 20i’s, there is often a propagation delay until the domain name switches from the previous nameservers to 20i’s.

It can take up to 48 hours for nameserver changes to propagate across the web, but in most cases, it will be completed much faster. 

20i utilises Google’s Public DNS and so you can flush the DNS cache to clear the resolvers. 

Does the domain name have any ‘acme-challenge’ CNAME records within the DNS zone?

Acme-challenge CNAME records are used to validate Let’s Encrypt SSL certificates. 

Because the 20i free wildcard SSL certificates are issued by Let’s Encrypt, an existing acme-challenge CNAME record can block the platform from issuing the SSL certificate.

The acme-challenge CNAME records look like this: _acme-challenge.example-domain.com. Once the DNS record has been removed and the DNS change has propagated, the Activate Free SSL button should appear.

Nameserver sub-delegation

Sub-delegation of nameservers is where the domain points to 20i (StackDNS) only through another provider, while at the registry the nameservers still point to that other provider.

This happens when the 20i nameservers are added as an NS record in the DNS rather than set as the domain's nameservers. If this is the case, please contact your domain provider.
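
The checks above can be run together against DNS answers you have already collected. The following is an added example, not 20i's own tooling: the function names, finding labels and sample records are assumptions made for illustration, and it treats a DS record at the registry as the DNS-level sign that DNSSEC is signed, in place of the Whois lookup.

```python
# Added example (not 20i code): pre-flight check for the blockers listed above.
# Inputs are DNS answers in dig "+noall +answer" line format:
#   owner TTL class type rdata
TWENTYI_NS = {f"ns{i}.stackdns.com" for i in range(1, 5)}

def parse(text):
    """Return (owner, rtype, rdata) tuples from dig-style answer lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and not parts[0].startswith(";"):
            records.append((parts[0].rstrip(".").lower(), parts[3].upper(),
                            " ".join(parts[4:]).rstrip(".").lower()))
    return records

def diagnose(domain, registry_answer, zone_answer):
    """registry_answer: NS and DS records as held at the registry (parent zone).
    zone_answer: records returned from the domain's own live DNS zone."""
    domain = domain.rstrip(".").lower()
    registry, zone = parse(registry_answer), parse(zone_answer)
    registry_ns = {d for o, t, d in registry if o == domain and t == "NS"}
    zone_ns = {d for o, t, d in zone if o == domain and t == "NS"}
    findings = []
    # A DS record at the parent means the delegation is DNSSEC-signed.
    if any(o == domain and t == "DS" for o, t, _ in registry):
        findings.append("dnssec-signed")
    if not registry_ns or not registry_ns <= TWENTYI_NS:
        if zone_ns & TWENTYI_NS:
            # 20i appears only as NS records inside another provider's zone.
            findings.append("sub-delegation")
        else:
            # Not switched yet, or the change is still propagating.
            findings.append("registry-ns-not-20i")
    if any(o == "_acme-challenge." + domain and t == "CNAME" for o, t, _ in zone):
        findings.append("acme-challenge-cname")
    return findings

# Constructed sample data for the placeholder domain used on this page.
REGISTRY = """\
example-domain.com. 172800 IN NS ns1.other-provider.example.
example-domain.com. 172800 IN NS ns2.other-provider.example.
example-domain.com. 86400 IN DS 12345 13 2 00AA11BB
"""
ZONE = """\
example-domain.com. 3600 IN NS ns1.stackdns.com.
example-domain.com. 3600 IN NS ns2.stackdns.com.
_acme-challenge.example-domain.com. 300 IN CNAME validation.other-provider.example.
"""

if __name__ == "__main__":
    print(diagnose("example-domain.com", REGISTRY, ZONE))
```

An empty result means none of the listed blockers were found in the supplied answers.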