Shopify SSL pending: Activate domain certificate and establish HTTPS access

Resolve "SSL pending" in Shopify by checking DNS (A/CNAME), AAAA conflicts, and proxies. Use dig/openssl to verify routing and certificates until HTTPS is working without errors.

Direct solution in brief

  • Set DNS correctly: A record for the root (@) → 23.227.38.65 and CNAME for www → shops.myshopify.com.
  • Remove conflicts: additional A records, AAAA (IPv6) records, incorrect CNAMEs, and redirects configured at the DNS provider.
  • If Cloudflare or another proxy is in front of the domain: set the DNS records for root and www to DNS only (not proxied).
  • Wait and check: DNS propagation plus certificate issuance typically takes minutes to several hours; then check again under Settings → Domains.

When does this occur?

  • In the Shopify admin under Settings → Domains , the domain shows SSL pending .
  • Accessing https://deinedomain.tld shows certificate errors (e.g., "invalid certificate" / "common name mismatch").
  • The domain works via HTTP or points to another website/platform, but HTTPS does not show a "green" result.
  • After domain transfer, DNS provider change, or Cloudflare activation, SSL remains permanently pending.

Technical background: Why does this happen?

Shopify automatically obtains SSL certificates for custom domains. For this to work, the domain must resolve unambiguously to Shopify (DNS routing). If the DNS records conflict (e.g., multiple A records, an AAAA record for IPv6, an incorrect CNAME) or a proxy/CDN terminates the connection in front of Shopify, Shopify cannot reliably verify control of the hostname and cannot complete the certificate process. In addition, DNS caching and propagation can cause Shopify (and the certificate authority) to temporarily see the old target server.

Step-by-step: Here's how to implement it

  1. Check status in admin

    • Open Shopify Admin → Settings → Domains .
    • Check the affected domain: its status (connected / SSL pending) and whether it is set as the primary domain .
  2. Set DNS target values (desired state)

    • Root domain (Apex, @ ): A record on 23.227.38.65
    • www subdomain : CNAME pointing to shops.myshopify.com
  3. Correct DNS at the provider

    • Open the DNS management at your domain provider (or at Cloudflare, if that's where the nameservers are located).
    • Set/check the records exactly as in step 2.
    • Remove all conflicting entries (details in "Common Errors"), especially:
      • more A-records for @
      • AAAA records for @ or www
      • CNAME for @ (a CNAME at the apex is not valid alongside other apex records; even where the provider offers an ALIAS/flattened variant, Shopify expects an A record here)
  4. If using Cloudflare: Disable proxy

    • In Cloudflare, under DNS, set the cloud status for @ and www to DNS only (grey cloud).
    • Important: The goal is for domain requests to go directly to Shopify until SSL is active.
  5. Technically verify that DNS is actually pointing to Shopify

    Check from a system that doesn't use your local DNS caches (or query a public resolver directly):

     # A record (root)
     dig +short A deinedomain.tld @1.1.1.1
    
     # CNAME (www)
     dig +short CNAME www.deinedomain.tld @1.1.1.1
    
     # Check whether an unexpected IPv6 (AAAA) record exists
     dig +short AAAA deinedomain.tld @1.1.1.1
    
     Expected output:
     23.227.38.65
     shops.myshopify.com.
     (no AAAA output)
  6. Check SSL certificate status

    Once the DNS is correct, certificate issuance can start and complete. Verify the certificate that is actually served via a TLS handshake; the subject (CN / SAN) must contain your domain and the issuer should not be your old host or Cloudflare:

     openssl s_client -servername deinedomain.tld -connect deinedomain.tld:443 < /dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
    
     # chain validation result of the handshake (should be "0 (ok)")
     openssl s_client -servername deinedomain.tld -connect deinedomain.tld:443 < /dev/null 2>/dev/null | grep 'Verify return code'
    • If a correct certificate is not yet delivered: wait longer (propagation) or check again for DNS conflicts.
  7. Properly setting up the primary domain and redirects

    • In Settings → Domains set the desired domain as the primary domain .
    • Check that www ↔ root redirects correctly (Shopify manages this via the primary domain configuration).
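Steps 5 and 6 above, combined into one script as an added example (this is not code from the original article or from Shopify). The evaluate_* functions take the raw output of dig +short and openssl x509 as arguments, so the logic can be exercised with constructed input; check_domain wires them to the real tools. Assumptions: dig and openssl (1.1.1 or newer, for -ext) are installed, 1.1.1.1 is used as the public resolver, deinedomain.tld is a placeholder, and a Cloudflare issuer is treated as a heuristic sign that the proxy is still active.

```shell
#!/bin/sh
# Added example: check a domain's DNS and served certificate against the
# Shopify desired state (A @ -> 23.227.38.65, CNAME www -> shops.myshopify.com).
# Assumed: dig and openssl >= 1.1.1 installed; 1.1.1.1 as public resolver.

SHOPIFY_A="23.227.38.65"
SHOPIFY_WWW_CNAME="shops.myshopify.com."

# evaluate_dns ROOT_A ROOT_AAAA ROOT_CNAME WWW_CNAME
#   Each argument is the (possibly empty or multi-line) output of one
#   `dig +short` query. Prints one finding per line; returns the number
#   of findings, so 0 means "DNS matches the desired state".
evaluate_dns() {
    local root_a root_aaaa root_cname www_cname n
    root_a=$1; root_aaaa=$2; root_cname=$3; www_cname=$4; n=0
    case "$root_a" in
        "")             echo "@ has no A record (missing or not yet propagated)"; n=$((n+1)) ;;
        "$SHOPIFY_A")   ;;   # exactly one A record with the correct target
        *"$SHOPIFY_A"*) echo "@ has additional A records besides $SHOPIFY_A"; n=$((n+1)) ;;
        *)              echo "@ A record points to $root_a, not $SHOPIFY_A"; n=$((n+1)) ;;
    esac
    [ -n "$root_aaaa" ] && { echo "@ has an AAAA (IPv6) record: $root_aaaa"; n=$((n+1)); }
    [ -n "$root_cname" ] && { echo "@ has a CNAME ($root_cname); use an A record instead"; n=$((n+1)); }
    case "$www_cname" in
        "")                   echo "www has no CNAME (probably set as an A record)"; n=$((n+1)) ;;
        "$SHOPIFY_WWW_CNAME") ;;
        *)                    echo "www CNAME points to $www_cname, not $SHOPIFY_WWW_CNAME"; n=$((n+1)) ;;
    esac
    return $n
}

# name_matches DOMAIN NAMES
#   NAMES is the subject line plus the subjectAltName block from openssl x509.
#   Splits on ',', '=' and ':' so "CN = host" and "DNS:host" both become tokens;
#   accepts an exact match or a wildcard for the parent zone.
name_matches() {
    local domain parent
    domain=$1; parent=${domain#*.}
    printf '%s\n' "$2" | tr ',=:' '\n\n\n' | tr -d ' ' | grep -qxF -e "$domain" -e "*.$parent"
}

# evaluate_cert DOMAIN NAMES ISSUER
#   Prints findings for a name mismatch and for a Cloudflare-issued certificate
#   (heuristic: the proxy is still terminating TLS). Returns the number of findings.
evaluate_cert() {
    local domain n
    domain=$1; n=0
    name_matches "$domain" "$2" || { echo "certificate is not issued for $domain (name mismatch): $2"; n=$((n+1)); }
    case "$3" in
        *Cloudflare*) echo "certificate issued by Cloudflare: proxy is still active"; n=$((n+1)) ;;
    esac
    return $n
}

# check_domain DOMAIN: run the real queries and feed them to the evaluators.
check_domain() {
    local d r n cert names issuer
    d=$1; r=1.1.1.1; n=0
    evaluate_dns "$(dig +short A "$d" @$r)" \
                 "$(dig +short AAAA "$d" @$r)" \
                 "$(dig +short CNAME "$d" @$r)" \
                 "$(dig +short CNAME "www.$d" @$r)" || n=$?
    cert=$(openssl s_client -servername "$d" -connect "$d:443" </dev/null 2>/dev/null \
           | openssl x509 2>/dev/null) || { echo "no certificate served for $d"; return $((n+1)); }
    names=$(printf '%s\n' "$cert" | openssl x509 -noout -subject -ext subjectAltName)
    issuer=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer)
    evaluate_cert "$d" "$names" "$issuer" || n=$((n + $?))
    [ "$n" -eq 0 ] && echo "$d: DNS and certificate match the Shopify desired state"
    return $n
}

if [ $# -gt 0 ]; then
    check_domain "$1"
fi
```

Run it as `sh check-shopify-dns.sh deinedomain.tld` after each DNS change; a non-zero exit code means at least one of the conflicts listed under "Common mistakes" is still visible from the public resolver or in the served certificate.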

Common mistakes

  • Multiple A records for @ (cause: old hosting/landing page entries). Fix: Use only one A record for @ : 23.227.38.65 .

  • AAAA record (IPv6) present (cause: provider automatically creates IPv6; Shopify usually doesn't expect IPv6 routing here). Fix: Remove the AAAA record for @ and possibly www , then check again.

  • www is set as an A record (cause: created manually instead of using a CNAME). Fix: Delete the A record for www and set the CNAME www → shops.myshopify.com .

  • Cloudflare "Proxied" is active (cause: with the proxy on, the public A record resolves to Cloudflare's edge instead of 23.227.38.65 and Cloudflare terminates TLS with its own certificate, so Shopify never sees the domain pointing at it and the certificate process stalls). Fix: Set the DNS records for @ and www to DNS only until SSL is active.

  • DNS is still pointing to the old platform (propagation/caching) (cause: high TTL or resolver caches). Fix: Temporarily lower the TTL to 300 seconds, wait a few hours, and check against public resolvers using dig .

  • Incorrect domain set as primary (cause: root instead of www or vice versa, so the redirect appears broken). Fix: In Settings → Domains set the desired target domain as primary and then test both versions.

Best Practices

  • Keep DNS to a minimum: For Shopify, A (@) and CNAME (www) are usually sufficient. Anything else is only necessary if required for technical reasons.
  • Lower the TTL before making changes (e.g., to 300 seconds), then increase it again afterwards.
  • Measure changes first, then modify further: Check with dig after each DNS adjustment before making the next correction.
  • Use Cloudflare deliberately: first get SSL active on Shopify, then re-enable proxy/CDN functions and test again. If you do re-enable the proxy, set Cloudflare's SSL/TLS mode to Full (strict) so the Cloudflare → Shopify hop is also encrypted and the Shopify certificate is validated; "Flexible" would serve HTTPS to visitors while talking to the origin over plain HTTP.
  • Test both hostnames: https://deinedomain.tld and https://www.deinedomain.tld should predictably lead to the same storefront.

Brief summary

  • SSL pending is almost always a DNS/proxy problem, not a theme problem.
  • Set @ as an A record to 23.227.38.65 and www as a CNAME to shops.myshopify.com .
  • Remove extra A/AAAA records and incorrect CNAMEs.
  • Disable proxies (e.g., Cloudflare "Proxied") until SSL is active.
  • Check DNS and certificate with dig and openssl , and then set the primary domain correctly.