Getting App Platform to resolve custom domains faster

Posted on February 6, 2026

We are migrating a number of application instances from elsewhere to App Platform. As part of this, we have previously moved all related DNS records into DigitalOcean. They are all A records with a TTL of 300 seconds (5 minutes).

When I migrate an instance to App Platform, I first remove the associated A record. The old instance goes offline (expected). I migrate the database, then spin up the new app and assign the domain to it, having DO manage it. DO creates the CNAME as expected and the domain status becomes “Pending”. This process takes at least 5 minutes, so the TTL on the old A record has expired, and this can be verified with dig.

However, invariably, the app fails to generate a certificate for the domain, reporting “Invalid configuration”. I have tried waiting idly, I have tried re-adding the domain to the app in an attempt to get it to try again, I have tried re-deploying the app. It consistently takes 30-60 minutes to resolve - remember, this is production downtime!

I assume App Platform uses a DNS challenge to generate the cert with Let’s Encrypt - why is it taking so long to do so when the DNS changes are quickly propagating according to all other sources? Is there anything about the above process I can change to speed things up?




Accepted Answer

Hi there,

If the first validation attempt fails (which often happens while the old A record is still cached somewhere upstream), App Platform backs off and retries on a fixed internal schedule. That retry window is usually on the order of tens of minutes, not seconds, and there’s currently no way to force it manually. Removing and re-adding the domain or redeploying the app does not reliably reset that timer.

Second, even though your authoritative DNS TTL is 300 seconds, Let’s Encrypt validation depends on global resolver consistency, not just what you see from one or two dig queries. Some resolvers will still cache the old record longer, and App Platform seems to be conservative about proceeding until it sees consistent results across its validation infrastructure.

Third, App Platform’s “Pending / Invalid configuration” state is misleading. In many cases, nothing is actually wrong anymore — the platform is simply waiting for the next internal certificate retry cycle. That’s why it suddenly “fixes itself” after 30–60 minutes without any further changes.

Regards
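
The cross-resolver consistency check discussed in the answer above, as an added example that is not part of the original thread and not DigitalOcean tooling. It classifies what each resolver returns for the hostname (new CNAME, leftover A record, or no answer) and succeeds only when every resolver returns the expected CNAME target. The resolver list, `app.example.com`, `app-target.example.net.` and the sample answers are constructed placeholders.

```shell
#!/bin/sh
# Added example. Hostnames, IPs and the resolver list are constructed placeholders.
RESOLVERS="1.1.1.1 8.8.8.8 9.9.9.9"   # assumption: any set of public resolvers

# classify_answer ANSWER -> CNAME | A | EMPTY
# ANSWER is the first line of `dig +short NAME A` from one resolver.
classify_answer() {
  case "$1" in
    "") echo EMPTY ;;  # no data; may be a cached negative answer (SOA-governed TTL)
    *.) echo CNAME ;;  # dig prints names with a trailing dot
    *)  echo A ;;      # bare address: the name still resolves directly
  esac
}

# consistent_cname TARGET: reads "resolver answer" lines on stdin and succeeds
# only if at least one resolver answered and all of them return TARGET.
consistent_cname() {
  expected=$1 seen=0 bad=0
  while read -r resolver answer; do
    seen=$((seen + 1))
    if [ "$answer" != "$expected" ]; then
      echo "$resolver: $(classify_answer "$answer") ${answer:-<none>}" >&2
      bad=$((bad + 1))
    fi
  done
  [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# collect NAME: live query of every resolver (needs network and dig).
collect() {
  for r in $RESOLVERS; do
    printf '%s %s\n' "$r" "$(dig +short +time=2 +tries=1 "@$r" "$1" A | head -n 1)"
  done
}

# Constructed sample data: one stale A record, one empty answer.
sample_mixed() {
  printf '%s\n' '1.1.1.1 app-target.example.net.' '8.8.8.8 203.0.113.10' '9.9.9.9 '
}
sample_ready() {
  printf '%s\n' '1.1.1.1 app-target.example.net.' '8.8.8.8 app-target.example.net.'
}

if [ "$#" -eq 2 ]; then   # live: sh check.sh app.example.com app-target.example.net.
  collect "$1" | consistent_cname "$2" && echo "consistent" || echo "not yet consistent"
else                      # offline demo on the constructed samples
  sample_mixed | consistent_cname app-target.example.net. || echo "mixed: not yet consistent"
  sample_ready | consistent_cname app-target.example.net. && echo "ready: consistent"
fi
```

A consistent result only shows that the queried resolvers agree; per the answer above, App Platform still retries certificate validation on its own schedule.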
