After migrating our HubSpot instance to cloud hosting, our custom domain SSL certificate renewal is failing. The certificate is set to auto-renew, but it’s now showing “SSL renewal pending” for over a week and our site is about to become inaccessible when the current cert expires in 3 days.
The SSL management dashboard shows:
Domain: portal.company.com
Status: Renewal Failed - DNS validation error
Error: CNAME record not found or invalid
Last attempt: 2025-05-07 22:15:03
Our DNS CNAME record points to our old on-premise HubSpot instance hostname. I’m guessing this needs to be updated to point to the new cloud hosting address, but I can’t find documentation on what the correct CNAME target should be for cloud-hosted custom domains in hs-2023. The migration guide didn’t mention updating DNS records. Has anyone dealt with SSL certificate validation issues after cloud migration? What should the CNAME record point to now?
Found the cloud hosting CNAME in the settings - it’s proxy.hubspotcloud.net. Updated our DNS record about 2 hours ago. Should I wait for full propagation before triggering another renewal attempt, or can I force it now?
I’ll walk you through the complete SSL renewal fix after cloud migration, addressing all the validation and configuration requirements.
Don’t forget to check your DNS propagation time. Even after updating the CNAME, it can take up to 48 hours for changes to propagate globally. The SSL validation might be checking from different geographic locations and still seeing the old record. You can use DNS checker tools to verify the CNAME is resolving correctly from multiple locations before retrying the SSL renewal.
You can trigger it now, but be aware that HubSpot’s SSL validation system caches DNS results for about 4 hours. If it fails again, wait at least 6 hours before the next attempt to ensure both DNS propagation and cache clearing. Also verify your CNAME points to the correct regional endpoint.
This is a common oversight during cloud migrations. When you migrate to cloud hosting, HubSpot’s SSL certificate validation system needs to verify domain ownership through DNS. Your CNAME should now point to something like cloud-proxy-us1.hubspot.com or similar depending on your region. But here’s the catch - you also need to ensure the SSL certificate authority can reach the validation endpoint at your domain. Sometimes firewall rules or CDN configurations block the validation requests.
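
Added example, not part of any post in this thread: a shell check that the new CNAME is already visible from several public resolvers before another renewal attempt is triggered, as the replies above suggest. The domain and target are the ones quoted in the thread; the script name and the default resolver list (1.1.1.1, 8.8.8.8, 9.9.9.9) are assumptions, and the target should be whatever your own settings page shows.

```shell
#!/bin/sh
# Added example: verify a CNAME change from multiple resolvers before
# retrying certificate renewal. Requires dig.

# Normalise a DNS name: lower-case, no trailing dot.
normalise() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\.$//'
}

# Ask one resolver for the CNAME of a name. Prints the target, or nothing
# when there is no CNAME answer (NXDOMAIN, timeout, A record only).
lookup_cname() {
    dig +short +time=3 +tries=1 CNAME "$1" "@$2" 2>/dev/null | head -n 1
}

# cname_propagated NAME EXPECTED RESOLVER...
# Prints one line per resolver; returns 0 only if every resolver
# already answers with EXPECTED.
cname_propagated() {
    local name=$1 expected resolver answer stale=0
    expected=$(normalise "$2")
    shift 2
    for resolver in "$@"; do
        answer=$(normalise "$(lookup_cname "$name" "$resolver")")
        if [ "$answer" = "$expected" ]; then
            echo "ok     $resolver -> $answer"
        else
            echo "stale  $resolver -> ${answer:-<no CNAME answer>}"
            stale=1
        fi
    done
    return "$stale"
}

# Run as: ./check_cname.sh portal.company.com proxy.hubspotcloud.net
if [ "$#" -ge 2 ]; then
    name=$1; target=$2; shift 2
    # Default resolvers are an assumption (Cloudflare, Google, Quad9).
    [ "$#" -gt 0 ] || set -- 1.1.1.1 8.8.8.8 9.9.9.9
    if cname_propagated "$name" "$target" "$@"; then
        echo "All resolvers agree; the renewal can be retried."
    else
        echo "Old or missing record still visible; wait before retrying."
        exit 1
    fi
fi
```

A resolver that still returns the old on-premise hostname, or no CNAME at all, makes the script exit non-zero, so it can gate a scheduled retry.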