diff --git a/management/daemon.py b/management/daemon.py
index d223b040..6ba111d7 100755
--- a/management/daemon.py
+++ b/management/daemon.py
@@ -327,6 +327,19 @@ def dns_get_dump():
 
 # SSL
 
+@app.route('/ssl/status')
+@authorized_personnel_only
+def ssl_get_status():
+	from ssl_certificates import get_certificates_to_provision
+	from web_update import get_web_domains_info
+	provision, cant_provision = get_certificates_to_provision(env, ok_as_problem=False)
+	domains_status = get_web_domains_info(env)
+	return json_response({
+		"can_provision": list(provision),
+		"cant_provision": [{ "domain": domain, "problem": cant_provision[domain] } for domain in utils.sort_domains(cant_provision, env) ],
+		"status": [{ "domain": d["domain"], "status": d["ssl_certificate"][0], "text": d["ssl_certificate"][1] } for d in domains_status ],
+	})
+
 @app.route('/ssl/csr/<domain>', methods=['POST'])
 @authorized_personnel_only
 def ssl_get_csr(domain):
diff --git a/management/ssl_certificates.py b/management/ssl_certificates.py
index 0f019796..fd922ede 100755
--- a/management/ssl_certificates.py
+++ b/management/ssl_certificates.py
@@ -156,7 +156,7 @@ def get_domain_ssl_files(domain, ssl_certificates, env, allow_missing_cert=False
 
 # PROVISIONING CERTIFICATES FROM LETSENCRYPT
 
-def get_certificates_to_provision(env):
+def get_certificates_to_provision(env, ok_as_problem=True):
 	# Get a set of domain names that we should now provision certificates
 	# for. Provision if a domain name has no valid certificate or if any
 	# certificate is expiring in 14 days. If provisioning anything, also
@@ -196,8 +196,13 @@ def get_certificates_to_provision(env):
 			elif cert.not_valid_after-now < datetime.timedelta(days=30):
 				domains_if_any.add(domain)
 
-			# It's valid.
-			problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
+			# It's valid. Should we report its validness?
+			if ok_as_problem:
+				problems[domain] = "The certificate is valid for at least another 30 days --- no need to replace."
+
+	# Warn the user about domains hosted elsewhere.
+	for domain in set(get_web_domains(env, exclude_dns_elsewhere=False)) - set(get_web_domains(env)):
+		problems[domain] = "The domain's DNS is pointed elsewhere, so a TLS certificate is not necessary here and cannot be provisioned automatically anyway."
 
 	# Filter out domains that we can't provision a certificate for.
 	def can_provision_for_domain(domain):
diff --git a/management/templates/ssl.html b/management/templates/ssl.html
index 48fc91c8..2f9a1cab 100644
--- a/management/templates/ssl.html
+++ b/management/templates/ssl.html
@@ -3,10 +3,30 @@
 
 <h2>TLS (SSL) Certificates</h2>
 
+<p>An SSL certificate is a cryptographic file that proves to anyone connecting to this machine (like you right now) that the connection is secure.</p>
+
+<p>You need an SSL certificate for this box&rsquo;s hostname ({{hostname}}), and although optional you should also get one for every domain name and subdomain managed by this box (unless you&rsquo;ve directed DNS for a domain elsewhere through custom or external DNS).</p>
+
+<h3>Provision a Certificate</h3>
+
+<p>We can provision an SSL certificate for you from <a href="https://letsencrypt.org/" target="_blank">Let&rsquo;s Encrypt</a>, a free SSL certificate provider.</p>
+
+<p id="ssl_provision_status"></p>
+
+<table id="ssl_provision_problems" style="display: none" class="table">
+  <thead>
+    <tr>
+      <th>Domain</th>
+      <th>Problem</th>
+    </tr>
+  </thead>
+  <tbody>
+  </tbody>
+</table>
+
 <h3>Certificate Status</h3>
 
-
-<table id="ssl_domains" class="table" style="margin-bottom: 2em; width: auto;">
+<table id="ssl_domains" class="table" style="margin-bottom: 2em; width: auto; display: none">
   <thead>
     <tr>
       <th>Domain</th>
@@ -60,24 +80,47 @@
 <script>
 function show_tls() {
  api(
-    "/web/domains",
+    "/ssl/status",
     "GET",
     {
     },
-    function(domains) {
+    function(res) {
+      // provisioning status
+      if (res.can_provision.length > 0) {
+          $('#ssl_provision_status').removeClass("text-warning").removeClass("text-success")
+             .text("Domains: " + res.can_provision.join(", "));
+      } else if (res.cant_provision.length == 0) {
+          $('#ssl_provision_status').addClass("text-success").text("No domains hosted on this box need a new TLS certificate at this time.");
+      } else {
+          $('#ssl_provision_status').addClass("text-warning").text("No TLS certificates can be provisoned at this time:");
+      }
+      $('#ssl_provision_problems').toggle(res.cant_provision.length > 0);
+      $('#ssl_provision_problems tbody').text("");
+      for (var i = 0; i < res.cant_provision.length; i++) {
+        var domain = res.cant_provision[i];
+        var row = $("<tr><th class='domain'><a href=''></a></th><td class='status'></td></tr>");
+        $('#ssl_provision_problems tbody').append(row);
+        row.attr('data-domain', domain.domain);
+        row.find('.domain a').text(domain.domain);
+        row.find('.domain a').attr('href', 'https://' + domain.domain);
+        row.find('.status').text(domain.problem);
+      }
+
+      // certificate status
+      var domains = res.status;
       var tb = $('#ssl_domains tbody');
       tb.text('');
       $('#ssldomain').html('<option value="">(select)</option>');
-
+      $('#ssl_domains').show();
       for (var i = 0; i < domains.length; i++) {
         var row = $("<tr><th class='domain'><a href=''></a></th><td class='status'></td> <td class='actions'><a href='#' onclick='return ssl_install(this);' class='btn btn-xs'>Install Certificate</a></td></tr>");
         tb.append(row);
         row.attr('data-domain', domains[i].domain);
         row.find('.domain a').text(domains[i].domain);
         row.find('.domain a').attr('href', 'https://' + domains[i].domain);
-        row.addClass("text-" + domains[i].ssl_certificate[0]);
-        row.find('.status').text(domains[i].ssl_certificate[1]);
-        if (domains[i].ssl_certificate[0] == "success") {
+        row.addClass("text-" + domains[i].status);
+        row.find('.status').text(domains[i].text);
+        if (domains[i].status == "success") {
           row.find('.actions a').addClass('btn-default').text('Replace Certificate');
         } else {
           row.find('.actions a').addClass('btn-primary').text('Install Certificate');
diff --git a/management/web_update.py b/management/web_update.py
index 5f5b6170..ffd1cff9 100644
--- a/management/web_update.py
+++ b/management/web_update.py
@@ -9,7 +9,7 @@ from dns_update import get_custom_dns_config, get_dns_zones
 from ssl_certificates import get_ssl_certificates, get_domain_ssl_files, check_certificate
 from utils import shell, safe_domain_name, sort_domains
 
-def get_web_domains(env, include_www_redirects=True):
+def get_web_domains(env, include_www_redirects=True, exclude_dns_elsewhere=True):
 	# What domains should we serve HTTP(S) for?
 	domains = set()
 
@@ -24,9 +24,10 @@ def get_web_domains(env, include_www_redirects=True):
 		# the topmost of each domain we serve.
 		domains |= set('www.' + zone for zone, zonefile in get_dns_zones(env))
 	 
-	# ...Unless the domain has an A/AAAA record that maps it to a different
-	# IP address than this box. Remove those domains from our list.
-	domains -= get_domains_with_a_records(env)
+	if exclude_dns_elsewhere:
+		# ...Unless the domain has an A/AAAA record that maps it to a different
+		# IP address than this box. Remove those domains from our list.
+		domains -= get_domains_with_a_records(env)
 
 	# Ensure the PRIMARY_HOSTNAME is in the list so we can serve webmail
 	# as well as Z-Push for Exchange ActiveSync. This can't be removed
@@ -216,4 +217,4 @@ def get_web_domains_info(env):
 			"static_enabled": domain not in (www_redirects | has_root_proxy_or_redirect),
 		}
 		for domain in get_web_domains(env)
-	]
\ No newline at end of file
+	]