DNS issues: SniCertificate::CertificateInvalidError: Unable to verify challenge for *.ansperformance.eu

Dear Netlify Support,
The renewal of the Let's Encrypt certificates has been failing for a while now.
It looks to me that the DNS settings are fine, but the renewal still fails; see details here:

  • netlify site name: pru-portal.netlify.app
  • custom domains:
    • ansperformance.eu
    • www.ansperformance.eu
  • DNS issues:

    SniCertificate::CertificateInvalidError: Unable to verify challenge for *.ansperformance.eu
    We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved.
    Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Could you please have a look on your side and advise?
Thank you very much in advance for considering my request.
Yours sincerely,
Enrico

Hey @espinielli,

I believe that this may be due to the CAA record which you have configured. We do encourage that you deploy best security practices however you will need to ensure that your CAA record doesn’t cause Let’s Encrypt to error/fail. Unfortunately, we don’t have any more information beyond the error message which they provide us with!

Hello, I’m working with Enrico to try to solve this. I don’t expect the single remaining CAA record to really matter as it is only the reporting one and nothing in RFC-6844 prevents this. We will try again without any record though to check. What method are you using for the LE challenge? tls-alpn-01 or http-01?
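
As an added example (not code from this thread, from Netlify or from Let's Encrypt), here is a Python check of the CAA semantics the post above relies on: it finds the relevant CAA set by climbing toward the root (RFC 6844 / RFC 8659), treats an iodef-only set as non-restrictive, and only refuses issuance when issue/issuewild records exclude the CA. The zone data and mailbox are constructed.

```python
"""Decide whether a CA may issue for a name under CAA rules (RFC 8659 semantics)."""
from dataclasses import dataclass

CRITICAL = 0x80                     # issuer-critical flag bit
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa(line: str) -> CAARecord:
    """Parse presentation format, e.g. '0 issue "letsencrypt.org"'."""
    flags, tag, value = line.split(None, 2)
    return CAARecord(int(flags), tag.lower(), value.strip().strip('"'))


# Constructed zone standing in for DNS answers: only a reporting (iodef) record,
# like the single remaining record described in the thread. Not the real zone.
CONSTRUCTED_ZONE = {
    "ansperformance.eu": [parse_caa('0 iodef "mailto:security@example.invalid"')],
}


def relevant_rrset(name: str, zone: dict) -> list:
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def ca_may_issue(name: str, ca_domain: str, zone: dict) -> bool:
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    # A critical record with an unknown tag forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild governs wildcard names when present; otherwise issue applies.
    effective = issuewild if (wildcard and issuewild) else issue
    if not effective:                # no issue/issuewild (e.g. iodef only): no restriction
        return True
    # 'issue ";"' yields an empty issuer, which matches no CA.
    return any(r.value.split(";")[0].strip() == ca_domain for r in effective)
```

Running `ca_may_issue("*.ansperformance.eu", "letsencrypt.org", CONSTRUCTED_ZONE)` returns True, which is the RFC-level expectation the post states; the thread itself does not establish why renewal failed with that record in place.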

So removing that last CAA unblocked the certificate renewal.

It remains to be understood why it was a blocking issue before…

Hey @OllivierRobert, @espinielli,

Unfortunately, this isn’t very extensively documented (or managed) by us. I believe we’re using the HTTP-01 challenge type. However, I’m glad that we’ve managed to home in on the issue and we have something to focus on!