Failed to renew TLS certificate (Unable to verify challenge)


I recently received an email from Netlify telling me that the TLS certificate has failed to be renewed for my main domain name “ (Netlify domain name :

In the details it says this :

“SniCertificate::CertificateNonvalidError: Unable to verify challenge for DNS problem: NXDOMAIN looking up TXT for - check that a DNS record exists for this domain”

It’s the first time it happens in 4 years, everything worked fine until now. The website and its subdomains can still be accessed correctly.

The domain name is registered using OVH.
In my OVH dashboard, it appears that there isn’t any DNS TXT field for “_acme-challenge”.
The problem is that I can’t find what value to put in this field. Where could I find what the value needs to be ?

I tried to follow these steps, and it seems like my DNS are not correctly set even for the A and CNAME records (it never shows but instead shows some other IPs.

I’m having trouble sorting this out, and I’m sadly not really skilled in the domain name management area.
Please note that if needed, I’m willing to transfer the domain name from OVH to Netlify in order to setup everything quickly without any trouble.

Any help would be highly appreciated ! :slight_smile:

Hi there! Looking into your DNS setup, I believe your DNS records are the issue here. When I query host in my terminal, I see that you have IPV6 records. If you have IPV6 records, you must use Netlify DNS on our system. You can follow these instructions here to set up Netlify DNS:

If you prefer to stay with external DNS, you’ll need to delete your IPV6 records and still follow the above guide using the external DNS instructions, as I don’t see records set up properly for that either. You will set up these records at your registrar.

If you have set up the proper DNS records and you are not seeing them propagate, you’ll want to contact your registrar for assistance! Let me know if you have any other questions.

Hi Charlotte,

Thank you for your answer !
I followed your recommendations and chose to stay with External DNS, I used the guides you sent me to set everything up correctly.
Everything seems to be working fine again. I managed to successfully renew the TLS certificate for my domain and the website is accessible.
I hope I followed the instructions correctly, could you check on your side if everything seems fine to you ? (As I made the modifications this morning, the changes to the DNS records may still be propagating until tomorrow)

I have one more question : I have a few other Netlify websites that were hosted on subdomains ( for example, that I want to redirect to
These subdomains are not accessible anymore as I removed every DNS record from Netlify and OVH in order to clean everything up.
When I try to re add my custom subdomain on the website’s Domain Management section, it says "Awaiting External DNS and asks me to use Netfly’s Domain Name Servers, which I don’t use anymore as I now use OVH Domain Name Servers correctly.

What do I have to do to make my subdomains available ? Do I only have to add a single DNS A record redirecting to Netlify’s IP address for every subdomain or is there other steps to follow to make it work ?

Hi @thiervoj,

Thanks for following up.

Checking your DNS Configuration, I do see you have the CNAME Record for setup correctly:

host is an alias for has address has address has IPv6 address 2600:1f18:16e:df00::64 has IPv6 address 2600:1f18:2489:8201::c8

However, for the apex domain,, you’re using the deprecated load balancer IP

host has address mail is handled by 1

You’ll instead want to change the A Record for to use

If you could make that change, I think you should be all set.

Hi @Melvin,

I do have a A Record pointing to for that I added this morning.
I think the deprecated IP you are seeing is the one that existed before my modifications, it either has not been fully propagated yet, or you may have some DNS cache in place on your end ?
When I check using DNS Checker (here) we can see that the correct IP is set and propagated !

Hi @thiervoj,

Thanks for following up. You are correct, now when I check I see the IP address:

host has address mail is handled by 1

Let us know if you have any issues.