Issue while renewing SSL certificate

Getting the following error while renewing the SSL certificate:

This is my AWS Route53 config:

I don’t know what value it is expecting in the TXT DNS record, so I have set a default value of ‘key=value’.

Error

*SniCertificate::CertificateInvalidError: Unable to verify challenge for .bhaveshfuria.com: Incorrect TXT record "key=value" found at _acme-challenge.bhaveshfuria.com. 

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.
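The error above is the DNS-01 challenge failing: the CA looks up the TXT record at _acme-challenge.<domain> and expects a specific digest, not a placeholder. The following is an added example (not from the thread, Netlify, or Let’s Encrypt) that computes the value a DNS-01 challenge expects from an ACME challenge token and the account key, per RFC 8555 §8.4 and RFC 7638, and checks a published record the way the CA does. The token and the EC account key below are constructed sample values; a real client takes them from the challenge object and its own account key.

```python
import base64
import hashlib
import json
import re


def b64url(data):
    """Base64url without padding, as ACME (RFC 8555) uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: only the required public members take part in the thumbprint.
_REQUIRED_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: SHA-256 over the required public members,
    serialized in lexicographic key order with no whitespace."""
    members = {k: jwk[k] for k in _REQUIRED_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token, account_jwk):
    """Expected TXT value for _acme-challenge.<domain> (RFC 8555 section 8.4):
    base64url(SHA-256(token + "." + thumbprint))."""
    key_authorization = "%s.%s" % (token, jwk_thumbprint(account_jwk))
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return b64url(digest)


# A DNS-01 value is always 43 base64url characters: a 32-byte digest, unpadded.
_DNS01_SHAPE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def looks_like_dns01_value(value):
    """Cheap sanity check for whatever is currently published in the TXT record."""
    return bool(_DNS01_SHAPE.match(value))


def check_published_txt(published_values, expected):
    """Mimic the CA's view: at least one TXT string at _acme-challenge must equal
    the expected digest. Returns a short verdict for the operator."""
    if expected in published_values:
        return "valid"
    if any(not looks_like_dns01_value(v) for v in published_values):
        return "wrong-format"  # e.g. a placeholder such as key=value
    return "stale-or-wrong-token"  # right shape, but from another order/account


# Constructed sample inputs (not real challenge data).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}


if __name__ == "__main__":
    expected = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_JWK)
    print("expected TXT value:", expected)
    # The placeholder from the thread is rejected on shape alone.
    print("key=value ->", check_published_txt(["key=value"], expected))
    print("correct   ->", check_published_txt([expected], expected))
```

The practical point: the TXT value is derived from a per-order token and the ACME account key, so it cannot be guessed or reused across renewals. A hosted platform that manages the certificate has to write the record itself, which is only possible when it controls the zone.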

@furiabhavesh Did you recently make changes to your DNS settings? I ask because you seem to have two different DNS set-ups currently active – one of which will NOT allow Netlify to issue an SSL certificate. For example:

|===================== whois name server for ====================
| ---------------------- bhaveshfuria.com ----------------------
Updated Date: 2020-08-22T16:34:06.710Z
Name Server: ns-11.awsdns-01.com
Name Server: ns-1488.awsdns-58.org
Name Server: ns-1556.awsdns-02.co.uk
Name Server: ns-612.awsdns-12.net
|================================================================

vs.

|===================== dig name server(s) for ===================
| ---------------------- bhaveshfuria.com ----------------------
| ------------------- should agree with whois -------------------
dns1.p02.nsone.net.
dns2.p02.nsone.net.
dns3.p02.nsone.net.
dns4.p02.nsone.net.
|================================================================

As a result, you are showing an inactive DNS zone:

|================== check for inactive DNS zone =================
| --------------- last line should show nsone.net ---------------
| ----------------- for sites using Netlify DNS -----------------
| ---------------- otherwise will show DNS source ---------------
| ---------------------- bhaveshfuria.com ----------------------
bhaveshfuria.com.	172800	IN	NS	dns1.p02.nsone.net.
bhaveshfuria.com.	172800	IN	NS	dns2.p02.nsone.net.
bhaveshfuria.com.	172800	IN	NS	dns3.p02.nsone.net.
bhaveshfuria.com.	172800	IN	NS	dns4.p02.nsone.net.
;; Received 134 bytes from 205.251.194.100#53(ns-612.awsdns-12.net) in 25 ms

See the documentation here:
https://answers.netlify.com/t/support-guide-how-to-detect-and-fix-inactive-netlify-dns-zones/21742
|================================================================

Once you get your DNS straightened out and fully propagated, your certificate should be renewed or at least renewable.

1 Like

I don’t know where the following values are coming from. I had them previously, but I removed them a long time ago.

Name Server: ns-11.awsdns-01.com
Name Server: ns-1488.awsdns-58.org
Name Server: ns-1556.awsdns-02.co.uk
Name Server: ns-612.awsdns-12.net

That’s why I also posted my Route53 Config.

Is it possible that these are cached somewhere?

@furiabhavesh If you haven’t made a change since August 2020, they are almost certainly still live entries. DNS changes typically take 48 hours or less to propagate.

@gregraven

So what do you recommend I should do now?

Delete the existing hosted zone in Route53 and create a fresh one?

@furiabhavesh The first thing to do is re-read the docs about this.

You have made “name server” entries in AWS instead of delegating DNS to Netlify. You have to pick one or the other – either use AWS as external DNS or delegate to Netlify. Your mixed set-up is never going to work.
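The checks quoted earlier in the thread (registrar whois name servers versus the NS set the resolvers actually return, and the inactive-zone trace) and the conclusion here that the two set-ups must agree can be automated. The following is an added example, not the checker the support staff ran and not Netlify or AWS code: it parses the whois and dig output exactly as quoted above (copied here as constructed sample strings), compares the two name server sets, and recognizes the split-delegation pattern, where a server the registrar delegates to answers with NS records for a different provider. The provider heuristic (nsone.net for Netlify DNS, awsdns for Route53) follows the thread's own "last line should show nsone.net" note and is an assumption for illustration.

```python
import re

# Constructed copies of the whois and dig output quoted in the thread. In practice
# capture them with `whois <domain>` and `dig +trace NS <domain>`.
WHOIS_TEXT = """Updated Date: 2020-08-22T16:34:06.710Z
Name Server: ns-11.awsdns-01.com
Name Server: ns-1488.awsdns-58.org
Name Server: ns-1556.awsdns-02.co.uk
Name Server: ns-612.awsdns-12.net
"""

DIG_TEXT = """bhaveshfuria.com.\t172800\tIN\tNS\tdns1.p02.nsone.net.
bhaveshfuria.com.\t172800\tIN\tNS\tdns2.p02.nsone.net.
bhaveshfuria.com.\t172800\tIN\tNS\tdns3.p02.nsone.net.
bhaveshfuria.com.\t172800\tIN\tNS\tdns4.p02.nsone.net.
;; Received 134 bytes from 205.251.194.100#53(ns-612.awsdns-12.net) in 25 ms
"""


def normalize_host(name):
    """DNS names compare case-insensitively and with or without the trailing dot."""
    return name.strip().rstrip(".").lower()


def parse_whois_nameservers(text):
    """Name servers the registrar publishes (the delegation the parent zone uses)."""
    return {normalize_host(m.group(1))
            for m in re.finditer(r"^Name Server:\s*(\S+)", text, re.M)}


def parse_dig_ns(text):
    """NS records from dig's answer section (RR lines: name TTL IN NS target)."""
    return {normalize_host(m.group(1))
            for m in re.finditer(r"^\S+\s+\d+\s+IN\s+NS\s+(\S+)", text, re.M)}


def parse_answering_server(text):
    """The server that produced the final answer in a `dig +trace` run."""
    m = re.search(r";; Received \d+ bytes from \S+\((\S+)\)", text)
    return normalize_host(m.group(1)) if m else None


def provider_of(host):
    """Heuristic mapping of a name server to its DNS provider (assumption)."""
    if host.endswith("nsone.net"):
        return "netlify-dns"  # Netlify DNS answers from nsone.net, per the thread
    if ".awsdns-" in host:
        return "route53"
    return "other"


def assess_delegation(whois_text, dig_text):
    """Compare registrar delegation with the NS set the zone itself serves."""
    registrar = parse_whois_nameservers(whois_text)
    zone_ns = parse_dig_ns(dig_text)
    responder = parse_answering_server(dig_text)
    report = {
        "registrar_ns": sorted(registrar),
        "zone_ns": sorted(zone_ns),
        "answered_by": responder,
        "consistent": registrar == zone_ns,
    }
    if registrar == zone_ns:
        report["verdict"] = "ok"
    elif responder in registrar and zone_ns and not (zone_ns & registrar):
        # The registrar sends resolvers to provider A, and A's zone hands out NS
        # records for provider B: the "inactive zone" pattern from the thread.
        report["verdict"] = "split-delegation"
    else:
        report["verdict"] = "mismatch"
    return report


def remediation(report):
    """One sentence telling the operator which of the two valid set-ups to pick."""
    if report["verdict"] == "ok":
        return "Delegation is consistent; nothing to change."
    reg = sorted({provider_of(h) for h in report["registrar_ns"]})
    zone = sorted({provider_of(h) for h in report["zone_ns"]})
    return ("Registrar delegates to %s but the zone there lists %s name servers. "
            "Either change the registrar's name servers to the %s set, or remove "
            "the foreign NS records from the %s zone and host all records there."
            % (", ".join(reg), ", ".join(zone), ", ".join(zone), ", ".join(reg)))


if __name__ == "__main__":
    result = assess_delegation(WHOIS_TEXT, DIG_TEXT)
    print(result["verdict"], "answered by", result["answered_by"])
    print(remediation(result))
```

Run against the quoted output this reports split-delegation: the registrar still points at the four awsdns servers, and the Route53 zone those servers host contains NS records for nsone.net, so resolvers reach Netlify DNS only via a hop through AWS while the registrar never delegated to it. That is the mixed set-up the last reply describes, and it is why no ACME DNS-01 record Netlify writes can be found where the CA looks.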