[Netlify] Failed attempt to renew your TLS certificate

Hi Netlify Community,

I have some questions about renewing the TLS certificate.

I got an email from Netlify which said…

The TLS certificate for will expire on Jun 17, 2020. We tried to renew it, but got this error message:

SniCertificate::CertificateInvalidError: Unable to verify challenge for <my website>

  1. When I checked the certificate on Netlify, it seems like it was updated on May 29 (the day after I got the email). Do I still need to renew the certificate manually?
    (Please see the screenshot below.)

  2. Could you explain how the TLS certificate works on Netlify?

Thank you.

Hi, @david7, I’m showing the SSL certificate was renewed the day after the email was sent also.

We renew the SSL certificates ten days in advance. (Let’s Encrypt recommends 30 days in advance but we don’t do so yet.) If you try to renew a certificate sooner than the ten days before, unless there has been a new domain name added to the site, our systems won’t even attempt the renewal.

However, after any renewal which isn’t successful, even if it is because it is too soon to renew the certificate, our systems will display the last known error message for the SSL certificate renewal for this site. With “too soon” failures, this means an old error message is shown because there is no error for “too soon” - it does nothing but isn’t an error itself.

This is why you saw the error with “SniCertificate::CertificateInvalidError: Unable to verify challenge for”. That wasn’t a current message but the last known error.

The later SSL renewal was successful and you don’t need to do anything at this time. This certificate will continue to auto-renew.

Please let us know if there are other questions.
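An added example, not part of the original posts and not Netlify's code: one way to check independently whether an emailed renewal error is stale is to compare the dates on the certificate actually being served with the time of the email and with the ten-day renewal window described in the reply above. The function names, the sample certificates and the email timestamp are constructed for illustration; only the Jun 17, 2020 expiry and the May 29 renewal date come from the thread.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW = timedelta(days=10)  # lead time stated in the reply above

# Constructed sample data in the dict shape returned by getpeercert().
OLD_CERT = {"notBefore": "Mar 19 00:00:00 2020 GMT", "notAfter": "Jun 17 00:00:00 2020 GMT"}
NEW_CERT = {"notBefore": "May 29 00:00:00 2020 GMT", "notAfter": "Aug 27 00:00:00 2020 GMT"}


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate a live host serves.

    An already-expired certificate fails the handshake with
    ssl.SSLCertVerificationError, which is itself the answer.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _utc(cert_time):
    # Convert the certificate's date string to an aware UTC datetime.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)


def assess(cert, now, error_seen_at):
    """Classify a certificate against the 10-day window and a reported error time."""
    issued, expires = _utc(cert["notBefore"]), _utc(cert["notAfter"])
    if now >= expires:
        state = "expired"
    elif expires - now <= RENEW_WINDOW:
        state = "renewal due"
    else:
        state = "not due"
    return {
        "days_left": (expires - now).days,
        "state": state,
        # True when the served certificate was issued after the error was
        # reported, i.e. a later renewal succeeded and the error is old.
        "renewed_since_error": issued > error_seen_at,
    }


if __name__ == "__main__":
    email = datetime(2020, 5, 28, 12, tzinfo=timezone.utc)  # constructed time
    now = datetime(2020, 6, 1, tzinfo=timezone.utc)
    for name, cert in (("old", OLD_CERT), ("new", NEW_CERT)):
        print(name, assess(cert, now, email))
```

For a live site, pass the result of `fetch_cert("your-domain.example")` to `assess` in place of the sample dictionaries.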

Hi @luke,

Thank you so much for your help!
That makes sense now : )