Not able to renew SSL Certificate from Netlify - SniCertificate::CertificateNonvalidError: Unable to verify challenge for molecules.om: Incorrect TXT record "3245" found at _acme-challenge

I am not able to renew the SSL certificate from Let’s Encrypt that is provided from Netlify for one of my websites (www.molecules.om) which is associated with the email ID that I am sending the mail request from.

It's showing me the following error:

* SniCertificate::CertificateNonvalidError: Unable to verify challenge for molecules.om: Incorrect TXT record “3245” found at _acme-challenge.molecules.om We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Please let me know where I can get the _acme-challenge token from in order to add a TXT record under the domain records.

Hi @Audai, it appears your domain molecules.om has an inactive DNS zone:

whois molecules.om | grep -i "name server"
Name Server:                     ns1.dns-parking.com
Name Server:                     ns2.dns-parking.com

I’d recommend checking out this support guide for solutions to this issue:

Actually the Netlify DNS are already connected and verified with a green tick on both the apex domains (molecules.om and www.molecules.om)

I had followed the above doc, and both of the records below are added as mentioned:

Netlify’s load balancer IP address: 75.2.60.5…add an A RECORD.
Netlify’s load balancer at: apex-loadbalancer.netlify.com…added an ALIAS RECORD.

Hi @Audai,

Thanks for the follow-up.

Since you want to use External DNS, you’ll want to remove the Netlify DNS Zone here, as it can cause issues with renewing SSL certificates. This is mentioned in the Inactive DNS Zone Support Guide:

Under Are inactive DNS zones a problem?

Actually, yes, inactive DNS zones with our DNS service do cause problems. The most common issue they cause is that our service will be unable to create or update the automatic Let’s Encrypt SSL certificates for this production domain. This can affect any updates for the Let’s Encrypt SSL certificates our service provisions, including updates for branch subdomains.

For your External DNS configuration, I do see you are pointing an A Record for molecules.om to 75.2.60.5. For www.molecules.om, you’ll want to point a CNAME Record to glowing-pavlova-5eb0db.netlify.app.

Once the DNS change has propagated, please try clicking Renew certificate here:

Let us know if you have any questions.

The issue is still there…Actually it was working all fine before…all of a sudden around a week back it went down.

Netlify’s load balancer IP address: 75.2.60.5 …add an A RECORD.
Netlify’s load balancer at: apex-loadbalancer.netlify.com …added an ALIAS RECORD.

Hi, @Audai. Two different people have both given you the same correct answer. You must delete this DNS zone to resolve this issue:

https://app.netlify.com/account/dns/molecules.om

Once you delete that DNS zone, two things will change:

  • Netlify will no longer attempt to use DNS to authorize the SSL certificate provisioning.
  • The SSL provisioning will succeed using the HTTP authorization method.

However, you must delete the DNS zone for that to happen.


Thanks, it's resolved now…
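The check the replies in this thread perform by hand, written out as an added example (not part of any post above and not Netlify's code): it flags a hosted DNS zone that the registrar does not delegate to, and a `_acme-challenge` TXT value that cannot be an ACME DNS-01 response. The function names and the `nsone.net` provider suffix are assumptions; the whois sample is constructed from the output quoted in the thread.

```python
import re

# Constructed sample input, modelled on the whois output quoted in the thread.
SAMPLE_WHOIS = """\
Name Server:                     ns1.dns-parking.com
Name Server:                     ns2.dns-parking.com
"""

# RFC 8555 section 8.4: the DNS-01 TXT value is the unpadded base64url
# encoding of a SHA-256 digest, i.e. exactly 43 base64url characters.
DNS01_VALUE = re.compile(r"[A-Za-z0-9_-]{43}")


def parse_name_servers(whois_text):
    """Return the sorted, lower-cased name servers listed in whois output."""
    found = re.findall(r"(?im)^\s*name server:\s*(\S+)", whois_text)
    return sorted({ns.rstrip(".").lower() for ns in found})


def zone_is_delegated(name_servers, provider_suffix):
    """True only if every delegated name server belongs to the DNS provider."""
    suffix = "." + provider_suffix.lower().lstrip(".")
    return bool(name_servers) and all(ns.endswith(suffix) for ns in name_servers)


def is_dns01_value(txt):
    """Shape check only: True if the TXT string could be a DNS-01 digest."""
    return DNS01_VALUE.fullmatch(txt.strip().strip('"')) is not None


def diagnose(whois_text, provider_suffix, zone_exists, acme_txt_values):
    """List the reasons DNS-based validation would fail for this domain."""
    findings = []
    servers = parse_name_servers(whois_text)
    if zone_exists and not zone_is_delegated(servers, provider_suffix):
        findings.append("inactive-zone: registrar delegates to " + ", ".join(servers))
    for value in acme_txt_values:
        if not is_dns01_value(value):
            findings.append("unexpected-txt: %r is not a DNS-01 digest" % value)
    return findings


if __name__ == "__main__":
    # "nsone.net" is an assumed provider suffix; "3245" is the value from the error.
    for line in diagnose(SAMPLE_WHOIS, "nsone.net", True, ["3245"]):
        print(line)
```

A value that passes `is_dns01_value` can still be the wrong digest for the current order; the check only rules out strings such as "3245" that no ACME client would have published.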