Persistent "doesn't appear to be served by Netlify" banner blocking cert renewal - external DNS verified correct

Support
1

Hi team,

I have a production site stuck with a “doesn’t appear to be served by Netlify”
banner that is blocking automatic Let’s Encrypt renewal, even though every
piece of external evidence confirms the domain IS being served by Netlify
right now. Requesting manual intervention to clear the cached probe state.

Site details

  • Project (site) name: cielroitechnosoft
  • Project ID / Site ID: will share privately with support staff on request
  • Team: CielRoi Technosoft
  • Netlify subdomain: cielroitechnosoft[dot]netlify[dot]app
  • Custom domain: cielroitechnosoft[dot]com (plus www alias)
  • Registrar / authoritative DNS: Wix (nameservers ns14[dot]wixdns[dot]net,
    ns15[dot]wixdns[dot]net). Site is NOT using Netlify DNS.
  • Deploy source: Netlify Drop (no Git integration)
  • Cert expired: 2026-04-18. Site has been HTTPS-broken for 4+ days.

Exact UI error

Banner on Domain management, HTTPS panel:

“cielroitechnosoft[dot]com doesn’t appear to be served by Netlify.
We can’t renew your Let’s Encrypt certificate automatically until the
issue is resolved. Check our troubleshooting guide for more information
on how to fix the problem, and then renew the certificate.”

Cert record (stale):
Certificate: Let’s Encrypt
Domains: cielroitechnosoft[dot]com, www[dot]cielroitechnosoft[dot]com
Created: Nov 19, 2025 at 4:32 PM
Updated: Jan 18 at 3:42 PM
Expired: Apr 18 (4 days ago)

Evidence the domain IS being served by Netlify right now

  1. DNS resolution is correct from every public resolver (Google 8.8.8.8,
    Cloudflare 1.1.1.1, Quad9 9.9.9.9) AND from direct queries to the
    authoritative Wix nameservers (ns14[dot]wixdns[dot]net, ns15[dot]wixdns[dot]net):

    Apex A records returned:
    75.2.60.5
    99.83.229.126

    These IPs reverse-resolve to awsglobalaccelerator[dot]com, which is
    Netlify’s load-balancer backend.

  2. www[dot]cielroitechnosoft[dot]com is a CNAME to
    cielroitechnosoft[dot]netlify[dot]app (correct).

  3. No AAAA records. No CAA records blocking Let’s Encrypt.

  4. HTTP probe to the apex confirms Netlify’s edge is serving the domain:

    Request: curl -I http to apex
    Response: HTTP/1.1 301 Moved Permanently
    location header: points to https apex
    server header: Netlify
    x-nf-request-id header: present (redacted)

  5. The /.well-known/acme-challenge/ path is reachable via HTTP through
    Netlify Edge (returns 404 as expected when no challenge is active,
    confirming the path is routable for HTTP-01 validation if Netlify
    were to request one).

Troubleshooting already attempted (all failed)

  1. Deleted a ghost Netlify DNS zone for this domain. The zone was present
    in the Netlify DNS panel despite the domain actually being served by
    external Wix DNS, which looked like legacy state from an earlier
    configuration. Deletion completed cleanly. The banner did not clear.

  2. Clicked “Renew certificate”. The button disappeared for roughly
    30 seconds (indicating an in-flight attempt), then reappeared. No modal,
    no toast, no inline success/failure message was shown. Cert Created,
    Updated, and Expired dates did not change. This is the classic signature
    of the renewal aborting at Netlify’s internal probe gate before
    Let’s Encrypt is contacted. No LE rate limit was burned.

  3. Removed the custom domain entirely and re-added it as external
    (“Add a domain you already own”). The verify step returned
    “cielroitechnosoft[dot]com found! To connect it to your site, update
    your DNS records at your registrar.” On re-add, Netlify immediately
    restored the old cert record verbatim (same Nov 19 2025, Jan 18,
    Apr 18 dates) and the same “doesn’t appear to be served by Netlify”
    banner. A background provisioning attempt fired about 5 minutes
    after re-add (Renew button disappeared then reappeared) with the
    same silent failure pattern. No state change after 30 minutes of
    monitoring.

What I’m asking for

Please either:

(a) Manually clear the cached “not served by Netlify” flag on this site
and trigger a fresh probe plus LE renewal, OR

(b) Tell me exactly what hostname, path, header, or response the internal
validator is checking so I can reproduce the check externally and
figure out what’s differing between what your probe sees and what
every other probe on the public internet sees.

Confirming again: no Let’s Encrypt rate limits have been burned by any of
the above attempts. Every failure happened at Netlify’s internal
pre-check gate, before LE was contacted.

Thank you.