Hello. I am having issues with certificate renewal.
Netlify site name:- youthful-yalow-cc9cb3.netlify.app
Custom domain:- www.djunicode.in

Error message:-

SniCertificate::CertificateNonvalidError: Unable to verify challenge for djunicode.in: Invalid response from http://djunicode.in/.well-known/acme-challenge/teo4A5l4rhc7Xp96RnFlvOR-qW_zuvF7JFa4Lm-COc8 [2001:4860:4802:34::15]: "<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content="initial-scale=1, minimum-scale=1, width=dev"

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

I received the same error a couple of days ago on a site that has been running for 3 years, No clue how to resolve it

Hi @Unicode,

It looks like you’ve got AAAA records for your domain:

image1036×172 22.4 KB

This is causing problems. And now, you’ve hit the rate limit which cannot be removed till the next 7 days.

@jamesholcomb Could you share the site name?

Hi @hrishikesh

Site => www.ridealert.co

Error:

Failed to renew TLS certificate for www.ridealert.co

The TLS certificate for www.ridealert.co will expire on Feb 24, 2022. We tried to renew it, but got this error message:

SniCertificate::CertificateNonvalidError: Unable to verify challenge for ridealert.co: Invalid response from https://ridealert.co/.well-known/acme-challenge/GfWW0XN2WE64_-rDlmPfGzK3Lf8RdfxVHoiJOW7QUCs [35.194.14.251]: "{\"code\":404,\"message\":\"Page not found: /.well-known/acme-challenge/GfWW0XN2WE64_-rDlmPfGzK3Lf8RdfxVHoiJOW7QUCs\",\"name\":\"NotFound"

Note, the ridealert.co root cert is managed outside of Netlify.

Hi, @jamesholcomb. Our service normally automatically pairs the apex domain (meaning ridealert.co) and the www subdomain (www.ridealert.co). However, the following sounds to me like you do not want to have the apex domain served by Netlify:

Note, the ridealert.co root cert is managed outside of Netlify.

Am I understanding that correctly? Also, the IP address for the apex domain is not one that Netlify controls:

ridealert.co.		300	IN	A	35.194.14.251

Our support team can manually override this but I don’t show that has been done for this site. Would you like to use www.ridealert.co only for this site?

If so, I have already made that change and renewed the SSL certificate.

It is important to note that the change I made has a side effect. Now that I’ve made the override for the domain names in the SSL certificate, you cannot control the list of domains in the SSL certificate via the web UI for this site. However, our support team can still make changes to it.

To summarize, this site now has working SSL and will only use www.ridealert.co going forward. Netlify will never attempt to provide SSL for ridealert.co (the apex domain) until this change is rolled back.

If you do not want to keep this change or if you want to modify the list of domains the SSL certificate covers, please feel free to reply here or to make a new topic to let us know.

Thanks for resolving this @luke. Your assumptions were correct.

I am having the same issue and I don’t know how to fix it.

**SniCertificate::CertificateNonvalidError: Unable to verify challenge for .fungalecology.com: CAA record for .fungalecology.com prevents issuance

My custom domain is www.fungalecology.com

The problem is because you’ve configured these DNS records:

image2426×212 23.3 KB

I’m not sure what you’re trying to do with those.

Hello

I have the same problem with my page: https://cholufrässer.ch

What’s causing this problem for my domain?

Regards
raphaeldas

What site is that connected to? Can you share Netlify site ID or subdomain?

cholufraesser.netlify.app

b95d0d4a-e511-4e09-b539-9457728fda14

Hi @raphaeldas,

Thanks for the follow-up.

Could you try removing the AAAA (IPv6) Records?

host xn--cholufrsser-r8a.ch
xn--cholufrsser-r8a.ch has address 75.2.60.5
xn--cholufrsser-r8a.ch has IPv6 address 2604:a880:400:d0::1561:9001

We don’t support IPv6 when using our load balancer IP address. Please remove the AAAA record and then click the Renew Certificate button here:

Let us know if you continue to have issues.

Indeed, the AAAA Record was the problem. Thank you very much for the fast and good support!

Regards raphaeldas

Hi, I am having the same issue and I’m not sure what to do. Please could someone help me?

SniCertificate::CertificateNonvalidError: Unable to verify challenge for djmelech.com: 94.136.40.82: Fetching http://94.136.40.51/djmelech.com/index.html: Invalid host in redirect target "94.136.40.51". Only domain names are supported, not IP addresses

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

Can you share the domain name in question?

Hi @melech,

Thanks for reaching out and welcome to Netlify’s Support Forums!

Looks like you have a second A Record for djmelech.com.

host djmelech.com
djmelech.com has address 94.136.40.82
djmelech.com has address 75.2.60.5
djmelech.com mail is handled by 0 smtp.secureserver.net.
djmelech.com mail is handled by 10 mailstore1.secureserver.net.

Could you remove that A Record so only the A Record pointing to 75.2.60.5 remains?

Thank you for getting back to me.

ok, I removed that other A Record in the DNS settings of my domain provider. I’ve noticed that I am still having the same issue though. Does it take a bit of time for the changes to come into action?

Thanks for the update @melech,

I see that the DNS configuration is correct, I’ve renewed the SSL Certificate and the process was successful. You can see the SSL Certificate here. Visiting the domain I’m no longer getting the SSL error.

Let us know if you have any issues.

Ah yes, that works! Thank you so much!

glad this works! thanks for confirming!