SniCertificate::CertificateNonvalidError: Unable to verify challenge for djunicode.in

Hello. I am having issues with certificate renewal.
Netlify site name:- youthful-yalow-cc9cb3.netlify.app
Custom domain:- www.djunicode.in

Error message:-

SniCertificate::CertificateNonvalidError: Unable to verify challenge for djunicode.in: Invalid response from http://djunicode.in/.well-known/acme-challenge/teo4A5l4rhc7Xp96RnFlvOR-qW_zuvF7JFa4Lm-COc8 [2001:4860:4802:34::15]: "<!DOCTYPE html>\n<html lang=en>\n <meta charset=utf-8>\n <meta name=viewport content="initial-scale=1, minimum-scale=1, width=dev"

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

I received the same error a couple of days ago on a site that has been running for 3 years. No clue how to resolve it :face_with_raised_eyebrow:

Hi @Unicode,

It looks like you’ve got AAAA records for your domain:

This is causing problems. And now, you’ve hit the rate limit which cannot be removed till the next 7 days.

@jamesholcomb Could you share the site name?

Hi @hrishikesh

Site => www.ridealert.co

Error: Netlify

Failed to renew TLS certificate for www.ridealert.co

The TLS certificate for www.ridealert.co will expire on Feb 24, 2022. We tried to renew it, but got this error message:

SniCertificate::CertificateNonvalidError: Unable to verify challenge for ridealert.co: Invalid response from https://ridealert.co/.well-known/acme-challenge/GfWW0XN2WE64_-rDlmPfGzK3Lf8RdfxVHoiJOW7QUCs [35.194.14.251]: "{\"code\":404,\"message\":\"Page not found: /.well-known/acme-challenge/GfWW0XN2WE64_-rDlmPfGzK3Lf8RdfxVHoiJOW7QUCs\",\"name\":\"NotFound"

Note, the ridealert.co root cert is managed outside of Netlify.

Hi, @jamesholcomb. Our service normally automatically pairs the apex domain (meaning ridealert.co) and the www subdomain (www.ridealert.co). However, the following sounds to me like you do not want to have the apex domain served by Netlify:

Note, the ridealert.co root cert is managed outside of Netlify.

Am I understanding that correctly? Also, the IP address for the apex domain is not one that Netlify controls:

ridealert.co.		300	IN	A	35.194.14.251

Our support team can manually override this but I don’t show that has been done for this site. Would you like to use www.ridealert.co only for this site?

If so, I have already made that change and renewed the SSL certificate.

It is important to note that the change I made has a side effect. Now that I’ve made the override for the domain names in the SSL certificate, you cannot control the list of domains in the SSL certificate via the web UI for this site. However, our support team can still make changes to it.

To summarize, this site now has working SSL and will only use www.ridealert.co going forward. Netlify will never attempt to provide SSL for ridealert.co (the apex domain) until this change is rolled back.

If you do not want to keep this change or if you want to modify the list of domains the SSL certificate covers, please feel free to reply here or to make a new topic to let us know.

Thanks for resolving this @luke. Your assumptions were correct.
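Added example, not part of any post in this thread and not Netlify's code: both renewal errors quoted above name, in square brackets, the address that answered the ACME HTTP-01 request, and this sketch extracts it and checks whether it belongs to the host that is supposed to serve the site. The names `diagnose` and `EXPECTED_NETWORKS` are hypothetical, and the network values are documentation-range placeholders, not Netlify's addresses.

```python
import ipaddress
import re

# Matches the error text quoted in this thread: the challenge domain, the
# challenge URL, and the bracketed address that answered the validation request.
ERROR_RE = re.compile(
    r"Unable to verify challenge for (?P<domain>[^:\s]+): "
    r"Invalid response from (?P<url>https?://\S+) \[(?P<addr>[0-9A-Fa-f:.]+)\]"
)

# The two errors from this thread, cut off after the bracketed address.
SAMPLE_ERRORS = [
    "SniCertificate::CertificateNonvalidError: Unable to verify challenge for "
    "djunicode.in: Invalid response from http://djunicode.in/.well-known/"
    "acme-challenge/teo4A5l4rhc7Xp96RnFlvOR-qW_zuvF7JFa4Lm-COc8 "
    "[2001:4860:4802:34::15]:",
    "SniCertificate::CertificateNonvalidError: Unable to verify challenge for "
    "ridealert.co: Invalid response from https://ridealert.co/.well-known/"
    "acme-challenge/GfWW0XN2WE64_-rDlmPfGzK3Lf8RdfxVHoiJOW7QUCs "
    "[35.194.14.251]:",
]

# Placeholder (documentation-range) networks standing in for the addresses your
# hosting provider tells you to point DNS at. Replace with the real values.
EXPECTED_NETWORKS = ["192.0.2.0/24", "2001:db8::/32"]


def diagnose(error_text, expected_networks):
    """Extract the address that answered the challenge and check it against the expected host."""
    m = ERROR_RE.search(error_text)
    if m is None:
        raise ValueError("not a challenge-verification error")
    addr = ipaddress.ip_address(m.group("addr"))
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return {
        "domain": m.group("domain"),
        "record_type": "AAAA" if addr.version == 6 else "A",
        "address": str(addr),
        # A v4 address is never "in" a v6 network (and vice versa): False, no error.
        "served_by_expected_host": any(addr in n for n in nets),
    }


if __name__ == "__main__":
    for line in SAMPLE_ERRORS:
        print(diagnose(line, EXPECTED_NETWORKS))
```

A `record_type` of `AAAA` or `A` with `served_by_expected_host` set to `False` points at the DNS record to remove or correct before retrying renewal.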