SniCertificate::CertificateNonvalidError: Unable to verify challenge for djunicode.in

@abarnes88 it looks like you have a conflicting CAA record for breakthroughenergy.org that’s preventing Let’s Encrypt from issuing a certificate. You’ll want to remove this record and then attempt to provision a certificate again.

Hi, I am having the same issue and I’m not sure what to do. Please could someone help me?

Netlify site ID : 53316da2-802a-44c2-ae30-2805cabdc98a

Can you confirm you’ve configured the DNS as documented here: Configure external DNS for a custom domain | Netlify Docs? Can you share a screenshot of your config?

Hello @hrishikesh, sorry for being a little dumb, can you tell me what info you are looking for (screenshot)? I am using Cloudflare as a nameserver; it has been working well until now, until the time came to renew. I am very new to this issue, so if you can point me to what info can help you, I’ll appreciate it.

The screenshot of DNS settings for your domain in Cloudflare’s dashboard should be enough.

Hello @hrishikesh, hope this helps

Hi, @sid.m. This is a link to the authorization URL for Let’s Encrypt:

https://acme-v02.api.letsencrypt.org/acme/authz-v3/293048234346

That link will eventually time out, so this is what it says for posterity:

{
  "identifier": {
    "type": "dns",
    "value": "www.sahilg.dev"
  },
  "status": "invalid",
  "expires": "2023-12-19T22:20:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "During secondary validation: 2606:4700:3035::ac43:b65a: Invalid response from http://www.sahilg.dev/.well-known/acme-challenge/20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw: 522",
        "status": 403
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/293048234346/jEHaag",
      "token": "20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw",
      "validationRecord": [
        {
          "url": "http://www.sahilg.dev/.well-known/acme-challenge/20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw",
          "hostname": "www.sahilg.dev",
          "port": "80",
          "addressesResolved": [
            "104.21.32.28",
            "172.67.182.90",
            "2606:4700:3035::ac43:b65a",
            "2606:4700:3036::6815:201c"
          ],
          "addressUsed": "2606:4700:3035::ac43:b65a"
        }
      ],
      "validated": "2023-12-17T13:41:45Z"
    }
  ]
}

The IP address in the error message is 2606:4700:3035::ac43:b65a. That is Cloudflare’s IP address and the error says it is not responding correctly. From the screenshot above, it appears that no IPv6 configuration exists.

I’ve tested trying to connect to www.sahilg.dev using IPv6 and that attempt also resulted in 522 status response:

$ curl --compressed -svo /dev/null --stderr - --resolve www.sahilg.dev:443:2606:4700:3035::ac43:b65a https://www.sahilg.dev/ | egrep '(^< |\* Connected to)'
< HTTP/2 522
< date: Mon, 18 Dec 2023 21:17:58 GMT
< content-type: text/html; charset=UTF-8
< content-length: 7102
< report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=VAtHi0ODU0XgaFR0IX7XKaLFwEbXXQ8fA8yXR6vtSWErLn18S%2Fe42mjL9ybg2N2M6Bc5XX8jwkwhSAg%2Bn%2FmzmuIjgOj%2FBhBr0IUvr512knjC%2Bbs5sypZ7w2T38geKjiVlzguOQe1tJ4ZfZt6oA%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< server: cloudflare
< cf-ray: 837a6ec7be575ec5-PDX
< alt-svc: h3=":443"; ma=86400
<

The A records at Cloudflare are probably the cause here. Would you try changing those to use CNAMEs that point to the site subdomain under netlify.app (like subdomain.netlify.app but replacing subdomain with the actual subdomain for your site)?

If that doesn’t resolve the issue, please let us know.
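The validation record above shows why the challenge fails: the CA resolved four addresses, used one of the AAAA addresses, and got a 522 from Cloudflare over that path. The following is an added example (not code from the thread or from Netlify) of the pre-flight a practitioner can run before asking the CA to retry: it parses an authorization object like the one quoted, reports which address the CA actually used, then fetches the challenge URL from every A and AAAA address individually with the same Host header the CA sends. Let's Encrypt prefers AAAA when present and falls back to A only on a connection failure, not on an HTTP error such as 522, so a per-address probe surfaces exactly the record that needs fixing. The sample authorization is a trimmed copy of the one quoted above; the `fetch`/`getaddrinfo` parameters exist so the logic can be exercised offline.

```python
"""ACME http-01 pre-flight over every address a CA would resolve.

Added example, not code from the thread or from Netlify. It reads a Let's
Encrypt authorization object like the one quoted above, reports which
address the CA actually used, and then fetches the challenge URL from each
A and AAAA address individually, so a stray AAAA record or a proxy that
answers 522 on v6 is caught before the CA's attempt fails.
"""
import http.client
import ipaddress
import json
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the authorization quoted in the thread, trimmed to the fields used here.
SAMPLE_AUTHZ = json.loads("""{
  "identifier": {"type": "dns", "value": "www.sahilg.dev"},
  "status": "invalid",
  "challenges": [{
    "type": "http-01", "status": "invalid",
    "error": {"type": "urn:ietf:params:acme:error:unauthorized",
              "detail": "During secondary validation: 2606:4700:3035::ac43:b65a: Invalid response from http://www.sahilg.dev/.well-known/acme-challenge/20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw: 522",
              "status": 403},
    "token": "20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw",
    "validationRecord": [{
      "hostname": "www.sahilg.dev", "port": "80",
      "addressesResolved": ["104.21.32.28", "172.67.182.90",
                            "2606:4700:3035::ac43:b65a", "2606:4700:3036::6815:201c"],
      "addressUsed": "2606:4700:3035::ac43:b65a"}]
  }]
}""")


def summarize_failure(authz: dict) -> dict:
    """Pull the facts needed for debugging out of an ACME authorization object."""
    failed = [c for c in authz["challenges"] if c.get("status") == "invalid"]
    chall = failed[0] if failed else authz["challenges"][0]
    error = chall.get("error") or {}
    record = (chall.get("validationRecord") or [{}])[-1]
    used = record.get("addressUsed", "")
    return {
        "identifier": authz["identifier"]["value"],
        "challenge": chall["type"],
        "error_type": error.get("type"),
        "detail": error.get("detail"),
        "address_used": used,
        "used_ipv6": bool(used) and ipaddress.ip_address(used).version == 6,
        "addresses_resolved": list(record.get("addressesResolved", [])),
    }


def resolve_all(hostname: str, getaddrinfo: Callable = socket.getaddrinfo) -> List[str]:
    """All A and AAAA addresses for hostname, de-duplicated, in resolver order."""
    addresses: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in getaddrinfo(hostname, 80, type=socket.SOCK_STREAM):
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def fetch_challenge(hostname: str, address: str, token: str,
                    timeout: float = 10.0) -> Tuple[int, str, Optional[str]]:
    """GET the challenge URL from one specific address, with the Host header the CA sends.

    Returns (status, body, Location header or None). Connecting to the raw IP keeps the
    probe honest: no local hosts-file or happy-eyeballs fallback can mask a dead address.
    """
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", f"/.well-known/acme-challenge/{token}",
                     headers={"Host": hostname, "User-Agent": "acme-preflight/0.1"})
        resp = conn.getresponse()
        return resp.status, resp.read(4096).decode("utf-8", "replace"), resp.getheader("Location")
    finally:
        conn.close()


def preflight(hostname: str, token: str, addresses: List[str],
              expected_body: Optional[str] = None,
              fetch: Callable = fetch_challenge) -> Dict[str, str]:
    """Probe every address; map address -> 'ok', 'redirect -> ...', 'http <status>' or 'error: ...'."""
    results: Dict[str, str] = {}
    for addr in addresses:
        try:
            status, body, location = fetch(hostname, addr, token)
        except OSError as exc:  # refused, timeout, unreachable: typical for a stale AAAA
            results[addr] = f"error: {exc}"
            continue
        if status in (301, 302, 307, 308):
            # The CA follows redirects (e.g. to https://); check the target by hand if you see this.
            results[addr] = f"redirect -> {location}"
        elif status != 200:
            results[addr] = f"http {status}"
        elif expected_body is not None and body.strip() != expected_body:
            results[addr] = "http 200 but body is not the expected key authorization"
        else:
            results[addr] = "ok"
    return results


if __name__ == "__main__":
    # Usage: python acme_preflight.py <hostname> <token> [expected key authorization]
    summary = summarize_failure(SAMPLE_AUTHZ)
    print(f"CA used {summary['address_used']} (IPv6: {summary['used_ipv6']}): {summary['detail']}")
    if len(sys.argv) >= 3:
        host, tok = sys.argv[1], sys.argv[2]
        expected = sys.argv[3] if len(sys.argv) > 3 else None
        for addr, verdict in preflight(host, tok, resolve_all(host), expected).items():
            print(f"{addr:40} {verdict}")
```

Run it against the real hostname while a challenge token is live (Netlify serves the token itself, so any address that does not reach Netlify will show a non-200 or a connection error). Any address in the output that is not Netlify's is the record to remove or change to the netlify.app CNAME.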

Hello, I have provided a screenshot; please let me know how to resolve this.

Responded on the topic you created @sahil0 Failed to renew TLS certificate. SniCertificate::CertificateNonvalidError: Unable to verify challenge

Hello I am having the same certificate error, this is my netlify subdomain:
collecto-landing-page.netlify.app

Hi, @collectoapp. I’m showing the SSL provisioning succeeded about an hour after this post was made. If there are any remaining questions or concerns, please let us know.

Hi, I’m having this same issue except that I have no AAAA records; we changed the domain and the certificate still appears to be from the previous domain.

My domain is defiscal.com.mx and the previous one was defiscal.info, could someone help me?

There is an AAAA record that does not point to Netlify here:

defiscal.com.mx.	60	IN	AAAA	2a02:4780:21:b046:81ac:5567:6832:3e28

That is an IP address controlled by Hostinger. That AAAA must be deleted before SSL provisioning will succeed.


It was indeed a record that Hostinger had outside of user control due to their SSL certificate. They removed it and it worked. Thank you so much, Luke!


Thanks for writing back in and confirming you found a solution to your problem!


I’m having the same error, my domains are maximal-acquisition.com and www.maximal-acquisition.com

This seems to be resolved.

Hello, same problem.
https://bitcoinitalianetwork.com/

*SniCertificate::CertificateNonvalidError: Unable to verify challenge for .bitcoinitalianetwork.com: CAA record for bitcoinitalianetwork.com prevents issuance

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

@btcitalianetwork
As the error indicates, the CAA present on that domain is preventing the SSL certificate from being issued:

% dig CAA bitcoinitalianetwork.com

; <<>> DiG 9.18.21 <<>> CAA bitcoinitalianetwork.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64616
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
bitcoinitalianetwork.com. 300	IN	CAA	0 issue "https://acme-v02.api.letsencrypt.org/acme/acct/54403714"
bitcoinitalianetwork.com. 300	IN	CAA	0 issue "pki.goog"

A CAA record that would allow letsencrypt to provision a certificate would look like this:

bitcoinitalianetwork.com        CAA 0 issue "letsencrypt.org"

Thank you for the support, everything has been resolved.