SniCertificate::CertificateNonvalidError: Unable to verify challenge for

@abarnes88 it looks like you have a conflicting CAA record for that’s preventing Let’s Encrypt from issuing a certificate. You’ll want to remove this record and then attempt to provision a certificate again.

Hi, I am having the same issue and I’m not sure what to do. Please could someone help me?

Netlify site ID : 53316da2-802a-44c2-ae30-2805cabdc98a

Can you confirm you’ve configured the DNS as documented here: Configure external DNS for a custom domain | Netlify Docs? Can you share a screenshot of your config?

Hello @hrishikesh, sorry for being a little dumb, can you tell me what info you are looking for (screenshot)? I am using Cloudflare as a nameserver; it has been working well until the time came to renew. I am very new to this issue, so if you can point me to what info can help you, I'd appreciate it.

The screenshot of DNS settings for your domain in Cloudflare’s dashboard should be enough.

Hello @hrishikesh, hope this helps

Hi, @sid.mann. This is a link to the authorization URL for Let’s Encrypt:

That link will eventually time out, so this is what it says, for posterity:

  {
    "identifier": {
      "type": "dns",
      "value": ""
    },
    "status": "invalid",
    "expires": "2023-12-19T22:20:07Z",
    "challenges": [
      {
        "type": "http-01",
        "status": "invalid",
        "error": {
          "type": "urn:ietf:params:acme:error:unauthorized",
          "detail": "During secondary validation: 2606:4700:3035::ac43:b65a: Invalid response from 522",
          "status": 403
        },
        "url": "",
        "token": "20AvlH8_jqjbLAapR8ahPNpczScjv8JjHVpt68_9rsw",
        "validationRecord": [
          {
            "url": "",
            "hostname": "",
            "port": "80",
            "addressesResolved": [],
            "addressUsed": "2606:4700:3035::ac43:b65a"
          }
        ],
        "validated": "2023-12-17T13:41:45Z"
      }
    ]
  }

The IP address in the error message is 2606:4700:3035::ac43:b65a. That is Cloudflare’s IP address and the error says it is not responding correctly. From the screenshot above, it appears that no IPv6 configuration exists.

I’ve tested trying to connect to using IPv6 and that attempt also resulted in 522 status response:

$ curl --compressed -svo /dev/null --stderr -  --resolve  | egrep '^< |\* Connected to)'
< HTTP/2 522
< date: Mon, 18 Dec 2023 21:17:58 GMT
< content-type: text/html; charset=UTF-8
< content-length: 7102
< report-to: {"endpoints":[{"url":"https:\/\/\/report\/v3?s=VAtHi0ODU0XgaFR0IX7XKaLFwEbXXQ8fA8yXR6vtSWErLn18S%2Fe42mjL9ybg2N2M6Bc5XX8jwkwhSAg%2Bn%2FmzmuIjgOj%2FBhBr0IUvr512knjC%2Bbs5sypZ7w2T38geKjiVlzguOQe1tJ4ZfZt6oA%3D%3D"}],"group":"cf-nel","max_age":604800}
< nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< x-frame-options: SAMEORIGIN
< referrer-policy: same-origin
< cache-control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< expires: Thu, 01 Jan 1970 00:00:01 GMT
< server: cloudflare
< cf-ray: 837a6ec7be575ec5-PDX
< alt-svc: h3=":443"; ma=86400

The A records at Cloudflare are probably the cause here. Would you try changing those to use CNAMEs that point to the site subdomain under (like but replacing subdomain with the actual subdomain for your site)?

If that doesn’t resolve the issue, please let us know.

Hello, I have provided the screenshot, please let me know how to resolve this.

Responded on the topic you created @sahil0 Failed to renew TLS certificate. SniCertificate::CertificateNonvalidError: Unable to verify challenge

Hello I am having the same certificate error, this is my netlify subdomain:

Hi, @collectoapp. I’m showing the SSL provisioning succeeded about an hour after this post was made. If there are any remaining questions or concerns, please let us know.

Hi, I'm having this same issue, except that I have no AAAA records. We changed the domain and the certificate still appears to be from the previous domain.

My domain is and the previous one was, could someone help me?

There is an AAAA record that does not point to Netlify here:

	60	IN	AAAA	2a02:4780:21:b046:81ac:5567:6832:3e28

That is an IP address controlled by Hostinger. That AAAA must be deleted before SSL provisioning will succeed.

1 Like
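The two failures diagnosed in this thread (a CAA record naming another CA, and an A/AAAA record that belongs to a different provider, so the http-01 token is served from the wrong origin) can both be caught before asking for a certificate. The following pre-flight check is an added example, not Netlify's or Let's Encrypt's code; the expected address range is a placeholder and the record sets are constructed, reusing the IPv6 addresses quoted above.

```python
import ipaddress

# Placeholder (TEST-NET-3): replace with the A/AAAA addresses or CNAME targets
# your hosting provider documents for custom domains.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def address_findings(records, expected=EXPECTED_NETWORKS):
    """Flag every A/AAAA record that is not one of the hosting provider's addresses.

    Every published address must answer the http-01 token on port 80. Let's Encrypt
    contacts an AAAA address first when one exists, so one stray IPv6 record (here: a
    Cloudflare proxy answering 522, or a Hostinger address) breaks issuance even when
    the IPv4 records are correct. `records` maps "A"/"AAAA" to address strings.
    """
    findings = []
    for rtype in ("A", "AAAA"):
        for text in records.get(rtype, []):
            addr = ipaddress.ip_address(text)
            if not any(addr in net for net in expected):
                findings.append(f"{rtype} {addr}: not a hosting-provider address, the "
                                "http-01 challenge will be answered by another origin")
    return findings


def caa_allows(caa, ca_domain="letsencrypt.org", wildcard=False):
    """Apply the RFC 8659 CAA rules to a list of (tag, value) pairs for the name.

    No records, or only tags such as iodef, leave issuance unrestricted. Otherwise the
    relevant tag (issuewild for wildcard names when present, else issue) must name the
    CA; an empty value such as ";" forbids everyone. Parameters after ";" are ignored.
    """
    for tag in (["issuewild", "issue"] if wildcard else ["issue"]):
        relevant = [v for t, v in caa if t.lower() == tag]
        if relevant:
            return any(v.split(";", 1)[0].strip().lower() == ca_domain for v in relevant)
    return True


def preflight(records, caa, ca_domain="letsencrypt.org"):
    """Combine both checks; an empty list means nothing obvious blocks issuance."""
    findings = address_findings(records)
    if not caa_allows(caa, ca_domain):
        findings.append(f"CAA: {ca_domain} is not authorised to issue for this name")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring this thread: a correct A record, a stray AAAA
    # record at Hostinger, and a CAA record that names a different CA.
    sample = {"A": ["203.0.113.10"], "AAAA": ["2a02:4780:21:b046:81ac:5567:6832:3e28"]}
    for line in preflight(sample, [("issue", "digicert.com")]):
        print(line)
```

Live A/AAAA records can be fed in from `socket.getaddrinfo` or `dig`; CAA records need a resolver library or `dig CAA`, and the check should be repeated at each parent label, since CAA lookups climb the tree.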

It was indeed a record that Hostinger had outside of user control due to their SSL certificate. They removed it and it worked. Thank you so much Luke!

1 Like

Thanks for writing back in and confirming you found a solution to your problem!

1 Like

I’m having the same error, my domains are and