SniCertificate::CertificateNonvalidError: Unable to verify challenge for my website

Hello support team,

I recently received the following error:

SniCertificate::CertificateNonvalidError: Unable to verify challenge for www.ios.dz: DNS problem: query timed out looking up A for www.ios.dz; DNS problem: query timed out looking up AAAA for www.ios.dz

The website has been running on Netlify for many months without any problem, but this week I received an error about the SSL certificate. I did not change anything on my DNS server.

This is my DNS record for my website https://ios.dz:
[image: dns record]

Could you please let me know what I need to do to resolve it?

Best regards

Hi @bkalem,

As far as I can tell, your A record is misconfigured:

% host ios.dz 
ios.dz has address 104.198.14.52

Could you please change the A record to point to Netlify’s load balancer IP 75.2.60.5? Once propagation takes place, Let’s Encrypt should be able to renew the cert.

Please keep us posted!

Hello Audrey,

Thank you for your fast reply.

Could you please check again? I updated the DNS A record to your new load balancer IP address,

and propagation is done (just checked in Google DNS):
https://dns.google/query?name=ios.dz

Is there any reason you changed the IP address of your load balancer?
I was not notified that I needed to change the IP address.

Best regards

Hello Audrey,

Could you trigger Let’s Encrypt certificate generation again?

Hello Audrey,

Can you please trigger regeneration of the Let’s Encrypt certificate, because I don’t have the possibility to do it from my side. I think DNS propagation was done 17 hours ago.

Hi @bkalem,

Your site has reached Let’s Encrypt’s rate limit. It should lift in about a week’s time before we can try renewing your cert again.

Apologies, I didn’t notice this earlier but it seems you’ve configured a DNS CAA record on that domain that blocks us (and everyone else, as far as I can tell) from issuing SSL certificates for every hostname under the ios.dz domain. This is the record in question:

% host -t caa ios.dz
ios.dz has CAA record 0 issuewild "letsencrypt.org"

While I can’t advise you on your own security policies, your IT and/or security team probably put that in place and you should talk with them about the effects of it on the sites you host with us. We will not be able to obtain or renew any SSL certificates for that domain until you change the setting in some way, so you’ll have to generate and bring your own custom certificates if you want to use our service and leave that record in place.

You can of course change it or narrow its scope to achieve similar unblocking, but again that is a policy decision your team will need to make.

Let me know if I can help further!

Hello Audrey,

Thank you for your reply.

I removed the CAA record from our DNS and checked propagation; it was removed :slight_smile:

Could you double-check from your side whether the CAA record was removed for my domain https://ios.dz?
https://dns.google/resolve?name=ios.dz&type=CAA

Thank you in advance

Looks good to me on my end as well, @bkalem!

% host -t caa ios.dz
ios.dz has no CAA record

Hello Audrey,

Thank you for confirming that the CAA DNS record was removed for my domain https://ios.dz.

Could you please let me know what the next step is to resolve the problem with the certificate?

I tried it and it does not work.

Something further seems to be wrong with your DNS. I can see you host it yourself, so hopefully you are savvy enough to fix it. This third-party testing tool shows the problems:

https://dnsviz.net/d/ios.dz/dnssec/

Specifically, you will need to fix at least the red “errors” before DNS will work for everyone, including Netlify and Let’s Encrypt, as well as your site visitors, people who want to email you, etc.

1 Like
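The thread worked through three separate DNS checks before the certificate could be renewed: the A record pointing at the wrong address, a CAA record at the apex, and finally resolver failures caused by a broken DNSSEC/delegation setup. The script below is an added example, not part of the forum thread and not Netlify's or Let's Encrypt's tooling; it runs those checks in one place against answers in the JSON shape returned by https://dns.google/resolve (the endpoint linked in the thread). The load balancer address 75.2.60.5 and the sample records are the values quoted in the thread; the `diagnose`, `ca_permitted` and `parse_caa` function names, the sample answers and the `dnsviz.net` hint are my own. The CAA evaluation follows RFC 8659: `issuewild` only governs wildcard names and overrides `issue` for them; a critical flag (bit 7) on a tag the CA does not know forbids issuance; an RRset with no property relevant to the request is reported as undecided rather than guessed.

```python
"""DNS pre-flight for a hostname a CA must validate (added example, not from
the thread). Uses the JSON shape of https://dns.google/resolve?name=...&type=...
so it can be exercised offline on canned answers."""
import json
import re
import urllib.request

A, AAAA, CAA = 1, 28, 257                 # RR type codes used by dns.google
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
CAA_RE = re.compile(r'^(\d+)\s+([A-Za-z0-9]+)\s+"([^"]*)"$')


def fetch(name, rrtype):
    """Live lookup (needs network); the offline sample below does not use it."""
    url = f"https://dns.google/resolve?name={name}&type={rrtype}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def parse_caa(data):
    """'0 issuewild "letsencrypt.org"' -> (flags, tag, value)."""
    m = CAA_RE.match(data.strip())
    if not m:
        raise ValueError(f"unrecognised CAA record text: {data!r}")
    return int(m.group(1)), m.group(2).lower(), m.group(3)


def answers(resp, rrtype):
    """Record data of the given type from one dns.google answer (skips CNAMEs)."""
    return [rr["data"] for rr in resp.get("Answer", []) if rr.get("type") == rrtype]


def ca_permitted(caa_records, issuer, wildcard):
    """RFC 8659 issue/issuewild evaluation for one issuer domain name.

    Returns True/False, or None when the RRset contains no property relevant
    to the request (issuewild is ignored for non-wildcard names, s4.3); that
    case must be confirmed with the CA rather than assumed."""
    if not caa_records:                   # no CAA at all: no restriction
        return True
    # A critical (flag bit 7) tag the CA does not understand forbids issuance.
    if any(f & 128 and t not in ("issue", "issuewild", "iodef") for f, t, _ in caa_records):
        return False
    issue = [v for _, t, v in caa_records if t == "issue"]
    issuewild = [v for _, t, v in caa_records if t == "issuewild"]
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return None
    # Value is "<issuer-domain>[; parameters]"; an empty domain (";") allows nobody.
    names = [v.split(";", 1)[0].strip().lower() for v in relevant]
    return issuer.lower() in names


def diagnose(name, expected_a, responses, issuer="letsencrypt.org"):
    """responses maps rrtype -> dns.google JSON dict (CAA answer taken from the
    closest ancestor that has one, as the CA would). Returns finding strings."""
    out = []
    for rrtype, resp in responses.items():
        status = resp.get("Status", -1)
        if status != 0:
            out.append(f"FAIL type {rrtype}: resolver returned {RCODE.get(status, status)}; "
                       "check delegation/DNSSEC (e.g. dnsviz.net) before anything else")
    a = answers(responses.get(A, {}), A)
    if not a:
        out.append(f"FAIL {name}: no A record")
    elif expected_a not in a:
        out.append(f"FAIL {name}: A {a} does not include expected {expected_a}")
    else:
        out.append(f"OK {name}: A record points at {expected_a}")
    caa = [parse_caa(d) for d in answers(responses.get(CAA, {}), CAA)]
    for flags, tag, value in caa:
        out.append(f'INFO CAA {tag} "{value}" flags={flags}')
    verdict = ca_permitted(caa, issuer, wildcard=name.startswith("*."))
    if verdict is True:
        out.append(f"OK CAA permits {issuer} for {name}")
    elif verdict is False:
        out.append(f"FAIL CAA forbids {issuer} for {name}")
    else:
        out.append(f"WARN CAA has no 'issue' property relevant to {name}; confirm handling with {issuer}")
    return out


# Constructed sample answers in dns.google's JSON shape, using the values the
# thread quoted: the old A record, a SERVFAIL where the CA saw a timeout, and
# the apex CAA record.
SAMPLE = {
    A: {"Status": 0, "Answer": [{"name": "www.ios.dz.", "type": 1, "TTL": 300, "data": "104.198.14.52"}]},
    AAAA: {"Status": 2},
    CAA: {"Status": 0, "Answer": [{"name": "ios.dz.", "type": 257, "TTL": 3600,
                                   "data": '0 issuewild "letsencrypt.org"'}]},
}

if __name__ == "__main__":
    for line in diagnose("www.ios.dz", "75.2.60.5", SAMPLE):
        print(line)
```

Running it on the sample prints a FAIL for the A record, a FAIL for the SERVFAIL on the AAAA lookup, and a WARN that the only CAA property is `issuewild`, which is exactly the set of things the thread had to clear one by one; swapping `SAMPLE` for the dicts returned by `fetch` turns it into a live pre-renewal check.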