SniCertificate::CertificateInvalidError: Unable to verify challenge for *our domain*


We are having trouble with our Let’s Encrypt certificate. It seems to have expired and upon clicking renew we the following error:

SniCertificate::CertificateInvalidError: Unable to verify challenge for our domain

Any ideas on how to resolve this issue? We are currently stuck with this issue.

Any help you can provide would be great!



Hi, I looked into this and I believe something unusual is happening with this site’s Managed DNS.


i have the same problem for two days now.
If someone finds a solution would be great.


my problem was that i didn’t have a CNAME on mysubdomain pointing to my netlify site,
maybe this can help you too

hey @siblancoMember! Just to clarify, does that mean that you fixed your issue?

I also started having this issue 2 days ago.

I clicked the “Renew Certificate” button manually on netlify and it magically started working again (despite not changing any DNS settings before or after clicking the button).

I have the same issue, but clicking on “Renew Certificate” doesn’t solve the problem.

I have custom domain with Netlify DNS ( And custom headers:

  for = "/*"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    Content-Security-Policy = "connect-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'; style-src 'sha256-u416R1BFbASVCPBGPpFw1jm2QrBLAUMFTJ0bbQVFHiw='; script-src 'sha256-24UQLHsa8ThXHBWjsc4XLCjrOBZeZ3eMW7T+4AUpDUk=' 'self'"

Hi @iskin,

It may be an issue with the DNSSEC records you have setup on your domain. Can you disable DNSSEC with the provider you configured it on?

Did you mean CAA record? (I didn’t find DNSSEC config in DNS panel).

I removed CAA and will try to renew certificate tomorrow (can’t do it today because of the Let’s Encrypt limits).

Yeap, removing CAA record from DNS helped.

How I can have CAA and Let’s Encrypt? CAA record is very useful for security.

We don’t have any docs on that. You should read and contact your DNS provider for additional assistance in setting up proper CAA records that will work.

I’m having the same issue.

Here are the setting on


I’ve checked my configuration on ionos, and it looks good. Any idea? I can’t understand who is responsible for these.

Any help?


Hi @sebaz! Welcome to our Community!

Is everything working now? It looks to be working from our end. It can take up to 24 hours sometimes for DNS to propagate, and our certificates can’t be issued until that is complete.

Yes! I removed the AAAA record and works properly.

1 Like

Same problem here. I tried to renew the certificate but I always receive the same error:

SniCertificate::CertificateInvalidError: Unable to verify challenge for xxxxx

We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved. Check our troubleshooting guide for more information on how to fix the problem, and then renew the certificate.

I also tried to install Cloudflare Origin CA certificates as my DNS is managed in Cloudflare in DNS mode only.

But I get the error


Can anyone help to solve this error please?

Thank you for your help.

Hi, @huckbit. To troubleshoot, we’ll need to look at the DNS records for the domain and to do this we need to know the domain name.

Would you please let us know what site and domain you are trying to get SSL working for?

Hi @luke thank you for your message. The domain is a subdomain ->

Form yesterday, in the control panel the status has changed to:

Currently provisioning your Let’s Encrypt certificate

Provisioning this free certificate usually takes only a few seconds, but occasionally takes longer to receive from Let’s Encrypt. Consider donating to Let’s Encrypt to keep these certificates fast and free for all.
If provisioning your certificate takes longer than 30 minutes, please contact support

Thank you for your help.

Hi, @huckbit, the issue is that there is a Netlify DNS zone created for this domain but it isn’t actually being used. This will prevent SSL provisioning from working on our service.

The WHOIS data for the domain shows the authoritative name servers:

$ whois  | grep -i "name server"
Name Server:
Name Server:

The first step will be to delete the DNS zone here:

Once that zone is deleted, the SSL provisioning will succeed. If not, please let us know.

Thanks @luke I deleted the zone but the wheel is still pinning and I can’t add a custom certificate either. I don’t have the option anymore. Thank you again for your help.

Hi, @huckbit, I found one more issue.

The DNS record is pointing to the apex/bare/root domain ( and not the site subdomain:	300	IN	CNAME

That is a problem because then the CAA records for our domain apply:

$ dig CAA  +noall +answer

; <<>> DiG 9.10.6 <<>> CAA +noall +answer
;; global options: +cmd	299	IN	CNAME		1799	IN	CAA	128 issue ""		1799	IN	CAA	128 iodef ""

This prevents the SSL certificate from being provisioned. Please change that record to this:	300	IN	CNAME

Once that is done, the SSL certificate provision should work. If not, please let us know.

1 Like