SSL cert expires in 20 days - should I worry?

Custom domain: https://proxx.app/
Netlify domain: https://gravitongame.netlify.app/

The cert for the custom domain expires in 20 days. From what I’ve read, it should auto-renew sooner than that (we’re using Netlify DNS).

The site was on old infrastructure, but I’ve migrated it.

Is there something I need to do to get the cert to update?

Hi Jake,

Your DNS looks odd to me and this is certainly impacting your renewal. It’s odd in two ways!

First, you have our DNS hosting configured, but not in use. This will prevent your SSL renewal. You can remove the wrong setting here, if that is how you want to proceed: Netlify App

This article has more information about this situation: [Support Guide] Is my site using Netlify’s DNS correctly?

If you will continue to use your current DNS host, once you remove that setting, then we can move on to the next problem with your setup.

Could you please confirm you don’t have any “special” record types like ANAME, Flattened CNAME, or ALIAS in use at your DNS provider, which seems to be… dan.com?

You’ll want to read this article about the most appropriate settings, which do not include those record types.

If you don’t use a weird record type, well, your provider is returning weird answers and you should ask their tech support why they return the answers that they do here:

% host proxx.app
proxx.app has address 34.83.11.4
proxx.app has address 34.168.30.71

These are individual CDN node addresses somehow being returned on the bare domain, whereas we’d expect and advise one of our load balancers (75.2.60.5) there.

Fortunately, these sound like two problems you can address in minutes, rather than weeks, so we’ll try to renew your certificate again in 10 days (or when you hit the renew button here: Netlify App), and if that doesn’t work, we’ll still be here and you can let us know and we’ll help you resolve any remaining blockers.

Our intention is to use Netlify for DNS.

When I run whois proxx.app | grep -i "name server", I get:

Name Server: dns1.p06.nsone.net
Name Server: dns2.p06.nsone.net
Name Server: dns3.p06.nsone.net
Name Server: dns4.p06.nsone.net

Doesn’t that suggest the correct nameservers are in use?

Hi, @jakearchibald. Yes, the DNS configuration for Netlify DNS is correct and working at this time.

The error message in the UI was this:

  • SniCertificate::CertificateNonvalidError: Unable to verify challenge for proxx.app: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.proxx.app - check that a DNS record exists for this domain

However, that was back on 2023-01-27 and I don’t have a way to see the historical DNS configuration at that time. I can see what the error was on January 27 but I cannot see the reason for the error.

Again, it is working now.

I clicked the “Renew certificate” button on the page as Chris suggested above and that did resolve the issue. The SSL certificate was renewed successfully and I have every reason to believe that future renewals will also be successful. Going forward, they should renew 30 days before expiration (which is Let’s Encrypt’s recommended best practice, hence why we do so).

If they do not renew there will be a new error message at day 29 before renewal. If that happens (which I do not expect but if), please feel free to reply here anytime and we’ll be ready to troubleshoot.

It might have been because it was using an old image. Glad it’s sorted now!

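The checks discussed in this thread, combined into one triage function. This is an added example, not code from any of the posters or from Netlify. It assumes the `.nsone.net` suffix from the whois output identifies the managed DNS setup, that the load balancer address only applies when another DNS host serves the zone, and it uses constructed dates.

```python
import re
from datetime import datetime, timedelta, timezone

# Values taken from the thread; treating them as general rules is an assumption.
LOAD_BALANCER = {"75.2.60.5"}     # address advised for the bare domain on an external DNS host
MANAGED_NS_SUFFIX = ".nsone.net"  # suffix of the name servers confirmed as correct above
RENEW_WINDOW_DAYS = 30            # renewals are attempted 30 days before expiry

# Captured output copied from the posts above.
HOST_OUTPUT = "proxx.app has address 34.83.11.4\nproxx.app has address 34.168.30.71\n"
WHOIS_OUTPUT = "\n".join(f"Name Server: dns{i}.p06.nsone.net" for i in range(1, 5))

def apex_addresses(host_output):
    """IPv4 addresses from `host <domain>` output."""
    return re.findall(r"has address (\d{1,3}(?:\.\d{1,3}){3})", host_output)

def name_servers(whois_output):
    """Lower-cased name servers from whois output."""
    found = re.findall(r"(?im)^\s*Name Server:\s*(\S+)", whois_output)
    return [ns.lower().rstrip(".") for ns in found]

def triage(host_output, whois_output, not_after, now):
    """Return a list of findings; an empty list means nothing to chase."""
    findings = []
    servers = name_servers(whois_output)
    managed = bool(servers) and all(s.endswith(MANAGED_NS_SUFFIX) for s in servers)
    if not managed:
        # The load balancer advice only applies when another DNS host serves the zone.
        addrs = set(apex_addresses(host_output))
        if not addrs:
            findings.append("apex: no A records returned")
        elif addrs - LOAD_BALANCER:
            findings.append("apex: unexpected A records " + ", ".join(sorted(addrs - LOAD_BALANCER)))
    days_left = (not_after - now).days
    if days_left < 0:
        findings.append("certificate: expired")
    elif days_left < RENEW_WINDOW_DAYS:
        findings.append(f"certificate: {days_left} days left, inside the renewal window; "
                        "look for a failed renewal attempt")
    return findings

# Constructed dates: a certificate with 20 days left, as in the question.
NOW = datetime(2023, 2, 10, tzinfo=timezone.utc)
NOT_AFTER = NOW + timedelta(days=20)

if __name__ == "__main__":
    for finding in triage(HOST_OUTPUT, WHOIS_OUTPUT, NOT_AFTER, NOW):
        print(finding)
```

With the thread's own output, only the certificate finding is reported, which matches how the thread ended: the delegation was fine and an earlier renewal attempt had failed.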