SniCertificate::CertificateInvalidError: Unable to verify challenge for We can’t renew your Let’s Encrypt certificate automatically until the issue is resolved

Hello everyone,

I see this issue is a fairly common one and I have perused other similar questions. Sorry for reposting, it just seems to have quite variable solutions.

My site is

I am configuring it using external DNS as I am pulling the data from a WordPress installation on the subdomain at another hosting provider.

It was all working up until late this week and I can’t figure out where it is going wrong. These are my domain settings for this site at Netlify. I am pointing the A record, which is set at my hosting provider.


I am wondering if there’s a problem with the setup at my hosting provider.

Thanks for your help.

Hi, @0x0Bop. It appears that you have a Netlify DNS zone for this custom domain here:

However, the DNS zone is inactive and that will prevent us from being able to create or update SSL certificates for this custom domain.

There is more information about how to detect and fix this type of issue in this support guide:

Would you please read the support guide above and try one of the two solutions described there?

If this doesn’t fix the issue, please let us know what steps you tried and what the result was. We will be happy to research what is happening and suggest steps to resolve it.

Hi Luke,

Thanks for all the information; it was a really useful guide.

I went with Solution #1: Delete the inactive DNS zone and use external DNS. I have configured a CNAME record on my hosting provider DNS to point to

I thought I had configured it this way to start with but I must have messed something up.

The site is still accessible, I’m just waiting to see if the SSL resolves.

It’s still failing to resolve the SSL. I get this error on Netlify.

And this error on the site.

Could this be an apex domain / subdomain www issue?

So I have a CNAME record pointing to -

I have the other records below,

At this point I am wondering about trying out solution 2. But before I do, I was wondering if it might be worth trying to redirect one of the records shown above.

From what I can gather, Let’s Encrypt is still finding this particular inactive DNS zone at Netlify.

Hi, @0x0Bop. Actually, this time it did do the HTTP-based verification. However, there is an AAAA record for the apex domain which doesn’t point to Netlify:

		3600	IN	AAAA	2a07:7800::135

Let’s Encrypt queried this IP address for the HTTP-based verification and, again, because this isn’t an IP address at Netlify, the HTTP verification failed. If you delete that record above, the “Renew certificate” button should work in, at most, the next hour. (I say one hour because the TTL value in the record is 3600 seconds.)

If it still doesn’t work once the AAAA record is deleted, please let us know.
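The failure described in this reply is a general one: an HTTP-based certificate validation can be attempted against any A or AAAA answer for the name, so a single stray record that does not point at the hosting provider is enough to break renewal, and the record's TTL bounds how long the fix takes to become visible. The following pre-flight check is an added example and not Netlify's tooling or anything posted in this thread. It audits a record set against an allow-list of provider networks and reports the longest TTL among offending records. The record set and the provider prefix are constructed; the `2a07:7800::135` address is the one quoted above, `192.0.2.0/24` is documentation address space standing in for the real provider ranges, and `resolve_live` is a hypothetical helper that uses the system resolver when you want to audit a live name.

```python
import ipaddress
import socket

# Constructed sample answer set for an apex domain, modelled on the thread:
# one A record at the hosting provider and one AAAA record that is not.
SAMPLE_RECORDS = [
    ("A", "192.0.2.10", 3600),         # constructed: inside the assumed provider range
    ("AAAA", "2a07:7800::135", 3600),  # quoted in the thread: not a provider address
]

# Assumed provider address space as CIDR prefixes. 192.0.2.0/24 is a
# documentation range used as a stand-in; a real list comes from the
# provider's published IP ranges.
EXPECTED_NETWORKS = ["192.0.2.0/24"]


def resolve_live(hostname):
    """Hypothetical helper: collect A/AAAA answers for a live name via the
    system resolver. getaddrinfo does not expose TTLs, so TTL is None."""
    seen = set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        addr = sockaddr[0]
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if (rtype, addr) not in seen:
            seen.add((rtype, addr))
            yield (rtype, addr, None)


def audit_records(records, expected_networks):
    """Flag every A/AAAA answer outside the expected provider networks.

    Returns a dict with:
      ok            -- True when every address record is at the provider
      offending     -- list of (rtype, address) that a validator could hit
      wait_seconds  -- largest TTL among offending records (0 if unknown),
                       i.e. how long stale answers may persist after deletion
    """
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    offending = []
    wait_seconds = 0
    for rtype, value, ttl in records:
        if rtype not in ("A", "AAAA"):
            continue  # CNAME/MX/TXT do not receive the validation request
        addr = ipaddress.ip_address(value)
        if not any(addr in net for net in nets):
            offending.append((rtype, value))
            if ttl is not None:
                wait_seconds = max(wait_seconds, ttl)
    return {"ok": not offending, "offending": offending, "wait_seconds": wait_seconds}


if __name__ == "__main__":
    report = audit_records(SAMPLE_RECORDS, EXPECTED_NETWORKS)
    for rtype, addr in report["offending"]:
        print(f"{rtype} {addr} is not at the provider; HTTP validation may be sent here")
    if not report["ok"]:
        print(f"after deleting, allow up to {report['wait_seconds']}s for caches to expire")
```

Run against the constructed data it reports the AAAA record and a 3600-second wait, matching the "at most the next hour" estimate above; to audit a real name, pass `list(resolve_live("example.invalid"))` with the provider's real prefixes in place of the sample.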

Yep, that’s done the trick. I noticed a similar solution in the other thread. If I was more knowledgeable with DNS I would have just gone for it.

Thank you, Luke, for all of your support.

NOTICE: Remember to renew the SSL after deleting the AAAA records.
