SniCertificate::CertificateInvalidError: Unable to verify challenge for *our domain*


We are having trouble with our Let’s Encrypt certificate. It seems to have expired and upon clicking renew we the following error:

SniCertificate::CertificateInvalidError: Unable to verify challenge for our domain

Any ideas on how to resolve this issue? We are currently stuck with this issue.

Any help you can provide would be great!



Hi, I looked into this and I believe something unusual is happening with this site’s Managed DNS.


i have the same problem for two days now.
If someone finds a solution would be great.


my problem was that i didn’t have a CNAME on mysubdomain pointing to my netlify site,
maybe this can help you too

hey @siblancoMember! Just to clarify, does that mean that you fixed your issue?

I also started having this issue 2 days ago.

I clicked the “Renew Certificate” button manually on netlify and it magically started working again (despite not changing any DNS settings before or after clicking the button).

I have the same issue, but clicking on “Renew Certificate” doesn’t solve the problem.

I have custom domain with Netlify DNS ( And custom headers:

  for = "/*"
    Strict-Transport-Security = "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options = "nosniff"
    Content-Security-Policy = "connect-src 'self'; object-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'none'; style-src 'sha256-u416R1BFbASVCPBGPpFw1jm2QrBLAUMFTJ0bbQVFHiw='; script-src 'sha256-24UQLHsa8ThXHBWjsc4XLCjrOBZeZ3eMW7T+4AUpDUk=' 'self'"

Hi @iskin,

It may be an issue with the DNSSEC records you have setup on your domain. Can you disable DNSSEC with the provider you configured it on?

Did you mean CAA record? (I didn’t find DNSSEC config in DNS panel).

I removed CAA and will try to renew certificate tomorrow (can’t do it today because of the Let’s Encrypt limits).

Yeap, removing CAA record from DNS helped.

How I can have CAA and Let’s Encrypt? CAA record is very useful for security.

We don’t have any docs on that. You should read and contact your DNS provider for additional assistance in setting up proper CAA records that will work.

I’m having the same issue.

Here are the setting on


I’ve checked my configuration on ionos, and it looks good. Any idea? I can’t understand who is responsible for these.

Any help?


Hi @sebaz! Welcome to our Community!

Is everything working now? It looks to be working from our end. It can take up to 24 hours sometimes for DNS to propagate, and our certificates can’t be issued until that is complete.

Yes! I removed the AAAA record and works properly.

1 Like