Why My Blog Was Down For Weeks (And The Netlify DNS Mistake You Should Avoid)

{ "author": { "bio": null, "image": { "_type": "image", "alt": "Caroline Scholles, Content & SEO Specialist in Lisbon, Portual ", "asset": { "_ref": "image-30252a4308f1def976faa953ad20b174c29761a0-180x320-jpg", "_type": "reference" } }, "name": "Caroline Scholles" }, "body": [ { "_key": "3d580c666c83", "_type": "block", "children": [ { "_key": "3aa10a234057", "_type": "span", "marks": [], "text": "How to fix" }, { "_key": "da9fd24d3ad9", "_type": "span", "marks": [ "em" ], "text": " SniCertificate::CertificateValidationError: Unable to verify challenge for *" } ], "markDefs": [], "style": "normal" }, { "_key": "09a6f948b55e", "_type": "block", "children": [ { "_key": "5a701f7b87dd", "_type": "span", "marks": [], "text": "If you’ve visited my site over the last few weeks, you might have noticed it was completely down, blocked by a scary browser security warning." } ], "markDefs": [], "style": "normal" }, { "_key": "811c152f10fc", "_type": "block", "children": [ { "_key": "ee27f2ae0e61", "_type": "span", "marks": [], "text": "I finally figured out why, and I am writing this post to save you from making the exact same infrastructure mistake I did." } ], "markDefs": [], "style": "normal" }, { "_key": "610b78be7edf", "_type": "block", "children": [ { "_key": "f0f80749578d", "_type": "span", "marks": [], "text": "The Setup: Squarespace and Netlify" } ], "markDefs": [], "style": "h3" }, { "_key": "5fc29c5d7cde", "_type": "block", "children": [ { "_key": "44d8c124955b", "_type": "span", "marks": [], "text": "I buy my domains through " }, { "_key": "fa82f6a3e827", "_type": "span", "marks": [ "strong" ], "text": "Squarespace " }, { "_key": "aa59c255fc87", "_type": "span", "marks": [], "text": "(originally Google Domains), but I host my code on " }, { "_key": "6747ea942b17", "_type": "span", "marks": [ "strong" ], "text": "Netlify" }, { "_key": "c82d036f867b", "_type": "span", "marks": [], "text": ". This is a very common setup." } ], "markDefs": [], "style": "normal" }, { "_key": "a8473b838171", "_type": "block", "children": [ { "_key": "5827ae3ae5ea", "_type": "span", "marks": [], "text": "To understand what broke, you have to understand how a " }, { "_key": "8427b1d99d24", "_type": "span", "marks": [ "strong" ], "text": "DNS (Domain Name System)" }, { "_key": "347684b26d9c", "_type": "span", "marks": [], "text": " works. Think of a DNS as the internet's phonebook. Humans remember names (like carolinescholles.com), but computers only understand numbers (IP addresses like 75.2.60.5)." } ], "markDefs": [], "style": "normal" }, { "_key": "180566b28bea", "_type": "block", "children": [ { "_key": "582372a16aa4", "_type": "span", "marks": [], "text": "Because my domain is registered with Squarespace, they are the official keeper of my phonebook. Netlify provided the \"phone number\" (the IP address where my code lives)." } ], "markDefs": [], "style": "normal" }, { "_key": "6a9e6ce872ae", "_type": "block", "children": [ { "_key": "9f6784b89963", "_type": "span", "marks": [], "text": "Normally, you just add an entry in your Squarespace phonebook that says: " }, { "_key": "a5e9f953322e", "_type": "span", "marks": [ "em" ], "text": "\"Send traffic for my domain to Netlify's number,\"" }, { "_key": "1e6c2fc3899f", "_type": "span", "marks": [], "text": " and everything works perfectly." } ], "markDefs": [], "style": "normal" }, { "_key": "e6324c7bdcc3", "_type": "block", "children": [ { "_key": "075b842624ee", "_type": "span", "marks": [], "text": "The Mistake" } ], "markDefs": [], "style": "h3" }, { "_key": "e882406c6e80", "_type": "block", "children": [ { "_key": "ff798fb7c962", "_type": "span", "marks": [], "text": "While setting up my project in the Netlify dashboard, I might have clicked the " }, { "_key": "39500ffc9b78", "_type": "span", "marks": [ "strong" ], "text": "\"Set up Netlify DNS\"" }, { "_key": "169517b33921", "_type": "span", "marks": [], "text": " option. By clicking that button, I accidentally created a \"split-brain\" DNS situation. Netlify automatically generated a second, " }, { "_key": "a733f80a4e38", "_type": "span", "marks": [ "em" ], "text": "ghost phonebook" }, { "_key": "9316de98848a", "_type": "span", "marks": [], "text": " on their servers. The internet at large was still reading the official Squarespace phonebook. But Netlify now thought " }, { "_key": "b6855fa87af4", "_type": "span", "marks": [ "em" ], "text": "it" }, { "_key": "bbe53152ba45", "_type": "span", "marks": [], "text": " was in charge." } ], "markDefs": [], "style": "normal" }, { "_key": "872d50c92b54", "_type": "block", "children": [ { "_key": "ee54a2feb777", "_type": "span", "marks": [], "text": "Enter Let's Encrypt (The Endless Loop)" } ], "markDefs": [], "style": "h3" }, { "_key": "382cef5107cf", "_type": "block", "children": [ { "_key": "e917fb2911bb", "_type": "span", "marks": [], "text": "For your website to be secure (that little padlock in the URL bar), a service called " }, { "_key": "3723b9221dff", "_type": "span", "marks": [ "83703f920691" ], "text": "Let's Encrypt " }, { "_key": "9556b049bbf4", "_type": "span", "marks": [], "text": "has to verify your domain and issue an SSL certificate." } ], "markDefs": [ { "_key": "83703f920691", "_type": "link", "href": "https://letsencrypt.org/" } ], "style": "normal" }, { "_key": "66df49578f45", "_type": "block", "children": [ { "_key": "60747c48b168", "_type": "span", "marks": [], "text": "When Let's Encrypt tried to verify my site, Netlify confidently stepped in and pointed it to its own blank, ghost phonebook instead of the real Squarespace one. Because Let's Encrypt couldn't find the right verification records in the empty phonebook, it failed." } ], "markDefs": [], "style": "normal" }, { "_key": "6a35a7f2775a", "_type": "block", "children": [ { "_key": "d570a28c4322", "_type": "span", "marks": [], "text": "Netlify aggressively retried the verification in the background, failing over and over again, until Let's Encrypt completely blocked my domain for hitting their rate-limit. My site's SSL certificate failed to renew, and the blog was taken offline for weeks." } ], "markDefs": [], "style": "normal" }, { "_key": "9874d8469466", "_type": "block", "children": [ { "_key": "0284b9bac8c8", "_type": "span", "marks": [], "text": "The Fix" } ], "markDefs": [], "style": "h3" }, { "_key": "e8e70ae8fcca", "_type": "block", "children": [ { "_key": "b63562016df5", "_type": "span", "marks": [], "text": "If your domain is hosted on an external platform (like Squarespace, Namecheap, or GoDaddy), " }, { "_key": "1f80ea5a8ef3", "_type": "span", "marks": [ "strong" ], "text": "do not use Netlify DNS unless you intend to completely transfer your Name Servers." } ], "markDefs": [], "style": "normal" }, { "_key": "6dead0c634d7", "_type": "block", "children": [ { "_key": "73e79e6da8ae", "_type": "span", "marks": [], "text": "To bring my site back online, I went into the Netlify Domains tab and navigated to the \"Danger Zone\" to " }, { "_key": "25798a3e902f", "_type": "span", "marks": [ "strong" ], "text": "Delete the DNS zone" }, { "_key": "50bd2f6d0cf8", "_type": "span", "marks": [], "text": "." } ], "markDefs": [], "style": "normal" }, { "_key": "293dd65b204f", "_type": "block", "children": [ { "_key": "8284167a03a1", "_type": "span", "marks": [], "text": "By deleting the ghost zone, I forced Netlify to fall back to \"External DNS\" mode. It immediately stopped trying to read its own fake phonebook, looked at Squarespace instead, and successfully provisioned my SSL certificate instantly." } ], "markDefs": [], "style": "normal" }, { "_key": "b658aec36591", "_type": "block", "children": [ { "_key": "879f71030006", "_type": "span", "marks": [], "text": "We are officially back online! Hopefully, this saves you a few hours (or weeks!) of debugging." } ], "markDefs": [], "style": "normal" } ], "categories": [ { "title": "Tools & Workflows" } ], "faqs": [ { "_key": "2b3a807feda096da69c8949a7a6e8c33", "answer": "This error occurs when Let’s Encrypt cannot complete the 'challenge' to verify you own the domain. It is typically caused by a DNS misconfiguration where the verification records are missing or being looked for in the wrong place.", "question": "What does the 'SniCertificate::CertificateValidationError' error mean?" }, { "_key": "a46b5da4669eb42827b8f2488f07034d", "answer": "It happens when you enable 'Netlify DNS' without transferring your domain's Nameservers. This creates a 'ghost' DNS zone on Netlify that the platform prioritizes for SSL checks, even though the rest of the internet is still using your official registrar's records.", "question": "What is a 'split-brain' DNS situation in Netlify?" }, { "_key": "ef85de75d5fb2f0697204037929dbba5", "answer": "If Netlify repeatedly fails to verify the domain using its 'ghost' records, it can hit Let’s Encrypt’s rate limits (specifically the 'failed validation' limit of 5 failures per hour). This can lead to an extended block on issuing new security certificates.", "question": "Why can this mistake take a website offline for weeks?" }, { "_key": "69f998cb7f77bc281d6f63b7ced5df9c", "answer": "Navigate to the 'Domains' tab in Netlify, go to the 'Danger Zone,' and delete the DNS zone for that domain. This forces Netlify to fall back to 'External DNS' mode and look at your actual registrar (like Squarespace or GoDaddy) for verification.", "question": "How do you fix a Netlify SSL verification failure for an external domain?" } ], "mainImage": null, "publishedAt": "2026-04-13T10:11:00.000Z", "references": [ { "_key": "9a76743a87b8", "_type": "referenceModule", "anchorText": "Netlify Answers", "url": "https://answers.netlify.com/t/not-able-to-renew-ssl-certificate-from-netlify-snicertificate-unable-to-verify-challenge-for-molecules-om-incorrect-txt-record-3245-found-at-acme-challenge/104054" } ], "seo": { "title": "Why My Blog Was Down For Weeks (And The Netlify DNS Mistake You Should Avoid)" }, "slug": { "_type": "slug", "current": "the-netlify-dns-mistake-you-should-avoid" }, "takeaways": [ "Do not enable 'Netlify DNS' unless you intend to fully point your domain's Nameservers to Netlify.", "Using both Netlify DNS and an external provider simultaneously creates a 'split-brain' conflict that breaks SSL renewals.", "Aggressive SSL verification retries can trigger Let’s Encrypt rate limits, extending downtime even after the fix is applied.", "Deleting the inactive Netlify DNS zone is the primary fix to restore SSL provisioning for externally managed domains." ], "title": "Why My Blog Was Down For Weeks (And The Netlify DNS Mistake You Should Avoid)" }

How to fix SniCertificate::CertificateValidationError: Unable to verify challenge for *

If you’ve visited my site over the last few weeks, you might have noticed it was completely down, blocked by a scary browser security warning.

I finally figured out why, and I am writing this post to save you from making the exact same infrastructure mistake I did.

The Setup: Squarespace and Netlify

I buy my domains through Squarespace (originally Google Domains), but I host my code on Netlify. This is a very common setup.

To understand what broke, you have to understand how a DNS (Domain Name System) works. Think of a DNS as the internet's phonebook. Humans remember names (like carolinescholles.com), but computers only understand numbers (IP addresses like 75.2.60.5).

Because my domain is registered with Squarespace, they are the official keeper of my phonebook. Netlify provided the "phone number" (the IP address where my code lives).

Normally, you just add an entry in your Squarespace phonebook that says: "Send traffic for my domain to Netlify's number," and everything works perfectly.

The Mistake

While setting up my project in the Netlify dashboard, I might have clicked the "Set up Netlify DNS" option. By clicking that button, I accidentally created a "split-brain" DNS situation. Netlify automatically generated a second, ghost phonebook on their servers. The internet at large was still reading the official Squarespace phonebook. But Netlify now thought it was in charge.

Enter Let's Encrypt (The Endless Loop)

For your website to be secure (that little padlock in the URL bar), a service called Let's Encrypt has to verify your domain and issue an SSL certificate.

When Let's Encrypt tried to verify my site, Netlify confidently stepped in and pointed it to its own blank, ghost phonebook instead of the real Squarespace one. Because Let's Encrypt couldn't find the right verification records in the empty phonebook, it failed.

Netlify aggressively retried the verification in the background, failing over and over again, until Let's Encrypt completely blocked my domain for hitting their rate-limit. My site's SSL certificate failed to renew, and the blog was taken offline for weeks.

The Fix

If your domain is hosted on an external platform (like Squarespace, Namecheap, or GoDaddy), do not use Netlify DNS unless you intend to completely transfer your Name Servers.

To bring my site back online, I went into the Netlify Domains tab and navigated to the "Danger Zone" to Delete the DNS zone.

By deleting the ghost zone, I forced Netlify to fall back to "External DNS" mode. It immediately stopped trying to read its own fake phonebook, looked at Squarespace instead, and successfully provisioned my SSL certificate instantly.

We are officially back online! Hopefully, this saves you a few hours (or weeks!) of debugging.

The Setup: Squarespace and Netlify

The Mistake

Enter Let's Encrypt (The Endless Loop)

The Fix

References

What does the 'SniCertificate::CertificateValidationError' error mean?

What is a 'split-brain' DNS situation in Netlify?

Why can this mistake take a website offline for weeks?

How do you fix a Netlify SSL verification failure for an external domain?