diff --git a/howto/tls.md b/howto/tls.md
index d4e24fba3bb0882ee12e517476af5d8f938a56c3..27292cd5712ba8a11b407de208081cd0b99155db 100644
--- a/howto/tls.md
+++ b/howto/tls.md
@@ -118,6 +118,50 @@ should go through.
 Don't forget to remove the random `TXT` record created above once
 everything is done.
 
+### Challenge is invalid!
+
+If you get an email that looks like:
+
+    Subject: Cron <letsencrypt@nevii> sleep $(( RANDOM % 3600 )) && chronic dehydrated-wrap --cron
+
+    [...]
+
+    Waiting for master to update torproject.org (for _acme-challenge.dip.torproject.org) from 2021021304.  Currently at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+     SOA nevii.torproject.org. hostmaster.torproject.org. 2021021305 10800 3600 1814400 3601 from server 49.12.57.135 in 0 ms.
+     SOA nevii.torproject.org. hostmaster.torproject.org. 2021021304 10800 3600 1814400 3601 from server 194.58.198.32 in 11 ms.
+     SOA nevii.torproject.org. hostmaster.torproject.org. 2021021305 10800 3600 1814400 3601 from server 95.216.159.212 in 26 ms.
+     SOA nevii.torproject.org. hostmaster.torproject.org. 2021021305 10800 3600 1814400 3601 from server 89.45.235.22 in 29 ms.
+     SOA nevii.torproject.org. hostmaster.torproject.org. 2021021305 10800 3600 1814400 3601 from server 38.229.72.12 in 220 ms.
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+    Waiting for master to update torproject.org (for _acme-challenge.gitlab.torproject.org) from 2021021304.  Currently at 2021021305..
+    Waiting for secondaries to update to match master at 2021021305..
+     + Responding to challenge for dip.torproject.org authorization...
+     + Cleaning challenge tokens...
+     + Challenge validation has failed :(
+    ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"dns-01"
+    ["status"]	"invalid"
+    ["error","type"]	"urn:ietf:params:acme:error:dns"
+    ["error","detail"]	"During secondary validation: DNS problem: query timed out looking up CAA for torproject.org"
+    ["error","status"]	400
+    ["error"]	{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up CAA for torproject.org","status":400}
+
+It's because the DNS challenge took too long to deploy and it was
+refused. This is harmless: it will eventually succeed. Ignore the
+message, or, if you want to make sure, run the cron job by hand:
+
+    ssh -tt root@nevii.torproject.org sudo -u letsencrypt /srv/letsencrypt.torproject.org/bin/dehydrated-wrap --cron
+
 ## Disaster recovery
 
 No disaster recovery plan yet (TODO).
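
Review bot: The explanation under the sample email ("the DNS challenge took too long to deploy and it was refused") does not match the error that the email quotes, which is "During secondary validation: DNS problem: query timed out looking up CAA for torproject.org". That is a timeout on the CAA lookup for the zone, and the text never mentions CAA. Please reword it to say what actually failed. If the suspected cause is secondary lag, point at the SOA lines in the sample, where 194.58.198.32 is still at serial 2021021304 while the others are at 2021021305. "This is harmless ... Ignore the message" also needs a bound: say when it stops being ignorable (for example, the same name failing on consecutive runs), otherwise a real DNS or CAA problem gets ignored until the certificate is close to expiry. Minor: the repeated "Waiting for secondaries to update to match master" lines could be collapsed with the `[...]` marker the sample already uses, so the relevant error is easier to find.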