Failure to renew certificate via manual execution of AutoSSL.

Comments

23 comments

  • cPRex Jurassic Moderator

    Hey there!  When you manually run AutoSSL, what error does it give?  If the file was missing or unreachable I would expect it to tell you that in the log.

    0
  • glPanel

    Hi cPRex, thank you for your reply.

    This message appears, "Success: The Auto SSL check has completed. The page will refresh in 5 seconds."

    Here is the image.

    0
  • cPRex Jurassic Moderator

    Do you have access to WHM of the server or only the cPanel account?  In WHM >> Manage AutoSSL, there would be a tab where you can view the logs for the server and see more detail about what may have happened.

    If you don't have that level of access you'll likely need to speak with your host in order to get to the root cause of the issue.

    0
  • glPanel

    I only have access to cPanel and I don't see any other logs that give me more information.

    0
  • cPRex Jurassic Moderator

    Correct - you'll have to reach out to your host to have them look at the logs and find the root cause.

    0
  • Laurn Werner

    I too am having the same issue. I keep getting this...

    "The system failed to fetch the DCV (Domain Control Validation) file at “http://website.com/.well-known/acme-challenge/XS716K2IES4A79JCUA62FQB6Y_ONOJ0U” because of an error: The system failed to send an HTTP (Hypertext Transfer Protocol) “GET” request to “http://website.com/.well-known/acme-challenge/XS716K2IES4A79JCUA62FQB6Y_ONOJ0U” because of an error: Could not connect to 'website.com:80': Connection timed out."

    I can see AutoSSL creating the file in the acme-challenge directory. I have tested creating a file in that directory and I can access it via html. So I know port 80 is open and working.

    My certificate renewed on December 18th and is now failing. I noticed that the letsencrypt plugin was updated on December 20th to a newer version. Any ideas?

    0
  • cPRex Jurassic Moderator

    Laurn Werner - do you have root access to the server?

    0
  • Laurn Werner

    Yes, I do.

    0
  • cPRex Jurassic Moderator

    Can you try using the tool here to see if that also reports the correct IP address for the domain name?

    https://support.cpanel.net/hc/en-us/articles/360048319894-How-to-diagnose-AutoSSL-issues-using-scripts-cpdig

    You may also want to scan the domain using a tool such as intodns.com, as any DNS problem will keep AutoSSL from working properly.

    0
  • Laurn Werner

    Seems to work here under root.

    0
  • Laurn Werner

    I'm not seeing anything that looks like DNS issues.

    0
  • cPRex Jurassic Moderator

    We may need to see a ticket on this one if the cpdig test is working, as that is the command that AutoSSL uses to detect and verify the domain.

    0
  • Laurn Werner

    A technical support ticket? Where do I go to do that?

    0
  • cPRex Jurassic Moderator

    You can do that from WHM >> Create a Support Ticket.

    0
  • Laurn Werner

    It's showing that some other company can only create support requests for our IP address.

    0
  • cPRex Jurassic Moderator

    That just means your cPanel license isn't purchased directly through us.  You can still contact that provider for support, and if they can't figure out the issue they can escalate it to us.

    As a test, could you temporarily disable the firewall on the system to see if that could be blocking the connection from the AutoSSL provider?

    0
  • Laurn Werner

    How do I go about disabling the firewall?

    0
  • cPRex Jurassic Moderator

    That part I can't say for sure, as it isn't controlled by cPanel.  There also may be an external firewall outside of your machine that your host could check when you submit that ticket.

    0
  • Laurn Werner

    I'm able, from root, to curl out to letsencrypt.

    0
  • cPRex Jurassic Moderator

    That's good, but it's completely possible there are inbound issues, or that it's something else entirely - the firewall check was just a guess.

    0
  • glPanel

    In my case I've solved the problem by changing the DNS CAA record from "sectigo.com" to "letsencrypt.org" because my provider changed the party issuing SSL certificates.

    Only my hosting provider's support had access to this log which allowed them to diagnose the problem: 

    "DNS CAA records forbid "Let's Encrypt™" from issuing certificates for any of this user's 12 domains. AutoSSL cannot increase "glsistem"'s SSL coverage."

    While I was only seeing the message

    "Success: The Auto SSL check has completed. The page will refresh in 5 seconds."

    which I pointed out in my second post, which is misleading because it suggests that there is no problem.

    I would suggest to the cPanel team that the user also see the correct log.

    0
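
The CAA cause reported in the post above can be checked independently of the AutoSSL log. This is an added example, not part of the thread and not cPanel's code: it evaluates CAA record sets as RFC 8659 describes (parent lookup, `issue` versus `issuewild`, critical flag). The zone data, the domain names and the function names are constructed for illustration.

```python
# Constructed CAA record sets (flags, tag, value) keyed by DNS name; not data from the thread.
ZONE = {
    "example.test": [(0, "issue", "sectigo.com")],
    "shop.example.test": [(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                          (0, "issuewild", ";")],
    "mail.example.test": [(0, "iodef", "mailto:security@example.test")],
}
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_rrset(name, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        owner = ".".join(labels)
        if zone.get(owner):
            return owner, zone[owner]
        labels = labels[1:]
    return None, []


def ca_may_issue(name, ca_domain, zone=ZONE):
    """Return (allowed, reason) for a CA identified by ca_domain, e.g. 'letsencrypt.org'."""
    owner, rrset = relevant_rrset(name, zone)
    if not rrset:
        return True, "no CAA records on the name or any parent"
    for flags, tag, _ in rrset:
        # A critical record (flag bit 128) with a tag the CA does not understand blocks issuance.
        if flags & 128 and tag.lower() not in KNOWN_TAGS:
            return False, f"critical unknown tag '{tag}' at {owner}"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    wild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard names use issuewild when present, otherwise fall back to issue.
    props = wild if name.startswith("*.") and wild else issue
    if not props:
        return True, f"CAA set at {owner} has no property restricting issuance"
    # The issuer domain is the part before any ';' parameters; empty means "no CA".
    permitted = {v.split(";", 1)[0].strip().lower() for v in props}
    if ca_domain.lower() in permitted:
        return True, f"{ca_domain} is authorized at {owner}"
    names = sorted(permitted - {""}) or "no CA"
    return False, f"CAA at {owner} permits only {names}"


if __name__ == "__main__":
    for n in ("example.test", "www.example.test", "*.shop.example.test", "mail.example.test"):
        print(n, ca_may_issue(n, "letsencrypt.org"))
```

A record on the parent domain also governs every subdomain that has no CAA set of its own, which is how a single stale `issue` value can block all of an account's domains at once.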
  • cPRex Jurassic Moderator

    I agree!  I've created case CPANEL-43934 to see if we can add more log details to the cPanel user side when clicking the "Run AutoSSL" button inside the cPanel >> SSL/TLS Status interface.

    0
  • glPanel

    Perfect, that's something that would be useful to implement.

    1
