checkallsslcerts script warning
Hi, I am the only user on my server and I don't use letsencrypt, so I don't know why I am getting this warning. Suggestions or resources, please?
The following cPanel service generated warnings from the checkallsslcerts script.
⚠ cPanel 429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (too many new orders (300) from this account in the last 3h0m0s, retry after 2025-04-28 14:00:29 UTC: see https://letsencrypt.org/docs/rate-limits/#new-orders-per-account)
Thanks in advance :)
-
AUTOSSL was disabled on the providers tab, I also changed the users tab to disabled, I hope that was the issue. :)
0 -
Hey there! It seems like you've got this resolved but let me know if anything else comes up!
0 -
Hi, the warning happened again..
429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) (too many new orders (300) from this account in the last 3h0m0s, retry after 2025-05-05 06:01:05 UTC: see https://letsencrypt.org/docs/rate-limits/#new-orders-per-account)
I am not sure why this is happening, I don't use letsencrypt and it's all disabled. Any suggestions?
0 -
When you say Let's Encrypt is disabled on the server, you have the option set to "disabled" in WHM >> Manage AutoSSL Providers? Is that correct?
0 -
Yes sir that is correct.
And also under manage users it is disabled
Did I miss something somewhere, suggestions?
Thanks :)
0 -
What about the hostname of the server? Is that possibly tied to an account with a large number of DNS entries that could explain the ratelimit?
0 -
Hi, I don't think so but I will check.
I only have one account (I am the only user on the server), for example:
my one account example.com with a username assigned
the server name is server5.example.com
I am using PowerDNS
It seems I have all the normal DNS records for the hostname:
server5.example.com. 86400 SOA
server5.example.com. 86400 NS
server5.example.com. 14400 A
server5.example.com. 14400 MX
mail.server5.example.com. 14400 CNAME
www.server5.example.com. 14400 CNAME
ftp.server5.example.com. 14400 CNAME
default._domainkey.server5.example.com. 14400 TXT
_acme-challenge.mail.server5.example.com. 14400 TXT
_acme-challenge.webdisk.server5.example.com. 14400 TXT
_acme-challenge.cpanel.server5.example.com. 14400 TXT
_acme-challenge.autodiscover.server5.example.com. 14400 TXT
_acme-challenge.whm.server5.example.com. 14400 TXT
_acme-challenge.server5.example.com. 14400 TXT
_acme-challenge.cpcontacts.server5.example.com. 14400 TXT
_acme-challenge.ipv6.server5.example.com. 14400 TXT
_acme-challenge.autoconfig.server5.example.com. 14400 TXT
_acme-challenge.cpcalendars.server5.example.com. 14400 TXT
_acme-challenge.www.server5.example.com. 14400 TXT
_acme-challenge.webmail.server5.example.com. 14400 TXT
server5.example.com. 14400 TXT
_dmarc.server5.example.com. 14400 TXT
I will keep looking for something along those lines in your reply, if you think of something else please let me know :)
0 -
I don't have a good explanation for this then, as that isn't nearly enough to break the ratelimit from Let's Encrypt.
A crazy idea - can you check the headers of the message to confirm they are coming from the server you expect? I've seen users get warnings from systems they thought were decommissioned, or their contact email is still active on an old machine, but the headers would confirm the IP or hostname of the sender.
0 -
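A rough check of the comparison made in the reply above, as an added example that is not part of the thread or of cPanel's tooling: it parses the rateLimited notice quoted earlier and counts the names that carry an _acme-challenge TXT record (the ACME DNS-01 validation record) in a subset of the posted zone listing. The function names are hypothetical; the sample data is copied from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Warning text as quoted in the thread.
NOTICE = ("429 urn:ietf:params:acme:error:rateLimited (The request exceeds a rate limit) "
          "(too many new orders (300) from this account in the last 3h0m0s, retry after "
          "2025-05-05 06:01:05 UTC: see https://letsencrypt.org/docs/rate-limits/#new-orders-per-account)")
# Subset of the zone listing posted in the thread (name, TTL and type only).
ZONE = """mail.server5.example.com. 14400 CNAME
_acme-challenge.mail.server5.example.com. 14400 TXT
_acme-challenge.whm.server5.example.com. 14400 TXT
_acme-challenge.server5.example.com. 14400 TXT
_dmarc.server5.example.com. 14400 TXT"""

RATE_RE = re.compile(
    r"urn:ietf:params:acme:error:rateLimited.*?too many [\w ]+? \((?P<limit>\d+)\)"
    r".*?in the last (?P<window>[\dhms.]+), retry after "
    r"(?P<retry>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", re.S)

def parse_go_duration(text):
    """Convert a Go-style duration such as '3h0m0s' to a timedelta."""
    units = {"h": "hours", "m": "minutes", "s": "seconds"}
    parts = re.findall(r"(\d+(?:\.\d+)?)([hms])", text)
    return sum((timedelta(**{units[u]: float(n)}) for n, u in parts), timedelta())

def parse_rate_limit(notice):
    """Return limit, window and retry time from a rateLimited notice, else None."""
    m = RATE_RE.search(notice)
    if m is None:
        return None
    retry = datetime.strptime(m["retry"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"limit": int(m["limit"]), "window": parse_go_duration(m["window"]), "retry_after": retry}

def acme_challenge_names(zone_text):
    """Names that carry an ACME DNS-01 validation record (_acme-challenge TXT)."""
    prefix = "_acme-challenge."
    rows = (line.split() for line in zone_text.splitlines())
    return sorted({r[0][len(prefix):].rstrip(".") for r in rows
                   if len(r) >= 3 and r[2] == "TXT" and r[0].startswith(prefix)})

def triage(notice, zone_text, now):
    """Compare the challenge-record count with the limit and report the wait left."""
    info = parse_rate_limit(notice)
    if info is None:
        raise ValueError("not an ACME rateLimited notice")
    count = len(acme_challenge_names(zone_text))
    wait = max(info["retry_after"] - now, timedelta(0))
    return {"names": count, "limit": info["limit"], "wait": wait}
```

Run against the full listing posted in the thread, the count is 12 names against a limit of 300 new orders per 3 hours.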
Hi, checked email source, correct IP and hostname. I will keep digging. I really appreciate your help on this. I can't be the only one that has ever had this challenge so maybe there is something on the web which can help as well :)
Again thanks :)
0 -
Hi, here is what I have found regarding the warning; this is in 2 parts.
Part 1, Google AI brought something to my attention.
It appears that even with letsencrypt and AutoSSL disabled, the system could still continue to send out notifications (even false positives) if the notifications under Manage AutoSSL > Options are not also disabled. So I have disabled AutoSSL notifications for admin on that page. I believe this is what is happening.
Part 2 - my server host did some searching and they think that it's possible there may still be some letsencrypt API data associated with one of the older domains, such as domain mapping, still triggering calls to their API. This could be the case because the older domains were originally on a shared server with AutoSSL and letsencrypt enabled. Then the shared server account was transferred by the host to a VPS with all those domains, some of that letsencrypt API data could still be attempting to connect.
Here is my host reply:
Basically, the message shows that the 'checkallsslcerts' script on your server is still attempting to issue certificates through Let’s Encrypt. Even if you’ve disabled Let’s Encrypt or AutoSSL in the UI, some internal settings or domain mappings may still be triggering calls to their API, much to our regret.
We did some research for you and supposedly found the right commands on how to make sure it is disabled. Still, we can not guarantee the commands will work fine.
We suggest you create a backup of your server beforehand, as well as consult/hire a system administrator outside of Namecheap to assist you better.
Here are the SSH commands and steps to perform that we found for you that should be helpful to ensure that Let's Encrypt/AutoSSL is disabled:
1. Double-check that Let's Encrypt is disabled at the system level:
/usr/local/cpanel/bin/autossl_disable_lets_encrypt
2. Set the active AutoSSL provider to cPanel or disable it entirely:
whmapi1 set_autossl_provider provider=cPanel
Or disable AutoSSL completely:
touch /var/cpanel/autossl_disable
3. Clear any remaining Let's Encrypt data.
Remove any Let's Encrypt entries in:
/var/cpanel/userdata/
/var/cpanel/ssl/installed/
/etc/letsencrypt/
Be careful here, and make sure you back up these folders first.
Alternatively, you could disregard further notifications if needed, using this SSH command:
touch /etc/ssl/disable_autossl_notifications
Once again, we would like to point out that the commands found on our side do not guarantee a successful result as we are not acquainted with your server's configuration. We highly recommend hiring a professional for such purposes.
Here are some resources that might be helpful:
https://support.cpanel.net/hc/en-us/articles/360050823313-How-to-install-and-enable-the-Let-s-Encrypt-provider-for-AutoSSL
https://www.siberoloji.com/almalinux-9-how-to-configure-ssl-tls-and-obtain-lets-encrypt-certificates-on-apache-server/
My conclusion:
Neither of these possibilities explains why the warning began to happen about 2 months ago and never before, but I suspect maybe a server update fixed something that was broken or vice versa. I would not call this a bug, but I would ask that cPanel update their docs to include some text on the possibility, or handle it internally with an upgrade at some point. That is for bigger brains than mine :)
If none of this works I will let you know :)
0 -
Thanks for the detailed reply. I do disagree with their reply as none of that will stop the checkallsslcerts tool from running.
You can disable the hostname cert check with the following touch files outlined in our docs:
1 -
Thanks cPRex, I could not find most of those directories/files my server host suggested anyway lol. They were part of an old cPanel version or they just never existed, who knows... lol
Thank you for the link :)
0