Cert expired yesterday and can't be renewed

My domain is: adwdevelopments.com

My web server is: uname -a
Linux p3plcpnl0215.prod.phx3.secureserver.net 2.6.32-954.3.5.lve1.4.81.el6.x86_64 #1 SMP Mon Feb 1 12:39:21 EST 2021 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider is: GoDaddy cPanel shared Linux hosting
I can login to a root shell on my machine (yes or no, or I don't know): no

This is the guide that I used a few years ago when I set up the cert:

The problem is: Cert expired yesterday and can't be renewed.
(If it matters, I upgraded the GoDaddy hosting with Dedicated IP 2 days ago. Also I have added a few DNS TXT records for Google domain verification.)

Email stopped working too (we are using cPanel email); this is the email client message:
“Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to adwdevelopments.com must be corrected.”

I ran this command: acme.sh --issue -d adwdevelopments.com -w ~/www --dns dns_gd

It produced this output:
[пон, 07 јун 01:57:10 MST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
[пон, 07 јун 01:57:10 MST 2021] Single domain='adwdevelopments.com'
[пон, 07 јун 01:57:10 MST 2021] Getting domain auth token for each domain
[пон, 07 јун 01:57:12 MST 2021] Getting webroot for domain='adwdevelopments.com'
[пон, 07 јун 01:57:12 MST 2021] Verifying: adwdevelopments.com
[пон, 07 јун 01:57:16 MST 2021] adwdevelopments.com:Verify error:Invalid response from https://adwdevelopments.com/.well-known/acme-challenge/I4-CscPXhX3fdseChSnQIRDc9zaNXeZcOcYkDx50-es [192.186.231.233]:
[пон, 07 јун 01:57:16 MST 2021] Please check log file for more details: /home/adwdevelopments/.acme.sh/acme.sh.log

I ran this command: acme.sh --deploy -d adwdevelopments.com --deploy-hook cpanel_uapi
It produced this output:
[пон, 07 јун 02:07:59 MST 2021] Certificate successfully deployed
[пон, 07 јун 02:07:59 MST 2021] Success

Here is the log:
[пон, 07 јун 00:54:43 MST 2021] adwdevelopments.com:Verify error:Invalid response from https://adwdevelopments.com/.well-known/acme-challenge/DZqwHo8q2rnM2T0Ldn9Sm8-HSKiT0lM5FNG_EmPK2Fg [192.186.231.233]:
[пон, 07 јун 00:54:43 MST 2021] pid
[пон, 07 јун 00:54:43 MST 2021] No need to restore nginx, skip.
[пон, 07 јун 00:54:43 MST 2021] _clearupdns
[пон, 07 јун 00:54:43 MST 2021] dns_entries
[пон, 07 јун 00:54:43 MST 2021] skip dns.
[пон, 07 јун 00:54:43 MST 2021] _on_issue_err
[пон, 07 јун 00:54:43 MST 2021] Please check log file for more details: /home/adwdevelopments/.acme.sh/acme.sh.log
[пон, 07 јун 00:54:43 MST 2021] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13777752522/-b8EeQ'
[пон, 07 јун 00:54:43 MST 2021] payload='{}'
[пон, 07 јун 00:54:43 MST 2021] POST
[пон, 07 јун 00:54:43 MST 2021] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/13777752522/-b8EeQ'
[пон, 07 јун 00:54:43 MST 2021] _CURL='curl --silent --dump-header /home/adwdevelopments/.acme.sh/http.header -L -g '
[пон, 07 јун 00:54:43 MST 2021] _ret='0'
[пон, 07 јун 00:54:43 MST 2021] code='400'

Question: how to fix this?

Can we have a look at:

  • the output of: apachectl -S
  • the file(s) containing adwdevelopments.com (shown in the output)
  • anything that shows how HTTP challenge requests are being redirected to HTTPS

Is your site supposed to be returning a page with just " Future home of something quite cool."? Or should it actually show your website?

Furthermore, the HTTPS, POP3 and IMAP services at 192.186.231.235 (which is your IP address currently) are all returning the "Starfield Secure Certificate Authority" certificate for your shared server and no Let's Encrypt certificates.

Is that the correct (dedicated) IP address?


First, if it helps, I have successfully created new cert here: https://test2.adwdevelopments.com/

On your questions, @rg305 and @Osiris:

  • -bash: apachectl: command not found

These are the files in .acme.sh/adwdevelopments.com
If needed I can share one.
Could not find /.well-known/acme-challenge/ folders.

Using the "Really Simple SSL" WordPress plugin.
Here is the htaccess file:

  • yes

I'm confused about that. I have 2 addresses: 192.186.231.234 and 192.186.231.235 (I can ssh to server by both).

When I set the DNS A record to .234 the site shows, as now, and .234 is shown in cPanel as the dedicated IP.
With .235 the site is not showing; just " Future home ..." shows.

But GoDaddy support says .235 is the dedicated IP and .234 is for "invite-a-delegate-to-access-my-godaddy-account".

Well, if I surf to adwdevelopments.com, I'm not seeing a real website, just a placeholder page from your hosting provider. I would suggest you get your website up and running properly first and only when that's all good, try to get a certificate again. Never mind, the placeholder was cached, I can see your site now; now your IP address resolves to the .234 address.

Not sure why you got the dedicated IP address in the first place, but I'm betting the reason you weren't able to get a certificate is due to the fact the IP address in DNS wasn't "pointing" to the correct site in cPanel.


The certificate was working for adwdevelopments.com for the last 2 years without problems. This issue happened just on the last renewal, June 6, and I still can't renew it.
The dedicated IP upgrade was intended to get better hosting performance.

Another thing to mention: I moved the site to a subfolder between the last 2 cert renewals (from /public_html/ to /public_html/adwdevelopments/ ). Does that affect the renewal?

I can see in this file:
.acme.sh/adwdevelopments.com/adwdevelopments.com.conf
this path line:
Le_Webroot='/home/adwdevelopments/www,dns_gd'
I updated that to:
Le_Webroot='/home/adwdevelopments/www/adwdevelopments.com,dns_gd'
but no success, the error appears again:

adwdevelopments.com:Verify error:Invalid response from https://adwdevelopments.com/.well-known/acme-challenge/-LoCG6xB2ZjE0qu1GMiAJ5KtNN9fqJo2n1IyXwMqjNI [192.186.231.234]: 
[сре, 09 јун 01:53:36 MST 2021] Please check log file for more details: /home/adwdevelopments/.acme.sh/acme.sh.log

That might be the problem.

This file:

and the corresponding Apache config must agree on the webroot location.

yes @rg305, the problem was that the new site is in a subfolder: /public_html/adwdevelopments/

The problem with the site cert was resolved like this:

  1. switched back to the old site (by enabling the old htaccess)
  2. renewed the cert
  3. enabled the new site htaccess again.
    (I can't point adwdevelopments.com to /public_html/adwdevelopments/ because it's the 'primary domain' and fixed to /public_html/. So I used htaccess for pointing to the new site.)
    I'll continue to look at how to renew the cert without switching to the old site.

Another problem left is that the email client (Mozilla Thunderbird) is giving an SSL error when I try to send mail:

“Sending of the message failed.
Unable to communicate securely with peer: requested domain name does not match the server’s certificate.
The configuration related to adwdevelopments.com must be corrected.”

Port 465 is not typically controlled by the web server.
That means that, although it uses the same cert, it too must be restarted/updated to use newly issued certs.

As you said it's on shared hosting, I suspect that whoever runs the server at GoDaddy doesn't allow you to update certificates for port 465 (as @rg305 mentioned, different software—e-mail server software rather than web server software) with the same ease or via the same procedure as you can on port 443. (In the worst case, maybe GoDaddy doesn't permit this at all, at least not with your current hosting plan.)

Did this ever work (using that name)?
I see a cert with this SAN there:

DNS Name=*.prod.phx3.secureserver.net
DNS Name=prod.phx3.secureserver.net

Perhaps you could try using that (second name) instead.
OR
(either way) Speak with your email provider about how to use their system with Thunderbird.

Note: Certs with individualized names are useful/required for website security; but are not used/required to be individualized for email security.
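To see concretely why Thunderbird complains, here is an added example (not from this thread, and not part of acme.sh) that connects to 443, 465 and 993, pulls the served certificate's SAN list and applies the same name-matching rule a client does; against adwdevelopments.com it would report OK on 443 and MISMATCH on the mail ports while they still present the *.prod.phx3.secureserver.net cert described above. The port list, the script name and the command-line usage are assumptions.

```python
"""Check whether the TLS certificate served on the web and mail ports covers
the hostname a client (browser or Thunderbird) was configured with."""
import socket
import ssl

def hostname_matches(hostname, san_names):
    """RFC 6125-style match: exact name, or a wildcard that is the whole leftmost
    label and covers exactly one label (*.prod.phx3.secureserver.net covers
    p3plcpnl0215.prod.phx3.secureserver.net but not adwdevelopments.com)."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".prod.phx3.secureserver.net"
            prefix = host[:-len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

def fetch_san_names(host, port, timeout=5.0):
    """Implicit-TLS handshake (443, 465, 993) with SNI set to `host`; returns the
    leaf cert's DNS SANs. Chain validation stays on, only the name check is ours."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode remains CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def report(host, ports=(443, 465, 993)):
    """Return {port: bool}: does the cert on each port cover `host`?"""
    result = {}
    for port in ports:
        try:
            sans = fetch_san_names(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}:{port}: handshake failed: {exc}")
            result[port] = False
            continue
        result[port] = hostname_matches(host, sans)
        print(f"{host}:{port}: {'OK' if result[port] else 'MISMATCH'} SANs={sans}")
    return result

if __name__ == "__main__":
    import sys
    # Assumed usage: python check_tls_names.py adwdevelopments.com
    report(sys.argv[1])
```

If the mail ports show MISMATCH, configuring the client with a name that the served SANs actually cover (as suggested above) or getting the host to deploy the domain's cert to the mail service are the two ways to make the warning go away.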

yes, before the hosting upgrade with the dedicated IP it worked without errors/warnings.
GoDaddy support did not help at all with the issue.

Email clients (Thunderbird, Outlook) now work, but users now need to click "Confirm Security Exception" to send: