Certificate still renews and is attached to domain after removal by host

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pinebushequine.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): apache version unknown

The operating system my web server runs on is (include version): unknown

My hosting provider, if applicable, is: original: lynxxdirect.com / new: painlesswebhost.net

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel version unknown

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): unknown

I had my site hosted at lynxxdirect, which uses Let's Encrypt to provide SSL certs in their cPanel hosting. I have since transferred my site to a new host. lynxxdirect states they have removed the SSL cert from my site and account and also that they have removed my account altogether. However, at the new host I am unable to add a new certificate, as it will show as an invalid certificate. Also, by visiting my site I can see that it is still somehow using the original Let's Encrypt cert even though lynxxdirect states it was removed. So this Let's Encrypt SSL cert is somehow still working on my domain even though it's not installed on the server of the new host. And in fact, the SSL cert is still automatically renewing itself on a 3 month interval. lynxxdirect is now little help as again they state the SSL cert was removed and my account was removed. I really need someone who understands SSL certificates and who is familiar with Let's Encrypt to help me get this SSL cert removed from my domain so I can install a new valid SSL cert on the new hosting server. This is causing many issues for us, like with securing sub-domains used for the email server. This is causing issues with sending and receiving email reliably, which is very important to us.

Thank you


The setup is a bit more complicated than you have described:

Name:      pinebushequine.com
Addresses: 2606:4700:3031::ac43:a48f
           2606:4700:3037::6815:59c2
           104.21.89.194
           172.67.164.143

I see CloudFlare CDN IPs for that domain.


@rg305 thank you for your reply.
Yes, it is a bit more complicated. This is our business site. We control the site's hosting and email, but our parent company controls the domain and DNS. An attempt was made to install a CloudFlare SSL cert on the domain after the transfer to painlesswebhost, and that is where it says certificate invalid. Also, the parent company uses CloudFlare for the DNS and I guess CDN.

I am very unfamiliar with how this works. How does this affect the SSL issue?
In troubleshooting this, should I request that the CDN be temporarily disabled?


It makes the problem less visible [from where I'm sitting].

No, but there is a setting that can allow LE certs to be issued while behind the CF CDN.


My new host does not support LE certs, and I need to either purchase a new cert or be able to use a CF cert.
But installing a CF cert on the new server always shows an error as an invalid cert, and the site keeps using the old LE cert even though the old hosting company says they removed the cert when they closed our account there.
[screenshot]

I would advise to get help from CF about using one of their certs.


@rg305 Is there not a way to just remove this LE cert or make it stop renewing?
Neither CF nor my new host will help, because they say they cannot provide help with a LE cert.
Once it's removed or expired I can just get another.

Furthermore I do not understand how this LE cert works. How can it still be associated and active on my domain if it does not exist on the old server or the new server where my site is hosted.

If you have more understanding of what is happening with this cert, could you please explain it to me?

Thank you very much for your insight into this.

EDIT: @jrspada Oh, I think I just realized your confusion. Cloudflare sometimes uses Let's Encrypt to get certs for its own purposes. I think this is probably what you are seeing. Review the SSL Decoder link I show below and hopefully will be more clear.

Well, yes, but this is all under your control.

First, I don't see it active on your "domain". Requests from the public internet see the Cloudflare cert. Check a browser's "security" icon or see the cert at a site like this SSL Decoder test. That is how Cloudflare's CDN (well, any CDN) works. There is a separate connection between the CDN Edge and your Origin Server.

What kind of request do you make that still sees the prior Let's Encrypt cert?

I am not sure what info you are displaying in post #5. What were you using to display that cert info?

Your last Let's Encrypt cert was renewed on Jul 6. If you have disabled the renewal at your old hosting service then nothing should renew going forward.


That is what Chrome shows me when I click on the security icon. This is what displays whether I have the CF cert installed or not.

This is the CF cert installed on my server.
It seems like its fine but then the main screen of cPanel shows me this
[screenshot]

I'm sorry, but this is beyond my understanding. I do see that it shows the CF cert, but I don't understand the LE certs.
I use cloudflare certs for other sites too. pbsbbbq.com for example. I used the checker on that site and it does not show any LE certs just CF certs.

I just don't understand why the new host's cPanel shows it as an invalid expired cert. The CF cert is set to expire in 2037.
And this seems to be causing issues with our mail subdomain, as sometimes we will get an error of unable to establish a secure connection to the server.

Again thank you for all your time answering all the questions from someone who knows little more about SSL certs other than copy / pasting / installing them on a server.


TL;DR: Don't worry about the Let's Encrypt certs Cloudflare obtained on your behalf.

I see how my wording could be misunderstood. Let me try again.

You are using the Cloudflare CDN (proxied DNS). The Cloudflare CDN Edge obtains a cert for your domain for its own use at this Edge. It is used to talk HTTPS between it and clients (like browsers or other apps). It manages this cert. For your pinebushequine domain it got this cert from Let's Encrypt. There is nothing you can do about that. It is what CF did. It may get certs from other providers or even use its own CA cert like it did for the pbsbbbq domain.

Your Origin Server talks to the Cloudflare Edge (and only to the Edge, not directly to clients when you proxy that domain). You can set up your own cert on your Origin for HTTPS connections from the Edge (like from Let's Encrypt or another CA). Cloudflare also offers an Origin CA cert which is sometimes helpful. It looks like you tried to use this in your Origin server with cPanel. And, for some reason cPanel did not like it (well, because it is a self-signed cert). I don't know enough about your cPanel config to advise one way or the other, but you may need to get a cert from another source then. That's a question for your hosting service about cPanel requirements. Or, perhaps Cloudflare about the use of their Origin CA cert.

Is that clearer than how I described it earlier? I hope this at least explains why the Let's Encrypt certs you see do not require action on your part.

As for mail. It is my understanding many people have trouble using Cloudflare CDN (proxied DNS) for mail protocols. You may need to just use regular Cloudflare DNS (not proxied) for your mail domains and acquire certs if/as needed.

You may wish to visit the Cloudflare forums and ask about these items there. I am sure people have run into issues with cPanel on Origin Servers. And, trying to proxy mail protocols.

Here are some useful topics in the Cloudflare docs. If nothing else they are good indexes.
https://developers.cloudflare.com/fundamentals/get-started/
https://developers.cloudflare.com/ssl/get-started/

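The Edge-versus-Origin split described in this reply and in the earlier "what the browser sees" reply is easy to confirm from a terminal. The script below is an added example, not code from the thread or from Cloudflare: it opens a TLS connection while sending the site name in SNI, first to whatever DNS resolves to (the Cloudflare Edge when the record is proxied) and then, if you pass it, directly to the origin server's IP, and reports who issued each certificate. It uses only the Python 3 standard library; the domain is the one from the thread, the origin IP is whatever you supply, and the two sample dicts at the bottom are constructed in the shape `getpeercert()` returns so the helpers can be exercised offline (they are not real certificates). When the origin presents a Cloudflare Origin CA cert, chain validation against the public CA store fails, which is the same complaint cPanel raises; the script then reports the cert's fingerprint instead of pretending it validated.

```python
# Added example (not code from the thread): show which certificate is presented
# for a name through the Cloudflare edge versus directly at an origin IP.
import hashlib
import socket
import ssl
import sys


def _rdn_to_dict(rdn_seq):
    """Flatten the ((('k', 'v'),), ...) name structure used by getpeercert()."""
    return {k: v for rdn in rdn_seq for k, v in rdn}


def classify_issuer(cert):
    """Label a getpeercert() dict by who signed it, based on the issuer name."""
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    org = issuer.get("organizationName", "").lower()
    cn = issuer.get("commonName", "").lower()
    if "let's encrypt" in org:
        return "lets-encrypt"
    if "cloudflare" in org or "cloudflare" in cn:
        return "cloudflare"
    return "other"


def summarize_cert(cert):
    """Reduce a getpeercert() dict to the fields that matter for this diagnosis."""
    issuer = _rdn_to_dict(cert.get("issuer", ()))
    subject = _rdn_to_dict(cert.get("subject", ()))
    return {
        "issuer": issuer.get("organizationName", "?") + " / " + issuer.get("commonName", "?"),
        "kind": classify_issuer(cert),
        "subject_cn": subject.get("commonName", ""),
        "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "not_after_epoch": ssl.cert_time_to_seconds(cert["notAfter"]),
    }


def probe(server_name, connect_host=None, port=443, timeout=10):
    """TLS-connect to connect_host (default: server_name) while sending
    server_name in SNI. Returns (trusted, details).

    trusted=True: the chain validated against the local CA store and details
    is the summarize_cert() dict. trusted=False: validation failed (a
    Cloudflare Origin CA cert does this, because only the Cloudflare edge
    trusts that CA); details is the SHA-256 fingerprint of the DER cert,
    since getpeercert() returns {} once verification is switched off.
    """
    connect_host = connect_host or server_name
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by eye
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return True, summarize_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((connect_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                der = tls.getpeercert(binary_form=True)
        return False, hashlib.sha256(der).hexdigest()


# Constructed sample dicts in getpeercert() shape (not real certificates),
# used only to exercise the helpers offline.
SAMPLE_EDGE_CERT = {
    "subject": ((("commonName", "pinebushequine.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "subjectAltName": (("DNS", "pinebushequine.com"), ("DNS", "www.pinebushequine.com")),
    "notAfter": "Oct 14 12:00:00 2023 GMT",
}
SAMPLE_CF_CERT = {
    "subject": ((("commonName", "sni.cloudflaressl.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Cloudflare, Inc."),), (("commonName", "Cloudflare Inc ECC CA-3"),)),
    "subjectAltName": (("DNS", "pbsbbbq.com"), ("DNS", "sni.cloudflaressl.com")),
    "notAfter": "Dec 31 23:59:59 2023 GMT",
}

if __name__ == "__main__":
    # usage: python probe.py pinebushequine.com [origin-ip]
    name = sys.argv[1]
    print("via DNS  :", probe(name))
    if len(sys.argv) > 2:
        print("at origin:", probe(name, connect_host=sys.argv[2]))
```

Run it once with just the domain and once with the origin IP from the new host. The first result is what browsers (and the SSL Decoder check) see and is managed entirely by Cloudflare; the second is what the Edge sees from the cPanel server and is the only one you control. Passing `port=465` or `port=993` to `probe()` does the same check against a mail host, which is useful because proxied records do not carry those protocols through the CDN.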
