Certificates not renewed

Last night and this morning I received several emails from cpanel@themanchesters.org (the hostpapa control panel for my domain) telling me that the certificates haven’t been renewed. I notice from a previous post that there has been an error related to verification. This is not mentioned in any of the emails I received. I also note from another post that it could be related to the country where the check takes place (Singapore and?). I have blocked all countries except the UK so this could be the issue (we were receiving many attacks from all across the world).

Please note that my IT skills are limited.

My domain is: themanchesters.org

I ran this command: I didn’t run any commands. Last night and this morning I have received several emails saying “themanchesters.org: The AutoSSL certificate expires on May 5, 2024 at 9:02:10 AM UTC. At the time of this notice, the certificate will expire in 13 days, 21 hours, and 12 minutes.

AutoSSL did not renew the certificate for “themanchesters.org”. You must take action to keep this site secure.

The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems: [followed by a list of errors]

It produced this output: Not applicable

My web server is (include version): s127

The operating system my web server runs on is (include version): I don’t know how to find this

My hosting provider, if applicable, is: Go Daddy

I can login to a root shell on my machine (yes or no, or I don't know): I don’t know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): hostpapa cpanel 110.0 (build 30)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I don’t know how to find this.

Any help or guidance would be greatly appreciated.

Kind regards
Pete

The Let's Encrypt Servers will make several requests from various countries including the US, Sweden, and Singapore. These may change at any time but that's the list today.

Limiting yourself just to UK should never have worked. Was that a recent change?

Above is how an HTTP Challenge works and is likely what you are using. There is also a DNS Challenge. You would have to talk with your provider (GoDaddy) whether your AutoSSL supports that. That challenge uses the public DNS to validate the cert request rather than your web server. It would allow you to continue to fence your web server while still getting a cert as long as you allow DNS queries world-wide.

A test request from my own test server in the USA got blocked by Cloudflare. Is that the method you used to block all but UK?

3 Likes

Hi Mike, thanks for your reply. The country block was a recent change (about one month ago). We were experiencing many attacks and our web host suspended the site. I took some advice and installed Cloudflare and used this to block every country except the UK. The site is dedicated to the Manchester Regiment in World War One and most of our members are in the UK (we have one member in Germany, so I excluded his IP address from the block so he could still access the site).

If I understand your request properly, I’ll contact Go Daddy and ask about the DNS challenge and how to set it up. If it does support the DNS challenge, I’ll use this and turn off the webserver challenge in Cloudflare (allowing global access again). Is that right?

Thanks for your advice.

Kind regards
Pete

1 Like

If you plan to stay with Cloudflare you might consider using their Origin CA Certificate in your origin server. You create that in Cloudflare and it can only be used for HTTPS connections between the Cloudflare CDN edge and your origin. You can set up these certs with very long lifetimes.

This replaces the Let's Encrypt cert you currently use, which would be simpler, but these Origin CA certs have some restrictions. For simple uses like a basic web server it should be fine.

That's the first option I would explore. It would allow you to keep your country block and have an easy-to-maintain cert.

4 Likes

Thanks Mike, I’ll try that first. I really appreciate your advice.

Best regards
Pete

5 Likes

The Cloudflare Origin CA Cert would still be easier but here's a nice tip from another thread.

It allows blocking countries while still passing through the ACME challenge requests from anywhere.

3 Likes
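To make the two points above concrete (validators come from several countries, so a plain UK-only block breaks HTTP-01; exempting the ACME challenge path lets validation through while the geo block stays), here is an added example of the access-policy logic. It is illustrative code written for this thread, not Cloudflare's rule syntax or anything from the original posts; the country codes and the allowlisted network are constructed, and the `/.well-known/acme-challenge/` prefix is the path HTTP-01 validators fetch.

```python
"""Added example: a country block that still admits ACME HTTP-01 validation.

Illustrative policy logic only; it is not Cloudflare's rule language and not
code from the thread. The allowed country and allowlisted network are
constructed values.
"""
from ipaddress import ip_address, ip_network
from posixpath import normpath

# HTTP-01 validators request a token from under this well-known prefix.
ACME_CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed policy values: the one allowed country plus an allowlisted
# network for a member who lives outside it (TEST-NET-3, documentation range).
ALLOWED_COUNTRIES = {"GB"}
ALLOWLISTED_NETWORKS = [ip_network("203.0.113.0/24")]


def is_acme_challenge(path: str) -> bool:
    """True only when the normalised path really sits under the ACME prefix.

    Normalising first means '/.well-known/acme-challenge/../admin' collapses
    to '/.well-known/admin' and is not mistaken for a challenge request, so
    the exemption cannot be used to reach anything else on the site.
    """
    return normpath(path).startswith(ACME_CHALLENGE_PREFIX)


def decide(path: str, country: str, client_ip: str) -> str:
    """Return 'allow' or 'block' for one request.

    Rule order is the whole point: the ACME exemption is evaluated before the
    country check, so validators in the US, Sweden or Singapore get the token,
    while ordinary traffic from outside the UK is still blocked.
    """
    if is_acme_challenge(path):
        return "allow"
    addr = ip_address(client_ip)
    if any(addr in net for net in ALLOWLISTED_NETWORKS):
        return "allow"
    if country in ALLOWED_COUNTRIES:
        return "allow"
    return "block"


if __name__ == "__main__":
    # Constructed requests: a validator in Singapore, a UK visitor,
    # a US visitor, and a path-traversal attempt against the exemption.
    for req in [("/.well-known/acme-challenge/tokenXYZ", "SG", "198.51.100.7"),
                ("/index.html", "GB", "198.51.100.7"),
                ("/index.html", "US", "198.51.100.7"),
                ("/.well-known/acme-challenge/../wp-admin/", "US", "198.51.100.7")]:
        print(req, "->", decide(*req))
```

The same ordering applies whatever product enforces the block: the challenge-path exemption has to sit above the geo rule, and it should match on the normalised path rather than a raw string, otherwise the exemption becomes a hole in the block.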

Thanks Mike, I know how to do this so I’ll give it a try first. I’ve made the change so I assume I sit back and see if I get any more certificate warnings. If I do, I’ll work out the cloudflare solution.

Thanks once again
Pete

3 Likes

Mike, since I made the change I’ve not had any further warnings, however, I haven’t received any emails to confirm the certificates have renewed. Is there any way that I can check they have renewed?

Best regards
Pete

Which change did you make? There were a couple ideas.

The Cloudflare CDN will keep its certs fresh and you don't need to worry about that. They use various Certificate Authorities.

If you used their Origin CA cert in your origin server you could have set a very long lifetime so again no worry there.

Checking your cert behind a CDN is a little trickier. Monitor your renewal process and make sure you have a way to alert yourself if it fails.

You can view all certs issued for your domain using tools like below. Cloudflare will be getting some for its CDN on your behalf and you will see those too.

https://crt.sh

Entrust Certificate Search

3 Likes
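Since the question was how to confirm a renewal actually happened behind a CDN, here is an added example of reading the kind of JSON listing crt.sh provides and working out whether a fresh Let's Encrypt certificate exists and how long it has left. The records are constructed sample rows in crt.sh's JSON shape (the field names `issuer_name`, `name_value`, `not_before`, `not_after` are crt.sh's; the values, the domain `example.org` and the CDN issuer name are made up), and this is not code from the thread or from crt.sh.

```python
"""Added example: judge renewal state from a crt.sh-style JSON listing.

The sample rows are constructed in the shape of crt.sh's JSON output; the
domain, dates and CDN issuer are made up. Not code from the thread.
"""
import json
from datetime import datetime, timezone

CRTSH_TS = "%Y-%m-%dT%H:%M:%S"   # crt.sh emits naive timestamps; they are UTC

# Constructed sample: an older Let's Encrypt cert, a cert the CDN obtained for
# the same names, a fresh Let's Encrypt cert, and that cert's precertificate
# row (crt.sh lists precertificate and leaf separately, so duplicates appear).
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2024-02-05T09:02:10", "not_after": "2024-05-05T09:02:10"},
    {"id": 2, "issuer_name": "C=US, O=Example CDN Edge CA (constructed)",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2024-04-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2024-04-27T10:00:00", "not_after": "2024-07-26T10:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2024-04-27T10:00:00", "not_after": "2024-07-26T10:00:00"},
])

# Constructed sample for the failure case: only the old cert and the CDN's.
SAMPLE_STALE_JSON = json.dumps(json.loads(SAMPLE_CRTSH_JSON)[:2])

# The moment at which the checks below are evaluated (constructed).
CHECK_TIME = datetime(2024, 5, 1, tzinfo=timezone.utc)


def parse_crtsh(json_text):
    """Parse crt.sh rows into records with aware datetimes, deduplicated on
    (issuer, not_before, not_after) so precert/leaf pairs count once."""
    seen, records = set(), []
    for row in json.loads(json_text):
        rec = {
            "issuer": row["issuer_name"],
            "names": row["name_value"].split("\n"),
            "not_before": datetime.strptime(row["not_before"], CRTSH_TS).replace(tzinfo=timezone.utc),
            "not_after": datetime.strptime(row["not_after"], CRTSH_TS).replace(tzinfo=timezone.utc),
        }
        key = (rec["issuer"], rec["not_before"], rec["not_after"])
        if key not in seen:
            seen.add(key)
            records.append(rec)
    return records


def renewal_status(json_text, issuer_match, now, warn_days=14):
    """Return (not_after_iso, days_left, status) for the newest cert whose
    issuer contains issuer_match.

    Filtering by issuer is what separates the origin's Let's Encrypt cert
    from the edge certs the CDN obtains for the same names, which appear in
    the same transparency log.
    """
    mine = [r for r in parse_crtsh(json_text) if issuer_match in r["issuer"]]
    if not mine:
        return (None, None, "none-found")
    newest = max(mine, key=lambda r: r["not_before"])
    days_left = (newest["not_after"] - now).days
    if days_left < 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "renew-soon"
    else:
        status = "ok"
    return (newest["not_after"].isoformat(), days_left, status)


if __name__ == "__main__":
    print(renewal_status(SAMPLE_CRTSH_JSON, "Let's Encrypt", CHECK_TIME))
    print(renewal_status(SAMPLE_STALE_JSON, "Let's Encrypt", CHECK_TIME))
```

Against real data you would fetch the listing for your own domain from crt.sh and feed it to `renewal_status`; a result of `renew-soon` with no newer Let's Encrypt entry is the signal that AutoSSL has not renewed, which is exactly the alerting Mike recommends. Note that a certificate appearing in the log shows it was issued, not that the origin server is actually serving it.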

Mike, it was the ‘nice tip’ from another thread rather than the Origin solution (only because I knew how to do it).

1 Like

Thanks Mike

1 Like

Using the Entrust Search, I saw a cert by Let's Encrypt issued yesterday. You could check your AutoSSL to confirm.

3 Likes
