We are trying to generate a certificate with certsage.php under our domain root directory. However, it gives the following error message (we've successfully installed a few certs for other domains):
==================================
CertSage
version 1.2.0
support@griffin.software
Trouble...
urn:ietf:params:acme:error:caa
CAA record for sportec.tw prevents issuance
If you need help with resolving this issue, please post a topic in the help category of the Let's Encrypt Community.
CAA records are set by the domain owner in DNS. You'd need to look at whatever system administrates your DNS.
What to change it to depends on what CAs you want to allow your domain to use. They're generally not set accidentally, though, so someone at some point specifically set that domain to only use that one CA.
I see your domain DNS nameservers are with hinet.net; they probably set that by default. If you don't know how to fix it, just contact your DNS provider (hinet), but it should be pretty obvious in your DNS control panel for that domain.
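An added example, not part of the original thread and not CertSage code: a simplified offline evaluation of CAA record sets following the RFC 8659 rules, showing why a record naming only another CA produces the `urn:ietf:params:acme:error:caa` error above. The zone data and the `example.test` and `other-ca.example` names are constructed placeholders; `letsencrypt.org` is the issuer domain Let's Encrypt recognises in CAA records.

```python
# Added example: offline CAA evaluation (simplified RFC 8659). All zone data is constructed.
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

def relevant_rrset(name, zone):
    """Climb from `name` toward the root; the first non-empty CAA RRset wins."""
    labels = name.rstrip(".").lower().split(".")
    if labels[0] == "*":          # wildcard names are looked up at their base domain
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []

def caa_allows(name, ca_domain, zone):
    """Return True if the CA identified by `ca_domain` may issue for `name`."""
    rrset = relevant_rrset(name, zone)
    # An unrecognised tag with the critical bit (128) set blocks issuance.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild, when present, replaces issue for wildcard names.
    values = issuewild if name.startswith("*.") and issuewild else issue
    if not values:
        return True               # no restricting property: CAA does not limit issuance
    # The issuer domain precedes any ";parameters"; a value of ";" yields "" (nobody).
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed

# Constructed record sets as (flags, tag, value) tuples keyed by owner name.
ZONE_OTHER_CA = {"example.test": [(0, "issue", "other-ca.example")]}
ZONE_LE = {"example.test": [(0, "issue", "letsencrypt.org; validationmethods=http-01"),
                            (0, "iodef", "mailto:sec@example.test")]}
ZONE_REMOVED = {}                 # CAA records deleted, as the domain owner did here
ZONE_NO_WILDCARD = {"example.test": [(0, "issue", "letsencrypt.org"),
                                     (0, "issuewild", ";")]}

if __name__ == "__main__":
    for label, zone in [("other CA only", ZONE_OTHER_CA), ("LE listed", ZONE_LE),
                        ("records removed", ZONE_REMOVED)]:
        print(label, "->", caa_allows("www.example.test", "letsencrypt.org", zone))
```

To inspect the live records, query the domain's authoritative nameservers directly, since those are what the CA consults.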
The CAA records have just been removed. It's still failing to acquire a certificate with certsage.php.
Is it that it takes some time for the DNS record to properly update, maybe a few hours or a day, and after that we can acquire the certificate with certsage.php, correct?
You only have to wait for the authoritative DNS servers to sync, which they already have, as you can see at https://unboundtest.com. Let's Encrypt queries them directly and does not have to wait for TTL propagation.
I'm the author of CertSage. Sorry for not responding sooner. My day job has had me busy. I see that you've been receiving the excellent support here though for which this great community is renowned. There's no need to remove certsage.php since its usage is protected by password. In 60 days, when it's time to consider renewal of your certificate, just browse to certsage.php again and follow the steps again to renew your certificate.
Update: I'm just realizing that you're using CertSage version 1.2, which doesn't use a password. For security, please replace your certsage.php with version 1.4.1.
I've updated the certsage.php from v1.2 to v1.4.1.
I checked the expiration date of multiple certs for multiple sites. The expiration dates remain the same as the previous expiration date. Is this correct?
If so, is there any way to update the installation/expiration date so that we can make all of the certs have the same expiration date?
For renewal of the cert, do we have to renew after the expiration date?
Did you push the "cPanel installation button"? If you don't have cPanel and/or the installation button doesn't work, you need to re-install the certificate manually into your webserver. Renewing is a two-step process: getting a (re)new(ed) certificate and making sure the webserver actually uses this new cert. Often this is an automatic process. But sometimes it's not.
Let's Encrypt recommends renewing after 2/3rds of the lifetime of the certificate. In the case of Let's Encrypt, that's after 60 days out of the 90-day lifetime of the cert.
So yes and no: yes, you need to renew the cert yourself (as you're using a manual process) and no, you shouldn't renew after the expiration date, but before.