Failed to renew certificates for domains that can issue certificates

We find the certificates of some of our large customers don't get refreshed.

These customers have relatively famous domain names, like "zjaasd.zappos.com". We know in some cases Let's Encrypt will refuse to sign certificates for some famous websites, like google.com or AWS EC2 domain names.

We are wondering whether what we are hitting is the same case. However, we could use Let's Encrypt to sign certificates for these websites initially, but renewing the certificates failed.

My domain is:
For example: zjaasd.zappos.com

We are using cert-manager (cert-manager Documentation) ACME to manage the certificate renewal.

My web server is (include version):

The webserver is running on microk8s on an Ubuntu 20.04.5 LTS (Focal Fossa) EC2 node.

We are using ingress-nginx controller as the ingress controller and using cert-manager for renewing certificates.

My hosting provider, if applicable, is:

AWS EC2

I can login to a root shell on my machine (yes or no, or I don't know):

Since the machine is from a client, we don't have access to the machine.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

If it's due to the specific blocking that you're talking about, the error message would say something like "blocked by policy". I don't see in your post what error you're getting when you try. I'm not familiar with your ACME client, and I know some of them make actually showing you the error much more complicated than it should be, but hopefully somewhere there's a log that tells you the actual response from Let's Encrypt, which might help shed light on what problem you're running into.

3 Likes

This ^^^.

The exact error presented by the ACME server is paramount here.

3 Likes

If you are using the HTTP Challenge you need to keep port 80 open. Right now that zjaasd subdomain only has port 443 open (not 80).

Agree with previous posts, though: the specific error is always helpful.

4 Likes

Thanks for the information! Could I ask how we should check if port 80 is open for a specific domain?

1 Like

Lots of ways. Here are two commands

curl http://(domain)
nmap -p80 -Pn (domain)

Or, try using https://letsdebug.net; it will tell you if it is open or not.

4 Likes
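A scripted form of the same check, as an added example that is not part of the thread and not taken from curl, nmap or letsdebug.net: it attempts a plain TCP connection to ports 80 and 443 of each hostname with a short timeout and reports which of the two situations described above applies. The `diagnose` wording and the `start_local_listener` helper (present only so the check can be exercised offline) are assumptions of this example; the hostname in the usage block is the one from the question.

```python
import socket
from typing import Dict, Tuple

# HTTP-01 validation starts with a connection to port 80; the CA follows
# redirects to 443 afterwards, but the first connection must succeed on 80.
HTTP01_PORT = 80
TLS_PORT = 443


def port_is_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    Only the TCP handshake is tested; no HTTP request is sent. A closed port,
    a firewall that silently drops packets (timeout) and an unresolvable name
    all return False.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http01_reachability(host: str, timeout: float = 3.0) -> Dict[int, bool]:
    """Check the two ports relevant to an HTTP-01 renewal for one hostname."""
    return {p: port_is_open(host, p, timeout) for p in (HTTP01_PORT, TLS_PORT)}


def diagnose(result: Dict[int, bool]) -> str:
    """Map the port results onto the situations discussed in the thread."""
    if result[HTTP01_PORT]:
        return "port 80 reachable: HTTP-01 can be attempted"
    if result[TLS_PORT]:
        return ("only port 443 reachable: HTTP-01 will fail, open port 80 "
                "on the firewall/security group or use a DNS-01 solver")
    return "neither port reachable: check DNS, firewall and security group"


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on an ephemeral localhost port (offline testing only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hostname from the question; replace with the domains whose renewal fails.
    for name in ("zjaasd.zappos.com",):
        res = http01_reachability(name)
        print(name, res, "->", diagnose(res))
```

Note that a True result only proves the TCP port is reachable from where the script runs; the ingress must also route `/.well-known/acme-challenge/` for the hostname to the cert-manager solver pod, which letsdebug.net checks and this script does not.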

Hi,
I am a colleague of horis233. I am wondering if you can help find when the following domains attempted to renew certificates:

The reason is that these domains are affected by another issue. I want to figure out if there is any relation between these issues.

Thanks

1 Like

crt.sh | capi.thedodo.com
crt.sh | capi.thrillist.com
Both renewed on 2022-09-25

[which means they've missed their normally scheduled 60 day renewal period]

3 Likes
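The "60 day renewal period" remark above can be turned into a check against the crt.sh issuance history, as an added example that is not part of the thread: given the notBefore dates read off crt.sh for one hostname, it computes the gap between consecutive issuances, flags any gap longer than the expected renewal interval, and reports when the current certificate is due for renewal and when it expires. The 90-day lifetime is Let's Encrypt's; treating renewal as due at day 60 follows the post above. The date list is constructed for illustration, with a final issuance on 2022-09-25 as in the reply.

```python
from datetime import date, timedelta
from typing import List, Tuple

LIFETIME_DAYS = 90          # Let's Encrypt certificate lifetime
EXPECTED_RENEWAL_DAYS = 60  # renewal normally happens around day 60 (see thread)

# Constructed crt.sh-style notBefore dates for one hostname (not real data).
SAMPLE_ISSUANCE_DATES = [
    "2022-03-15",
    "2022-05-14",
    "2022-07-13",
    "2022-09-25",
]

Gap = Tuple[date, date, int]  # (earlier issuance, later issuance, days between)


def parse_dates(lines: List[str]) -> List[date]:
    """Parse ISO dates as copied from the crt.sh 'Not Before' column, sorted."""
    return sorted(date.fromisoformat(s.strip()) for s in lines if s.strip())


def renewal_gaps(issued: List[date]) -> List[Gap]:
    """Days between each consecutive pair of issuances."""
    issued = sorted(issued)
    return [(a, b, (b - a).days) for a, b in zip(issued, issued[1:])]


def missed_renewals(issued: List[date], slack_days: int = 5) -> List[Gap]:
    """Gaps noticeably longer than the normal renewal interval: something blocked renewal."""
    limit = EXPECTED_RENEWAL_DAYS + slack_days
    return [g for g in renewal_gaps(issued) if g[2] > limit]


def lapsed_coverage(issued: List[date]) -> List[Gap]:
    """Gaps longer than the lifetime: the site served an expired certificate for a while."""
    return [g for g in renewal_gaps(issued) if g[2] > LIFETIME_DAYS]


def next_due(last_issued: date, today: date) -> Tuple[date, date, int]:
    """Expected renewal date, expiry date and days of validity left as of today."""
    due = last_issued + timedelta(days=EXPECTED_RENEWAL_DAYS)
    expiry = last_issued + timedelta(days=LIFETIME_DAYS)
    return due, expiry, (expiry - today).days


if __name__ == "__main__":
    issued = parse_dates(SAMPLE_ISSUANCE_DATES)
    for a, b, days in renewal_gaps(issued):
        print(f"{a} -> {b}: {days} days")
    for a, b, days in missed_renewals(issued):
        print(f"renewal overdue between {a} and {b} ({days} days)")
    print("coverage lapses:", lapsed_coverage(issued))
    print("due / expiry / days left:", next_due(issued[-1], date.today()))
```

Running this over the real crt.sh history of a hostname shows whether an overdue renewal is a one-off (one long gap) or recurring, and whether the site ever reached the point of serving an expired certificate, which is the difference between a failing renewal and an outage.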

I'm sincerely curious: you're asking for help, but the only information you're providing is that the domains are "affected by another issue". How do you expect us to advise you with so little information? Note that this is a community of mostly volunteers. We cannot check Let's Encrypt log files or anything. We rely on the information provided by the people seeking help.

6 Likes

Thank you.

2 Likes

Let me explain a little bit more on 'another issue'. We are using microk8s inside EC2 instances. We don't enable the auto renewal of microk8s service certificates. So once the service certificates expire, kubectl cannot talk with the microk8s service. I suspect this may also cause cert-manager not to function properly. However, I don't have direct evidence to prove it.

I believe this question is out of the scope of the Let's Encrypt community. It is more like a question for the cert-manager community. From my personal understanding, it will cause impact, since cert-manager can't create the ACME resolver without the connection to the k8s apiserver.

I feel sorry about keeping bothering you and the community with questions, and I really appreciate the help from the community even if we can only provide tiny information.

We found the issue happened this morning, so we haven't collected much information from our client side. I will keep posting logs and errors from the ACME side if we can get them from our clients. Thanks!

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.