Find my SSL Certificate!

My customer uses SiteLock, and under SiteLock it says they have an SSL certificate issued by Let's Encrypt. That certificate is expiring in August and will need to be renewed. But they have no memory of setting up this SSL before. Can you check on it and see what we will need to do to renew it? It is for cpanel.colletassociates.com. Thanks.

3 Likes

Not really. You get a Let's Encrypt cert by running an ACME Client program to request one. In this case it sounds like cPanel is the program getting the cert.

Normally certs are renewed every 60 days, and this is done automatically. The cert expiring on Aug 19 would be renewed around Jul 20, so not for a couple of weeks.

If that doesn't happen they should talk to whoever hosts their site or set up the cPanel system for them.

See the pattern of renewal about every 60 days?

8 Likes

No, that's not how it works. Let's Encrypt is a fully automated certificate authority using the ACME protocol, which requires an ACME server (in this case Let's Encrypt) and an ACME client, which is run by the website owner/hosting provider.

Let's Encrypt only issues certificates and is not part of the client side of the whole process.

6 Likes

I’m sorry, I really don’t understand. SiteLock says that you will have to be the one to renew the certificate since you were the issuer. I just need to know what I have to do to do that. So are you saying SiteLock has to do this?

1 Like

SiteLock is mistaken. Let's Encrypt only issues certs when a client requests them. Whoever requested that cert initially is who you should talk to (probably the company who provided cPanel to them).

Is SiteLock the hosting company? Or just a security monitoring service? Because if the latter, they are not well versed in Let's Encrypt or ACME certificate issuance.

8 Likes

I'm afraid the employee of SiteLock who said that is not familiar with Let's Encrypt and the ACME protocol used by Let's Encrypt.

3 Likes

So HOW do I renew it?

1 Like

You'd need to use the ACME client which originally issued the certificate to begin with.

If you don't know the ACME client used for that, the first step would be to identify which ACME client was used to begin with. As Mike already alluded to, looking at the cpanel part of the hostname, there's a good chance the cPanel control panel used to manage your website was used, as often cPanel has a built-in ACME client.

Also:

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

6 Likes

AutoSSL is likely your ACME client in cPanel.

6 Likes

I think you missed this up-topic--the cert isn't due for renewal yet. Certificates from Let's Encrypt are valid for 90 days, and most clients request a new one (or "renew") after about 60 days. You shouldn't need to do anything yourself to renew it, and it's premature to renew it now.

Or, put more simply: chill out.

5 Likes

It has not been renewing itself for months now. Or it's renewing but not reinstalling. It's been expiring and then I have to go in and fix it. I'm trying to get on top of this so it just keeps working. Then I can chill out.

2 Likes

It hasn't been expiring. The pic I posted earlier shows a new cert being issued about a month before the prior expires.

It's possible something goes wrong and the new cert is not used by your server. But, that's really more something you should be doing. If you can explain more about what your system actually is one of us may try to help anyway.

And, I'm now puzzled what the real story is so maybe you want to explain it again?

Because your first post said "your customer" had no memory of setting up SSL at all and now you say you are doing something manually regularly.

6 Likes

I apologize if I have not been clear. I am a network administrator so I am very familiar with SSL certificates, but I am not a website developer and am not an expert in Bluehost or CPanel. I took over this customer, who already had a website hosted with Bluehost and also uses Sitelock for security. Several months ago the SSL certificate stopped working on the website. It was showing expired on the website. I spoke to Bluehost, who told me that it was a Sitelock issue. I called Sitelock who told me it was a Bluehost issue, but somehow was able to update the certificate. At no time was I able to find out where to find the certificate so I could install it myself. So yes, the certificate had been renewed apparently, but had not been installed/activated for the website’s use. Then three months later (a couple weeks ago) the same thing happened. The website was no longer secured, and on the website the certificate showed as expired. Again I got stuck in a loop between Bluehost and Sitelock telling me to call the other. Finally the Bluehost tech got me the certificate so I installed it through Sitelock and everything was fine. I still don’t know where to find the certificate myself. At no time did either Bluehost or CPanel suggest I talk to Let’s Encrypt until I called Bluehost a couple days ago trying to sort this out. And now the current one expires in August and this time I want to find out ahead of time exactly what I should be doing. If I need to do this manually I just need to know where to find the renewed certificate so I can install it. Or if this is supposed to happen automatically I need to know who to talk to in order to find out why it isn’t. I am trying to be proactive and find out what to do before the expiration date of the currently installed certificate. I hope this helps explain it, and please forgive my lack of knowledge of some parts of this.

3 Likes

Let me add that this just started happening this spring. I don’t know what changed, but the certificate had been fine on the website for at least a year, maybe several years, before that. Also, what I meant about the customer is that they had set up Bluehost and had set up Sitelock, but had never heard of Let’s Encrypt and did not remember doing anything themselves to add that SSL certificate. I assume it was part of the setup of Sitelock, and they never specifically dealt with the SSL certificate.

2 Likes

That is very helpful thank you. You deserve a thoughtful, cogent reply but I am just about to sign off for the night. I plan to reply tomorrow unless someone else has been able to sort this with you. Best wishes and hopefully did not come across as too terse.

5 Likes

If SiteLock is employed as a hosted WAF proxy between your visitors and your webserver, it is possible that it is interfering with the automated certificate issuance. It can happen with Cloudflare and Let's Encrypt HTTP-01 challenges if Cloudflare is not configured in a compatible manner.

You might get an idea about such interference using Lets Debug.

5 Likes

I looked at each of the domains in your cert shown in post #2. It looks like only your root and www domain are handled by SiteLock as the responses for the others clearly indicate an Apache server whereas these two (root, www) have no server indication in the response headers. This often means a firewall or similar service in front of the actual web server.

The Bluehost tech should be able to explain where the files are. There will be a file for the cert and one for the private key. The cert probably includes the intermediate chain but if not you'll get a 3rd file for that. The private key only exists on the machine that requested the cert. Let's Encrypt does not create a private key and never sees it. Even if LE wanted to they could not provide the full set of cert files to you.

The cert renewal could and should happen automatically. And, I am confident this is done at Bluehost (not SiteLock). You need to find out from them how the cert gets renewed (manual or auto) and where the resulting files are.

But, updating SiteLock with the cert files from Bluehost will be a manual effort unless they offer an automated way to update the cert they use. I am assuming you are using their WAF service (link here). I did not study the docs to see if they offer an API to update the WAF cert.

It may be possible for SiteLock to automatically acquire a cert directly from Let's Encrypt (or a different CA). But, I don't know enough about SiteLock or the actual service you have with them. Just know it is technically possible for multiple services to each acquire a cert for the same domain names.

Instead of waiting for expiration notices to appear you could use a site like below to view your active cert. There are even automated monitoring tools to check this. Use this site a few weeks before your next cert expiry to ensure it got updated correctly.

5 Likes
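The post above recommends checking the cert the server actually presents a few weeks before each expected renewal, and an earlier reply gives the timeline (90-day cert, client renews at about 60 days, so the Aug 19 cert should be replaced around Jul 20). The script below is an added example and is not code from the thread, Let's Encrypt, cPanel or SiteLock. It fetches the served leaf certificate with Python's standard `ssl` module, places it on that timeline, and reports which of the seven hostnames from the cert in the thread are not covered. `SAMPLE_CERT` is constructed in `getpeercert()` format (dates and names chosen to match the thread, `www` deliberately left out), and the 7-day "overdue" grace period is an assumption.

```python
"""Check the certificate a host actually serves: where it sits in the
90-day / renew-at-60-days timeline, and whether it still covers every
hostname the cPanel-issued cert is expected to cover.

Added example; not code from the thread, Let's Encrypt, cPanel or SiteLock.
SAMPLE_CERT is constructed; OVERDUE_GRACE is an assumption.
"""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Hostnames listed in the thread as covered by the one cPanel-issued cert.
EXPECTED_NAMES = [
    "colletassociates.com",
    "cpanel.colletassociates.com",
    "cpcalendars.colletassociates.com",
    "cpcontacts.colletassociates.com",
    "webdisk.colletassociates.com",
    "webmail.colletassociates.com",
    "www.colletassociates.com",
]

# Assumption: how far past the usual renewal point counts as "late".
OVERDUE_GRACE = timedelta(days=7)


def fetch_served_cert(host, port=443, timeout=10):
    """Return the leaf cert the server presents for `host` (network access),
    in the dict form produced by ssl.SSLSocket.getpeercert()."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_validity(cert):
    """Parse notBefore/notAfter ("May 21 00:00:00 2023 GMT") into UTC datetimes."""
    nb = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    na = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return nb, na


def renewal_status(not_before, not_after, now):
    """Classify where `now` falls in the cert's lifetime.

    Clients renew two thirds of the way through the lifetime, i.e. 30 days
    before expiry for a 90-day cert. Status is one of ok, due, overdue, expired.
    """
    lifetime = not_after - not_before
    renew_on = not_before + (lifetime * 2) // 3  # exact integer arithmetic on timedelta
    if now >= not_after:
        status = "expired"
    elif now >= renew_on + OVERDUE_GRACE:
        # The ACME client should have renewed by now: either it failed, or the
        # server (or a WAF in front of it) is still presenting the old cert.
        status = "overdue"
    elif now >= renew_on:
        status = "due"
    else:
        status = "ok"
    return {
        "lifetime_days": lifetime.days,
        "renew_on": renew_on.date().isoformat(),
        "days_left": (not_after - now).days,
        "status": status,
    }


def san_names(cert):
    """DNS names in the cert's subjectAltName extension, sorted."""
    return sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")


def missing_names(cert, expected=EXPECTED_NAMES):
    """Expected hostnames the served cert does not cover."""
    return sorted(set(expected) - set(san_names(cert)))


# Constructed sample in getpeercert() format: a 90-day cert expiring Aug 19
# (renewal expected around Jul 20) that does not cover www.
SAMPLE_CERT = {
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "May 21 00:00:00 2023 GMT",
    "notAfter": "Aug 19 00:00:00 2023 GMT",
    "subjectAltName": tuple(("DNS", n) for n in EXPECTED_NAMES[:-1]),
}


def report(cert, as_of=None):
    """Summarise one cert as of `as_of` ("YYYY-MM-DD", default: now, UTC)."""
    if as_of is None:
        now = datetime.now(timezone.utc)
    else:
        now = datetime.strptime(as_of, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    nb, na = cert_validity(cert)
    summary = renewal_status(nb, na, now)
    summary["missing"] = missing_names(cert)
    return summary


if __name__ == "__main__":
    import sys
    # Usage: python check_cert.py cpanel.colletassociates.com   (no host: use the sample)
    cert = fetch_served_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    print(report(cert))
```

Run it against each hostname in turn: the thread notes that the root and `www` names answer from SiteLock's proxy while the cPanel names answer from the Bluehost Apache server, so the cert presented for `www` can differ from the one AutoSSL just renewed. A status of `overdue` for a name that is fronted by the WAF, while the cPanel names report `ok`, is exactly the "renewed but not reinstalled" symptom described above.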

Please check the cPanel GUI for AutoSSL. There is a strong chance you'll find AutoSSL is managing the renewal of this certificate (and failing to correctly renew due to the WAF reasons mentioned by others). Knowing WHAT (meaning ACME client) is acquiring the certificate would be extremely helpful here. Whoever used said ACME client clearly has the means (i.e. access) to pass either an HTTP-01 or DNS-01 challenge. I see the remains of a DNS-01 challenge for colletassociates.com, but none for any subdomains thereof. Based on this, I would normally expect to see an apex and wildcard (A&W) cert to have been issued, but based on @MikeMcQ's screenshot of the issued certs, it's possible these remains could be very old or the corresponding remains could have been cleaned up.

See TXT records for _acme-challenge.colletassociates.com versus _acme-challenge.www.colletassociates.com

https://toolbox.googleapps.com/apps/dig/#TXT/

7 Likes

Currently you are acquiring one cert that covers all of

DNS Name: colletassociates.com
DNS Name: cpanel.colletassociates.com
DNS Name: cpcalendars.colletassociates.com
DNS Name: cpcontacts.colletassociates.com
DNS Name: webdisk.colletassociates.com
DNS Name: webmail.colletassociates.com
DNS Name: www.colletassociates.com

These all point to the same IP address, which is a bluehost.com server

I would guess that cpanel is managing these certs for you - you don't seem to have answered the questions regarding AutoSSL? Can you not login to the site to check that?

SiteLock appears to be a monitoring system and are otherwise absolutely nothing to do with your website and have no responsibility for your certificate.

At the end of the day, you are the network administrator, you control your network. You can delegate services to others but there is nothing that's out of your hands. The root of this problem seems not to be that something is magically renewing your cert or is about to expire etc., it's just that you don't know how to use cPanel to check?

I'd recommend hiring a freelance web administrator if you're not comfortable managing web servers as your website is likely a business critical function. While many people do just wing it (most website administrators are not trained in any way) it's worthwhile treating it seriously and using people who have specific skills related to web server administration, just like you would with mail services etc.

3 Likes

Hmmm. Not these two. And, server responses vary amongst domains
https://unboundtest.com/m/A/colletassociates.com/XGF6EJMR

https://unboundtest.com/m/A/cpanel.colletassociates.com/JTYHUFX2

8 Likes