Hi. I received an expiration notice for some of my domains (I have a dozen of them and got notices for 6 of them). They are now going to expire in 5 days. The email warns me that I should renew them before they expire, but I’m not sure how to do that. I was under the impression (perhaps mistaken) that they were going to automatically renew 30 days before the expiration date. Can someone help me figure out what, if anything, I did wrong and how I can set this up so that I don’t have to do anything every 90 days and they will still renew?
P.S. I did read the entire email, as well as the links in the solution above, but I’m afraid that it is over my head. I don’t really understand it, and I’m not sure of how much of that is the same as my setup. If I remember correctly, I think I installed certbot which was supposed to automatically renew the certification.
I think a new thread will be easier to manage for this case since the symptom is the same as the other thread but the root cause may be different. I went ahead and split your post off so we can continue here.
The best way to get started with this is for you to share a little bit more information about your current setup. Can you answer the new Help topic template questions for the community?
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I received an email telling me my domains will expire in 5 days and I don’t know what command to run.
My web server is (include version):
Apache
The operating system my web server runs on is (include version):
Linux
My hosting provider, if applicable, is:
Godaddy hosting
I cannot login to a root shell on GoDaddy’s server as I use shared hosting.
I’m using a control panel to manage my site. Cpanel
The version of my client is acme.sh VER=2.8.2
I now remember that I couldn’t use Certbot because of the lack of sudo rights, so I switched to acme.sh
You all helped me step by step through getting all of my websites certified so that SSL was running on them, but I do not remember all the steps and didn’t fully understand all that I was doing.
I did find the acme.sh folder on my web server, and I have putty installed so I can run commands, but I really don’t remember much of what I did before.
Any help that you can give would be much appreciated.
Main_Domain KeyLength SAN_Domains
asklepiosresearch.org "" www.asklepiosresearch.org,asklepiosresearch.com,www.asklepiosresearch.com Tue Jul 23 12:24:31 UTC 2019 Sat Sep 21 12:24:31 UTC 2019
mail.worldhealingday.com "" whd.hplconsortium.com,worldhealingday.com,www.whd.hplconsortium.com,www.worldhealingday.com
newchurchofhope.org "" www.newchurchofhope.org,newchurchofhope.com,www.newchurchofhope.com Tue Jul 23 16:23:02 UTC 2019 Sat Sep 21 16:23:02 UTC 2019
opfl.org "" www.opfl.org Sat Sep 21 07:07:35 UTC 2019 Wed Nov 20 07:07:35 UTC 2019
pagodawriters.com "" www.pagodawriters.com Tue Jul 23 15:56:24 UTC 2019 Sat Sep 21 15:56:24 UTC 2019
pagodawriters.org "" www.pagodawriters.org
syihtq.org "" no Tue Jul 23 02:17:51 UTC 2019 Sat Sep 21 02:17:51 UTC 2019
taichipark-masterjoutsunghwa.org "" www.taichipark-masterjoutsunghwa.com Sat Sep 21 07:08:03 UTC 2019 Wed Nov 20 07:08:03 UTC 2019
taijiquanenthusiasts.org "" www.taijiquanenthusiasts.org,tjqe.org,www.tjqe.org Tue Jul 23 16:26:30 UTC 2019 Sat Sep 21 16:26:30 UTC 2019
whd.hplconsortium.com "" worldhealingday.com,www.worldhealingday.com
worldhealingday.com "" www.worldhealingday.com
(scroll over to the right to see the dates associated with the domains)
Then the acme.sh --cron responded with:
[Wed Oct 16 16:20:26 MST 2019] ===Starting cron===
[Wed Oct 16 16:20:26 MST 2019] Renew: ‘asklepiosresearch.org’
[Wed Oct 16 16:20:27 MST 2019] Multi domain=‘DNS:asklepiosresearch.org,DNS:www.asklepiosresearch.org,DNS:asklepiosresearch.com,DNS:www.asklepiosresearch.com’
[Wed Oct 16 16:20:27 MST 2019] Getting domain auth token for each domain
I should note that at this point, I had to press Ctrl-C to get it to stop, because it never returned to the putty prompt.
Any help you can give would be most appreciated. I know that cron jobs are automated tasks, but I don’t have a clue as to how to set one up and run it.
Well - the update certainly fixed the hanging. When I ran the cron command,
here’s what I got. I’ll do the debug if you think it will help, but you may be able to figure out if it is working from this. It looks like there are some invalid responses, but I don’t know if that’s a serious error or just one of those temporary situations.
[Wed Oct 16 17:43:41 MST 2019] ===Starting cron===
[Wed Oct 16 17:43:41 MST 2019] Renew: ‘asklepiosresearch.org’
[Wed Oct 16 17:43:42 MST 2019] Multi domain=‘DNS:asklepiosresearch.org,DNS:www.asklepiosresearch.org,DNS:asklepiosresearch.com,DNS:www.asklepiosresearch.com’
[Wed Oct 16 17:43:42 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 17:43:44 MST 2019] Getting webroot for domain=‘asklepiosresearch.org’
[Wed Oct 16 17:43:44 MST 2019] Getting webroot for domain=‘www.asklepiosresearch.org’
[Wed Oct 16 17:43:44 MST 2019] Getting webroot for domain=‘asklepiosresearch.com’
[Wed Oct 16 17:43:44 MST 2019] Getting webroot for domain=‘www.asklepiosresearch.com’
[Wed Oct 16 17:43:44 MST 2019] Verifying: asklepiosresearch.org
[Wed Oct 16 17:43:47 MST 2019] asklepiosresearch.org:Verify error:Invalid response from https://asklepiosresearch.org/ [23.229.140.154]:
[Wed Oct 16 17:43:47 MST 2019] Please add ‘--debug’ or ‘--log’ to check more details.
[Wed Oct 16 17:43:47 MST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Oct 16 17:43:48 MST 2019] Error renew asklepiosresearch.org.
[Wed Oct 16 17:43:48 MST 2019] Renew: ‘mail.worldhealingday.com’
[Wed Oct 16 17:43:48 MST 2019] Skip invalid cert for: mail.worldhealingday.com
[Wed Oct 16 17:43:48 MST 2019] Skipped mail.worldhealingday.com
[Wed Oct 16 17:43:48 MST 2019] Renew: ‘newchurchofhope.org’
[Wed Oct 16 17:43:49 MST 2019] Multi domain=‘DNS:newchurchofhope.org,DNS:www.newchurchofhope.org,DNS:newchurchofhope.com,DNS:www.newchurchofhope.com’
[Wed Oct 16 17:43:49 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 17:43:51 MST 2019] Getting webroot for domain=‘newchurchofhope.org’
[Wed Oct 16 17:43:51 MST 2019] Getting webroot for domain=‘www.newchurchofhope.org’
[Wed Oct 16 17:43:51 MST 2019] Getting webroot for domain=‘newchurchofhope.com’
[Wed Oct 16 17:43:51 MST 2019] Getting webroot for domain=‘www.newchurchofhope.com’
[Wed Oct 16 17:43:51 MST 2019] Verifying: newchurchofhope.org
[Wed Oct 16 17:43:54 MST 2019] newchurchofhope.org:Verify error:Invalid response from https://newchurchofhope.org/ [23.229.140.154]:
[Wed Oct 16 17:43:54 MST 2019] Please add ‘--debug’ or ‘--log’ to check more details.
[Wed Oct 16 17:43:54 MST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Oct 16 17:43:55 MST 2019] Error renew newchurchofhope.org.
[Wed Oct 16 17:43:55 MST 2019] Renew: ‘opfl.org’
[Wed Oct 16 17:43:55 MST 2019] Skip, Next renewal time is: Wed Nov 20 07:07:35 UTC 2019
[Wed Oct 16 17:43:55 MST 2019] Add ‘--force’ to force to renew.
[Wed Oct 16 17:43:55 MST 2019] Skipped opfl.org
[Wed Oct 16 17:43:55 MST 2019] Renew: ‘pagodawriters.com’
[Wed Oct 16 17:43:55 MST 2019] Multi domain=‘DNS:pagodawriters.com,DNS:www.pagodawriters.com’
[Wed Oct 16 17:43:56 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 17:43:57 MST 2019] Getting webroot for domain=‘pagodawriters.com’
[Wed Oct 16 17:43:57 MST 2019] Getting webroot for domain=‘www.pagodawriters.com’
[Wed Oct 16 17:43:57 MST 2019] Verifying: pagodawriters.com
[Wed Oct 16 17:44:00 MST 2019] pagodawriters.com:Verify error:Invalid response from https://pagodawriters.com/ [23.229.140.154]:
[Wed Oct 16 17:44:00 MST 2019] Please add ‘--debug’ or ‘--log’ to check more details.
[Wed Oct 16 17:44:00 MST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Oct 16 17:44:00 MST 2019] Error renew pagodawriters.com.
[Wed Oct 16 17:44:00 MST 2019] Renew: ‘pagodawriters.org’
[Wed Oct 16 17:44:00 MST 2019] Skip invalid cert for: pagodawriters.org
[Wed Oct 16 17:44:00 MST 2019] Skipped pagodawriters.org
[Wed Oct 16 17:44:00 MST 2019] Renew: ‘syihtq.org’
[Wed Oct 16 17:44:01 MST 2019] Single domain=‘syihtq.org’
[Wed Oct 16 17:44:01 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 17:44:02 MST 2019] Getting webroot for domain=‘syihtq.org’
[Wed Oct 16 17:44:02 MST 2019] Verifying: syihtq.org
[Wed Oct 16 17:44:05 MST 2019] Pending
[Wed Oct 16 17:44:07 MST 2019] Pending
[Wed Oct 16 17:44:10 MST 2019] Pending
[Wed Oct 16 17:44:12 MST 2019] Pending
[Wed Oct 16 17:44:15 MST 2019] syihtq.org:Verify error:Fetching http://syihtq.org/.well-known/acme-challenge/dlnsxaasoyCpTJZYPp0nQ1Q6h18w_NvJL2CwRcy5fUo: Timeout during connect (likely firewall problem)
[Wed Oct 16 17:44:15 MST 2019] Please add ‘--debug’ or ‘--log’ to check more details.
[Wed Oct 16 17:44:15 MST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Oct 16 17:44:15 MST 2019] Error renew syihtq.org.
[Wed Oct 16 17:44:15 MST 2019] Renew: ‘taichipark-masterjoutsunghwa.org’
[Wed Oct 16 17:44:15 MST 2019] Skip, Next renewal time is: Wed Nov 20 07:08:03 UTC 2019
[Wed Oct 16 17:44:15 MST 2019] Add ‘--force’ to force to renew.
[Wed Oct 16 17:44:15 MST 2019] Skipped taichipark-masterjoutsunghwa.org
[Wed Oct 16 17:44:15 MST 2019] Renew: ‘taijiquanenthusiasts.org’
[Wed Oct 16 17:44:16 MST 2019] Multi domain=‘DNS:taijiquanenthusiasts.org,DNS:www.taijiquanenthusiasts.org,DNS:tjqe.org,DNS:www.tjqe.org’
[Wed Oct 16 17:44:16 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 17:44:21 MST 2019] Getting webroot for domain=‘taijiquanenthusiasts.org’
[Wed Oct 16 17:44:21 MST 2019] Getting webroot for domain=‘www.taijiquanenthusiasts.org’
[Wed Oct 16 17:44:21 MST 2019] Getting webroot for domain=‘tjqe.org’
[Wed Oct 16 17:44:21 MST 2019] Getting webroot for domain=‘www.tjqe.org’
[Wed Oct 16 17:44:21 MST 2019] Verifying: taijiquanenthusiasts.org
[Wed Oct 16 17:44:24 MST 2019] Pending
[Wed Oct 16 17:44:27 MST 2019] Pending
[Wed Oct 16 17:44:30 MST 2019] Pending
[Wed Oct 16 17:44:32 MST 2019] Pending
[Wed Oct 16 17:44:34 MST 2019] taijiquanenthusiasts.org:Verify error:Fetching http://taijiquanenthusiasts.org/.well-known/acme-challenge/tRh5HIIO1YEGKMDxjl6twZqBiBZdyDbTxHW1BxIFkW4: Timeout during connect (likely firewall problem)
[Wed Oct 16 17:44:34 MST 2019] Please add ‘--debug’ or ‘--log’ to check more details.
[Wed Oct 16 17:44:34 MST 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed Oct 16 17:44:36 MST 2019] Error renew taijiquanenthusiasts.org.
[Wed Oct 16 17:44:36 MST 2019] Renew: ‘whd.hplconsortium.com’
[Wed Oct 16 17:44:36 MST 2019] Skip invalid cert for: whd.hplconsortium.com
[Wed Oct 16 17:44:36 MST 2019] Skipped whd.hplconsortium.com
[Wed Oct 16 17:44:36 MST 2019] Renew: ‘worldhealingday.com’
[Wed Oct 16 17:44:36 MST 2019] Skip invalid cert for: worldhealingday.com
[Wed Oct 16 17:44:36 MST 2019] Skipped worldhealingday.com
[Wed Oct 16 17:44:36 MST 2019] ===End cron===
Again, I greatly appreciate all your help with this.
CJ
There’s one thing to be fixed, but I don’t think it’s going to be super complicated.
Do you remember when you added HTTP to HTTPS redirects to your domains? There’s a problem with the way you’ve set that up, that interferes with the renewal process.
Currently, when somebody visits http://asklepiosresearch.org/.well-known/acme-challenge/test , they get redirected to https://asklepiosresearch.org/ .
This is a problem because the .well-known/acme-challenge/test is getting chopped off in the redirected URL. That’s the bit that breaks renewal.
If you look in the .htaccess file where you added the redirect, you will probably find something like (it’s not going to match exactly):
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://asklepiosresearch.org/ [L,R=301]
What you really want to do, in order not to break renewals, is something like:
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
If that doesn’t make sense - try posting the .htaccess file you are using for that domain, and we can work through a solution for it.
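The redirect problem described in the post above, as an added example that is not part of the original thread: a small shell check that compares the path of a challenge URL with the path of its redirect target. The function names and the `example.org` sample values are assumptions made for the illustration; `check_domain` needs `curl` and network access and is only defined here, not called.

```shell
#!/bin/sh
# Added example: does an HTTP->HTTPS redirect keep the
# /.well-known/acme-challenge/ path that HTTP-01 validation requests?

# url_path URL -> prints the path component ("/" if there is none)
url_path() {
    rest=${1#*://}                      # strip the scheme
    case $rest in
        */*) printf '/%s\n' "${rest#*/}" ;;
        *)   printf '/\n' ;;
    esac
}

# redirect_keeps_path REQUEST_URL LOCATION
# Succeeds when the redirect target has the same path as the request.
redirect_keeps_path() {
    [ "$(url_path "$1")" = "$(url_path "$2")" ]
}

# check_domain DOMAIN: live check of one domain (hypothetical helper).
check_domain() {
    req="http://$1/.well-known/acme-challenge/test"
    loc=$(curl -sI --max-time 10 "$req" | tr -d '\r' |
          awk 'tolower($1) == "location:" { print $2; exit }')
    if [ -z "$loc" ]; then
        echo "$1: no redirect, challenge path is served over HTTP"
    elif redirect_keeps_path "$req" "$loc"; then
        echo "$1: OK, redirect keeps the challenge path -> $loc"
    else
        echo "$1: BROKEN, redirect drops the challenge path -> $loc"
        return 1
    fi
}

# Constructed samples matching the two RewriteRule forms quoted above.
REQ='http://example.org/.well-known/acme-challenge/test'
BAD='https://example.org/'                                  # fixed-target rule
GOOD='https://example.org/.well-known/acme-challenge/test'  # %{REQUEST_URI} rule
redirect_keeps_path "$REQ" "$BAD"  || echo "fixed-target rule: path lost"
redirect_keeps_path "$REQ" "$GOOD" && echo "REQUEST_URI rule: path kept"
```

Running `check_domain` once per domain after editing `.htaccess` shows whether the redirect is safe before the next renewal attempt.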
Somebody must have helped me with it, because I don't really recognize much except the addhandler which allows the system to parse the html files as if they were php. (Yes, I know that's not optimum, and I'm working to change that, but for now I have to keep it).
I figure RewriteRule and RewriteCond are the commands, and then they have some arguments which includes the domain. But I haven't a clue why %{SERVER_PORT) 80 is repeated so many times. That might just be an error. And of course I don't know what [NC] and [R,L] stand for, or the difference between ^(.*)$ and just .*
So please, any help you can give would be greatly appreciated.
Aha! That makes so much sense. Thanks for taking the time to explain it. I was not recognizing the pattern, but now that you’ve pointed it out, it makes perfect sense.
Well, it appears to have worked for the first domain, asklepiosresearch.org. But all the rest failed, so I must have done something wrong. Here's the .htaccess file now:
Here is what I got when I reran the acme.sh --cron
[Wed Oct 16 18:34:27 MST 2019] ===Starting cron===
{many lines were deleted in edit for ease of reading in the future. Only the last few lines are left for troubleshooting purposes}
[Wed Oct 16 18:35:42 MST 2019] Renew: 'taijiquanenthusiasts.org'
[Wed Oct 16 18:35:42 MST 2019] Multi domain='DNS:taijiquanenthusiasts.org,DNS:www.taijiquanenthusiasts.org,DNS:tjqe.org,DNS:www.tjqe.org'
[Wed Oct 16 18:35:43 MST 2019] Getting domain auth token for each domain
[Wed Oct 16 18:35:45 MST 2019] Getting webroot for domain='taijiquanenthusiasts.org'
[Wed Oct 16 18:35:45 MST 2019] Getting webroot for domain='www.taijiquanenthusiasts.org'
[Wed Oct 16 18:35:45 MST 2019] Getting webroot for domain='tjqe.org'
[Wed Oct 16 18:35:45 MST 2019] Getting webroot for domain='www.tjqe.org'
[Wed Oct 16 18:35:45 MST 2019] Verifying: taijiquanenthusiasts.org
[Wed Oct 16 18:35:48 MST 2019] Pending
[Wed Oct 16 18:35:50 MST 2019] Pending
[Wed Oct 16 18:35:52 MST 2019] Pending
[Wed Oct 16 18:35:55 MST 2019] Pending
[Wed Oct 16 18:35:57 MST 2019] taijiquanenthusiasts.org:Verify error:Fetching http://taijiquanenthusiasts.org/.well-known/acme-challenge/ZlBCPq2h9ivJYVRZKmIo1ZBqBMVeYEBQdJ4bNnhv95I: Timeout during connect (likely firewall problem)
[Wed Oct 16 18:35:58 MST 2019] ===End cron===
Again, any help you can give would be most appreciated.
CJ
Ostensibly they mean that your website is not responding to requests. But this is clearly untrue - your websites work fine.
The second possibility that comes to mind is that GoDaddy is rate limiting connections from Let’s Encrypt, or possibly rate limiting connections to your cPanel account.
One way to try to prove this could be to try renewing the certificates individually, spaced apart in time, so that there is a lower likelihood that rate limiting takes place. For example:
acme.sh --renew -d newchurchofhope.org
As for how rate limiting of connections potentially affects your automatic renewals - it should probably be fine, because acme.sh will retry every day. The first certificate renewed should succeed, and next time the second one would get its turn, and so on and so forth.
I think you may be right. I ran the acme.sh cron again, and two other domains worked, and then the rest got that “may be a firewall” error again.
I’ll try renewing the ones that still didn’t renew.
Thanks
CJ
I think I got them all. When I ran the list again, the dates are all either November or December.
The question is, however, is this going to be a problem in the future? Does the cron job not work because godaddy is putting some kind of limit on it? Or was this a one-time thing?
I have multiple email addresses on godaddy, and sometimes when I try to download all my email at one time and there is a lot, it times out and I have to wait a few minutes to try again. Will the cron job try again if it fails?
There was a once-off problem, which was when acme.sh was hanging and you had to Ctrl-C it. It was preventing any renewal attempts, but you solved it with acme.sh --upgrade. That should be fixed permanently.
The other problem you will experience on an ongoing basis is the one with the timeout errors. I don’t know why they happen, they are probably the result of some kind of GoDaddy policy.
I don’t think you need to worry about them too much, though.
How I figure that is:
acme.sh runs its cron once per day, no matter what
You have observed that acme.sh can renew 1 or 2 certificates before it begins failing
acme.sh begins renewing certificates 30 days before they expire
Even if acme.sh only makes progress on 1 or 2 certificates per day, by the time 30 days passes, it should have worked through each certificate.
Still, it’s worth keeping an eye on it - and the Let’s Encrypt expiration reminder emails will help with that.
None of this is ideal - but if you’re stuck with GoDaddy, that’s all we can really do.
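For the two pieces of advice in this thread, renewing certificates individually and keeping an eye on the daily cron, here is an added example that is not part of the original posts: it summarises `acme.sh --cron` output and retries only the failed domains with `acme.sh --renew -d`, one at a time. The status labels, the `ACME_SH` hook, the 600-second default pause and the `*.example` sample log are assumptions; only the log line shapes quoted in the thread are recognised, so a domain with no skip or error line is reported as just "attempted".

```shell
#!/bin/sh
# Added example (not from the thread): summarise `acme.sh --cron` output and
# retry only the failed domains, one at a time.

# cron_summary: cron log on stdin -> one "domain status reason" line per domain.
cron_summary() {
    awk '
    { sub(/^\[[^]]*\] /, "") }                 # drop the [timestamp] prefix
    /^Renew: /            { d = $2; gsub(/[^A-Za-z0-9.-]/, "", d); why = "-"
                            order[++n] = d; status[d] = "attempted"; reason[d] = "-" }
    /Verify error:/                         { why = "other" }
    /Verify error:.*Invalid response/       { why = "invalid-response" }
    /Verify error:.*Timeout during connect/ { why = "timeout" }
    /^Skip, Next renewal/ { status[d] = "not-due" }
    /^Skip invalid cert/  { status[d] = "skipped-invalid" }
    /^Error renew /       { status[d] = "failed"; reason[d] = why }
    END { for (i = 1; i <= n; i++) print order[i], status[order[i]], reason[order[i]] }
    '
}

# retry_failed [DELAY]: cron log on stdin; renews each failed domain on its own,
# DELAY seconds apart. ACME_SH is a hook added here so a dry run can stub the command.
retry_failed() {
    delay=${1:-600}
    for dom in $(cron_summary | awk '$2 == "failed" { print $1 }'); do
        ${ACME_SH:-acme.sh} --renew -d "$dom" || echo "still failing: $dom"
        sleep "$delay"
    done
}

# Constructed sample in the format of the cron output quoted in this thread.
sample_log() {
    cat <<'EOF'
[Wed Oct 16 17:43:41 MST 2019] ===Starting cron===
[Wed Oct 16 17:43:41 MST 2019] Renew: 'a.example'
[Wed Oct 16 17:43:47 MST 2019] a.example:Verify error:Invalid response from https://a.example/ [192.0.2.1]:
[Wed Oct 16 17:43:48 MST 2019] Error renew a.example.
[Wed Oct 16 17:43:48 MST 2019] Renew: 'b.example'
[Wed Oct 16 17:43:48 MST 2019] Skip invalid cert for: b.example
[Wed Oct 16 17:43:55 MST 2019] Renew: 'c.example'
[Wed Oct 16 17:43:55 MST 2019] Skip, Next renewal time is: Wed Nov 20 07:07:35 UTC 2019
[Wed Oct 16 17:44:00 MST 2019] Renew: 'd.example'
[Wed Oct 16 17:44:15 MST 2019] d.example:Verify error:Fetching http://d.example/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
[Wed Oct 16 17:44:15 MST 2019] Error renew d.example.
[Wed Oct 16 17:44:36 MST 2019] ===End cron===
EOF
}

sample_log | cron_summary
```

A saved cron log can be piped into `retry_failed` in place of `sample_log`; setting `ACME_SH="echo RUN"` first prints the renew commands without running them.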