Not valid yet, let's wait 10 seconds...until failure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: auburnchurchofchrist.com

I ran this command: acme.sh --renew -d auburnchurchofchrist.com --log

It produced this output:
[~]$ --renew -d auburnchurchofchrist.com --log
[Sat Jun 1 07:58:12 MST 2024] Renew: 'auburnchurchofchrist.com'
[Sat Jun 1 07:58:17 MST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Jun 1 07:58:17 MST 2024] Multi domain='DNS:auburnchurchofchrist.com,DNS:.auburnchurchofchrist.com'
[Sat Jun 1 07:58:19 MST 2024] Getting domain auth token for each domain
[Sat Jun 1 07:58:25 MST 2024] Getting webroot for domain='auburnchurchofchrist.com'
[Sat Jun 1 07:58:25 MST 2024] Getting webroot for domain='.auburnchurchofchrist.com'
[Sat Jun 1 07:58:25 MST 2024] Adding txt value: SwDNB-m19IkMKfQIFCTKZqdfBqnnpJ0_hC4hh2U9auw for domain: _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 07:58:26 MST 2024] Adding record
[Sat Jun 1 07:58:27 MST 2024] Added, sleeping 10 seconds
[Sat Jun 1 07:58:38 MST 2024] The txt record is added: Success.
[Sat Jun 1 07:58:38 MST 2024] Adding txt value: mIPiZKsSeEWaEX5jAjTDqYfMOmtWuU3OYnBiN2Ua6og for domain: _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 07:58:38 MST 2024] Adding record
[Sat Jun 1 07:58:38 MST 2024] Added, sleeping 10 seconds
[Sat Jun 1 07:58:49 MST 2024] The txt record is added: Success.
[Sat Jun 1 07:58:49 MST 2024] Let's check each DNS record now. Sleep 20 seconds first.
[Sat Jun 1 07:59:11 MST 2024] You can use '--dnssleep' to disable public dns checks.
[Sat Jun 1 07:59:11 MST 2024] See: dnscheck · acmesh-official/acme.sh Wiki · GitHub
[Sat Jun 1 07:59:11 MST 2024] Checking auburnchurchofchrist.com for _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 07:59:14 MST 2024] Not valid yet, let's wait 10 seconds and check next one.

~30 minutes later
[Sat Jun 1 08:25:14 MST 2024] You can use '--dnssleep' to disable public dns checks.
[Sat Jun 1 08:25:14 MST 2024] See: dnscheck · acmesh-official/acme.sh Wiki · GitHub
[Sat Jun 1 08:25:14 MST 2024] Checking auburnchurchofchrist.com for _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 08:25:16 MST 2024] Not valid yet, let's wait 10 seconds and check next one.
[Sat Jun 1 08:25:31 MST 2024] Checking auburnchurchofchrist.com for _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 08:25:35 MST 2024] Not valid yet, let's wait 10 seconds and check next one.
[Sat Jun 1 08:25:47 MST 2024] Let's wait 10 seconds and check again.
[Sat Jun 1 08:25:58 MST 2024] Timed out waiting for DNS.
[Sat Jun 1 08:25:58 MST 2024] check dns error.
[Sat Jun 1 08:25:58 MST 2024] Please check log file for more details: /home/nrqe0s3j8jbp/.acme.sh/acme.sh.log
[Sat Jun 1 08:25:58 MST 2024] Removing DNS records.
[Sat Jun 1 08:25:58 MST 2024] Removing txt: SwDNB-m19IkMKfQIFCTKZqdfBqnnpJ0_hC4hh2U9auw for domain: _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 08:25:59 MST 2024] The record does not exist, skip
[Sat Jun 1 08:25:59 MST 2024] Removed: Success
[Sat Jun 1 08:25:59 MST 2024] Removing txt: mIPiZKsSeEWaEX5jAjTDqYfMOmtWuU3OYnBiN2Ua6og for domain: _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 08:25:59 MST 2024] The record does not exist, skip
[Sat Jun 1 08:25:59 MST 2024] Removed: Success

My web server is (include version): cPanel 110.0.15

The operating system my web server runs on is (include version): Linux (unsure of version provided by host)

My hosting provider, if applicable, is: GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know): With some work, I can. Normally just access through terminal within cPanel.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): using acme.sh only.

I have three websites/domains which I update SSLs on, I normally run acme.sh --renew-all --log, and go my merry way, but was receiving the 'not valid yet...' line. So broke down to trying just a single at a time. Figure if I can get the one working, I should be able to get the other two in line.

Backstory: been using letsencrypt for nearly 4 years and had zero issues with the auto renewal until earlier this year. For an operation needed every 8-12 weeks...I can do it manually. However...here I am now.

Hi @Divot,

Using the online tool https://unboundtest.com/ shows
https://unboundtest.com/m/TXT/_acme-challenge.auburnchurchofchrist.com/K46O3KO2
(just the top shown here)

Query results for TXT _acme-challenge.auburnchurchofchrist.com

Response:
;; opcode: QUERY, status: NOERROR, id: 3395
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;_acme-challenge.auburnchurchofchrist.com.	IN	 TXT

;; ANSWER SECTION:
_acme-challenge.auburnchurchofchrist.com.	0	IN	TXT	"auburnchurchofchrist.com."

----- Unbound logs -----
Jun 01 16:16:53 unbound1.19[2294289:0] debug: creating udp6 socket ::1 1053
Jun 01 16:16:53 unbound1.19[2294289:0] debug: creating tcp6 socket ::1 1053
Jun 01 16:16:53 unbound1.19[2294289:0] debug: creating udp4 socket 127.0.0.1 1053

Has your hosting provider and / or cPanel and / or acme.sh changed their behavior since the last renewal?

Edit:
Also you can find more help for acme.sh on GitHub

Edit 2:
Hi @Divot
Also, regarding the DNS-01 challenge of the Challenge Types - Let's Encrypt, I suggest looking for a Domain Name Service Provider that easily supports the DNS-01 challenge. Here is a pointer that may help.
DNS providers who easily integrate with Let's Encrypt DNS validation

2 Likes

Last renewal I had to run manually using acme.sh --renew-all --log as, for some reason, the cron job didn't run right/correctly.

Hosting provider (GoDaddy) hasn't changed.

GoDaddy did some upgrade to the Linux backend. Info I have states migration from CloudLinux6 to CloudLinux8.

Unaware of any cPanel changes

You might be affected by a recent change in GoDaddy's support for API access to their DNS.

See this other thread for details and alternatives. Several other threads discuss this same GoDaddy change.

Your log errors show you are using a DNS Challenge and it failed to delete the TXT record at the end. It said it did not exist which probably means it never got added either.

3 Likes
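The mismatch described above can be checked mechanically by comparing the TXT values acme.sh logged as added with what a resolver returns. This is an added example, not part of the thread or of acme.sh; the function names are hypothetical and the sample data is copied from the log and unboundtest output quoted earlier in this thread.

```shell
#!/bin/sh
# Added example: does the published TXT record hold the tokens acme.sh set?

# Print "name token" for every TXT value acme.sh reported adding in log $1.
expected_txt() {
  sed -n 's/.*Adding txt value: \([^ ]*\) for domain: \([^ ]*\).*/\2 \1/p' "$1"
}

# Print the TXT strings that dig-style answer file $1 holds for name $2.
# ACME tokens are base64url, so a value never contains whitespace.
published_txt() {
  awk -v n="$2." '$1 == n && $4 == "TXT" { gsub(/"/, "", $5); print $5 }' "$1"
}

# Return 0 only if every expected token is published; report each one.
check_challenge() {
  missing=0
  while read -r name token; do
    [ -n "$token" ] || continue
    if published_txt "$2" "$name" | grep -qxF -- "$token"; then
      echo "ok      $name $token"
    else
      echo "MISSING $name $token"
      missing=1
    fi
  done <<EOF
$(expected_txt "$1")
EOF
  return "$missing"
}

# Sample input: log lines and resolver answer as quoted in this thread.
log=$(mktemp); answer=$(mktemp)
trap 'rm -f "$log" "$answer"' EXIT
cat >"$log" <<'EOF'
[Sat Jun 1 07:58:25 MST 2024] Adding txt value: SwDNB-m19IkMKfQIFCTKZqdfBqnnpJ0_hC4hh2U9auw for domain: _acme-challenge.auburnchurchofchrist.com
[Sat Jun 1 07:58:38 MST 2024] Adding txt value: mIPiZKsSeEWaEX5jAjTDqYfMOmtWuU3OYnBiN2Ua6og for domain: _acme-challenge.auburnchurchofchrist.com
EOF
cat >"$answer" <<'EOF'
_acme-challenge.auburnchurchofchrist.com. 0 IN TXT "auburnchurchofchrist.com."
EOF

check_challenge "$log" "$answer" ||
  echo "Published TXT does not match what acme.sh set; DNS-01 cannot validate."
```

Against live DNS, the answer file can be produced with `dig +noall +answer TXT _acme-challenge.<domain>` while acme.sh is still waiting, before it removes the records.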

But their behavior has changed as @MikeMcQ pointed out.

1 Like

Reading it now....if so....curses on them.

I did look at the DNS, and saw a txt entry for _acme-challenge added, but the second portion was blank.

3 Likes

Thus why

3 Likes

If the domain number req's in your linked thread are correct...I'm two shy of the 10 needed for DNS API access. Logging into my account to look at the DNS name servers, and they are locked/uneditable. All other pieces I can alter at will.

thank you MikeMcQ and Bruce 5051, appreciate your time.

3 Likes

Hi, did anyone find a solution to this issue? Appreciate your help!

You'd have to contact GoDaddy if you want them to restore their prior service.

But, the link I provided earlier contains suggestions by other people affected by this GoDaddy change.

4 Likes

If you're using GoDaddy with cPanel, you could just use CertSage instead of acme.sh. It requires 20 seconds of manual renewal every 60 days WITHOUT you needing to login to cPanel or use a terminal.

2 Likes
