One of three urls, can't renew certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ted4promos.com

Unfortunately, I have no way to answer your questions. My host company usually deals with this, and while I've looked into some of your threads on the topic, I'm a bit lost and will explain the best I can.

Hello,

I’ve got an issue that my hosting company normally handles, but they seem to have lost their ability to figure this out.

Every so often, I get notices that Let’s Encrypt certificates have been renewed, haven’t been renewed, etc. When they haven’t, I send a note to support at my host, and I soon get notice that they have been renewed.

I currently am unable to have the certificate for ted4promos.com renewed. They’re telling me it’s because the url goes to what I call a “subscribed site”. The industry likely has a name for it, but I don’t know what that might be.

I did make a change, not sure of the exact date, but on or around April 1. It was from one subscribed site to another. Why they were renewable with my url pointed at the old site, but not the new site, I do not know.

Could it be this April issue with the 2 new countries?

My questions (I know nothing of all this):

  1. What is my exposure without the certificates?
  2. Can we somehow shut off the 2 new countries from my site and get back to normal?
  3. And, if there’s no way to renew the certificates, is there any way to halt the daily emails telling me that the certificate couldn’t be renewed?

I have 3 urls, tedpendlebury.com, capcitypromos.com (no issues that I’m aware of), and this one, ted4promos.com.

I thank you in advance,
Ted Pendlebury

1 Like

Hi Ted,

1 - Without certificates the communication with your sites is not encrypted. The impact of that depends on the sensitivity of the content or user-submitted data, but users will see security-related errors in most browsers.

2 - I think you are talking about validation from different countries. No, you can't control or influence that, but you haven't indicated why that would be a problem. Presumably your hosting company is saying something about that. They may be using geographic blocking, which is increasingly incompatible with Let's Encrypt.

3 - Expiry notification emails will stop when the certs actually expire.

If these sites are unimportant to you, you can ignore certificate problems. If they are important then you need to go back to your hosting company and ask what they're going to do to fix it. You will be unable to resolve these issues yourself unless you are skilled in web server administration and have the appropriate level of control over the web server software etc.

Ultimately, domains point to web servers (computers running web server software to 'serve' web pages) using the IP addresses set in DNS for that domain; the web server in turn serves the web pages or redirects to somewhere else that does that. If you're using a hosting company then all you really control is where the domains point to (which IP addresses), and you more or less give up control of everything else to the hosting company.

5 Likes

You may need to find a different hosting company then.

You have 3 IP addresses in your DNS. Maybe one or more of them are wrong. This affects anyone trying to connect to your domain, not just Let's Encrypt.

dig +noall +answer ted4promos.com
ted4promos.com.         41      IN      A       209.141.38.71
ted4promos.com.         41      IN      A       107.161.23.204
ted4promos.com.         41      IN      A       198.251.81.30

It could, but I cannot connect to your site even from the USA, so I don't think that is related.

Let's Encrypt does not send daily emails. It sends 2 emails for each cert that was not renewed. The first is 20 days before expiry. Once the cert expires no further emails are sent.

No HTTPS requests are getting through, even for your "home" page. I would first try to fix this, as it is likely related to why your hosting company cannot renew your cert for you.

https://www.ssllabs.com/ssltest/analyze.html?d=ted4promos.com&hideResults=on&latest

5 Likes

Thank you Mike. First, regarding the emails, my apologies. The daily emails come from my host company, not LE. My error.

Regarding connecting to my site, I have the url forwarded to the following: https://ted4promos-com.dcpromosite.com/. Are you saying that it's not forwarding? I can get to my site here.

With regard to the 3 IP addresses, I'll see if I can figure out whether any of them are wrong. If you have any insight to make that determination, please let me know.

Thanks again,
Ted

2 Likes

Hi Christopher,
I think I need to get this fixed. I don't need visitors getting the message that the site is unprotected.
Thank you for your thorough reply.
Ted

1 Like

I get redirected when using HTTP but not HTTPS.

curl -i http://www.ted4promos.com
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://ted4promos-com.dcpromosite.com/

curl -i -m10 https://www.ted4promos.com
curl: (28) Operation timed out after 10000 milliseconds with 0 bytes received

A common way to get a cert is using the HTTP Challenge. That requires that every IP address be able to reply properly. While an ACME Client can technically setup multiple servers to reply properly it is very complicated. If your host is using this challenge type this can explain why cert requests fail.

A DNS Challenge is also possible and probably better with multiple server IPs. But, these are often more difficult to setup initially.

Your DNS looks unusual but that doesn't mean it is "wrong" in any specific way. So, I can't say what you need to do other than review it and make sure it is all correct.

# Your www subdomain 
dig +noall +answer www.ted4promos.com
www.ted4promos.com.     300     IN      CNAME   parking.namesilo.com.
parking.namesilo.com.   148     IN      A       168.235.88.209
parking.namesilo.com.   148     IN      A       173.44.37.208
parking.namesilo.com.   148     IN      A       198.251.81.30
parking.namesilo.com.   148     IN      A       198.251.84.92
parking.namesilo.com.   148     IN      A       204.188.203.154
parking.namesilo.com.   148     IN      A       209.141.38.71
parking.namesilo.com.   148     IN      A       45.58.190.82
parking.namesilo.com.   148     IN      A       64.32.22.102
parking.namesilo.com.   148     IN      A       70.39.125.243
parking.namesilo.com.   148     IN      A       104.238.249.57
parking.namesilo.com.   148     IN      A       107.161.23.204

# Your registered name
dig +noall +answer ted4promos.com
ted4promos.com.         185     IN      A       107.161.23.204
ted4promos.com.         185     IN      A       209.141.38.71
ted4promos.com.         185     IN      A       198.251.81.30

2 Likes
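As an added example (not code from this thread, from Let's Encrypt, or from any tool mentioned in it), the script below parses the `dig +noall +answer` output quoted above, follows the CNAME for the www name, and reports what matters for the HTTP-01 challenge described in the post: how many addresses sit behind each name, and how the apex and www address sets relate. The `probe_acme_path` function is the optional live counterpart to the curl checks earlier in the thread; it needs network access, and the token in the request path is a constructed placeholder, not a real challenge token.

```python
import http.client
import re

# Constructed sample: the `dig +noall +answer` lines quoted in the thread.
DIG_OUTPUT = """\
www.ted4promos.com.     300     IN      CNAME   parking.namesilo.com.
parking.namesilo.com.   148     IN      A       168.235.88.209
parking.namesilo.com.   148     IN      A       173.44.37.208
parking.namesilo.com.   148     IN      A       198.251.81.30
parking.namesilo.com.   148     IN      A       198.251.84.92
parking.namesilo.com.   148     IN      A       204.188.203.154
parking.namesilo.com.   148     IN      A       209.141.38.71
parking.namesilo.com.   148     IN      A       45.58.190.82
parking.namesilo.com.   148     IN      A       64.32.22.102
parking.namesilo.com.   148     IN      A       70.39.125.243
parking.namesilo.com.   148     IN      A       104.238.249.57
parking.namesilo.com.   148     IN      A       107.161.23.204
ted4promos.com.         185     IN      A       107.161.23.204
ted4promos.com.         185     IN      A       209.141.38.71
ted4promos.com.         185     IN      A       198.251.81.30
"""

# owner  TTL  IN  type  rdata  (only the record types relevant here)
RR_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|AAAA|CNAME)\s+(\S+)\s*$")


def _fqdn(name):
    """Normalise to lowercase with a trailing dot, matching dig's owner names."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_answers(text):
    """Parse dig answer lines into {owner: {rrtype: set(rdata)}}; other lines are skipped."""
    records = {}
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        owner, rrtype, rdata = m.groups()
        value = _fqdn(rdata) if rrtype == "CNAME" else rdata
        records.setdefault(_fqdn(owner), {}).setdefault(rrtype, set()).add(value)
    return records


def resolve_addresses(records, name, max_hops=8):
    """Follow CNAMEs within the answer set and return the terminal A/AAAA addresses."""
    name = _fqdn(name)
    for _ in range(max_hops):
        rrsets = records.get(name, {})
        addrs = rrsets.get("A", set()) | rrsets.get("AAAA", set())
        if addrs:
            return addrs
        cname = rrsets.get("CNAME")
        if not cname:
            return set()          # neither addresses nor a CNAME: nothing to follow
        name = next(iter(cname))  # a name has at most one CNAME target
    raise ValueError("CNAME chain too long at %s" % name)


def compare_names(records, left, right):
    """Report how the address sets behind two names relate (e.g. apex vs www)."""
    a, b = resolve_addresses(records, left), resolve_addresses(records, right)
    return {"common": a & b, "only_left": a - b, "only_right": b - a}


def http01_findings(records, name):
    """Findings a cert-issuance troubleshooter cares about for HTTP-01."""
    addrs = resolve_addresses(records, name)
    findings = []
    if not addrs:
        findings.append("no address records found")
    if len(addrs) > 1:
        # HTTP-01 may be validated against any of the addresses, so all must answer.
        findings.append("%d addresses: every one must serve /.well-known/acme-challenge/ "
                        "for HTTP-01 to succeed" % len(addrs))
    return findings


def probe_acme_path(ip, host, timeout=10):
    """Live check of one address (network required): request the challenge path
    with the site's Host header, as a validation server would, and report the
    status or redirect target so each IP can be compared against the others."""
    token = "probe-not-a-real-token"  # constructed placeholder, not a real token
    try:
        conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
        conn.request("GET", "/.well-known/acme-challenge/" + token, headers={"Host": host})
        resp = conn.getresponse()
        return {"ip": ip, "status": resp.status, "location": resp.getheader("Location")}
    except (OSError, http.client.HTTPException) as exc:
        return {"ip": ip, "error": str(exc)}


if __name__ == "__main__":
    recs = parse_answers(DIG_OUTPUT)
    print(http01_findings(recs, "ted4promos.com"))
    print(compare_names(recs, "ted4promos.com", "www.ted4promos.com"))
```

Run against the thread's records, the apex resolves to 3 addresses and www to 11, with the apex's 3 all contained in the www set, which is the mismatch noted later in the thread. To extend the check to a live host, call `probe_acme_path` once per address returned by `resolve_addresses` and look for any IP whose status or `Location` differs from the rest.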

This appears to me that maybe I didn't do something correctly when I created the forward. Does that make sense? Since it looks like Namesilo has the https 'parked'?

Yes, I am just guessing but you may have a URL Redirect or Domain Forwarding service (same thing, different names) for those domain names.

It usually isn't possible to get certs for such a service. You'd have to ask the provider (Namesilo) if it is with their setup. That may be what your hosting company meant about "subscribed site" and not being able to get a cert.

Note your registered name ted4promos.com has 3 of the same IP addresses as your www subdomain. That they are not the same set seems odd too, but a good question for Namesilo.

Usually, the IP points to a server that handles the HTTP and HTTPS requests. That server gets the cert for HTTPS. This is what the ted4promos-com.dcpromosite.com site does although it also uses an AWS Load Balancer in front of the servers and the ALB uses an AWS cert.

5 Likes

Thanks Mike. I appreciate your help here. What I received from Namesilo. Apparently, there's a difference between uppercase S and lowercase s. Maybe I should talk to the provider of the website.

"Hello,

Our Domain Forwarding service at present does not support HTTPs to HTTPS.

It can only support HTTP to HTTPS forwards.

HTTPS requests to our forwarding server do not work which is why the curl may be failing with a timeout.

NameSilo Support Team"

1 Like

No, the "case" does not matter. What they are saying is they cannot handle an HTTPS request and redirect it to another domain (or https - same thing). That is how most such services work.

Yes, you could try the dcpromosite operator and see if they offer "custom" or alternative names.

Otherwise yes you would be creating a server to just handle such redirects.

2 Likes

Thanks again, Mike. Much appreciated.

3 Likes

It's a little more complex to setup but things like Cloudflare can do redirection Redirect one domain to another · Cloudflare Fundamentals docs if you move your domain to their DNS hosting (free).

4 Likes

That's a really cool idea.

2 Likes

May not be possible, as the site I have is a big product database with my 'skin' on it. But I'll look into what they can do on that end. I have yet to approach them.

Many thanks to you both.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.