Problem getting certificate re-issued; cPanel AutoSSL and rate limit

We have a problem with getting our certificate re-issued as we have hit our DCV rate limit.

We have a number of domains most of which have been updated to the new certificate -- all except the certificate assigned to our mail server. As such people are not able to send us mail (and the reason I signed up not using my corporate mail server account).

How can I get past this rate limit so my mail server certificate can get updated?

I can think of several ways:

  • wait for the timer to expire
  • add or remove an entry in the SAN of the cert you require
  • use another FREE CA - there are several to choose from
  • change the name of your mailserver
  • travel back in time and stop yourself from exceeding the rate limit and save the planet!

Free CA that offers wildcard ones? If yes, which one? I can't find any of them ☹


@Lapa
Try:
ZeroSSL.com
BuyPass.com
[I don't use either - so I can't speak from experience]


Thank you very much, but neither of them is free for wildcard certificates.
LE just killed a part of my user base from one day to the next.

Which part got killed?
[I'm here to help you find answers]


Every user that is not supported by ISRG Root X1 but was by DST Root CA X3.
Actually, many of them won't update their systems and will be clueless about all of that.

Thanks -- I kinda knew that if I waited it should go away, but not receiving mail on our server for a week seemed a non-starter of a solution.

We are using cpanel/whm for the site and their AutoSSL utility so I really don't have direct control over when the requests go out -- and not certain why the limit was hit.

Anyway, the quick solution I came up with was to replace the AutoSSL certificate with a wildcard certificate we have in-house that we use on test servers. That has an expiry of July 2022 -- although it didn't cover all the domains that were in the AutoSSL request -- however those domains aren't that important (e.g. our .ca domain, which is simply a redirect to our .com).

Next week (once I have served my time) I will remove the wildcard SSL and try to get a new Let's Encrypt certificate... Let's hope Let's Encrypt will allow that.

@PvxPlus
I read something about how cPanel verifies a cert, and it creates something like a denial-of-service loop because it is unable to verify a cert correctly once a trust store root path has expired [which covers what has happened here, since almost 24 hours ago now].
If that is the case with your cPanel, it might not be able to verify LE certs (ones that use the long "old Android friendly" chain) and may loop and be rate-limited yet again.

[don't quote me on any of this - and keep an eye out for any cPanel patches/updates to address this]


Here is what I believe happened -- all my certificates, when verified by cPanel's AutoSSL logic, failed verification due to the expired X3 certificate. As a result, all my certificates got resubmitted to Let's Encrypt to get updated; however, the update process didn't update the CA Bundle, since technically the R3 certificate hadn't changed. Sadly, that meant it didn't reset the certificate above it in the chain, so the old X3 certificate hung around.

Anyway, the cure was to manually delete the CA bundle certificates presented by cPanel. It had to be done on every domain.

Now the AutoSSL check runs clean, and all I likely need to do is wait it out to get my mail certificate back on LE.

The crux of the problem was that AutoSSL kept hitting LE with requests, since all certificates failed due to the CA chain not being properly updated.

So for others using cPanel -- go into your SSL/TLS page, select Manage SSL Sites, then call up each of your sites and clear the CA Bundle information -- cPanel will re-upload it with the correct value. HTH -- it worked for us.

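As an added example for the CA-bundle problem described in the post above (this is not code from the thread, from cPanel or from Let's Encrypt), here is a POSIX shell script that splits an exported PEM bundle into its individual certificates and uses the openssl CLI to flag any that have expired or will expire within a chosen window. Running it over the bundle cPanel presents for a site shows at a glance whether a stale cross-signed root such as the expired DST Root CA X3 is still sitting in the chain before you clear it. The bundle path is an assumption, and the sample bundle the last function builds is constructed locally with two self-signed certificates, not real Let's Encrypt material.

```shell
#!/bin/sh
# Added example: scan a PEM CA bundle for expired / soon-to-expire certificates.
# Requires the openssl CLI. Not cPanel's or Let's Encrypt's code.

# split_bundle BUNDLE DIR
# Writes each PEM certificate found in BUNDLE to DIR/cert-NN.pem.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
  ' "$1"
}

# report_bundle BUNDLE [SECONDS]
# Prints one tab-separated line per certificate: EXPIRING if it has expired or
# will expire within SECONDS (default 0, i.e. already expired), otherwise OK,
# followed by subject, issuer and notAfter so a stale root is easy to spot.
report_bundle() {
  bundle="$1"
  window="${2:-0}"
  tmp=$(mktemp -d) || return 1
  split_bundle "$bundle" "$tmp"
  for f in "$tmp"/cert-*.pem; do
    [ -f "$f" ] || continue
    subj=$(openssl x509 -in "$f" -noout -subject)
    issuer=$(openssl x509 -in "$f" -noout -issuer)
    end=$(openssl x509 -in "$f" -noout -enddate)
    # -checkend exits non-zero when the cert expires within the window
    if openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
      status=OK
    else
      status=EXPIRING
    fi
    printf '%s\t%s\t%s\t%s\n' "$status" "$subj" "$issuer" "$end"
  done
  rm -rf "$tmp"
}

# count_expiring BUNDLE [SECONDS]
# Prints the number of certificates that report_bundle flags as EXPIRING.
count_expiring() {
  report_bundle "$1" "${2:-0}" | grep -c '^EXPIRING' || true
}

# make_sample_bundle DIR
# Constructed test data (assumption, not a real chain): two self-signed certs,
# one valid for 1 day and one for 365 days, concatenated into DIR/bundle.pem.
make_sample_bundle() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k1.pem" -out "$dir/c1.pem" \
    -days 1 -subj "/CN=short-lived.example" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/k2.pem" -out "$dir/c2.pem" \
    -days 365 -subj "/CN=long-lived.example" >/dev/null 2>&1
  cat "$dir/c1.pem" "$dir/c2.pem" > "$dir/bundle.pem"
}

# Usage (assumed path): report_bundle /path/to/exported-ca-bundle.pem 2592000
```

A 30-day window (2592000 seconds) is a sensible default for a cron job, since a bundle entry that is about to lapse will produce the same verification failures the thread describes once it does.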

Yes, good summary. The nature of the problem is discussed over here: Choice of default long chain vs short chain - #20 by rg305

Essentially, AutoSSL was using a different technique to validate the downloaded chain, and as a result failed to validate chains and went into a retry loop. It sounds like a fix is coming soon.
