Renewal fails trying to verify domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
usmcmta.org

I ran this command:
acme.sh -r -d usmcmta.org

It produced this output:
Checking www.usmcmta.org for _acme-challenge.www.usmcmta.org
Not valid yet, let's wait 10 seconds and check next one.

My web server is (include version):
I think Nginx

The operating system my web server runs on is (include version):
Unknown

My hosting provider, if applicable, is:
GoDaddy

I can login to a root shell on my machine (yes or no, or I don't know):
No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes
cPanel v110.0.15

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh VER=2.8.6

I just discovered that my cert did not renew. The logs indicate that acme can't verify the domain. I know the domain is good and has not expired. I know GoDaddy does not work well with Let's Encrypt, that is why I use the acme.sh script. Up until now, it has worked without issue.

Thoughts?

Thank you

1 Like

GoDaddy recently started restricting access to the DNS API. You haven't shown any detailed error message but it is probably related to this. Check the acme.sh logs for something like a 403 error.

You are not using a wildcard so would the HTTP Challenge work for you? Those are usually easier to set up anyway. And, you have a GoDaddy cert that does not expire until 2025-04-19. You could use that until you resolve your DNS API problem.

Below is someone using acme.sh with the same DNS API issue

3 Likes

I cloned down the most recent acme script. I had to re-register and redeploy the cert, but it appears to have solved my issue.

Thank you for the reply.

2 Likes

You are also now using a cert issued by ZeroSSL

That is the default for acme.sh. If you want Let's Encrypt certs you need to specify that on the command line with the --server option, and you can change the default too.

4 Likes

Thank you for this information. I did not know that the cert was no longer signed by Let's Encrypt. I tried following the documentation that you provided, but I can't seem to renew the cert using the Let's Encrypt server. I've tried several times and now I

too many failed authorizations recently

What can I do to resolve this issue?

Thanks

1 Like

Hi @rosede look here

3 Likes

Once again. Thank you for this information. Now I'm getting:

You didn't specify a Cloudflare api key and email yet.

Is this normal? Do I need to create a Cloudflare API key and add it to the domain?

Thanks

1 Like

If you changed to using the DNS Challenge with Cloudflare then yes. You should visit the acme.sh GitHub for the docs for that.

BUT, I just looked at your DNS and it is still pointing at GoDaddy. You would need to change that to Cloudflare to use that option.

3 Likes

Here are the commands that I used:

I first used this command from the documentation that you provided:

acme.sh --issue -d [domain] --dns dns_cf --server letsencrypt

That kept failing and caused the lockout, so I tried this command:

acme.sh --register-account -m [email] --server letsencrypt

This is where I'm getting the Cloudflare message. To the best of my knowledge, I didn't specify anything with Cloudflare.

The acme shell script was recommended to me by users on this forum. Is there an alternative option instead of the acme shell script that I can use with GoDaddy?

Thanks

1 Like

Yep, a much easier option. 🙂

CertSage doesn't yet support autorenewal, but takes under 30 seconds every 90 days to acquire and install a certificate from any web browser without needing to log into cPanel.

3 Likes

The link I provided was for someone else who changed to using the webroot HTTP challenge. I don't see how Cloudflare got involved.

It looked like you had automated cert renewal working for a long time. The problem occurred when GoDaddy restricted access to their DNS API.

You then got a replacement working but it was for a ZeroSSL cert. There is nothing wrong with that. I pointed it out because it was different than the Let's Encrypt certs you had been getting. But, if you are happy with that go ahead and continue.

4 Likes

@griffin

Thank you. I'll give this a review and try.

4 Likes

I reviewed the documentation. It talks about a password in a plain text file called "password.txt". Where does this password come from? Is it a password that I generate and have to supply? Hopefully this isn't my account password, is it?

Thanks

Sorry, I missed that sentence that said this is created automatically when visiting the certsage page.

4 Likes

Success. I was able to successfully obtain a Let's Encrypt cert using the CertSage script.

Thank you very much

4 Likes

🥳

Glad CertSage worked for you! Wish you the best in your endeavors! 😃

3 Likes

3 posts were split to a new topic: Want CertSage help
