Security Certificate Won't Auto-renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cyc.wgt.mybluehost.me

I ran this command: AutoSSL

It produced this output: MASTER DCV: DNS problem: SERVFAIL looking up CAA for mybluehost.me - the domain’s nameservers may be malfunctioning (urn:acme:error:dns)

My web server is (include version): Bluehost, shared, box5845, Apache 2.4.39

The operating system my web server runs on is (include version): Linux with cPanel

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don’t know): I don’t know

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): I don’t know what this means

I’m a novice. Building a website with WordPress.org and a customizable theme. I have been rolling along for months and now am getting messages that my SSL certificate has expired. I checked the status and some auto-renewed, some did not. I know bits and pieces and may have moved something in FTP that I shouldn’t have when I was “exploring…” Help! Can I just copy the certificate from a domain that hasn’t expired and paste it into the domains that have? Thank you!

1 Like

Hi @clindykersey

are you the domain owner of mybluehost.me? That domain is buggy - https://check-your-website.server-daten.de/?q=mybluehost.me#caa

There is a Refused answer, that blocks checking the CAA of your subdomain.

If it is your domain, fix your DNS. A NoData should be sent.

If you use only the subdomain, try to add a CAA with cyc.wgt.mybluehost.me or wgt.mybluehost.me.

If one of these entries exists, the main domain isn’t checked.

That’s

X Fatal error: Nameserver doesn’t support TCP connection: ns1.bluehost.com / 162.159.24.80: Refused
X Fatal error: Nameserver doesn’t support TCP connection: ns2.bluehost.com / 162.159.25.175: Refused

terrible. Authoritative name servers must support TCP connections.

There are some older Let's Encrypt certificates. But they were created last year.

1 Like

It is my domain - created it years ago and I’d like to change it. It’s for a Community Youth Center project I worked on. I’ve been afraid to tackle that but I’ll start there. Back shortly.

2 Likes

There is a check of your subdomain - https://check-your-website.server-daten.de/?q=cyc.wgt.mybluehost.me#caa

That looks curious:

Both subdomains don’t have a Refused-answer.

Perhaps use

https://sslmate.com/caa/

to create a CAA entry. Then the main domain isn’t checked.

1 Like
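The CAA lookup order discussed in the replies above, as an added example that is not part of the original posts: a simplified model of RFC 8659 tree climbing showing why a CAA record at the subdomain keeps the failing parent zone from being queried. The function names and the DNS view are constructed for illustration; the answers mirror the thread rather than live DNS, and only non-wildcard names are handled.

```python
# Added illustration: simplified CAA tree climbing (RFC 8659), non-wildcard names only.
# The DNS view is constructed sample data, not live lookups; all names are hypothetical.
SERVFAIL, NODATA = "SERVFAIL", "NODATA"


class CAALookupError(Exception):
    """A CAA query failed, so the CA cannot tell whether issuance is permitted."""


def climb_caa(domain, dns_view):
    """Walk from the full name toward the TLD; stop at the first CAA record set."""
    labels = domain.rstrip(".").lower().split(".")
    queried = []
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        queried.append(name)
        answer = dns_view.get(name, NODATA)  # names not listed answer NODATA
        if answer == SERVFAIL:
            raise CAALookupError(f"SERVFAIL looking up CAA for {name}")
        if answer != NODATA:
            return name, answer, queried  # parents are never queried
    return None, [], queried


def may_issue(domain, ca, dns_view):
    """Return (allowed, reason) for a CA identified by its CAA issuer domain."""
    try:
        name, records, _ = climb_caa(domain, dns_view)
    except CAALookupError as err:
        return False, str(err)
    issuers = [value for tag, value in records if tag == "issue"]
    if not issuers:
        return True, "no issue property found"
    if ca in issuers:
        return True, f"{ca} authorized by CAA at {name}"
    return False, f"{ca} not authorized by CAA at {name}"


# Constructed views: the parent zone fails, the subdomains answer NODATA.
BROKEN = {"mybluehost.me": SERVFAIL}
# Same parent failure, but a CAA record now exists at the subdomain itself.
FIXED = {**BROKEN, "cyc.wgt.mybluehost.me": [("issue", "letsencrypt.org")]}

if __name__ == "__main__":
    for label, view in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, may_issue("cyc.wgt.mybluehost.me", "letsencrypt.org", view))
```
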

Related, probably:

# dig +short cyc.wgt.mybluehost.me ns
ns1.bluehost.com.
ns2.bluehost.com.
# dig +short wgt.mybluehost.me ns
ns2.bluehost.com.
ns1.bluehost.com.
# dig +short mybluehost.me ns
# 

but…

# dig +nocmd +noall +auth @a0.nic.me mybluehost.me ns 
mybluehost.me.          86400   IN      NS      ns2.bluehost.com.
mybluehost.me.          86400   IN      NS      ns1.bluehost.com.

1 Like