SSL certificate

Hello dears. My SSL certificate on the site is running out, you can somehow renew it for a year, and I’ll just throw money into my account, I want to say right away that I’m not a programmer and not a server administrator at all.

Can someone help me here?
Because I received an email that my SSL certificate will expire on Tuesday.

You really need to answer these questions. If you don't know, tell us so. It's also important you tell us how you got your certificate, the one that's expiring.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

5 Likes

Dear forum members, thank you for your feedback.

Yes, I understand that I did not give any information.

The fact is that we were setting up a website with the Russian Federation, they installed this certificate for us, and now I received a letter saying that the certificate expires on Tuesday.
The domains of the site https://altynachar.com are located in Turkmenistan.

As Russian programmers assure, our local provider blocks their connection, that is, they connect to the site via ssh and receive silence in response.

I have all access to the site admin panel on Prestashop, as well as all access to the server.

Therefore, if there is an opportunity to renew the certificate that is currently available, it will be generally convenient, because I won’t have to climb onto the server so that I can simply transfer money to the invoice.

Something like this)

Best regards, Arthur.

1 Like

I don't know how your server is set up.

You should try and find out if Certbot is installed (try running certbot certificates) or if some other ACME client is there.

Ideally, certificate renewal happens with no human intervention at all, so someone did mess up.

4 Likes

Do you want to say that it will last itself when the period completely expires?

I don't know all this: You should try and find out if Certbot is installed (try running certbot certificates) or if some other ACME client is there.

As I said earlier, I am not a server admin.

It's not a matter of certbot, but of request blocking

Colleagues from the Russian Federation ask what kind of certificate they can give you

Blocking by Let's Encrypt?

I'm having a very hard time understanding what you're exactly asking. Any issue between your Russian programmers and your local provider is not something Let's Encrypt can fix.

Without very detailed specifics (specific error messages), we often cannot help on this Community.

1 Like

No no, since we already have this certificate, there are no problems with it. The problem is precisely with the connection to our server; foreign companies cannot access our server and carry out a number of works.

Unless connecting via AnyDesk

Thank you for your help, I will continue to look for a solution.

1 Like

Well, it's due for renewal as your email notification mentioned you already, so that's a "thing" with the certificate. But it's still valid, so that shouldn't be the issue indeed.

The certificate looks good. The only thing I could remark is that the server is sending the "long chain" which is for old Android compatibility and the default currently. Some TLS clients can't deal properly with this long chain, as it chains up to an expired root. Which is fine for Android. And non-Android TLS clients should accept the chain at the currently valid ISRG Root X1 root cert. But for some TLS clients, it could fail.

But any non-TLS related connectivity issue is probably not within the scope of this Community.

1 Like
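
The "long chain" remark in the post above can be checked from the chain a server actually sends. This is an added example, not part of the original thread: it reads `openssl s_client` text and reports which root the last sent certificate chains to. The function names and the sample host are assumptions, and `DST Root CA X3` is the name of the expired root the long chain ends at.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): classify the chain a server sends.

# Constructed sample: the "Certificate chain" part of `openssl s_client`
# output for a long chain. The host name shop.example is a placeholder.
sample_long_chain() {
    cat <<'EOF'
Certificate chain
 0 s:CN = shop.example
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
EOF
}

# Print the issuer of the last certificate in the chain read from stdin.
last_issuer() {
    awk '/^ *i:/ { sub(/^ *i:/, ""); last = $0 } END { print last }'
}

# long-chain:  the last sent certificate is the cross-signed ISRG Root X1,
#              issued by the expired DST Root CA X3.
# short-chain: the last sent certificate is an intermediate issued by
#              ISRG Root X1, so clients anchor at the valid root.
chain_verdict() {
    issuer=$(last_issuer)
    case $issuer in
        *"DST Root CA X3"*) echo "long-chain" ;;
        *"ISRG Root X1"*)   echo "short-chain" ;;
        *)                  echo "unknown" ;;
    esac
}

# Live use (needs network; replace the placeholder host):
#   openssl s_client -connect shop.example:443 -servername shop.example \
#       </dev/null 2>/dev/null | chain_verdict
```

A `long-chain` result is expected for the default setup described in the post and only matters for TLS clients that reject a chain ending at an expired root.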

Dear @Osiris thank you for your feedback.

So that’s why I’m asking where and how can I extend it? Payment page? Our colleagues from the Russian Federation installed it for us, but now they can’t reinstall it! They were also told to just extend it for us. They replied that: This is a matter of blocking requests.

Of course, as a person who doesn’t understand at all, it’s easier for me to extend it for 2-3 years at once, and that’s all, so as not to climb onto the server every time.

1 Like

Let's Encrypt certificates are 100 % free of charge. And issuance/renewal is done automatically using an API, the so-called ACME server. Nothing manual should be necessary.

I don't know what your Russian colleagues mean by that. It sounds like they should be opening a thread on this Community if they have a hard time with the renewal of the certificate. (But not for other issues of course.) Because without details, it's very hard to guide you/them.

The only thing I noticed is that the website Let's Debug mentions a "time out" when trying to do a test run using the Let's Encrypt staging environment, meaning the connection is probably hitting a firewall or something similar, while I'm getting a "403 forbidden" error when trying to retrieve the exact same file. Thus not a timeout.

So that's a discrepancy. Maybe your hosting provider is blocking some parts of the world and is not blocking some other parts of the world, I dunno. As far as I know, Let's Encrypt does not block IP ranges currently.

With everything set up properly, usually Let's Encrypt, by its automated nature, is a one-time setup thing. Or even a no-time-thing if your hosting provider provides it by default. With renewals et cetera done automatically without anyone to worry about.

2 Likes

Yes, you are right, this is exactly what they say that our provider, the hosting provider is blocking. Therefore, I am kind of confused and don’t know what to do. And if you say that it is automatically extended, then why shouldn’t it be extended this time too? ))

Ask your hosting provider why they're blocking parts of the world. You could e.g. show connectivity testing sites like Website Availability Test - Check Website Availability | Uptimia (it shows 5 out of 43 testing sites from the US and Europe as red on the map).

Well, automatically renewing is just one part of the process. I mean, it shouldn't require manual intervention, but for that to be the case, everything needs to be running smoothly. But in your case, something is wrong: part of the world cannot connect to your website and the Let's Encrypt validation server is one of them. As the Let's Debug page I linked to earlier shows (time out).
Without a way to connect to your server, no valid challenge. Without a valid challenge, no certificate renewal.

Alternatively, if your DNS is hosted by a different party and/or without any blocking, it might be possible to use the dns-01 challenge. But if your tech people can't even connect using SSH to do their work, well, that's also rather difficult.

4 Likes
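
The timeout-versus-403 discrepancy discussed in the posts above can be turned into a repeatable check. This is an added example, not part of the original thread: it probes the HTTP-01 path from several vantage points and compares the results. The function names, vantage labels and sample results are constructed assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): triage HTTP-01 reachability.

# Probe one URL; print http:<code>, timeout, refused, dns or error:<n>.
probe_http01() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1")
    rc=$?
    case $rc in
        0)  echo "http:$code" ;;
        6)  echo "dns" ;;       # name did not resolve
        7)  echo "refused" ;;   # TCP connection failed
        28) echo "timeout" ;;   # no answer in time, typical of a silent drop
        *)  echo "error:$rc" ;;
    esac
}

# Constructed sample mirroring the thread: one validator times out while
# another client gets an HTTP answer for the same file.
sample_results() {
    printf '%s\n' 'validator timeout' 'other-client http:403'
}

# Read "vantage result" lines on stdin and print one verdict.
# Any HTTP status (even 403 or 404) proves the network path works;
# timeout or refused means the request never reached the web server.
diagnose() {
    awk '
        $2 ~ /^http:/ { answered++; next }
        $2 == "timeout" || $2 == "refused" { silent++; blocked = blocked " " $1; next }
        { other++ }
        END {
            if (answered && silent)       print "selective-block:" blocked
            else if (silent && !answered) print "unreachable-everywhere"
            else if (answered && !other)  print "reachable-everywhere"
            else                          print "inconclusive"
        }'
}

# Live use, run on each vantage point (placeholder domain and token):
#   echo "myhost $(probe_http01 http://shop.example/.well-known/acme-challenge/test)"
```

A `selective-block` verdict points at filtering between some networks and the server, which is what prevents the validation request from arriving and therefore the renewal.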

Do you have ssh access to your server?

Or you can tell your Russian devs about the magic of ssh ProxyJump (the -J command line option)

4 Likes

Good afternoon. Yes, I have access to ssh.

I told them, they have only one answer, no response from the server, although they access the server without any problems.

If you can login at root level, then you should be able to handle the entire cert management process.

3 Likes
