AutoSSL certificate expiry on 10/24/18 UTC. AutoSSL did not renew the certificate for “test.myobjectives.com”. You must take action to keep this site secure. The “LetsEncrypt” AutoSSL provider could not renew the SSL certificate without a reduction of coverage because of the following problems: DNS DCV: The DNS query to “_cpanel-dcv-test-record.myobjectives.com” for the DCV challenge returned no “TXT” record that matches the value “_cpanel-dcv-test-record=UPWDWWC9vSNvaNvmCstap0a9S4emriermIV2HGE4mzBQ762PKm2JuaOR21V3kpTu”.; HTTP DCV: The system queried for a temporary file at “http://test.myobjectives.com/.well-known/acme-challenge/MDYAEZAURRBNPXZWPRIIMMXHBJR5QNP7”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.
Note: We have a half-dozen websites on this VPS using Let’s Encrypt SSLs, all auto-renewed; only this one did not renew for some reason. We do have a temporary IP lock on this URL as it is a development site (it will probably show “host unreachable” if you try to reach this URL from your location). I don’t understand the SSL renewal error, though; it’s not the only site we have the IP lock on, and the other sites renewed. Any help is appreciated!
My web server is (include version): CENTOS 6.10 v74.0.9
The operating system my web server runs on is (include version): Linux + Apache CGI PHP 7.2
My hosting provider, if applicable, is: Bluehost
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes / full WHM & cPanel
Thank you for the response Steven, I appreciate your time sir.
I do have access to the cpanel & WHM. The AutoSSL logs are full of errors for all the domains. Here's a copy of the AutoSSL logs related to the domain in question:
8:09:05 PM Analyzing “test.myobjectives.com” …
8:09:05 PM ERROR TLS Status: Defective
ERROR Certificate expiry: 10/24/18, 2:04 AM UTC (1.96 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
WARN Local HTTP DCV error (test.myobjectives.com): The system queried for a temporary file at “http://test.myobjectives.com/.well-known/acme-challenge/7C6Q0V5SJWSTH__7VMU6EO1PC9XRGT-O”, but the web server responded with the following error: 403 (Forbidden). A DNS (Domain Name System) or web server misconfiguration may exist.
The warning mirrors what we saw in the email; I do not understand what it is saying. We are able to access the website just fine.
(also could you please check if “route all challenges to a system .well-known folder” is enabled?)
Can you tell me where I can enable this? I'm in the "Manage AutoSSL" option in WHM and do not see this option. We use Bluehost; they have their own version of cPanel. I can manage my SSLs from here, and inside this module I can see my SSL, but there is no option to enable routing all challenges to the .well-known folder.
To simplify things, this plugin should exclude http requests to the /.well-known/acme-challenge/ folder.
I don't believe Really Simple SSL goes that deep. It's an "install, turn it on and forget it" type of plugin.
The only options it has are:
Auto replace mixed content (enabled)
Enable WordPress 301 redirection to SSL (enabled)
Enable 301 .htaccess redirect (disabled)
Enable Javascript redirection to SSL (disabled)
Debug (disabled)
Stop editing the .htaccess file (disabled)
Switch mixed content fixer hook (disabled)
That's all they give us on that plugin. I don't know if this is the source of our issues, I was including this information if it was of help in troubleshooting (as I believe it has altered our htaccess file).
To your point, how do I exclude requests to the /.well-known/acme-challenge/ folder? I have sublime text editor and FTP access, I can make changes if need be - I just need to be told what to do.
We had an IP block on the site because it was a development site. I just temporarily disabled this for our troubleshooting purposes. On that note, thanks for your time.
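The 403 in the AutoSSL log is exactly what a document-root IP lock returns to the validator, which connects from addresses that are not fixed and so cannot be allowlisted. The following is an added example of a document-root .htaccess (not from this thread, cPanel, or the Really Simple SSL plugin) that keeps the IP lock and the HTTPS redirect but exempts /.well-known/acme-challenge/ from both; it assumes Apache 2.4 with mod_rewrite enabled, and the client addresses are placeholders.

```apache
# Document-root .htaccess (assumed location of the IP lock and the HTTPS redirect).
# Apache 2.4 syntax; .htaccess cannot use <Location>, so path exceptions are
# expressed with mod_rewrite conditions instead of Require/Allow directives.
RewriteEngine On

# 1. IP lock for the development site.
#    Any request that is NOT for the ACME challenge path and NOT from an
#    allowed address gets a 403. The challenge path is exempted because
#    HTTP-01 validation arrives from addresses you cannot predict.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
RewriteRule ^ - [F]

# 2. Force HTTPS for everything except the challenge path, which must stay
#    reachable on plain HTTP (port 80) for the validator. A 301 to https://
#    here would also break validation if the HTTPS vhost is locked or broken.
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 3. Make sure the challenge files themselves are served to everyone,
#    even if a parent directory uses Require/Allow based restrictions.
#    (Place this in .well-known/acme-challenge/.htaccess; on Apache 2.2
#    use "Order allow,deny" and "Allow from all" instead.)
# Require all granted
```

After saving, confirm with a plain HTTP fetch of a test file under /.well-known/acme-challenge/ from a non-allowlisted address that the response is 200 and not a 403 or a 301 to https://.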
I just created that file and placed it on the server. I temporarily disabled the Really Simple SSL plugin. I am able to get to that file by clicking the link.
Hm, I am properly confused. The file is there. I am able to load it from an incognito window. Even when I click your link it opens in a new window for me. We did have an IP block installed up until a minute ago, would it be a cache issue?
Are you able to renew the certificate while the IP block is disabled? (I believe there should be an option under “SSL/TLS Status” to make it retry immediately, though I don’t use cPanel myself)
It went through the steps. I got an error after agreeing to the TOS and the email-sharing question, in the "cleaning up challenges" section:
File:
- Could not be found to be deleted /etc/httpd/conf.d/le_http_01_challenge_pre.conf - Certbot probably shut down unexpectedly
File:
- Could not be found to be deleted /etc/httpd/conf.d/le_http_01_challenge_post.conf - Certbot probably shut down unexpectedly
An unexpected error occurred:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in
load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1364, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1124, in run
certname, lineage)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 334, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 75, in handle_authorizations
resp = self._solve_challenges(aauthzrs)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 126, in _solve_challenges
resp = self.auth.perform(all_achalls)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/configurator.py", line 2280, in perform
http_response = http_doer.perform()
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 72, in perform
self._mod_config()
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot_apache/http_01.py", line 118, in _mod_config
with open(self.challenge_conf_pre, "w") as new_conf:
FileNotFoundError: [Errno 2] No such file or directory: '/etc/httpd/conf.d/le_http_01_challenge_pre.conf'
Odd that it is saying these files aren't there; we currently have Let's Encrypt on the site, although I have temporarily turned off the forcing of HTTPS.
Next morning update: Overnight I received an email that AutoSSL had successfully renewed the DV certificate for the site, which tells me the previous failures were probably related to the temporary IP block/filter we had installed.
Good to know. I’m putting that information out here in case others have a similar issue in the future and find this thread in a search.