There is no recorded error on the system

We are getting many many renewal failures on one of our hosts. Domains that are on the host are getting errors like this:

There is no recorded error on the system for “mail.[domain-removed].com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

It's like let's encrypt cannot validate anymore. Maybe a firewall IP Block.

What IP's does LE use for validation? I'd like to white list them in the firewall to see if that helps.

1 Like

It seems a lot of people are asking this question without thinking that someone else might have asked, and searching for an answer.


And to add to what @danb35 has suggested, to assist with debugging there is a great place to start is Let's Debug.


Thanks. I'll start with debug.


They all pass the Let's Debug .

1 Like

Are you hitting the Rate Limits?


So it seems like LE does not make their IP's know to anyone and will not share for troubleshooting.

I guess. I'll try to clear the the last week or so of firewall blocks and see how that goes.

1 Like

Let's Encrypt uses Multi-Perspective Validation Improves Domain Validation Security - Let's Encrypt


No, they don't. They also recommend keeping port 80 open. See here. And, as alternative to HTTP Challenge there is DNS Challenge and TLS-ALPN (more here)

If you want specific help please answer questions below as best you can. You would have been shown this form had you posted in the Help section. I moved this thread there now


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


How do I close this topic. I've remove the last two weeks firewall blocks and ran autoSSL on our cPanel server. It seems to work now.

Log for the AutoSSL run for “user”: Monday, October 31, 2022 2:30:55 PM GMT-0500 (Let’s Encrypt™)

2:30:55 PM AutoSSL’s configured provider is “Let’s Encrypt™”.

Analyzing “user”’s domains …

2:30:55 PM Analyzing “[domain-removed].com” (website) …

2:30:55 PM SUCCESS TLS Status: OK

Certificate expiry: 1/29/23, 11:30 AM UTC (89.67 days from now)

2:30:55 PM SUCCESS This user’s SSL coverage is already optimal.

1 Like

Click the 3 dots
and check mark Solution on the post that is the solution.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.