We are getting many many renewal failures on one of our hosts. Domains that are on the host are getting errors like this:
There is no recorded error on the system for “mail.[domain-removed].com”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
It's like Let's Encrypt cannot validate anymore. Maybe a firewall IP block.
What IPs does LE use for validation? I'd like to whitelist them in the firewall to see if that helps.
It seems a lot of people are asking this question without thinking that someone else might have asked, and searching for an answer.
And to add to what @danb35 has suggested, to assist with debugging, a great place to start is Let's Debug.
Thanks. I'll start with debug.
They all pass the Let's Debug.
Are you hitting the Rate Limits?
So it seems like LE does not make their IPs known to anyone and will not share for troubleshooting.
I guess. I'll try to clear the last week or so of firewall blocks and see how that goes.
No, they don't. They also recommend keeping port 80 open. See here. And, as an alternative to the HTTP Challenge, there is the DNS Challenge and TLS-ALPN (more here).
If you want specific help, please answer the questions below as best you can. You would have been shown this form had you posted in the Help section. I moved this thread there now.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
How do I close this topic? I've removed the last two weeks' firewall blocks and ran AutoSSL on our cPanel server. It seems to work now.
Log for the AutoSSL run for “user”: Monday, October 31, 2022 2:30:55 PM GMT-0500 (Let’s Encrypt™)
2:30:55 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “user”’s domains …
2:30:55 PM Analyzing “[domain-removed].com” (website) …
2:30:55 PM SUCCESS TLS Status: OK
Certificate expiry: 1/29/23, 11:30 AM UTC (89.67 days from now)
2:30:55 PM SUCCESS This user’s SSL coverage is already optimal.
Click the 3 dots and check mark Solution on the post that is the solution.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.