Unable to validate domains via autossl

We installed the Let’s Encrypt plugin on our cPanel and set it up as the AutoSSL a few months ago, following these instructions: https://blog.cpanel.com/announcing-cpanel-whms-official-lets-encrypt-with-autossl-plugin/

The certificates are failing to renew, trying to generate and then reaching the rate limit. For example - https://wast0.co.uk. We are having to manually install them using sslforfree.

The webserver is Linux CentOS v6

Hosting provider is UKFast

I can log in to a root shell on my machine.

Many thanks in advance.

I’m not sure if this is something you can fix yourself or that you should ask your hosting provider: it’s their cPanel and their cPanel’s AutoSSL.

That said, even if you’d be able to fix this with our aid, we need a lot more information. Just stating “failing to renew” isn’t very helpful, because it lacks the information about why it fails to renew. Certainly, reaching a rate limit doesn’t help, but that doesn’t tell us anything about the primary reason renewal is failing. Does AutoSSL and/or cPanel give you any error message when it fails (not including rate limit errors…)? Does it provide an error log?

Thanks for your reply.

The error message generated by cPanel is, for example:
An error occurred the last time AutoSSL ran, on May 5, 2020:
MASTER DCV: A rate limit prevents DCV.

The rate limit errors are the only ones that are being generated but I have an example of log files for the domain wast0.co.uk taken on 3 May. Looking at the log files I see towards the bottom there is reference to the certificate failing due to the system’s time.

Analyzing “zerowaste”’s domains …
10:09:28 PM Analyzing “wast0.co.uk” …
10:09:28 PM User-excluded domain: 1 (mail.wast0.co.uk)
ERROR TLS Status: Defective
ERROR Certificate expiry: 5/3/20, 5:24 PM UTC (0.84 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
10:09:28 PM Attempting to ensure the existence of necessary CAA records …
10:09:28 PM No CAA records were created.
10:09:28 PM Verifying 2 domains’ DNS management …
Verifying “Let’s Encrypt™”’s authorization on 2 domains via DNS CAA records …
10:09:28 PM DNS manages “wast0.co.uk”.
DNS manages “www.wast0.co.uk”.
DNS manages 2 of this user’s 2 domains.
CA authorized: “wast0.co.uk”
CA authorized: “www.wast0.co.uk”
“Let’s Encrypt™” is authorized to issue certificates for 2 of this user’s 2 domains.
10:09:28 PM Performing HTTP DCV (Domain Control Validation) on 2 domains …
10:09:28 PM Local HTTP DCV OK: wast0.co.uk
Local HTTP DCV OK: www.wast0.co.uk
10:09:28 PM No local DNS DCV is necessary.
10:09:28 PM Publishing DNS changes for local DNS DCV (10 zones) …
Querying DNS to confirm DCV changes …

ERROR “Let’s Encrypt™” general error (wast0.co.uk): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (www.wast0.co.uk): A rate limit prevents DCV.
ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
4:10:07 AM The system has completed “zerowaste”’s AutoSSL check.
10:09:58 PM Processing “zerowaste”’s local DCV results …
10:09:58 PM Analyzing “wast0.co.uk”’s DCV results …
10:09:58 PM SUCCESS Let’s Encrypt DCV for “www.wast0.co.uk” is valid until 5/4/20, 7:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: www.wast0.co.uk
SUCCESS Let’s Encrypt DCV for “wast0.co.uk” is valid until 5/4/20, 7:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: wast0.co.uk
AutoSSL will request a new certificate.
10:09:58 PM The system will attempt to renew the SSL certificate for the website (wast0.co.uk: wast0.co.uk www.wast0.co.uk).
Certificate #1: “wast0.co.uk” and “www.wast0.co.uk”
Reusing certificate order from DCV (Domain Control Validation) …
10:10:00 PM WARN An SSL/TLS certificate failed verification because the system’s time is 5/2/20, 9:10 PM, and the certificate is not valid until 5/2/20, 9:15 PM. The certificate is otherwise valid. The system’s time may be incorrect. Try either the “rdate -s rdate.cpanel.net” or “ntpclient -s -h pool.ntp.org” command to fix this problem.
WARN Certificate verification failed! CERT_NOT_YET_VALID at /usr/local/cpanel/Cpanel/SSL/Auto/Provider.pm line 999.
WARN Certificate installation error: Cpanel::Exception/(XID 8zde5f) The system failed to install an SSL certificate onto the website “wast0.co.uk” because of the following error: Certificate verification failed! CERT_NOT_YET_VALID
The system has completed “zerowaste”’s AutoSSL check.

Well, that might be something for you to check.

Indeed, your server is running behind:

osiris@erazer ~ $ curl -LvI https://wast0.co.uk 2>&1 | grep Date; date
< Date: Tue, 05 May 2020 14:13:04 GMT
Date: Tue, 05 May 2020 14:13:04 GMT
Tue  5 May 17:18:30 CEST 2020
osiris@erazer ~ $ 

CEST = UTC+2, so your server should reply 15:18 or at least very close to that. It’s more than an hour off.
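
The clock comparison from the reply above, written out as an added example that is not part of the original posts: it turns an HTTP Date header into an offset in seconds and checks whether a clock that far behind would reject a freshly issued certificate as not yet valid. The function names are hypothetical, GNU date is assumed, and the reference clock is assumed to be correct (for example NTP-synced).

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU date for "date -d".

# Convert an HTTP Date header value to Unix epoch seconds.
http_date_to_epoch() {
    date -u -d "$1" +%s
}

# clock_offset DATE_HEADER REFERENCE_EPOCH
# Prints reference minus server time in seconds; positive = server is behind.
clock_offset() {
    server_epoch=$(http_date_to_epoch "$1") || return 2
    echo $(( $2 - $server_epoch ))
}

# classify_offset OFFSET [TOLERANCE_SECONDS]  ->  ok | behind | ahead
classify_offset() {
    abs=${1#-}
    if [ "$abs" -le "${2:-60}" ]; then echo ok
    elif [ "$1" -gt 0 ]; then echo behind
    else echo ahead
    fi
}

# rejects_new_cert NOT_BEFORE_EPOCH TRUE_EPOCH OFFSET
# Succeeds when a clock OFFSET seconds behind TRUE_EPOCH is still earlier than
# the certificate's notBefore, which is the CERT_NOT_YET_VALID condition.
rejects_new_cert() {
    [ $(( $2 - $3 )) -lt "$1" ]
}

# check_host HOSTNAME: live check against this machine's clock (needs curl).
check_host() {
    hdr=$(curl -sI "https://$1" | tr -d '\r' | sed -n 's/^[Dd]ate: //p' | head -n 1)
    [ -n "$hdr" ] || { echo "no Date header from $1" >&2; return 2; }
    off=$(clock_offset "$hdr" "$(date -u +%s)") || return 2
    echo "$1 offset=${off}s status=$(classify_offset "$off")"
}

# Values from the thread: the server said 14:13:04 GMT while the observer's
# clock read 17:18:30 CEST (15:18:30 UTC, epoch 1588691910).
if [ "${1:-}" = "--thread-sample" ]; then
    clock_offset 'Tue, 05 May 2020 14:13:04 GMT' 1588691910
elif [ $# -gt 0 ]; then
    check_host "$1"
fi
```

Run it with a hostname for a live check, or with `--thread-sample` to reproduce the offset from the curl output quoted above.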

Thank you. We’ll see if this might be the cause.
