The certificates are failing to renew, trying to generate and then reaching the rate limit. For example - https://wast0.co.uk. We are having to manually install them using sslforfree.
I’m not sure if this is something you can fix yourself or if you should ask your hosting provider: it’s their cPanel and their cPanel’s AutoSSL.
That said, even if you’d be able to fix this with our aid, we need a lot more information. Just stating “failing to renew” isn’t very helpful, because it lacks the information about why it fails to renew. Certainly, reaching a rate limit doesn’t help, but that doesn’t tell us anything about the primary reason renewal is failing. Does AutoSSL and/or cPanel give you any error message when it fails (not including rate limit errors…)? Does it provide an error log?
The error message generated by cPanel is, for example: An error occurred the last time AutoSSL ran, on May 5, 2020:
MASTER DCV: A rate limit prevents DCV.
The rate limit errors are the only ones that are being generated but I have an example of log files for the domain wast0.co.uk taken on 3 May. Looking at the log files I see towards the bottom there is reference to the certificate failing due to the system’s time.
ERROR LOG
Analyzing “zerowaste”’s domains …
10:09:28 PM Analyzing “wast0.co.uk” …
10:09:28 PM User-excluded domain: 1 (mail.wast0.co.uk)
ERROR TLS Status: Defective
ERROR Certificate expiry: 5/3/20, 5:24 PM UTC (0.84 days from now)
ERROR Defect: ALMOST_EXPIRED: The certificate will expire very soon.
10:09:28 PM Attempting to ensure the existence of necessary CAA records …
10:09:28 PM No CAA records were created.
10:09:28 PM Verifying 2 domains’ DNS management …
Verifying “Let’s Encrypt™”’s authorization on 2 domains via DNS CAA records …
10:09:28 PM DNS manages “wast0.co.uk”.
DNS manages “www.wast0.co.uk”.
DNS manages 2 of this user’s 2 domains.
CA authorized: “wast0.co.uk”
CA authorized: “www.wast0.co.uk”
“Let’s Encrypt™” is authorized to issue certificates for 2 of this user’s 2 domains.
10:09:28 PM Performing HTTP DCV (Domain Control Validation) on 2 domains …
10:09:28 PM Local HTTP DCV OK: wast0.co.uk
Local HTTP DCV OK: www.wast0.co.uk
10:09:28 PM No local DNS DCV is necessary.
10:09:28 PM Publishing DNS changes for local DNS DCV (10 zones) …
Querying DNS to confirm DCV changes …
ERROR “Let’s Encrypt™” general error (wast0.co.uk): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (www.wast0.co.uk): A rate limit prevents DCV.
ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
4:10:07 AM The system has completed “zerowaste”’s AutoSSL check.
10:09:58 PM Processing “zerowaste”’s local DCV results …
10:09:58 PM Analyzing “wast0.co.uk”’s DCV results …
10:09:58 PM SUCCESS Let’s Encrypt DCV for “www.wast0.co.uk” is valid until 5/4/20, 7:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: www.wast0.co.uk
SUCCESS Let’s Encrypt DCV for “wast0.co.uk” is valid until 5/4/20, 7:14 PM UTC.
SUCCESS “Let’s Encrypt™” DCV OK: wast0.co.uk
AutoSSL will request a new certificate.
10:09:58 PM The system will attempt to renew the SSL certificate for the website (wast0.co.uk: wast0.co.ukwww.wast0.co.uk).
Certificate #1: “wast0.co.uk” and “www.wast0.co.uk”
Reusing certificate order from DCV (Domain Control Validation) …
10:10:00 PM WARN An SSL/TLS certificate failed verification because the system’s time is 5/2/20, 9:10 PM, and the certificate is not valid until 5/2/20, 9:15 PM. The certificate is otherwise valid. The system’s time may be incorrect. Try either the “rdate -s rdate.cpanel.net” or “ntpclient -s -h pool.ntp.org” command to fix this problem.
WARN Certificate verification failed! CERT_NOT_YET_VALID at /usr/local/cpanel/Cpanel/SSL/Auto/Provider.pm line 999.
WARN Certificate installation error: Cpanel::Exception/(XID 8zde5f) The system failed to install an SSL certificate onto the website “wast0.co.uk” because of the following error: Certificate verification failed! CERT_NOT_YET_VALID
The system has completed “zerowaste”’s AutoSSL check. END
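A triage sketch for a log like the one above, added here as an example and not part of the original thread or of cPanel: it separates the rate-limit lines from the CERT_NOT_YET_VALID install failure and measures the gap between the system clock and the certificate's start time. The function names are hypothetical, the sample lines are excerpted from the posted log, and both timestamps in the WARN line are assumed to be in the same time zone.

```python
import re
from datetime import datetime

# Lines excerpted from the AutoSSL log posted above.
SAMPLE_LOG = """\
ERROR “Let’s Encrypt™” general error (wast0.co.uk): A rate limit prevents DCV.
ERROR “Let’s Encrypt™” general error (www.wast0.co.uk): A rate limit prevents DCV.
10:10:00 PM WARN An SSL/TLS certificate failed verification because the system’s time is 5/2/20, 9:10 PM, and the certificate is not valid until 5/2/20, 9:15 PM. The certificate is otherwise valid.
WARN Certificate verification failed! CERT_NOT_YET_VALID at /usr/local/cpanel/Cpanel/SSL/Auto/Provider.pm line 999.
"""

STAMP = r"(\d{1,2}/\d{1,2}/\d{2}, \d{1,2}:\d{2} [AP]M)"
# "." after "system" matches either a straight or a typographic apostrophe.
SKEW_RE = re.compile(
    r"system.s time is " + STAMP + r", and the certificate is not valid until " + STAMP
)
RATE_RE = re.compile(r"general error \(([^)]+)\): A rate limit prevents DCV")


def parse_stamp(text):
    """Parse the M/D/YY, H:MM AM/PM form used in the AutoSSL messages."""
    return datetime.strptime(text, "%m/%d/%y, %I:%M %p")


def triage(log_text):
    """Return rate-limited names, clock gaps in seconds, and what to check first."""
    rate_limited, gaps = [], []
    for line in log_text.splitlines():
        hit = RATE_RE.search(line)
        if hit:
            rate_limited.append(hit.group(1))
        hit = SKEW_RE.search(line)
        if hit:
            system_time, not_before = (parse_stamp(s) for s in hit.groups())
            gaps.append(int((not_before - system_time).total_seconds()))
    if gaps or "CERT_NOT_YET_VALID" in log_text:
        # A certificate was issued but rejected at install time: look here first,
        # because the rate-limit lines only say that later requests were refused.
        first_check = "system clock (CERT_NOT_YET_VALID at install)"
    elif rate_limited:
        first_check = "rate limit only; no install error in this log"
    else:
        first_check = "no known failure pattern found"
    return {"rate_limited": rate_limited, "clock_gap_seconds": gaps,
            "first_check": first_check}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```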