Unexpected renewal failures since April 2024? Please read this!

A noticeable number of Let's Encrypt users who previously had many successful certificate renewals have been having renewal difficulties since April 2024. Many of these have been attributable to a recent change on the Let's Encrypt side.

If your Let's Encrypt client application shows you a specific error from the certificate authority (which it may or may not do), an error message that mentions "secondary validation" is highly likely to be a symptom of this problem.

At the end of March 2024, Let's Encrypt enabled new remote perspectives for domain validation. These are servers in different parts of the world that connect to your site to help confirm that you own domain names for which you are requesting a certificate.

Let's Encrypt is required to check that you really own these domain names before giving you a publicly-trusted certificate that confirms your ownership of them. Checking that from more places around the Internet (as Let's Encrypt has done since 2020) helps make this verification process more secure, including making it less likely that someone else could maliciously pretend to be your site by manipulating Internet infrastructure. Let's Encrypt's documentation has mentioned since 2015 that this verification can be attempted from anywhere on the Internet.

However, some people may have firewalls that, for example, only allow incoming connections from certain countries ("geoblocking"). Some sites that do this are now encountering validation problems during certificate renewal because Let's Encrypt is performing the verification from two new countries. When those connections are blocked, Let's Encrypt can't get the verification that it needs in order to confirm that a requested certificate can be issued according to its policies.

If you have this problem, please check around on the forum, as there may be several existing forum threads that are relevant to your situation. In many cases, you may be encouraged to disable geoblocking permanently or during the brief periods of time when your Let's Encrypt client application attempts a certificate renewal. Some threads also offer advice on switching to the DNS-01 challenge method (which does not perform any connections directly to your web server), if your setup allows you to automate that.

Let's Encrypt has consistently said that it will not announce which IP addresses may perform these checks and that these addresses may change over time, without prior notice, including adding checks from new sources in different parts of the Internet. If you choose to make changes that are specific to the two new countries from which validation is now being performed (Sweden and Singapore), you may encounter exactly the same problem in the future when validation perspectives in still other countries are added.

More documentation may appear soon to provide further tips on switching to the DNS-01 method (for those who are unable to permit incoming connections from the whole world).

See also Let's Encrypt's documentation repository:

and the "API Announcements" category on the forum, where important technical and policy changes related to Let's Encrypt's services are announced:

If you do have questions that are specific to your situation (please, not "what IP addresses does Let's Encrypt validate from?"), please feel free to open your own topic in the Help category here on the forum!

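The post says that an error mentioning "secondary validation" is the tell-tale sign of a remote perspective being blocked. The following triage script is an added example, not code from this post, from Let's Encrypt or from any ACME client. It takes an ACME authorization object (RFC 8555 layout, as returned by the CA when a challenge fails), finds the failed challenges, and flags the ones whose problem-document `detail` carries the "During secondary validation:" prefix that Let's Encrypt's Boulder software uses when its own check succeeded but a remote perspective could not connect. The authorization object embedded below is constructed for illustration; `example.com`, the `203.0.113.10` address and the challenge URLs are placeholders.

```python
"""Triage an ACME authorization object for 'secondary validation' failures.

Added example, not code from the Let's Encrypt forum post or from any
Let's Encrypt client. Assumptions: the RFC 8555 authorization/challenge
object layout, Boulder's validationRecord fields ("addressUsed",
"addressesResolved"), and Boulder's habit of prefixing remote-perspective
failures with "During secondary validation:" in the error "detail".
"""
import json

SECONDARY_MARKER = "secondary validation"

# Constructed sample: an http-01 challenge that the CA's own check reached but
# that a remote perspective could not connect to (the geoblocking symptom).
SAMPLE_AUTHZ_JSON = json.dumps({
    "identifier": {"type": "dns", "value": "example.com"},
    "status": "invalid",
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1/abc",
            "token": "tok",
            "error": {
                "type": "urn:ietf:params:acme:error:connection",
                "detail": "During secondary validation: 203.0.113.10: "
                          "Fetching http://example.com/.well-known/acme-challenge/tok: "
                          "Timeout during connect (likely firewall problem)",
                "status": 400,
            },
            "validationRecord": [
                {"url": "http://example.com/.well-known/acme-challenge/tok",
                 "hostname": "example.com", "port": "80",
                 "addressesResolved": ["203.0.113.10"],
                 "addressUsed": "203.0.113.10"},
            ],
        },
        {"type": "dns-01", "status": "pending",
         "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/1/def",
         "token": "tok"},
    ],
})


def failed_challenges(authz):
    """Return the challenges in an authorization that ended in 'invalid'."""
    return [c for c in authz.get("challenges", []) if c.get("status") == "invalid"]


def is_secondary_validation_failure(challenge):
    """True when the CA reports that a remote perspective, not its own check, failed.

    Assumption: the error detail contains 'secondary validation' (any case)
    exactly in that situation.
    """
    detail = (challenge.get("error") or {}).get("detail", "")
    return SECONDARY_MARKER in detail.lower()


def triage(authz):
    """Summarize a failed authorization and suggest what to check.

    Returns the identifier, the failed challenge types, whether the failure
    came from a remote perspective, the addresses the CA actually connected
    to, and a one-line recommendation matching the post's advice.
    """
    ident = authz.get("identifier", {}).get("value")
    failed = failed_challenges(authz)
    secondary = [c for c in failed if is_secondary_validation_failure(c)]
    addresses = sorted({
        rec.get("addressUsed")
        for c in failed
        for rec in c.get("validationRecord", [])
        if rec.get("addressUsed")
    })
    if secondary:
        advice = ("A remote validation perspective could not reach the host: "
                  "check geoblocking / per-country firewall rules in front of "
                  "the listed address(es), or switch to dns-01.")
    elif failed:
        advice = "Validation failed before the secondary checks; read the error detail."
    else:
        advice = "No failed challenge in this authorization."
    return {
        "identifier": ident,
        "failed_types": [c.get("type") for c in failed],
        "secondary_validation": bool(secondary),
        "addresses_used": addresses,
        "advice": advice,
    }


def triage_json(text):
    """Triage a serialized (JSON text) authorization object."""
    return triage(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(triage_json(SAMPLE_AUTHZ_JSON), indent=2))
```

Feed it the authorization object your client logs (Certbot prints the `detail` text; `acme.sh` with `--debug` prints the whole object) rather than the sample, and note that a challenge whose detail lacks the "secondary validation" phrase failed at the CA's own check, so a geoblocking rule is not the first thing to look at in that case.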