Who is getting our renewal emails from Let's Encrypt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ernestjohnsonantiques.com

I ran this command: ernestjohnsonantiques.com

It produced this output: NET:ERR_CERT_DATE_INVALID

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: bellhosting.ca

I can login to a root shell on my machine (yes or no, or I don't know): don't know

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

How did you get this certificate? What procedure did you follow?

5 Likes

Hello, the owner of the website does not know how the certificate was obtained or when. I have been helping him with his website for the past couple of years and this is a new problem we haven't encountered before.

I can determine that Let's Encrypt renewed the certificate back in June of this year, but it has now expired. We need to get it renewed to get his website back up and operational. I don't have enough of a technical background to easily figure this out. Any help would be appreciated. I am hoping Let's Encrypt can tell me who the renewal emails are sent to.

Dane

If I were inclined to guess, I'd say your hosting service provider messed up. Do you see anything at all related to certificates in their control panels?

4 Likes

This domain is hosted at wix

You should contact them for help. They set up and manage the certs.

4 Likes

This domain is hosted by Bell Hosting here in Canada. In talking with their technical support, they tell me I should be able to contact Let's Encrypt and simply ask to have the security certificate renewed.

Is there an easy means of making this happen?

Thank you very much for your help. I'm out of my depth on this subject.

Dane

1 Like

I do not believe that is the present case; see https://sitereport.netcraft.com/?url=http%3A%2F%2Fernestjohnsonantiques.com

1 Like

Thank you for that information. If I run WHOIS on ernestjohnsonantiques.com I get the following:

Raw Whois Data
Domain Name: ERNESTJOHNSONANTIQUES.COM
Registry Domain ID: 26434651_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.web.com
Registrar URL: http://www.namesecure.com
Updated Date: 2023-04-05T08:02:46Z
Creation Date: 2000-05-05T16:49:47Z
Registry Expiry Date: 2024-05-05T16:49:47Z
Registrar: NameSecure L.L.C.
Registrar IANA ID: 30
Registrar Abuse Contact Email: email@web.com
Registrar Abuse Contact Phone: +1.8003337680
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.BELLHOSTING.COM
Name Server: NS2.BELLHOSTING.COM
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: Submitting a Complaint to ICANN Contractual Compliance - ICANN

Please note the nameserver information points to Bell Hosting.

I am at a loss as to why NS1.MEGANAMESERVERS.COM shows up on the Netcraft report as the nameserver. Any thoughts?

Interesting. Using this online tool, https://unboundtest.com/, produces these results: https://unboundtest.com/m/CAA/ernestjohnsonantiques.com/PS7OTOHZ
This is basically how Let's Encrypt does its DNS lookup.

Query results for CAA ernestjohnsonantiques.com

Response:
;; opcode: QUERY, status: NOERROR, id: 54723
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version 0; flags: do; udp: 512

;; QUESTION SECTION:
;ernestjohnsonantiques.com.	IN	 CAA

;; AUTHORITY SECTION:
ernestjohnsonantiques.com.	0	IN	SOA	ns1.meganameservers.com. postmaster.meganameservers.com. 2023091707 86400 86400 3600000 86400

----- Unbound logs -----
Sep 18 20:14:44 unbound[1395089:0] notice: init module 0: validator
Sep 18 20:14:44 unbound[1395089:0] notice: init module 1: iterator
Sep 18 20:14:44 unbound[1395089:0] info: start of service (unbound 1.16.3).
Sep 18 20:14:45 unbound[1395089:0] info: 127.0.0.1 ernestjohnsonantiques.com. CAA IN
Sep 18 20:14:45 unbound[1395089:0] info: resolving ernestjohnsonantiques.com. CAA IN
Sep 18 20:14:45 unbound[1395089:0] info: priming . IN NS
Sep 18 20:14:45 unbound[1395089:0] info: response for . NS IN

Yet using ICANN Lookup I see the same results you stated.

2 Likes

Well, using the name server NS1.BELLHOSTING.COM says the SOA and NS are ns1.meganameservers.com, ns2.meganameservers.com, and ns3.meganameservers.com:

$ nslookup ernestjohnsonantiques.com NS1.BELLHOSTING.COM
Server:         NS1.BELLHOSTING.COM
Address:        69.156.240.252#53

Name:   ernestjohnsonantiques.com
Address: 23.236.62.147
$ nslookup -q=soa ernestjohnsonantiques.com NS1.BELLHOSTING.COM
Server:         NS1.BELLHOSTING.COM
Address:        69.156.240.252#53

ernestjohnsonantiques.com
        origin = ns1.meganameservers.com
        mail addr = postmaster.meganameservers.com
        serial = 2023091707
        refresh = 86400
        retry = 86400
        expire = 3600000
        minimum = 86400
$ nslookup -q=ns ernestjohnsonantiques.com NS1.BELLHOSTING.COM
Server:         NS1.BELLHOSTING.COM
Address:        69.156.240.252#53

ernestjohnsonantiques.com       nameserver = ns1.meganameservers.com.
ernestjohnsonantiques.com       nameserver = ns2.meganameservers.com.
ernestjohnsonantiques.com       nameserver = ns3.meganameservers.com.
2 Likes

Your DNS is hosted there, but your website is a WIX-based site.

Bell Canada's tech support is completely wrong that Let's Encrypt can renew certs for you. An ACME Client program must request a cert from the Let's Encrypt Server. In this case I am very confident that request is handled on wix. In any case, it is not something LE can do without being asked by an ACME client by the website operator.

Do you know how wix got involved? Do you have an account there, or was there some other reseller involved?

Why do I say wix is the proper contact? Because:

This request shows your website's responses:
curl -Ik https://www.ernestjohnsonantiques.com

Note the various response headers naming "wix".
But most indicative is "Server: Pepyaka", which is the proprietary WIX server.

HTTP/2 200
date: Mon, 18 Sep 2023 20:36:05 GMT
link: <https://static.parastorage.com/>; ... <https://static.wixstatic.com/>; 
x-wix-request-id: 1695069365.716771614727812418
server: Pepyaka/1.19.10
5 Likes

And to add further weight to what @MikeMcQ said about WIX; use your web browser with 147.62.236.23.bc.googleusercontent.com

$ nslookup www.ernestjohnsonantiques.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   www.ernestjohnsonantiques.com
Address: 23.236.62.147
$ nslookup 147.62.236.23.bc.googleusercontent.com
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   147.62.236.23.bc.googleusercontent.com
Address: 23.236.62.147
3 Likes
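As an added example (not code from the thread, from Let's Encrypt or from any of the providers named), here is a small Python script that reproduces the three checks the posts above made by hand: comparing the registrar's NS records against the zone's SOA primary, fingerprinting the web host from `curl -I` headers, and confirming that the reverse-DNS name maps back to the A record. The sample inputs are transcribed from the lookups quoted above; the Wix header fingerprint and the two-label "operator domain" rule are assumptions of this example.

```python
import re
# Constructed sample inputs, transcribed from the lookups quoted in this thread.
WHOIS_NS = ["NS1.BELLHOSTING.COM", "NS2.BELLHOSTING.COM"]
SOA_LINE = ("ernestjohnsonantiques.com. 0 IN SOA ns1.meganameservers.com. "
            "postmaster.meganameservers.com. 2023091707 86400 86400 3600000 86400")
CURL_HEAD = ("HTTP/2 200\ndate: Mon, 18 Sep 2023 20:36:05 GMT\n"
             "x-wix-request-id: 1695069365.716771614727812418\nserver: Pepyaka/1.19.10\n")
PTR_NAME, A_RECORD = "147.62.236.23.bc.googleusercontent.com", "23.236.62.147"

def base_domain(host, levels=2):
    """Operator-level name (assumed two labels): ns1.meganameservers.com. -> meganameservers.com"""
    return ".".join(host.lower().rstrip(".").split(".")[-levels:])

def parse_soa(line):
    """(mname, rname, serial) from a dig/nslookup-style SOA answer line."""
    mname, rname, serial = line.split()[line.split().index("SOA") + 1:][:3]
    return mname.rstrip("."), rname.rstrip("."), int(serial)

def delegation_mismatch(whois_ns, soa_line):
    """True when the SOA primary is run by a different operator than the registered NS set."""
    mname, _, _ = parse_soa(soa_line)
    return base_domain(mname) not in {base_domain(ns) for ns in whois_ns}

# Assumed header fingerprints: every (header, regex) pair listed for a provider must match.
FINGERPRINTS = {"wix": [("server", r"^pepyaka"), ("x-wix-request-id", r"\S")]}

def parse_headers(raw):
    """Lower-cased header dict from `curl -I` output; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def identify_host(raw):
    hdrs = parse_headers(raw)
    for provider, rules in FINGERPRINTS.items():
        if all(re.search(pat, hdrs.get(h, ""), re.I) for h, pat in rules):
            return provider
    return "unknown"

def ip_from_ptr_name(name):
    """Google-style reverse names embed the octets reversed: 147.62.236.23.bc... -> 23.236.62.147"""
    return ".".join(reversed(name.split(".")[:4]))

def diagnose():
    return {"dns_split": delegation_mismatch(WHOIS_NS, SOA_LINE), "web_host": identify_host(CURL_HEAD),
            "ptr_matches_a": ip_from_ptr_name(PTR_NAME) == A_RECORD}
```

Run `diagnose()` to get all three signals at once; a `dns_split` of True with a `web_host` other than the DNS provider is exactly the situation this thread untangled, where the party that issues and renews the certificate is the web host, not the DNS host or the CA.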

It appears that Bell Hosting uses meganameservers.com as a nameserver provider (as do many other registrars/hosts). Bizarrely, this service's homepage doesn't seem to functionally support TLS/SSL. 🤨

http://www.meganameservers.com/

When I try to connect to here:

https://www.meganameservers.com/

I get this:

5 Likes

Note the footer:

© meganameservers.com 1999-2003

7 Likes

So @daneharris, just to clarify, the domain DNS is hosted with bellhosting.ca via meganameservers, but that's beside the point really.

The site is 100% hosted on WIX. If the client is not currently paying for wix, that would suggest the reason their cert wasn't renewed was because they didn't pay for wix hosting. It's confusing, but it's not a debate - that's just what the site is and how it works.

Wix does offer a free plan apparently, but not with a custom domain. https://www.wix.com/premium-purchase-plan/dynamo

4 Likes

Thank you Griffin for this information. I will take this up with Bell Hosting.

I have had a lot of help from people at Let's Encrypt and am now working with WIX to get this problem resolved.

Take care, Dane

5 Likes

Thank you for your help Christopher. I have now successfully corrected the problem using Wix Technical Support.

4 Likes

Thank you Mike. I have successfully corrected the problem with help from Wix Technical Support. I really appreciate the many helpful responses from the Let's Encrypt community.

4 Likes