Wildcard SSL for subdomains expired after 3 months

I purchased a wildcard SSL for subdomains that are automatically generated upon the upload of contact data for prospective clients. They are called PURLs (Personal URLs). I have about 40,000 subdomains now and am adding 6K per week. From June 4th to September 4th the wildcard SSL was doing its job and there were no privacy errors. The wildcard SSL expired on 9/4/2019, which surprised me because I purchased it for 2 years. I also got error messages from my server saying “It seems that you are using dns manual mode.” and “Error renew” and then the domain name, leading up to the expiration. When I clicked on the privacy error, it said it was from Let's Encrypt and that the SSL certificate had expired.

I am just trying to figure out how to fix this, who do I need to pay and how much. Either I got ripped off on the 2 year deal that was only really for 3 months, or I need to renew every 3 months and just don’t know how. Incidentally, this domain has an active SSL on the main domain that autorenews using ‘AutoSSL’, however I was told that wildcard SSLs don’t work with the ‘AutoSSL’ renew feature, which may be why all of the subdomains (the part that I need) are returning privacy errors.

The damage is irreversible. There is marketing out there that has the subdomains printed on it, and when a prospective client visits the subdomain, they get a privacy error, which causes most people to not go any further.

1 Like

Where did you purchase the wildcard certificate from?

Let's Encrypt certificates only ever have a 90 day duration. The idea is that they automatically renew every 60-90 days, by use of a piece of software called an ACME client.

It seems odd that somebody would have sold you a Let's Encrypt certificate with a fixed term like 2 years.

This error comes from a (free) ACME client called "acme.sh" (https://github.com/acmesh-official/acme.sh). The error means that you set up acme.sh in such a way that does not support automated renewal.

I think we need some details about what your setup is, because your story has too many gaps at the moment to form a coherent picture. Could you please answer the following questions:


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

1 Like

Hi and thanks for the response.

I bought the cert from ssl2buy.com. I paid $84 for 2 years. It was purchased at the direction of a developer from upwork.com. After a while he stopped responding. SSL2Buy.com also hasn’t responded.

That neilpang/acme.sh was also in the error message:

[Mon Sep 9 00:53:01 EDT 2019] It seems that you are using dns manual mode. Read this link first: https://github.com/Neilpang/acme.sh/wiki/dns-manual-mode
[Mon Sep 9 00:53:01 EDT 2019] Error renew hopecredit.us.

My domain is: hopecredit.us

I ran this command: I didn’t run any commands, it just expired

It produced this output: N/A

My web server is (include version): Apache 2.4.41

The operating system my web server runs on is (include version): Linux - architecture: x86_64 kernel version: 3.10.0-957.27.2.el7.x86_64

My hosting provider, if applicable, is: liquidweb.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): CPanel 82.0 (build 14)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot and certbot-auto were both command not found

1 Like

Hi, thanks for the reply.
I replied back but it says Akismet has temporarily hidden the post.

1 Like

That makes things a little more clear, but something is still confusing.

What domain name is your AlphaSSL certificate from SSL2BUY for? I get the feeling that it wasn’t for *.hopecredit.us, but for another domain name.

Could you clarify?

1 Like

It does seem possible you’ve been as you say “ripped off”. AlphaSSL is a commercial provider and would issue certificates for two years, but the invoice you’ve shown us doesn’t say which names the certificate is for and I can confirm by inspecting the public Certificate Transparency logs that AlphaSSL did not issue a certificate for *.hopecredit.us.

Instead, a free certificate from Let’s Encrypt was obtained for *.hopecredit.us. If you paid somebody $84 for a certificate for *.hopecredit.us then I think somebody has your $84 (or a certificate) and you’ve got something free instead. Let’s Encrypt is a service from a not-for-profit which creates certificates valid only for 90 days, to encourage people to use software that automatically renews certificates rather than doing everything manually. Since automatic systems don’t have wallets the service is also offered at no cost to the user.

There are two things you may want to do from here, and I suspect volunteers on this community site can help you most with A and not B.

A: You need to get *.hopecredit.us working again with a new certificate. Volunteers here can help you use Let’s Encrypt to do this for no dollar cost, if you have at least a little bit of technical knowledge and control over that hopecredit.us domain name. Alternatively you can (as you tried to do originally) buy a certificate from a commercial provider like AlphaSSL, but this time make extra sure nobody rips you off!

B: You can try to understand what happened to the $84 you thought you spent on *.hopecredit.us. Maybe there was a misunderstanding and it was actually spent on something else? Or perhaps somebody deliberately misled you in order to have you pay for a certificate they actually used on another project. In some cases your financial institution may be able to “claw back” the money if you were lied to.

2 Likes

So aside from the question of who ripped you off, there’s a bit of a problem here: a wildcard cert from Let’s Encrypt requires the use of DNS validation, you’re using liquidweb.com for your DNS hosting, and acme.sh doesn’t support automatic updates to DNS records on liquidweb.com.

In the short term, you can probably get the cert renewed by running acme.sh --cron. This will require you to manually update two DNS TXT records, and then it will issue a new cert, good for another 90 days (if it doesn’t work as is, post the complete output and we can help you figure it out). That will give you time to figure out and implement a longer-term solution.

In the longer term, I can think of two solutions:

  • Move your DNS hosting to a provider that supports automated updates. Cloudflare is pretty popular, is free for DNS hosting, and works well. This doesn’t involve moving any of your content.
  • Keep your DNS hosting where it is, and use acme-dns to provide DNS records only for the purpose of validation.
1 Like

Ok, a little more info: SSL2Buy replied, and here is a screenshot of the order being associated with *.hopecredit.us

And here is SSL2Buy.com’s reply. I had to copy and paste because new users are only allowed to post 1 picture in a reply:

> SSL2BUY Support
> 9/9/2019 3:30:45 AM
>
> Hello Carter,
>
> Thank you for contacting us.
>
> I would like to inform you that your order#2567740 is in phishing check and it is not yet issued. As it is in phishing check, the Globalsign team would require further investigation of your order.
>
> Normally, phishing check is required due to a keyword in the domain name or a domain that has been reported to the Anti-Phishing Workgroup as a potential phishing site.
>
> The Globalsign vetting team has sent you an email regarding the update at email address "d.singh@cynux.com". You will need to provide a registered phone number, as currently the domain is in phishing check.
>
> I would request you to please check your email address and respond to their email with the necessary details. Once your order has been removed from phishing check, your certificate will be issued.
>
> Please feel free to contact us for the same or any other query.
>
> Many Thanks
> Crystal A
> SSL Support Team

So I can respond to Globalsign with a phone bill or whatever else they need, but I’m not sure if it’s necessary to go that route. Would it be better just to start processes A & B referred to earlier in this thread? I have total control over the server that hopecredit.us is hosted on, it’s not shared and I have root.

1 Like

Hi @carterdavis1

Then renew your Let's Encrypt wildcard certificate and cancel that order.

Maybe manually for now; that should always work. Then you have 60 to 85 days to find an automated solution.

Check

you need DNS validation.

1 Like

While this is true at face value, Liquidweb just uses normal cPanel APIs for DNS management.

This means you can create a simple shell script:

~/.acme.sh/dnsapi/dns_cpaneldns.sh:

#!/usr/bin/env sh
# acme.sh sources this file and calls dns_cpaneldns_add "<fulldomain>" "<txtvalue>"
# before each DNS-01 validation: $1 is the challenge name (here always
# _acme-challenge.hopecredit.us) and $2 is the token to publish. The zone is
# hardcoded to hopecredit.us, so this hook is specific to that domain.

dns_cpaneldns_add() {
  cpapi2 ZoneEdit add_zone_record domain=hopecredit.us name=_acme-challenge type=TXT txtdata="$2" ttl=1
}

# Called after validation with the same arguments to clean up. Left as a no-op,
# so validation TXT records accumulate in the zone until removed by hand.
dns_cpaneldns_rm() {
  echo
}

And use it:

chmod +x ~/.acme.sh/dnsapi/dns_cpaneldns.sh
acme.sh --issue -d "hopecredit.us" -d "*.hopecredit.us" --dns dns_cpaneldns
acme.sh --deploy -d hopecredit.us --deploy-hook cpanel_uapi

and it should just work, in a way that supports automatic renewal. At least, I tested it on my dev cPanel server and it works okay.

1 Like
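The hook above works for exactly one zone and never removes the records it adds. The following is an added example, not code from acme.sh or from the poster above, that generalises it: it derives the zone from the challenge name acme.sh passes in, and the rm function looks the record up by name, type and value and deletes it. It also addresses danb35's earlier point that the two TXT records (one for the apex name, one for the wildcard) must both be published under _acme-challenge.hopecredit.us before renewal. The file name dns_cpanelzone.sh and the function prefix are assumptions; ZoneEdit fetchzone_records and remove_zone_record are cPanel API 2 calls as documented for that version of cPanel, and their parameter names should be checked against your own cPanel release.

```shell
#!/usr/bin/env sh
# Added example (not acme.sh's own code, not the poster's): a cPanel ZoneEdit hook
# for acme.sh, saved as ~/.acme.sh/dnsapi/dns_cpanelzone.sh (hypothetical name).
# acme.sh sources this file and calls
#   dns_cpanelzone_add "<fulldomain>" "<txtvalue>"   before each DNS-01 validation
#   dns_cpanelzone_rm  "<fulldomain>" "<txtvalue>"   after validation
# where <fulldomain> is e.g. _acme-challenge.hopecredit.us.

# Derive the cPanel zone from the challenge name by dropping its first label.
# Assumption: the zone sits directly below _acme-challenge (true for
# _acme-challenge.hopecredit.us); a challenge on a deeper name such as
# _acme-challenge.sub.example.com would need a zone lookup instead.
_cpanelzone_zone() {
  printf '%s\n' "$1" | sed 's/^[^.]*\.//'
}

dns_cpanelzone_add() {
  fulldomain=$1
  txtvalue=$2
  zone=$(_cpanelzone_zone "$fulldomain")
  # A trailing dot makes the record name absolute, so cPanel does not append the zone again.
  cpapi2 ZoneEdit add_zone_record domain="$zone" name="$fulldomain." type=TXT txtdata="$txtvalue" ttl=1
}

dns_cpanelzone_rm() {
  fulldomain=$1
  txtvalue=$2
  zone=$(_cpanelzone_zone "$fulldomain")
  # cPanel removes records by zone-file line number, so fetch the matching record
  # (filtered by name, type and value) and read its "line:" field from the output.
  line=$(cpapi2 ZoneEdit fetchzone_records domain="$zone" name="$fulldomain." type=TXT txtdata="$txtvalue" \
    | sed -n 's/^[[:space:]]*line:[[:space:]]*//p' | head -n 1)
  if [ -z "$line" ]; then
    # Nothing to remove (already cleaned up); do not fail the renewal over it.
    printf 'dns_cpanelzone_rm: no TXT record %s found in zone %s\n' "$fulldomain" "$zone" >&2
    return 0
  fi
  cpapi2 ZoneEdit remove_zone_record domain="$zone" line="$line"
}
```

Issue with it the same way as in the post, substituting the hook name: acme.sh --issue -d hopecredit.us -d '*.hopecredit.us' --dns dns_cpanelzone. Both names on the certificate map to the single challenge name _acme-challenge.hopecredit.us, so acme.sh calls the add function twice with different values; filtering the removal by txtdata is what lets each call delete only its own record.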

Ok, I’m going to start with the manual cert renewal from letsencrypt and will post to this thread if I run into any issues or to confirm success. It sounds like that will solve the immediate problem and then I can move on to an automated update solution. Thanks for the direction, I should be able to attempt this in a few hours.

2 Likes

Ah, better yet. So whoever did this was not only dishonest, but also incompetent.

1 Like

The instructions to renew that were provided by Juergen Auer worked, and now the SSL is current.
Here was the output:

[Mon Sep  9 16:06:35 EDT 2019] Renew: 'hopecredit.us'
[Mon Sep  9 16:06:35 EDT 2019] Multi domain='DNS:hopecredit.us,DNS:*.hopecredit.us'
[Mon Sep  9 16:06:35 EDT 2019] Getting domain auth token for each domain
[Mon Sep  9 16:06:37 EDT 2019] Getting webroot for domain='hopecredit.us'
[Mon Sep  9 16:06:37 EDT 2019] Getting webroot for domain='*.hopecredit.us'
[Mon Sep  9 16:06:37 EDT 2019] Add the following TXT record:
[Mon Sep  9 16:06:37 EDT 2019] Domain: '_acme-challenge.hopecredit.us'
[Mon Sep  9 16:06:37 EDT 2019] TXT value: 'RfLDNc0gBAKQ2DhBCOTTLcf27RkNHzMeptxAxupiu1M'
[Mon Sep  9 16:06:37 EDT 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Sep  9 16:06:37 EDT 2019] so the resulting subdomain will be: _acme-challenge.hopecredit.us
[Mon Sep  9 16:06:37 EDT 2019] Add the following TXT record:
[Mon Sep  9 16:06:37 EDT 2019] Domain: '_acme-challenge.hopecredit.us'
[Mon Sep  9 16:06:37 EDT 2019] TXT value: 'RxZimlJYyQL3daZXALqbuag82lhJfm4knmJ7Wa7iRIw'
[Mon Sep  9 16:06:37 EDT 2019] Please be aware that you prepend _acme-challenge. before your domain
[Mon Sep  9 16:06:37 EDT 2019] so the resulting subdomain will be: _acme-challenge.hopecredit.us
[Mon Sep  9 16:06:37 EDT 2019] Please add the TXT records to the domains, and re-run with --renew.
[Mon Sep  9 16:06:37 EDT 2019] Please add '--debug' or '--log' to check more details.
[Mon Sep  9 16:06:37 EDT 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Sep  9 16:06:37 EDT 2019] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

Then the output showed success when I used the --renew command:

[root@host ~]# acme.sh --renew -d hopecredit.us \
> --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Mon Sep  9 16:26:06 EDT 2019] Renew: 'hopecredit.us'
[Mon Sep  9 16:26:06 EDT 2019] Multi domain='DNS:hopecredit.us,DNS:*.hopecredit.us'
[Mon Sep  9 16:26:06 EDT 2019] Getting domain auth token for each domain
[Mon Sep  9 16:26:07 EDT 2019] Verifying: hopecredit.us
[Mon Sep  9 16:26:09 EDT 2019] Success
[Mon Sep  9 16:26:09 EDT 2019] Verifying: *.hopecredit.us
[Mon Sep  9 16:26:12 EDT 2019] Success
[Mon Sep  9 16:26:12 EDT 2019] Verify finished, start to sign.
[Mon Sep  9 16:26:12 EDT 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58696193/1055892507
[Mon Sep  9 16:26:13 EDT 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/0321673cdff3ff9e1fcfeb42102450bdbdb5
[Mon Sep  9 16:26:13 EDT 2019] Cert success.
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
[Mon Sep  9 16:26:13 EDT 2019] Your cert is in  /root/.acme.sh/hopecredit.us/hopecredit.us.cer
[Mon Sep  9 16:26:13 EDT 2019] Your cert key is in  /root/.acme.sh/hopecredit.us/hopecredit.us.key
[Mon Sep  9 16:26:13 EDT 2019] The intermediate CA cert is in  /root/.acme.sh/hopecredit.us/ca.cer
[Mon Sep  9 16:26:13 EDT 2019] And the full chain certs is there:  /root/.acme.sh/hopecredit.us/fullchain.cer
[Mon Sep  9 16:26:14 EDT 2019] It seems that you are using dns manual mode. please take care: The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.
[Mon Sep  9 16:26:14 EDT 2019] Call hook error.

Then we had to restart Apache and also change the location where Apache was looking for the cert, by using the WHM tool "Install an SSL Certificate on a Domain". After that, it worked.

So now I am good for 90 days and am going to implement the solution from danb35 to have it automatically renew.

I realize what happened now with the original 2 year cert. It ran into validation issues because they wanted me to send in a phone bill. The developer that I hired used Let's Encrypt because he knew it was free and didn't require the documentation delay. He got the SSL to work, got paid, and then vanished without telling me that the 2 year cert still needed documentation.

2 Likes

So… there’s a lot of threads here where a “developer” or “tech dude” hoses their clients somehow. (I'm not linking to them all.) They have no conscience… They take their money… and walk.

We are stuck aren’t we?.. It’s not right. And even some new threads here are asking “why should i use letsencrypt” when i can pay for a fancy cert that makes no difference but makes my “tech” happy? … It is because the “developers and techs” are relying on the upstream support to do it for them. They don’t have to know. I understand. I was there.

And the upstream providers are advertising that customers have 24/7 SUPPORT! So “spend the money” and you can encrypt your site. What a joke.

“The proof is in the pudding”. (So to speak) If you look at your own thread, you will see this community has come to your defense and helped you… INSTANTLY! This is the way it should be. And it is.

@_az has removed his reply, but I’ll bet it was more pointed than mine. I would tell my developer to stick to whatever he does well and leave the rest alone. (OR TAKE A HIKE) This community is here to help you as they have helped me… and thousands of others in our shoes.

No commercial organization would provide us the in-depth support that we get here. So the support argument is moot. It’s not about the money. It’s about securing the web.

You “have root”. Use it! And you have a certificate also… use it too!
I’m guessing there’s likely 3 or 4 Engineers here working their hearts out to accomplish a humongous task. Think about that. It is unbelievable.

Stick with us.

Welcome to the community!

Rip

2 Likes

[rant mode on]

I looked up “free vs non-free ssl certificates” and found an awful lot of articles, authored by various certificate vendors, that were rather obviously self-serving. They all made some rather nebulous claims about “support”, “EV” certificates, “search engine rankings”, and a raft of other stuff. Almost every article also admitted that the actual encryption was no better, or worse, for a “paid certificate”. They got that part right.

I also noticed that many of the commercial certificate vendors are offering certificates at much more competitive prices than were being offered only a couple of years ago.

Unless you are representing a true enterprise network entity, I respectfully suggest that most of the articles are just blowing smoke.

If you are willing to accept the technical challenge of dealing with automatic renewal (it really isn’t a terrible burden!) and can accept the comparatively few limitations of a domain validated certificate, you should be happy enough with the LE arrangement.

The only really valid argument I have been able to find is that the LE system does represent a “single point of failure” for what is now a rather large segment of the Internet. If something catastrophic happened to LE, sufficient to put them out of business, a lot of us would have to do some fast scrambling.

That being said, the LE folks have obviously thought about it, and the service that LE has promulgated is beyond value. The support community represented by this forum is remarkable, and at least as effective as most commercial support. If you are an enterprise, with a staff of network engineers at your beck and call, then you can afford to tell some new kid to just deal with the dang certificate. The rest of us need such a forum as this.

For most of us, the learning curve is not as steep as having to deal with a remote company via telephone! (Heck, have YOU tried to call the phone company lately ?)

Sorry - I second Rip’s point. My post is too long.
[rant mode off]

1 Like

Happy to read that your one-time-manual-solution has worked. :+1:

Now you have a valid certificate. And enough time to find a working solution.

There is a test system you can use. So you can check if your configuration works without hitting the productive limit.

1 Like
