Expiring membership will SCREW YOU

Has anyone else experienced this? My membership expired on 9/4/2023. On 9/5/2023, we noticed that one SSL that expired that day wasn’t updating. Come to find out, the membership for Certify The Web had expired on the 4th. But the issue was, the stupid CertifyTheWeb application KEPT REQUESTING certificates for the domain 14 days in advance, then RECEIVE the certificate, then DELETE it because the membership expired. The problem is, now the cert authority says that it requested too many certs in a short time, so now we have to WAIT A WEEK!?!?! HOW are we supposed to do that? Shut down the business? This is a MAJOR BUG in this system. If the membership expires, IT SHOULD NOT CONTINUE TO REQUEST CERTIFICATES AND TRASH THEM.

Chris, I have responded to your support ticket now. The issue has nothing to do with app license key expiry as renewals will continue as they were before. The most likely cause of the original problem (before you hit the CA rate limit) is a change in CA root/intermediate certificate causing the PFX to fail to build in an old version of the app.

For anyone seeing similar problems, please contact us if you need help:

Your license key just unlocks the app limits for new managed certificates, it has no negative effect on renewals and the app will continue to function the same even if your license key expires.

As an immediate fix for your problem you can switch your certificate to use a different certificate authority such as Let’s Encrypt (see Certificate Authorities | Certify The Web Docs).

To switch CA (e.g. Let’s Encrypt):

  • Add a CA account contact for the correct CA under Settings > Certificate Authorities, if you don’t have one set up already.
  • Either change the default CA at the app Settings level (if you want all certs to change) or set it in the managed certificate that’s having problems under Certificate > Advanced > Certificate Authority instead of the default Auto setting.
  • Save your managed certificate and click Request Certificate

Another workaround for rate limit problems is to add an additional hostname, so if you are currently getting a cert for example.com and www.example.com you could add temp.example.com (and point temp to your host in DNS) then order your cert again - this will be counted as a new cert by the CA rate limits.

Regarding the behaviour that causes the app to keep attempting to renew certificates - after the first few failures by default our app will send a status report to our API which triggers a notification to you. The email address used is the one under Settings > Certificate Authorities. You should ensure this email address is monitored and that the app has outgoing HTTPS access in order to communicate problems to our API.

If a cert fails to properly renew it will eventually back off to attempting every 48hrs. You should also review your Settings for renewal frequency; we now recommend 75% of certificate lifetime. Very early versions of the app had a short renewal frequency set by default.

In v6.x onwards we have a new CA fallback feature where if you define multiple accounts with different CAs and a cert order is failing with one it will automatically try one of the other CA accounts.

If you do find that the app encounters a problem renewing a certificate please also look at the managed certificate log file, which you can also send through to us as part of any support request. The log file is easiest to access from the Status tab of your managed certificate. For anyone sending us a log, please send the whole file and not a screenshot of notepad.
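
One way to check, independently of the app's email notifications, whether a certificate on the server has passed the 75% renewal point mentioned in the reply above. This is an added example, not code from Certify The Web; the function name `Get-CertRenewalStatus` and the use of the `Cert:\LocalMachine\My` store are assumptions.

```powershell
# Added example (not Certify The Web code): list certificates in the local
# machine store that are past their renewal point or already expired.
# Assumptions: certificates live in Cert:\LocalMachine\My, and the 75%
# threshold is the renewal frequency recommended in the reply above.
function Get-CertRenewalStatus {
    param(
        [Parameter(Mandatory)] [datetime] $NotBefore,
        [Parameter(Mandatory)] [datetime] $NotAfter,
        [double]   $RenewAtFraction = 0.75,
        [datetime] $Now = (Get-Date)
    )
    $lifetime = $NotAfter - $NotBefore
    if ($lifetime.TotalSeconds -le 0) {
        throw "NotAfter must be later than NotBefore"
    }
    # Point in time at which the chosen share of the lifetime has elapsed.
    $renewDue = $NotBefore.AddSeconds($lifetime.TotalSeconds * $RenewAtFraction)

    if ($Now -ge $NotAfter) {
        $status = 'Expired'
    } elseif ($Now -ge $renewDue) {
        $status = 'RenewalOverdue'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Status   = $status
        RenewDue = $renewDue
        DaysLeft = [math]::Round(($NotAfter - $Now).TotalDays, 1)
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $s = Get-CertRenewalStatus -NotBefore $_.NotBefore -NotAfter $_.NotAfter
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        Status     = $s.Status
        RenewDue   = $s.RenewDue
        DaysLeft   = $s.DaysLeft
    }
} | Where-Object Status -ne 'OK' | Sort-Object DaysLeft | Format-Table -AutoSize
```

Superseded certificates that are still present in the store will also be listed, so compare the output against the certificate actually bound to the site.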