Http-01 fails, update changed something (RESOLVED - LE IPs were blocked as being within foreign attackers)

Hello,

I had this thing working perfectly for our certificate for a number of months. Then something changed with the update and it did not notify me there was a problem or failure. I just found out, and our certificate expires in 4 days! We have not changed anything with our firewall or configs since April. So this report that it is our Firewall is not correct.

When I try to run it manually it blocks me and says “Previous renewals failed : 101 , will try again in 48hrs” - we don’t have 48 hours to spare to fix this. What is it that changed so dramatically with the code to break it like this? What is it expecting now that it never wanted before?

It says among other things in the log
During secondary validation: Fetching http://(our site)/.well-known/acme-challenge/(a key file name it generated): Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection

In a desperately bad situation now. After trying to fix whatever this issue is from the new version, I have now hit a rate limit.
There is no documentation that describes how to use Certify The Web to set it up for communicating with the Staging destination instead so that I can at least continue trying to fix this.

Please… someone help. If our cert dies, we are in the midst of a fundraiser with many visitors to our site, and that will throw everything out the window if they start seeing invalid certificate warnings.

EXTREMELY frustrated - Why didn’t this thing give us any notice it was failing like it was supposed to?! It ran perfectly for April, May, June, July and then suddenly died from some kind of change to the way things are running.

Edit - just tried DNS manual method to try to get something working… still no success.

Hi, please send an email with your domain details to support at certifytheweb.com if you can’t share them here. This forum is not the priority support channel for customers.

On your managed certificate, click ‘Test’. This will run a check to see if your website can be contacted over http (not https). http is tcp port 80; if you have blocked that (which it sounds like you have) then http validation cannot be used. Try a reboot of your server.

To be clear, it’s highly likely you or someone else changed something in your networking configuration (firewall etc), there are hundreds of thousands of other users validating millions of sites with the current version of this app.

By default the app will send failure status notifications to the certifytheweb.com API, which in turn will send an email to whatever email address is set in the app (under Settings > Certificate Authorities). If you didn’t use a monitored email address for that then you won’t be getting the emails. Some systems also filter these emails out if they don’t trust the SendGrid email service.

Let’s Encrypt will also send warnings about certificate expiry to the same email address.

Ok this is insane. It SUCCEEDS, then re-does the whole thing again and fails - of course it would! After it did the process once and shows it succeeded, it deleted its own temp files. So then why does it go back and look for them all over again after they were deleted?

Why is it doing this? It makes no sense at all.
There is only 1 certificate with a few names in it. It worked perfectly for 4 months.

2021-09-28 21:34:51.553 -04:00 [INF] ---- Beginning Request [JHS] ----
2021-09-28 21:34:51.553 -04:00 [INF] Certify/5.5.5.0 (Windows; Microsoft Windows NT 10.0.17763.0)
2021-09-28 21:34:51.563 -04:00 [INF] Beginning Certificate Request Process: JHS using ACME Provider:Certes
2021-09-28 21:34:51.563 -04:00 [INF] Requested identifiers to include on certificate: my.(SANITIZEDwebsite2);(SANITIZEDwebsite1).ca;mail.(SANITIZEDwebsite4).on.ca;(SANITIZEDwebsite3).ca;mail.(SANITIZEDwebsite2);www.(SANITIZEDwebsite3).ca;www.(SANITIZEDwebsite1).ca
2021-09-28 21:34:51.563 -04:00 [INF] Beginning certificate order for requested domains
2021-09-28 21:34:51.777 -04:00 [INF] BeginCertificateOrder: creating/retrieving order. Retries remaining:2
2021-09-28 21:34:52.297 -04:00 [INF] Created ACME Order: https://acme-v02.api.letsencrypt.org/acme/order/126034917/27967507770
2021-09-28 21:34:52.423 -04:00 [INF] Fetching Authorizations.
2021-09-28 21:34:52.797 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/30476635100/3cn6RQ
2021-09-28 21:34:53.193 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/30476635110/ZHGXLw
2021-09-28 21:34:53.560 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/33201495650/gBnwZQ
2021-09-28 21:34:53.948 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583340/lkQQYw
2021-09-28 21:34:54.074 -04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583340/DaoPLw
2021-09-28 21:34:54.330 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583350/4M9c8A
2021-09-28 21:34:54.461 -04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583350/TmIPwQ
2021-09-28 21:34:54.787 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583360/jnXU1w
2021-09-28 21:34:54.909 -04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583360/brY20w
2021-09-28 21:34:55.168 -04:00 [INF] Got http-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583370/uAwpDg
2021-09-28 21:34:55.301 -04:00 [INF] Got dns-01 challenge https://acme-v02.api.letsencrypt.org/acme/chall-v3/35265583370/7j3XeQ
2021-09-28 21:34:56.321 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:34:56.321 -04:00 [INF] Attempting Domain Validation: my.(SANITIZEDwebsite2)
2021-09-28 21:34:56.321 -04:00 [INF] Registering and Validating my.(SANITIZEDwebsite2)
2021-09-28 21:34:56.321 -04:00 [INF] Authorization already valid for my.(SANITIZEDwebsite2)
2021-09-28 21:34:57.345 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:34:57.345 -04:00 [INF] Attempting Domain Validation: (SANITIZEDwebsite1).ca
2021-09-28 21:34:57.345 -04:00 [INF] Registering and Validating (SANITIZEDwebsite1).ca
2021-09-28 21:34:57.346 -04:00 [INF] Authorization already valid for (SANITIZEDwebsite1).ca
2021-09-28 21:34:58.374 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:34:58.374 -04:00 [INF] Attempting Domain Validation: mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:34:58.374 -04:00 [INF] Registering and Validating mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:34:58.374 -04:00 [INF] Authorization already valid for mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:34:59.404 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:34:59.404 -04:00 [INF] Attempting Domain Validation: (SANITIZEDwebsite3).ca
2021-09-28 21:34:59.404 -04:00 [INF] Registering and Validating (SANITIZEDwebsite3).ca
2021-09-28 21:34:59.404 -04:00 [INF] Performing automated challenge responses ((SANITIZEDwebsite3).ca)
2021-09-28 21:34:59.404 -04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://(SANITIZEDwebsite3).ca/.well-known/acme-challenge/wgNIk86PgXsWi6NWm-N20Gx75ZD1AoiLLSyMYYVYzL0 with content wgNIk86PgXsWi6NWm-N20Gx75ZD1AoiLLSyMYYVYzL0.2XKSjO4wuYLWsCdV4sQgE2kr1ERuAuvaAgNOvqzrtoc
2021-09-28 21:34:59.404 -04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-09-28 21:34:59.404 -04:00 [INF] Using website path C:\apache\htdocs(SANITIZEDwebsite3).ca\public_html\wp
2021-09-28 21:34:59.405 -04:00 [INF] Checking URL is accessible: http://(SANITIZEDwebsite3).ca/.well-known/acme-challenge/wgNIk86PgXsWi6NWm-N20Gx75ZD1AoiLLSyMYYVYzL0 [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:00.741 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:00.741 -04:00 [INF] Requesting Validation: (SANITIZEDwebsite3).ca
2021-09-28 21:35:01.775 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:35:01.775 -04:00 [INF] Attempting Domain Validation: mail.(SANITIZEDwebsite2)
2021-09-28 21:35:01.775 -04:00 [INF] Registering and Validating mail.(SANITIZEDwebsite2)
2021-09-28 21:35:01.775 -04:00 [INF] Performing automated challenge responses (mail.(SANITIZEDwebsite2))
2021-09-28 21:35:01.776 -04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://mail.(SANITIZEDwebsite2)/.well-known/acme-challenge/S66Z0orMpwXG7of5H-eONx2b1ovwQg-WMtFIWVXNkP8 with content S66Z0orMpwXG7of5H-eONx2b1ovwQg-WMtFIWVXNkP8.2XKSjO4wuYLWsCdV4sQgE2kr1ERuAuvaAgNOvqzrtoc
2021-09-28 21:35:01.776 -04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-09-28 21:35:01.776 -04:00 [INF] Using website path C:\apache\htdocs(SANITIZEDwebsite4).on.ca\public_html
2021-09-28 21:35:01.785 -04:00 [INF] Checking URL is accessible: http://mail.(SANITIZEDwebsite2)/.well-known/acme-challenge/S66Z0orMpwXG7of5H-eONx2b1ovwQg-WMtFIWVXNkP8 [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:02.462 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:02.463 -04:00 [INF] Requesting Validation: mail.(SANITIZEDwebsite2)
2021-09-28 21:35:03.509 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:35:03.509 -04:00 [INF] Attempting Domain Validation: www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:03.509 -04:00 [INF] Registering and Validating www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:03.509 -04:00 [INF] Performing automated challenge responses (www.(SANITIZEDwebsite3).ca)
2021-09-28 21:35:03.510 -04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://www.(SANITIZEDwebsite3).ca/.well-known/acme-challenge/PMdoZMgEQBJNhT9ptdxRLVuoGubIAiTvtp6NCjxgYws with content PMdoZMgEQBJNhT9ptdxRLVuoGubIAiTvtp6NCjxgYws.2XKSjO4wuYLWsCdV4sQgE2kr1ERuAuvaAgNOvqzrtoc
2021-09-28 21:35:03.510 -04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-09-28 21:35:03.510 -04:00 [INF] Using website path C:\apache\htdocs(SANITIZEDwebsite3).ca\public_html\wp
2021-09-28 21:35:03.510 -04:00 [INF] Checking URL is accessible: http://www.(SANITIZEDwebsite3).ca/.well-known/acme-challenge/PMdoZMgEQBJNhT9ptdxRLVuoGubIAiTvtp6NCjxgYws [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:04.836 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:04.837 -04:00 [INF] Requesting Validation: www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:05.861 -04:00 [INF] Http Challenge Server process unavailable.
2021-09-28 21:35:05.861 -04:00 [INF] Attempting Domain Validation: www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:05.861 -04:00 [INF] Registering and Validating www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:05.861 -04:00 [INF] Performing automated challenge responses (www.(SANITIZEDwebsite1).ca)
2021-09-28 21:35:05.862 -04:00 [INF] Preparing challenge response for the issuing Certificate Authority to check at: http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0 with content xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0.2XKSjO4wuYLWsCdV4sQgE2kr1ERuAuvaAgNOvqzrtoc
2021-09-28 21:35:05.862 -04:00 [INF] If the challenge response file is not accessible at this exact URL the validation will fail and a certificate will not be issued.
2021-09-28 21:35:05.862 -04:00 [INF] Using website path C:\apache\htdocs(SANITIZEDwebsite1).ca\public_html
2021-09-28 21:35:05.862 -04:00 [INF] Checking URL is accessible: http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0 [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:07.260 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:07.260 -04:00 [INF] Requesting Validation: www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:07.263 -04:00 [INF] Attempting Challenge Response Validation for Domain: my.(SANITIZEDwebsite2)
2021-09-28 21:35:07.263 -04:00 [INF] Registering and Validating my.(SANITIZEDwebsite2)
2021-09-28 21:35:07.263 -04:00 [INF] Domain already has current authorization, skipping verification: my.(SANITIZEDwebsite2)
2021-09-28 21:35:07.263 -04:00 [INF] Attempting Challenge Response Validation for Domain: (SANITIZEDwebsite1).ca
2021-09-28 21:35:07.264 -04:00 [INF] Registering and Validating (SANITIZEDwebsite1).ca
2021-09-28 21:35:07.264 -04:00 [INF] Domain already has current authorization, skipping verification: (SANITIZEDwebsite1).ca
2021-09-28 21:35:07.264 -04:00 [INF] Attempting Challenge Response Validation for Domain: mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:35:07.264 -04:00 [INF] Registering and Validating mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:35:07.264 -04:00 [INF] Domain already has current authorization, skipping verification: mail.(SANITIZEDwebsite4).on.ca
2021-09-28 21:35:07.264 -04:00 [INF] Attempting Challenge Response Validation for Domain: (SANITIZEDwebsite3).ca
2021-09-28 21:35:07.264 -04:00 [INF] Registering and Validating (SANITIZEDwebsite3).ca
2021-09-28 21:35:07.265 -04:00 [INF] Checking automated challenge response for Domain: (SANITIZEDwebsite3).ca

THEN RIGHT HERE - this is where it does it all over again and starts to fail!

2021-09-28 21:35:18.134 -04:00 [INF] Domain validation failed: (SANITIZEDwebsite3).ca
During secondary validation: Fetching http://(SANITIZEDwebsite3).ca/.well-known/acme-challenge/wgNIk86PgXsWi6NWm-N20Gx75ZD1AoiLLSyMYYVYzL0: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:18.613 -04:00 [INF] Attempting Challenge Response Validation for Domain: mail.(SANITIZEDwebsite2)
2021-09-28 21:35:18.613 -04:00 [INF] Registering and Validating mail.(SANITIZEDwebsite2)
2021-09-28 21:35:18.613 -04:00 [INF] Checking automated challenge response for Domain: mail.(SANITIZEDwebsite2)
2021-09-28 21:35:29.358 -04:00 [INF] Domain validation completed: mail.(SANITIZEDwebsite2)
2021-09-28 21:35:29.358 -04:00 [INF] Attempting Challenge Response Validation for Domain: www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:29.358 -04:00 [INF] Registering and Validating www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:29.358 -04:00 [INF] Checking automated challenge response for Domain: www.(SANITIZEDwebsite3).ca
2021-09-28 21:35:40.034 -04:00 [INF] Domain validation failed: www.(SANITIZEDwebsite3).ca
During secondary validation: Fetching http://www.(SANITIZEDwebsite3).ca/.well-known/acme-challenge/PMdoZMgEQBJNhT9ptdxRLVuoGubIAiTvtp6NCjxgYws: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:40.549 -04:00 [INF] Attempting Challenge Response Validation for Domain: www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:40.549 -04:00 [INF] Registering and Validating www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:40.550 -04:00 [INF] Checking automated challenge response for Domain: www.(SANITIZEDwebsite1).ca
2021-09-28 21:35:51.304 -04:00 [INF] Domain validation failed: www.(SANITIZEDwebsite1).ca
During secondary validation: Fetching http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:52.225 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: www.(SANITIZEDwebsite1).ca
During secondary validation: Fetching http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:52.225 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: www.(SANITIZEDwebsite1).ca
During secondary validation: Fetching http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:52.225 -04:00 [INF] Performing Post-Request (Deployment) Tasks…
2021-09-28 21:35:52.225 -04:00 [INF] Task [Deploy to Apache] :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Task [Wait For N Seconds…] :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Task [Restart hMailServer] :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Task [Restart Apache] :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Deploy to Apache :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Wait For N Seconds… :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Restart hMailServer :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Restart Apache :: Task is enabled but will not run because primary request unsuccessful.
2021-09-28 21:35:52.225 -04:00 [INF] Validation of the required challenges did not complete successfully. Domain validation failed: www.(SANITIZEDwebsite1).ca
During secondary validation: Fetching http://www.(SANITIZEDwebsite1).ca/.well-known/acme-challenge/xcra9t4hiLnXU65pse1AFLJwsxijj-hxHhsBL4Toyz0: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection

Log sequence is not necessarily in the exact order you expect because some operations are async.

I can see 4 of your domains are validating and 3 are failing. When Let’s Encrypt tries to connect to these websites it gets a timeout during connection.

Are you using any kind of IP filtering or Geographic filtering? Let’s Encrypt will attempt validation from multiple geographic locations.
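Added example, not part of the thread and not Certify The Web's own code: a small triage script for the log pattern discussed above, where the app's own reachability pre-check passes but Let's Encrypt reports a timeout "During secondary validation", which points at source-based (IP or geographic) filtering on port 80 rather than a missing challenge file. The sample log is constructed in the format shown in the thread, the `example.org` hosts are placeholders, and pairing each "Check passed" line with the preceding "Checking URL" line is an assumption about log ordering.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the thread (placeholder hosts).
SAMPLE_LOG = """\
2021-09-28 21:34:59.405 -04:00 [INF] Checking URL is accessible: http://a.example.org/.well-known/acme-challenge/tokenA [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:00.741 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:01.785 -04:00 [INF] Checking URL is accessible: http://b.example.org/.well-known/acme-challenge/tokenB [proxyAPI: True, timeout: 5000ms]
2021-09-28 21:35:02.462 -04:00 [INF] URL is accessible. Check passed.
2021-09-28 21:35:18.134 -04:00 [INF] Domain validation failed: a.example.org
During secondary validation: Fetching http://a.example.org/.well-known/acme-challenge/tokenA: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
2021-09-28 21:35:29.358 -04:00 [INF] Domain validation completed: b.example.org
2021-09-28 21:35:40.034 -04:00 [INF] Domain validation failed: c.example.org
Fetching http://c.example.org/.well-known/acme-challenge/tokenC: Timeout during connect (likely firewall problem) BadRequest urn:ietf:params:acme:error:connection
"""

CHECKING = re.compile(
    r"Checking URL is accessible: http://([^/\s]+)/\.well-known/acme-challenge/")
PASSED = "URL is accessible. Check passed."
RESULT = re.compile(r"Domain validation (failed|completed): (\S+)")


def triage(log_text):
    """Return {host: verdict} for every host seen in the log text."""
    seen = defaultdict(
        lambda: {"precheck": False, "result": None, "secondary_timeout": False})
    pending = None      # host whose pre-check result is expected next
    last_failed = None  # host that the next continuation line belongs to
    for line in log_text.splitlines():
        if (m := CHECKING.search(line)):
            pending = m.group(1)
        elif PASSED in line and pending:
            seen[pending]["precheck"] = True
            pending = None
        elif (m := RESULT.search(line)):
            outcome, host = m.groups()
            seen[host]["result"] = outcome
            last_failed = host if outcome == "failed" else None
        elif line.startswith("During secondary validation") and last_failed:
            # The CA's detail line has no timestamp and follows the failure line.
            seen[last_failed]["secondary_timeout"] = "acme:error:connection" in line

    verdicts = {}
    for host, s in seen.items():
        if s["result"] == "completed":
            verdicts[host] = "ok"
        elif s["result"] == "failed" and s["precheck"] and s["secondary_timeout"]:
            # Reachable from one network, timed out from another CA vantage
            # point: review IP and geographic filtering in front of port 80.
            verdicts[host] = "source-filtering-suspected"
        elif s["result"] == "failed":
            verdicts[host] = "failed-other"
        else:
            verdicts[host] = "no-result"
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOG).items():
        print(f"{host}: {verdict}")
```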

Thank you WebProfusion - that was indeed it.

But these were IPs we blocked back in May - two months before a problem arose. We still see attacks from those places (Russia, China, Iran, Iraq, South America) so I had to manually disable the policy, run the cert, then manually enable them again.

I then searched for a list of Let’s Encrypt IPs but they seem to think it’s great to never give those out, making it impossible to add them as white listed sources to the router. Idiotic! How the hell are admins supposed to count on this system if we can never know the addresses to trust?! At this rate we may be better to go back to paying for a cert with GoDaddy to know it will always work, and give us warning if it isn’t. We have the settings in place on the account, and nothing for spam blockers to stop it from coming through. Checked the mail logs - nothing from SendGrid. I realize this is work by a lot of volunteers out there but crap, it needs to work reliably. It absolutely has to, or what’s the point?

52.62.156.51 - - [29/Sep/2021:00:14:42 -0400] "GET /.well-known/acme-challenge/
52.62.156.51 - - [29/Sep/2021:00:14:43 -0400] "GET /.well-known/acme-challenge/
52.62.156.51 - - [29/Sep/2021:00:14:46 -0400] "GET /.well-known/acme-challenge/
52.62.156.51 - - [29/Sep/2021:00:14:47 -0400] "GET /.well-known/acme-challenge/
3.19.56.43 - - [29/Sep/2021:00:14:50 -0400] "GET /.well-known/acme-challenge/
34.219.87.132 - - [29/Sep/2021:00:14:51 -0400] "GET /.well-known/acme-challenge/
18.192.36.99 - - [29/Sep/2021:00:14:51 -0400] "GET /.well-known/acme-challenge/
3.19.56.43 - - [29/Sep/2021:00:14:51 -0400] "GET /.well-known/acme-challenge/
64.78.149.164 - - [29/Sep/2021:00:14:51 -0400] "GET /.well-known/acme-challenge/
34.219.87.132 - - [29/Sep/2021:00:14:52 -0400] "GET /.well-known/acme-challenge/
18.192.36.99 - - [29/Sep/2021:00:14:52 -0400] "GET /.well-known/acme-challenge/
64.78.149.164 - - [29/Sep/2021:00:14:52 -0400] "GET /.well-known/acme-challenge/
18.116.86.117 - - [29/Sep/2021:00:14:53 -0400] "GET /.well-known/acme-challenge/
64.78.149.164 - - [29/Sep/2021:00:14:53 -0400] "GET /.well-known/acme-challenge/
34.219.87.132 - - [29/Sep/2021:00:14:53 -0400] "GET /.well-known/acme-challenge/
18.159.196.172 - - [29/Sep/2021:00:14:54 -0400] "GET /.well-known/acme-challenge/
18.116.86.117 - - [29/Sep/2021:00:14:54 -0400] "GET /.well-known/acme-challenge/
34.219.87.132 - - [29/Sep/2021:00:14:54 -0400] "GET /.well-known/acme-challenge/
64.78.149.164 - - [29/Sep/2021:00:14:55 -0400] "GET /.well-known/acme-challenge/
18.159.196.172 - - [29/Sep/2021:00:14:55 -0400] "GET /.well-known/acme-challenge/

Yes, you can also use Certify The Web with ZeroSSL, BuyPass Go and SSL.com, all of which are commercial organisations.

If you don’t want port 80 open or want to do geoblocking, you can switch to using DNS validation, either through your domain DNS (if we support your provider) or using Certify DNS (a commercial service from us, currently in beta; see DNS Validation (dns-01) | Certify The Web Docs).