URGENT need to force renew after two failures, ideas?

I will describe how I got into this situation below, but the bottom line is I’ve attempted two renewals today that failed. It is now configured correctly, LetsEncrypt sent me an email, today, saying my certs will be invalidated TOMORROW due to a bug on their part, and now I’ve got a 48hr hold on attempting the renewal again, which will leave me with invalid certs for almost two days.

I went to figure out how to force a renewal (which I figured out you can configure auto renewal down to a day, temporarily, to “force” it). I saw the new version button and foolishly upgraded my CertifyTheWeb software BEFORE I took care of my urgent issue. (I definitely know better, ugh).

Assuming all would be fine, I clicked to renew. I have several domains registered, some use http auth, some DNS auth. My first auth rule had no domains specified, for http-auth. This was the default rule. But after the upgrade, it used this rule even though the next rule specified to use DNS authentication for some of the domains. I fixed this issue by specifying the domain to use http-auth, and, in a rush, tried again. This time it is my encrypted DNS auth-key and secret that could not be decrypted after the upgrade, and so the renewal failed a second time. I fixed that issue by reentering them. This time I used the TEST button. All looked good. But when I clicked to renew, it says I’ve failed twice, and I’m blocked for 24 hours! I urgently need this cert renewed by tomorrow, there must be some way to make an exception?? Should I just start over and use “Request Certificate” instead of renewing? Will that have the same restriction?

I’m really not happy with the upgrade process, but I still love this product. But I really urgently need to override this 48hr waiting period.

Any help, even creative Rube Goldberg ones, would be greatly appreciated! Should I be conversing with LetsEncrypt about this? Is this their restriction, and certifytheweb cannot do anything about it?

Thanks in advance for any and all feedback that can help!

Hi, I’ve replied to your support email but basically:

  • to force renewal sooner, set the renewal intervals days to 1 under Settings, run Renew All, then when all renewed set the interval back to at least every 30 days
  • if the app won’t let you renew due to too many recent failures, create a new managed certificate with the same details (once it works, delete your other one in the certify UI).
  • if you hit a ‘too many certificates issued’ rate limit with Let’s Encrypt you can usually work round it by adding a remote subdomain into the cert (like test.domain.com, it just has to be one the server can validate normally).

Not sure what’s up. I created a new certificate request, identical to the first, and it tested fine. But it’s now failed twice with the following error:
2020-03-03 11:05:11.926 -05:00 [INF] The Let’s Encrypt service did not issue a valid certificate in the time allowed. Failed to finalize certificate order: Error finalizing order :: Rechecking CAA for “server.mydomain.org” and 4 more identifiers failed. Refer to sub-problems for more information

I don’t know where to look for the “sub-problems”. I did check and my domain definitely does not have a CAA record.

Is there a way to ask certifytheweb to use staging so I can continue testing there?
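The error quoted above comes from the CA re-checking CAA at finalization time. The following is an added example, not Certify The Web or Let's Encrypt code, showing how a CA evaluates CAA for a name: it walks from the name up through its parents to the closest CAA RRset, then applies the issue / issuewild tags and the issuer-critical flag per RFC 8659. The sample zone is constructed (mydomain.org is the placeholder from the error message; restricted.example and strict.example are invented), so it runs offline; a real check would fetch the RRsets from DNS, which is the step that timed out in the thread rather than a CAA denial.

```python
"""Evaluate CAA the way a CA does before issuing (RFC 8659).

Added example for this thread, not Certify The Web or Let's Encrypt code.
Zone data below is constructed; a real implementation would query DNS
for each name in lookup_chain() and stop at the first CAA RRset found.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659 section 4.1)


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str


def parse_caa_rdata(rdata: bytes) -> CAARecord:
    """Parse CAA RDATA wire format: flags(1) | tag_len(1) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    if tag_len == 0 or len(rdata) < 2 + tag_len:
        raise ValueError("bad CAA tag length")
    tag = rdata[2:2 + tag_len].decode("ascii").lower()
    value = rdata[2 + tag_len:].decode("utf-8")
    return CAARecord(flags, tag, value)


def lookup_chain(name: str) -> List[str]:
    """Names a CA consults, closest first: the name itself, then each parent."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def relevant_rrset(name: str, zone: Dict[str, List[CAARecord]]) -> Optional[List[CAARecord]]:
    """Closest ancestor (including the name) holding a CAA RRset; None if none."""
    for candidate in lookup_chain(name):
        if zone.get(candidate):
            return zone[candidate]
    return None


def _issuer_domain(value: str) -> str:
    # "letsencrypt.org; validationmethods=dns-01" -> "letsencrypt.org"
    return value.split(";", 1)[0].strip().lower()


def issuance_permitted(name: str, zone: Dict[str, List[CAARecord]],
                       ca: str, wildcard: bool = False) -> bool:
    """True if CAA allows `ca` to issue for `name` (or *.name when wildcard)."""
    rrset = relevant_rrset(name, zone)
    if rrset is None:
        return True  # no CAA anywhere up the chain: CAA imposes no restriction
    known = {"issue", "issuewild", "iodef"}
    if any(r.flags & CRITICAL and r.tag not in known for r in rrset):
        return False  # unrecognised critical property: MUST NOT issue
    issue = [r for r in rrset if r.tag == "issue"]
    issuewild = [r for r in rrset if r.tag == "issuewild"]
    # issuewild overrides issue for wildcard requests, and is ignored otherwise
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # only iodef or similar present: no issuer restriction
    return any(_issuer_domain(r.value) == ca.lower() for r in applicable)


def sample_zone() -> Dict[str, List[CAARecord]]:
    """Constructed CAA data (not real DNS) covering the cases a CA must handle."""
    return {
        # parent-only CAA: server.mydomain.org has none, so mydomain.org's applies
        "mydomain.org": [parse_caa_rdata(b"\x00\x05issueletsencrypt.org")],
        # issue allows Let's Encrypt; issuewild ";" forbids every wildcard issuer
        "restricted.example": [
            parse_caa_rdata(b"\x00\x05issueletsencrypt.org; validationmethods=dns-01"),
            parse_caa_rdata(b"\x00\x09issuewild;"),
        ],
        # unknown property flagged critical: no CA may issue
        "strict.example": [parse_caa_rdata(b"\x80\x06ticket12345")],
    }


if __name__ == "__main__":
    zone = sample_zone()
    for host in ("server.mydomain.org", "nocaa.test", "restricted.example", "strict.example"):
        print(host, "->", lookup_chain(host), issuance_permitted(host, zone, "letsencrypt.org"))
```

The practical takeaway for the thread: with no CAA record at the name or any parent, the check passes, so a "Rechecking CAA ... failed" finalization error on such a domain points at the lookups themselves (timeouts or resolver errors) rather than at a record forbidding issuance.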

Thank you for this. I am currently renewing 150 certificates this way. It seems to me like it’s going very slow. It may take a full day to complete. Is this normal?

Unfortunately the Certify The Web software just crashed. I sent a crash report.

I’m sorry for spamming this topic… I restarted the software, and now it’s going through the 150 domains one by one… this looks like a better way to get this job done…

I received an email today, saying to renew all certs by tomorrow or they will be invalid. Who knows how many thousands of other users also received this and are trying to renew thousands of certs before tomorrow. That could explain timeouts and crashes, perhaps…

Is the lock after 2 failures and wait 48hrs a Certify The Web thing? Or a LetsEncrypt requirement? It’s not nice… Especially when my latest attempts are failing either at LetsEncrypt or maybe Certify The Web has decided to stop waiting for LetsEncrypt’s response? I’m not certain which.

The 48 hrs thing is circumvented by clicking on the managed certificate itself and clicking Request Certificate (renew and request are the same action ultimately, but renew knows to back off when failures are happening).

If you are having renewal failures, investigate them first, otherwise you will start hitting Let’s Encrypt rate limits on failed validation etc.

So I actually found out about this issue about 10 hrs ago and didn’t have any advance notice. Let’s Encrypt will be renewing up to 26 million revoked certs today.

Some domains will fail to renew in time due to pressure on their API, so work on your most important ones first.

I would also make sure that your specific domains need to be redone. I have maybe 7 certs with LE and only 1 of them appeared in their revoke list.


Yes, I mis-spoke. It didn’t say to renew all certs - it said to renew this particular cert. I have others that were not affected.

Eventually last night I tried for the umpteenth time and the cert was created successfully. I believe LetsEncrypt was so busy having told so many users to renew their certs within 24 hrs, and it now does the CAA DNS query in real-time I believe, that it was timing out waiting only 30s for all the DNS queries, and failing. Nothing changed on my part or the DNS server’s part.

Also regarding the title of the question - the “Request Certificate” button will immediately attempt to create the certificate, even if the “renew now” button has it pending for 48hrs. So the short answer to the question how to force the “renewal” is simply to click the “Request Certificate” button instead.
