Let's Encrypt FAILURE of renewals


#1

Got a string of these, and cannot seem to remember what the fix was last year: manual renewal, or does it catch up eventually?

Automatic Let's Encrypt renewal for ******.***** was attempted and failed.
This certificate expires on 2019-04-12 07:13:44 +0000 UTC.

Unable to renew certificate: Updating challenge for ****.*********.***: acme: error code 400 "urn:ietf:params:acme:error:connection": Fetching http://****.*********.***/.well-known/acme-challenge/AIZz3FmCoIxIdI*************4dA3k4wl6h5oLlj4U: Connection refused (order URL: https://acme-###.api.letsencrypt.org/acme/order/********************************)

You can configure/re-install/remove this certificate by logging into cPanel, and visiting the Lets Encrypt SSL page.

#2

It’s unlikely to catch up on its own if LE is not able to load a site at that URL. First thing to check is whether there is an issue at that URL (i.e., is the domain pointed to us, is it loading properly). Let’s Encrypt attempts to load a file from a location within that domain to verify it, and that error is indicating it’s not able to. Manual renewal is worth trying. It’s also worth mentioning that cPanel has its own SSL cert provisioning that will pick up 15 days out if there isn’t a valid cert on the domain, so it should mostly be hands off. Wrote a bit about that all at SSL Everywhere (Again) since I know with different changes to SSL over the years it can get confusing, but the TL;DR is that unless there’s an actual issue with resolution of the domain, the server should in most every case have a valid SSL cert for every domain and subdomain we host automatically with automatic renewals.
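Added example, not part of the thread and not Reclaim's, cPanel's or Let's Encrypt's own code: a Python preflight that fetches the `/.well-known/acme-challenge/` path over plain HTTP and separates "does not resolve", "nothing answers on the port" (the `Connection refused` case in the notice above) and "server answers but does not serve the file". The function names, result labels, token and local demo server are assumptions made for illustration.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# Direct connections only: a remote validator does not use local proxy settings.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_http01(host, token, port=80, timeout=5):
    """Fetch the challenge URL and classify the outcome (labels are this example's own)."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror as exc:
        return ("dns", f"{host} does not resolve: {exc}")
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with _opener.open(url, timeout=timeout) as resp:
            return ("ok", f"HTTP {resp.status} from {url}")
    except urllib.error.HTTPError as exc:  # server answered, but not with a 2xx
        return ("http", f"HTTP {exc.code} from {url}")
    except OSError as exc:  # URLError, refused, timeout: no usable answer on the port
        return ("connection", str(getattr(exc, "reason", exc)))

class _Handler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a web server that holds one challenge file."""
    def do_GET(self):
        ok = self.path == CHALLENGE_PREFIX + "constructed-token"
        self.send_response(200 if ok else 404)
        self.end_headers()
        self.wfile.write(b"constructed-token.key-auth" if ok else b"")
    def log_message(self, *args):  # keep the demo quiet
        pass

def demo():
    """Run the check against a local server and a closed local port (offline)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    port = srv.server_address[1]
    with socket.socket() as s:  # reserve a port, then release it so it is closed
        s.bind(("127.0.0.1", 0))
        closed = s.getsockname()[1]
    results = [check_http01("127.0.0.1", "constructed-token", port),
               check_http01("127.0.0.1", "missing", port),
               check_http01("127.0.0.1", "constructed-token", closed)]
    srv.shutdown()
    return [label for label, _ in results]

if __name__ == "__main__":
    print(demo())
```

Run `check_http01("your.domain", "any-token")` from a machine outside the hosting network; a `connection` result there matches the failure reported in the renewal notice.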


#3

Thanks. All the ones I got notices for are for domains pointed at Reclaim, and do load fine.

I had been doing my setups for certs via the Let’s Encrypt cPanel tool. Doing a renew did not change the expiry date. I tried deleting one and reinstalling, it just bumped it a day.

I’ll just leave 'em be.


#4

I would recommend setting a reminder for 10 days prior to a cert expiring; if you check and SSL > Status is not showing a renewed cert, reach out to us in a support ticket. cPanel will automatically pick up a domain’s SSL cert at 15 days out if there isn’t a valid one already in place. If that’s not happening, there may be a larger issue at play. But going forward we are slowly moving away from Let’s Encrypt except in rare cases, since cPanel handles this in a more automated fashion with fewer illegitimate errors.