Error during secondary validation #846
Comments
Do you block access by geographic region or countries? Because Let's Encrypt recently added two additional remote validation server locations. The "secondary validation" points to a problem with one of the 4 secondary sites (the 5th validation center is in the USA).
That was the exact problem. I have spent days trying to track this down, and there is zero chance I would ever have considered this as the issue. Thanks so much for responding!
That did resolve the specific error, but now I'm getting:
Where do you see that error? If your last good cert was before Feb 8 of this year I would guess that the system reporting the error does not have ISRG Root X1 certificate in its CA store. Is it an older system? On Feb 8 the default chain from Let's Encrypt no longer includes the cross-signed DST Root CA X3 and so systems must trust ISRG Root X1. Temporarily you can request the older "long chain" but this will soon be gone anyway. If this sounds possible see below.
The expired certificate was issued in January 2024. "system reporting the error does not have ISRG Root X1 certificate in its CA store." Using the long chain option below didn't change the getssl output:
That's an error from getssl. Full text below:
The error is coming from cPanel. I am not an expert at cPanel but you could try copy/pasting the cert, chain, and private key yourself into your cPanel screen. You may need to take that up with your hosting service if that fails. The message is a little puzzling in that it suggests adding the Root certificate to the chain. I didn't think modern cPanel systems require the root cert in the chain. I might be wrong or yours might need it. The other possibility is the script you use to update cPanel needs updating. Perhaps it is manipulating the chain.pem file wrongly now that it is shorter than before. Maybe someone else here will be able to help. Or, try the Let's Encrypt community forum.
I tried copy/pasting the certs into cpanel, but it basically throws the same error. The script being used to update cpanel is the one in the repo cpanel_cert_upload. I'll try over in the LE forum also. Thanks again for your help here.
UPDATE: removing the existing chain, fullchain, and DOMAIN.com.crt files from .getssl/DOMAIN.com resolved the issue. Not entirely sure why, but once I did that everything worked and updated cpanel.
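The CA-store question raised in the thread (does the system that rejects the certificate actually trust the root the chain ends at?) can be tested directly with `openssl verify`. The script below is an added example, not part of the thread or of getssl; the function names are hypothetical and the two self-signed roots it generates are constructed stand-ins for a store that has the issuing root and one that lacks it.

```shell
#!/bin/sh
# Added example: does a given CA store validate a fullchain file on its own?

# store_trusts_chain CA_BUNDLE FULLCHAIN
# Returns 0 when the first certificate in FULLCHAIN (the leaf) chains to a
# root in CA_BUNDLE; the other certificates in FULLCHAIN are offered as
# untrusted intermediates. -no-CApath keeps the default CA directory out of
# the result so only CA_BUNDLE is tested (needs OpenSSL 1.1.0 or later).
store_trusts_chain() {
    openssl verify -no-CApath -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR
# Writes constructed test material into DIR: two unrelated self-signed roots
# (root_a.pem, root_b.pem) and fullchain.pem, a leaf issued by root A.
make_demo_pki() {
    dir=$1
    for ca in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root $ca" \
            -keyout "$dir/root_$ca.key" -out "$dir/root_$ca.pem" \
            2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -days 1 \
        -CA "$dir/root_a.pem" -CAkey "$dir/root_a.key" -CAcreateserial \
        -out "$dir/fullchain.pem" 2>/dev/null || return 1
}

# Demo on the constructed material: store A holds the issuing root, store B
# does not, which is the situation of a system missing the root it needs.
demo=$(mktemp -d)
make_demo_pki "$demo"
for ca in a b; do
    if store_trusts_chain "$demo/root_$ca.pem" "$demo/fullchain.pem"; then
        echo "store $ca: chain verifies"
    else
        echo "store $ca: issuing root not in store, chain rejected"
    fi
done
rm -rf "$demo"
```

On Debian the system bundle is `/etc/ssl/certs/ca-certificates.crt`; passing it as the first argument together with the fullchain file getssl wrote shows whether that machine's store accepts the chain.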
Version: 2.49
OS: Debian
Started receiving this error when trying to renew a domain cert:
The well-known file is viewable from a browser.
Detail log extract: