Common Reasons Certificate Renewals Fail

SpinupWP automatically tries to renew HTTPS certificates for your sites, but sometimes the renewal fails. When it does, SpinupWP sends you an “Error renewing your HTTPS certificate” email with an explanation of what happened and the error output from the process.

Sometimes it’s not clear what the error means or how you can fix the issue. Below we’ve outlined some common errors that occur when trying to renew HTTPS certificates and how they can be resolved.

Connection problem

The server could not connect to the client to verify the domain

This normally happens when Let’s Encrypt can’t access the /.well-known file on the server. As part of the Let’s Encrypt validation process, a file is generated on your server and made available to the public internet. The URL looks something like:

https://example.com/.well-known/acme-challenge/90lPeuTilxAzeUu6KObTaE7SGKUg4zv9KpUqRWi0aEU

Let’s Encrypt will then try to access this file to verify the domain points to the server.

This can happen when you have a redirect set up that redirects the request before it can reach the file on the server. For example, when you use Cloudflare for your DNS and have “Always use HTTPS” enabled, the request is redirected from HTTP to HTTPS at the network level before it reaches the server.

To resolve this issue, check your Nginx configs for custom redirects that can override the request, and check whether WordPress is capturing the request and redirecting or blocking it. Also check whether something at the network level might be redirecting or blocking requests.

Invalid response

Invalid response from …

This normally happens when something on your server is not working properly or Let’s Encrypt is being blocked for some reason. For example, PHP may not be running, so Nginx returns a “504 Gateway Timeout”, or Basic Authentication may have been set up and is returning a “403 Forbidden” response.

To resolve this issue, make sure your site is working properly and that there are no custom Nginx configs that might be blocking Let’s Encrypt requests to the /.well-known file.

DNS Problem

DNS problem: NXDOMAIN looking up A

This normally happens when you’ve updated the DNS for a domain that you had previously added to a SpinupWP site. For example, you have a site at example1.com and added example2.com as an Alternate Domain, then later updated example2.com to point to another server without removing the Alternate Domain from SpinupWP.

To resolve this issue, make sure the DNS records for all of your Primary and Additional domains are correctly pointing to your SpinupWP server or remove them from SpinupWP if they need to be removed.

Firewall Issue

Let’s Encrypt needs to make connections to ports 80 and 443. When renewing your certificate after 60 days, you’ll need to open port 80 again (if it was closed) so you can validate your hostname again.

To check:

sudo ufw show added

If port 80 is not added/open, run the following:

sudo ufw allow http

Let’s Encrypt does not keep a common IP pool, so you can’t whitelist specific IPs for this.
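
The failure classes above can be told apart from the HTTP status a challenge URL returns. The script below is an added example, not SpinupWP tooling: the function names and the probe token are hypothetical, and it assumes curl is installed on the machine you test from.

```sh
#!/bin/sh
# Added example (not SpinupWP's own code): map the HTTP status returned for a
# /.well-known/acme-challenge/ URL to the failure classes described above.

# classify_challenge STATUS [LOCATION]
#   STATUS   - curl's %{http_code}; "000" means no HTTP response was received
#   LOCATION - curl's %{redirect_url}; empty when the response is not a redirect
classify_challenge() {
    status=$1
    location=${2:-}
    case "$status" in
        000)     echo "connection: no HTTP response; check DNS records and that port 80 is open in ufw" ;;
        200|404) echo "reachable: the request got an answer with no redirect or block in the way" ;;
        3??)     echo "redirect: sent to ${location:-an unknown target}; check Nginx, WordPress and network-level redirects" ;;
        401|403) echo "blocked: access denied; check Basic Authentication and custom Nginx configs" ;;
        5??)     echo "server-error: the site is not working properly; check PHP and Nginx" ;;
        *)       echo "unexpected: status $status" ;;
    esac
}

# probe_challenge DOMAIN
#   Requests a constructed token over plain HTTP without following redirects.
#   The token does not exist, so a healthy site is expected to answer 404.
#   A "reachable" result does not prove the answer came from your SpinupWP
#   server; the DNS records still need to be checked for that.
probe_challenge() {
    url="http://$1/.well-known/acme-challenge/renewal-doc-probe"  # constructed token
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$url") || true
    classify_challenge "${out%% *}" "${out#* }"
}

# Probe every domain passed on the command line, one result per line.
if [ "$#" -gt 0 ]; then
    for domain in "$@"; do
        printf '%s: ' "$domain"
        probe_challenge "$domain"
    done
fi
```

Run it with every Primary and Additional domain of the site as arguments, from a machine outside the server, so that network-level redirects and firewall rules are included in the path being tested.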