How to fix Let’s Encrypt automatic extension error

Let's Encrypt is one of the most popular SSL types available today. This is because it is of good quality (compatible with all popular web browsers) and is especially free. However, the lifecycle of a Let's Encrypt certificate is quite short, lasting only 3 months. This means that every 3 months, you must conduct Let's Encrypt extension for your domain name. On hosting using cPanel / DirectAdmin, most of the service providers have equipped the auto-install feature for Let's Encrypt. But for some reason, the system cannot proceed automatically.

Let's Encrypt automatic extension error

Below is a picture of an email announcing cPanel's AutoSSL feature that can't automatically renew Let's Encrypt:

This error may stem from one of the following causes:

1. Your domain name is pointing to another IP

One of the required requirements before installing Let's Encrypt with AutoSSL (SSL / TLS Status) in cPanel is that your domain name must be pointed to the correct IP of the host. After the installation is successful, if you accidentally or intentionally point the domain name to another IP address, the system will get an error when renewing automatically.

2. Your domain name is redirecting to another domain

If you install Let's Encrypt on subdomains and set up 301 redirect (by .htaccess file for example) to the main domain, this will also lead to an auto-renewable error Let's Encrypt on subdomains.

3. You are using CloudFlare CDN

Using CloudFlare as a CDN means that the IP address of the host will be automatically replaced by the IP address of CloudFlare. This leads to the system determining if the domain name is not pointing to the host's IP and cannot proceed with SSL renewal.

Let's Encrypt automatic extension error

From the above reasons, we can fix Let's Encrypt extension error by following simple methods:

1. Point the domain name to the correct IP of the host

If you are pointing the domain name to another IP address, check it and point it to the correct IP of the host. You can use tools like intoDNS or IP Checker to check the IP address that the domain name is pointing to.

If you are using CloudFlare, temporarily turn off its CDN feature, by accessing the CloudFlare account => select the corresponding domain name => select DNS tab => Click on the orange clouds in the Statuscolumn to convert it to gray.

Wait for the system to successfully renew SSL, repeat the steps above to convert the gray clouds to orange (re-enable CloudFlare CDN).

2. Disable domain redirect

If you are redirecting the domain you want to renew Let's Encrypt to another domain, disable the redirect feature until the renewal is successful. For example, I am redirected domain name wpcanban.net to domain name wpcanban.com by file .htaccess,will disable this feature by renaming files .htaccessto .htaccess_old.

Check out Let's Encrypt extension

To know if domain names have been renewed Let's Encrypt is successful or not, for cPanel hosting with AutoSSL, you can access SSL / TLS Status to see the results. In the example below, my wpcanban.netdomain has been extended for 3 months: