1. Home
  2. Security
  3. SSL
  4. Let's Encrypt
  5. Troubleshooting: Let’s Encrypt Keeps Failing on My Domain

Troubleshooting: Let’s Encrypt Keeps Failing on My Domain




WP Enthusiast

WP Professional

WP Professional Plus

The Let’s Encrypt provisioning process is automatic, but can sometimes fail if the domain’s configuration is not set up correctly.  

Your domain isn’t registered at a domain name registry yet

What is it?
In order to use a domain, it must first be registered at a domain name registry. The domain name registry gives you the rights to use the domain. If your domain is not registered to you, Let’s Encrypt will not be able to generate a certificate for it.
Is it happening to me?
If you don’t remember registering your domain name, it is likely that you haven’t gone through the registration process yet.
How to fix
If you think this is the case, head to Pair Domains or your domain registrar of choice and register your chosen domain.

The domain’s DNS doesn’t point to Pair Networks’ hosting servers

What is it?
When you add a domain to the Pair Network’s Account Control Center (ACC), you are given name servers. These name servers must be added to your domain name on your domain registrar’s site. If they are not added, then the domain is not actually being hosted by the hosting account.
Is it happening to me?
Go to your domain registrar and find your domain’s name servers. If you registered a domain with Pair Domains, see our article, Changing Name Servers. Once you have found your domain’s current name servers, go to the ACC, and find the name servers on your hosting account. You can do this by:

  1. Login to the ACC
  2. Click Domains in the left sidebar
  3. Click Manage Your Domain Names in the drop-down
  4. Click the name of your domain
  5. Find the Name Servers section

If the name servers do not match, then this is the reason Let’s Encrypt is not working.

How to fix
You can fix the problem by copying the name servers from the ACC and adding them to the domain in the domain registrar. Once these have been saved and the registrar has applied the change to the domain, retry Let’s Encrypt.

Changes to name servers sometimes take 24 to 48 hours to process. You may have to wait for the name servers to be updated before retrying Let’s Encrypt.

DNS hasn’t propagated, preventing Let’s Encrypt from reaching servers

What is it?
Making changes to your DNS configuration could cause delays in DNS propagation, thus causing Let’s Encrypt to fail. If you only recently set up or moved the domain that Let’s Encrypt failed on, you may have tried to add Let’s Encrypt before the domain’s name servers (DNS) were fully propagated. When DNS are changed, it sometimes takes from 24 to 48 hours for them to update. DNS configuration changes may have occurred without your realization. Changes to certain domain hosting options in the ACC will cause automatic changes to be made to the DNS configuration.
Is it happening to me?
If you tried to add Let’s Encrypt to a domain within 48 hours of changing the DNS on your registrar or making domain hosting changes in the ACC, this may be causing Let’s Encrypt failure.
How to fix
A sure way to fix this problem is to just retry Let’s Encrypt after 48 hours are up. While you can retry Let’s Encrypt before 48 hours, Let’s Encrypt may fail again if the DNS are still not propagated.

Your www domain and non-www domain are separated

What is it?
It is possible to separate the www version of your domain name from the non-www version of your domain name. For example, you may have www.example.com send visitors to a different website than visitors who go to example.com. This can be done by specifically creating a subdomain for the www version of your domain or using DNS. Doing this can complicate the Let’s Encrypt process and ultimately result in a failure to generate a certificate.
Is it happening to me?
If you have separated the www version of a domain from the non-www version, either by DNS or by creating a subdomain, this is the most likely reason for why Let’s Encrypt is not working with your domain.
How to fix
To fix this, you need to contact our support team so that they can manually setup your domain with Let’s Encrypt. You can find our support team’s contact information on our support page.

.htaccess is blocking Let’s Encrypt

.htaccess is not available on WP Hosting packages, so this is not applicable to WP Enthusiast or WP Professional.

What is it?
This is a problem that is more likely to affect customers who have made changes to their .htaccess files. If you have anything in your .htaccess files that affects the .well-known directory, this may cause problems when Let’s Encrypt tries to issues you a certificate. For more information on the .well-known directory, see the IETF’s article about the .well-known URI path and how it should be used.
Is it happening to me?
You can check your .htaccess file and see if any of the contents affects the .well-known directory. Things to look for in particular would be:

  • Redirect that applies to the .well-known directory
  • Password or IP based restrictions on the .well-know directory
  • Rewrites that requests .well-known/* to return a different file, return an error, or run a script
How to fix
How to fix this problem will depend on what is affecting the .well-known directory. A Redirect could be replaced with a RedirectMatch that can turn off in the .well-known directory or a Rewrite, which can also be turned off in the .well-known directory. For the IP or password restrictions, turn off any restrictions that apply to the .well-known directory. Rewrites that request .well-known/* to return something different must be removed. For help dealing with these, or any other .well-known directory problems, please contact our support team. You can find our support contact information on our support page.

Your domain’s DNS is not working properly

What is it?
If you use DNS servers that are not hosted by Pair Networks, your DNS configuration may not be compatible with our Let’s Encrypt automatic issuing process.
Is it happening to me?
If you know your DNS server is not hosted at Pair Networks or suspect that might be the case, this may be the reason Let’s Encrypt is not working on your domain.
How to Fix
If your DNS server is not hosted at Pair Networks, you can use the default Pair Networks DNS settings for your server or contact our support team for help. You can find our support contact information on our support page.

You have custom firewalls set up on your Dedicated or VPS account.

What is it?
If you have a firewall configured that prevents access to the local web server, it may prevent Let's Encrypt from contacting the server. Let's Encrypt uses a web-based Domain Control Validation (DCV), which means that it needs to make contact with the web server in order to validate it. If it is blocked by a firewall, Let's Encrypt will not be able to validate your server and will fail on your domain.
Is it happening to me?
If you know that you have a firewall set up on your server, this could very well be the problem.
How to Fix
It is not possible to issue firewall exceptions for Let's Encrypt to access your server since Let's Encrypt does not publish a list of all IP addresses. This is because providing the IP addresses could cause security issues and the IP addresses are subject to change without notice.

However, there are two possible solutions to remedy firewall blocking: configure your firewall to allow more traffic or get a different kind of certificate.

If you configure your firewall to allow more traffic to the web server, it will allow Let's Encrypt to work on your server. However, if that is not an option for you, you will not be able to use Let's Encrypt on your domain.

In Let's Encrypt's place, you can order a PairSSL certificate. PairSSL uses a DNS-based Domain Control Validation (DCV) instead of web-based DCV, so the certificate will not be deterred by a firewall that blocks all server traffic.


Updated on February 28, 2020

Was this article helpful?

Related Articles

Need Support?
Can't find the answer you're looking for?
Contact Support