TOPIC:

I am getting the HTTPS certificates expiration message for my club website www.davietoastmasters.org.
I contacted my domain hosting company but they told me everything is fine on their end, how can I resolve this? Do I need to buy my own certificate and how much will that cost?

Regards,
Price

Fix your DNS settings to comply with our requirements, then let us know so we can trigger the certificate creation/renewal.

support.toastmastersclubs.org/doc/item/dns-settings-overview

It is your DNS settings that are the issue.

According to my domain host "As I can see you have couple of DNS records in your DNS out of which some are pointing to the Website and some to your Email and they are working fine as they are pointing to your Website and which is loading fine. Also your SSl is working perfectly fine. We can only correct any DNS issue if we know which DNs records needs correction. As I can see all are correct."

As you did not provide all the DNS Zone records we can only tell you what is wrong if you want to use the FTH service.

remove
davietoastmasters.org. 3600 IN MX 30 ALT2.ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 10 ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 40 ASPMX2.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 50 ASPMX3.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.

add
mail.davietoastmasters.org IN A 50.19.253.65

add
davietoastmasters.org mx mail.davietoastmasters.org

As you can see below your cert will not expire until Jan 2020. We will automatically regen any cert that is properly setup to our specifications.

The email is being host by Google if I remove those records I won't get email. These settings were there from inception with no issues

davietoastmasters.org. 3600 IN MX 30 ALT2.ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 10 ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 40 ASPMX2.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 50 ASPMX3.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.

Up to you if you want to use the FTH mail system or not. If you have any issues with mail your on your own.

Thank you Brian.

If your domain DNS records cannot be validated by our automated cert renewal code, your existing cert will be left to expire. Additionally, if the situation persists, the code will eventually remove your domain from our database since we require HTTPS usage with the system.

Therefore, once you have gotten the DNS stuff sorted out, you need to let us know so that we can intervene and make sure you have a cert and are back in the automated loop.

Brian: I don't think I have the renewal loop set up to keep trying over and over for cases like this (at some point it just ditches the domain name)... That is why we may need to initiate a manual cert gen/renewal from our system admin tools.

Okay, for what I understand the issue is website is set to use Google as a mailserver and that setup would not allow for the SSL cert to renew. So, in that case I just delete the Google setting for the purpose of the update and put it right back. Since it's working now there is no reason it shouldn't continue to after the ssl cert renewal. What do you think Steve? By the way Brian and Steve you are awesome!

remove
davietoastmasters.org. 3600 IN MX 30 ALT2.ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 10 ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 40 ASPMX2.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 50 ASPMX3.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.

davietoasthost wrote:

Okay, for what I understand the issue is website is set to use Google as a mailserver and that setup would not allow for the SSL cert to renew. So, in that case I just delete the Google setting for the purpose of the update and put it right back. Since it's working now there is no reason it shouldn't continue to after the ssl cert renewal. What do you think Steve? By the way Brian and Steve you are awesome!

remove
davietoastmasters.org. 3600 IN MX 30 ALT2.ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 10 ASPMX.L.GOOGLE.COM.
davietoastmasters.org. 3600 IN MX 40 ASPMX2.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 50 ASPMX3.GOOGLEMAIL.COM.
davietoastmasters.org. 3600 IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.

We do not actually verify the MX records to ensure they are set for FTH email. We do not require you to use FTH email. In practice though, most clubs do want to use the FTH email, so we include setting the MX record in our guidance so that people get that set correctly for FTH email.

The only thing we really check is the A record to ensure it points to the FTH server. As long as you have an A record pointing to the FTH server you should be fine. We check this by running the Linux "dig +short" command for your custom domain and looking for the FTH server IP address in the result.

Thank you DTM Steve,

Since running the "dig +short" require we have our MX records set to FTH email and in our case we have our own 3rd party solution, other than migration our email from Google to FTH would my previous stated solution work or you have another way to bypass that check. How are other FTH users if any dealing with this issue. I understand we may be unique to have a website hosting, domain hosting and email hosting separate

You are not reading my reply correctly. You have this all wrong.