SSL certificate failure on GoDaddy

Securing a website with an SSL certificate should be very easy and cost-effective. It not only enhances the trust of your website for visitors, it’s essentially required now. As of December 2019, Google’s Chrome browser started blocking all mixed or non-secure content on websites.

Today, most sites serve their content via HTTPS to provide a safer browsing experience for their users, and most hosting companies make it easy to set up and to renew.

Unfortunately, there are still some popular hosting companies that make this process difficult.

This is the story of a website that went offline because a renewed SSL certificate failed to load/activate on the hosting server.

My client’s site is hosted on a GoDaddy managed WordPress server.

The SSL cert in this case cost about $100 a year, and GoDaddy’s process is to renew the SSL cert 2 months prior to expiration.

In this case the SSL cert was renewed but did not install on the server, so at midnight Arizona time, my client’s site went down as the SSL cert expired.

The support process to get this server backup online took a little over 5 hours working with GoDaddy and an additional hour of my own time trouble-shooting the issue. If I were billing my client this would have cost them $600, but my client has a support contract with me, and they are a good client, so they were not billed.

This SSL certificate is a product sold to my client by GoDaddy.

This certificate is installed on the webserver to validate the SSL encryption, the https:// lock required by Google.

Because the “domain” was not hosted by GoDaddy, according to their tech support the certificate is renewed 2 months prior to expiration, so there will be no delay in getting the renewed certificate installed.

In this case, the renewed certificate failed to install on the Deluxe Managed WordPress hosting server and GoDaddy did not check to make sure the certificate was installed correctly.

Time passes and the certificate (renewed two months prior) expired because the renewed certificate was never properly installed.

Like most developers, I’m up late as a habit. Around midnight, I got a notice that the site was down.

After a lengthy troubleshooting process, I noticed that the site was accessible via http:// but not via https://

The “trouble was an SSL issue.” 

Saturday morning, I contacted GoDaddy support and after a lengthy wait they began the discovery process on their servers. Finally, we do get the determination that the SSL cert did not install and they blamed this on the client as the “managed WordPress server” was their old version and the SSL renewal requires that the client manually go into the SSL product management dashboard and manually renew the SSL which should reinstall the certificate. [At this point fumes are slowing escaping from my brain cells]. What a crock of BS.

But responding calmly, I allowed the tech support to walk me through the process and, after waiting an appropriate length of time, we determined that the process failed.

Next: THE UPSELL. The solution that will fix the “problem” involved upgrading to their newest version of WordPress managed hosting.  Of course, I’d have to migrate the site myself or pay an $100 fee for them to migrate. Also this would take a few days to happen.

In my experience, GoDaddy always offers an UPSELL as the solution to most issues.

This new hosting would resolve the issue. Pay us more money for new service and magic happens.

Apparently, there is a new “managed WordPress service” which was put into place because this SSL manual process was such a problem.

A BIG issue for me is that GoDaddy recognized they had a problem with the “old” deluxe managed WordPress hosting and fixed it by creating a “new” deluxe managed hosting, but never a mention to my client, even though this new service was in place prior to the client’s last renewal of service.

The new service included a free SSL certificate, an automated renewal process and the cost would be  significately  less per year.

With this new service at the ready, how does GoDaddy justify having my client renew their “old” hosting plan last year (with known issues) instead of offering the new improved hosting plan? Why was it not made known to the client that there was a better cheaper hosting option prior to renewal, or better yet why didn’t they automatically upgrade the client to the new service.

Hearing about this new hosting plan frustrated me.

My reply- no, thank you, just fix the server.

Also of note, there were no backups listed in the backup dashboard… even though the tech support verified that there were indeed daily backups available on the file server but would require a server admin to restore if needed, a known GoDaddy issue (a software bug) with the backup API (actually a very old issue, as I have seen this before).

A known bug

In addition, the PHP version on this managed server topped out at 7.3. This meant their special “Managed WordPress Hosting” couldn’t even update to the PHP version recommended for WordPress.

We tried several more times to renew the certificate and finally the tech support concluded that he needed to escalate to hosting support admins and transferred my call to them… and after waiting for a response for 40 minutes, I hung up and recalled support.

Again, a lengthy wait, and now a new support person, who basically walked me through the same processes several more times and then got in touch via chat with an admin.

GoDaddy support came to the conclusion that the problem was the use of Cloudflare as the clients name servers and that I needed to add a CAA record (Certification Authority Authorization) to authorize GoDaddy to issue certificates for the domain. Strange that this CAA record was not required previously to issue the certificate for the site or renew in the past. 

        CAA record →   0 issue “godaddy.com” 

The reason given by support was that this GoDaddy CAA record wasn’t in the DNS records as reported by DNS lookup (https://www.whatsmydns.net). Therefore, Cloudflare was the problem. 

Okay, I installed the CAA record, and we attempted the renewal process and another process to alter the verifying authority just in case. Nothing worked.

The tech support determined at this point we had to wait for DNS “propagation” and that I needed to wait an hour for the new DNS CAA record to propagate, then we could try again to renew the certificate.

Keeping my calm, I agreed. At least this support person didn’t attempt to upsell me. A first for GoDaddy support.

I waited two hours and called support again…

This time, we tried the same renewal process (a few times, then another server admin was called. This time the question asked was had I tried re-keying the CSR for the certificate?  Why in the world would I do that? My client paid GoDaddy to manage the SSL, which includes steps like handling the CSR requirements for the SSL certificate.

I was having a hard time understanding why the services the client paid were now my problem and the client’s.

Back to the story, the admin re-keyed the CSR or whatever, a process that was explained to me as “activating the SSL cert”.

The final explanation was that the certificate was never “activated” and so the renewing process did not work. Once the admin activated the SSL cert, and I once again stepped through the manual renewal process, the certificate did indeed install and the site was restored.

It took over 6 hours and 5 support persons to solve this issue. Amazing.

And yes, once again, I got the upsell pitch to solve/prevent the problem by upgrading to the new WordPress managed hosting.  

At this point, I knew I had to move my client to a new hosting service – NOT GoDaddy hosting.

An interesting side note…

When the SSL renewal failed, GoDaddy modified the WordPress settings changing the Home URL and Site URL to http:// instead of https:// thus allowing access to the site without encryption even though the site was set up to force SSL.

Once the SSL was re-installed, GoDaddy restored the home URL and Site URL to https:// and the site was back in business.

Article by Eagle, with editing assistance by Dave Goff…thank you sir.