# SSL Certificates' FAQ

# How to enable SSL certificate for a domain

There is a button on the domains page "Issue SSL-certificate". When you click it, the certificate will be issued within 30 minutes.

Button is avaliable only when the domain has an active A-record with server's IP and responds without HTTPS (Column State - Connected)

Issuing SSL-certificate is available only for approved installations beginning with version 2.12 (Maintenance -> Status -> Installation method)

# How to enable SSL certificate for a domain from server command line

You can install SSL certificate for your domains with the following command:

kctl-enable-ssl -D domain1.com,domain2.com,domain3.com

The script will not work if the server was not configured by the script of single-click installation.

Important! Make sure the domain has an active a-record with the server's ip.

# SSL certificate isn't issued in Keitaro

  1. Check which IP-address your domain has an A-record with:
  • go to the domain registrator you bought your domain from, and check DNS records - there should be only one A-record. The Ip of this A-record should be the one as Keitaro is installed on.
  • there shouldn't be any AAAA DNS-records.

You can use any DNS-checker to check your records, an example. Or you can run the following commands in any terminal:

  • dig A yourdomain.com +short

This command will show all A-records for yourdomain.com.

  • dig AAAA yourdomain.com +short

This command will show all AAAA-records for yourdomain.com.

  1. Check the installation version method at Maintennace - Status. The version in Installation Method line should be 2.21.0 and higher. If the version is lower, upgrade your server.

  2. Make sure you selected Full or Flexible certificate settings on CloudFlare in case you use CloudFlare.

  3. Check Maintenance - Logs - SSL Certificates, there's an information there about issuing SSL certificates. Correct an error if you can do it yourself, or reach out our suppoer team, we will help out.

  4. If all the steps above are done but the certificate isn't issued - delete the domain and add it once again. Important: if there's a campaign parked to the domain, it wouldn't work until the doamin is added again.

  5. If all the requirements are met (only one A-record, no AAAA-records) but the certificate can't be issued, log in to your server via SSH and try to issue a certificate in a terminal.

  6. If nothing from above steps helped reach out our support team.

# How to enable SSL for a domain with CloudFlare

You need to enable SSL on CloudFlare if the domain is integrated with CloudFlare.

# Delete SSL certificates

To delete ssl certificate, you can use following command:

kctl-disable-ssl -D domain1.com,domain2.com,domain3.com

All certificates and their files, their keys, and configuration files of nginx of the selected domains will be deleted.

The script will not work if the server was not configured by the script of single-click installation.

# Limits

Let’s Encrypt has some limits.

# Request limits exceeded

There can be only 5 unsuccessful tries to issue a certificate during an hour. You’ll see “Request limits exceeded” error after 5 tries. You need to wait for an hour to try an issue certificate again.

# Certificate issue is blocked

After 25 tries we block the domain for certificate issue. If you see this error, upgrade your server, delete the domain from the tracker and add it again. Wait for a new certificate.

Last Updated: 1/12/2021, 7:05:42 AM