SSL Cert failed to renew for 1 of 4 sites on webinoly.

Question

I have 4 sites on my server and the SSL certificate expired on one of them.

When I type the command site example.com -ssl=renew the result is:

[ERROR] Invalid value for SSL command!

I was able to renew the cert with site example.com -ssl=force-renewal

I am wondering if there is any log I can check to see why the renewal failed? I don't see anything in /var/log/letsencrypt/letsencrypt.log.

The other 3 sites have been renewing successfully.

I was running Webinoly version 1.13.2. I just updated to 1.14.3.

Is there any way to confirm whether the next renewal will fail or not without waiting for 3 months?

After updating to version 1.14.3 the site -ssl=renew command is still not working. It returns the same error as the previous version 1.13.2.

[ERROR] Invalid value for SSL command!

Comments

After more investigation, here is what I found.

I found some entries in the letsencrypt archived log from May 3, 2021 where it appears that the certificate was renewed successfully.

Further, checking in the /etc/letsencrypt/archive/example.com.

ls -l

total 52

-rw-r--r-- 1 root root 1887 Mar  4 16:25 cert1.pem

-rw-r--r-- 1 root root 1887 May  3 18:52 cert2.pem

-rw-r--r-- 1 root root 1887 Jun 25 14:23 cert3.pem

-rw-r--r-- 1 root root 1586 Mar  4 16:25 chain1.pem

-rw-r--r-- 1 root root 1586 May  3 18:52 chain2.pem

-rw-r--r-- 1 root root 3750 Jun 25 14:23 chain3.pem

-rw-r--r-- 1 root root 3473 Mar  4 16:25 fullchain1.pem

-rw-r--r-- 1 root root 3473 May  3 18:52 fullchain2.pem

-rw-r--r-- 1 root root 5637 Jun 25 14:23 fullchain3.pem

-rw------- 1 root root 1704 Mar  4 16:25 privkey1.pem

-rw------- 1 root root 1704 May  3 18:52 privkey2.pem

-rw------- 1 root root 1704 Jun 25 14:23 privkey3.pem

I initially enabled SSL for this site on Mar 4 and it appears that it was in fact renewed on May 3. However, it was somehow still using the initial cert that expired on June 3 until I did the site ssl=force-renewal today (June 25).

Any idea what could have happened here or what else I can check to further investigate?

---

I found many entries like the ones below in the nginx error logs, which have stopped since I did the site -ssl=force-renew today.

2021/06/16 03:41:14 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:14 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate:"/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate:"/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org,peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/16 03:41:22 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org,peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

---

This is really weird. Looking at the NGINX error logs in more detail I can see that another one of my sites (example2.com) was giving the same errors.

2021/06/25 02:23:07 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:07 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:23:14 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:31:56 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:31:56 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 02:32:03 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example.com/fullchain.pem"

2021/06/25 03:18:33 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:33 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.10:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: recv() failed (110: Connection timed out) while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: OCSP responder prematurely closed connection while requesting certificate status, responder: r3.o.lencr.org, peer: 184.28.220.74:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb20]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb20]:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

2021/06/25 03:18:41 [error] 27666#27666: connect() to [2600:1406:1400::b81c:cb13]:80 failed (101: Network is unreachable) while requesting certificate status, responder: r3.o.lencr.org, peer: [2600:1406:1400::b81c:cb13]:80, certificate: "/etc/letsencrypt/live/example2.com/fullchain.pem"

The logs are filled with these errors for these 2 sites multiple times every day. There are only 15 days of NGINX error logs available so I don't know how long this has been going on but at least 15 days.

Here is the weird part. Since I manually renewed the cert for example.com yesterday, these NGINX errors have completely stopped (for both sites even though I didn't renew the cert for example2.com).

I also have another site example3.com with no entries at all in the NGINX error log.

example.com and example2.com both have an additional site set up on a subdomain, while example3.com does not.

dev.example.com (no ssl)

dev.example2.com (ssl)

These dev sites also don't have any entries in the NGINX error log.

It could be a coincidence, but the only 2 sites with entries in the error log are the 2 domains that have an additional site on the same domain.

The other thing I noticed is that all of these log entries are trying to connect to IPv6 addresses but my VPS does not have IPv6 networking.