by Talented

Got this message from LE today:

Your certificate (or certificates) for the names listed below will expire in 19 days (on 19 Feb 19 01:23 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

I have two questions about this:

1) When should certificates be renewing themselves? I haven't seen anything about the timing of when the renewals attempt to process so I'm unsure if I should be concerned about this or if a renewal attempt is yet to come.

2) If there is an issue with renewal, how do I correct it? Turn SSL off and back on? Or is there some way to force a renewal request?

This cert includes a wildcard domain on it in case that makes any difference.

Thanks for any assistance or info you can provide!

1 Answer

by Expert

First of all, try renewing your certs manually:

sudo certbot renew --post-hook "service nginx restart"

You should see a message with "successful".

Now, this is very weird because Webinoly has a redundant process to prevent these issues. Certbot (Let's Encrypt) has an automatic renewal process that runs several times a day on your server. Also, as a double check, Webinoly runs the renew command once a week and sends an email to the account you registered the first time you created a cert.

Definitely, something is not working fine on your server; it's almost impossible that both redundant renewal processes are failing.

Check the Webinoly renew cron job: sudo crontab -e

Regards.

by Talented
Thanks for the reply. I hadn't gotten a chance to try this again until today, and the above didn't work.

Looks like my issue is related to https://webinoly.com/support/906/problem-renewing-wildcard-ssl

Looking forward to that update
by Expert
Ok. The wildcard issue will be fixed in the next major update.

Did you try manually renewing as suggested in the other post? Did it work?
by Talented
Just saw 1.8 is out on Github - lots of amazing stuff there. Does this fix the issue from this thread?
by Expert

A lot of things were improved in the SSL area, but to be honest I found nothing wrong with the renewal process.

The good news is that now we have more tools and options to fix these issues, for example:

  • You can now manually renew your certs: sudo site ssl=renew
  • Or force-renewal of a specific site: sudo site domain.com -ssl=force-renewal

The last one seems to be working fine even with wildcard certs; I've been testing it and it seems you don't even need to pass the DNS verification again.

Please, tell me if it works for you.

Regards.

by Talented
Sweet! Yes sudo site domain.com -ssl=force-renewal worked on a wildcard, no DNS re-verification required. Amazing!
by Expert
Now we just have to wait to confirm if the automatic renewal process works fine, too.
by Talented
Still getting some errors during the automated renewal:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/domain.io.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert is due for renewal, auto-renewing...

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

Attempting to renew cert (domain.io) from /etc/letsencrypt/renewal/domain.io.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/domain.io-0001.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/domain.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:

  /etc/letsencrypt/live/domain.io-0001/fullchain.pem expires on 2019-07-31 (skipped)

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/domain.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1 renew failure(s), 0 parse failure(s)
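The failure in the log above is certbot's own message: a renewal config that records "authenticator = manual" but no "manual_auth_hook" can only be renewed interactively, so the unattended "certbot renew" run by cron skips it. The script below is an added example (not code from this thread, from Webinoly or from certbot) that audits renewal configs for exactly that condition. It assumes certbot's layout of /etc/letsencrypt/renewal/<name>.conf, an INI-style file whose [renewalparams] section holds "key = value" lines, and the "authenticator" and "manual_auth_hook" keys certbot writes there; the two sample configs, their paths and the hook script name are constructed for the example.

```shell
#!/bin/sh
# Added example (not Webinoly's or certbot's own code): audit certbot renewal
# configs for the failure shown above, where "authenticator = manual" has no
# manual_auth_hook and unattended "certbot renew" skips the cert.
# Assumption: certbot's /etc/letsencrypt/renewal/<name>.conf layout, an
# INI-style file whose [renewalparams] section holds "key = value" lines.

# renewal_param FILE KEY
# Print the value of KEY from the [renewalparams] section (empty if absent).
renewal_param() {
    # Restrict to the [renewalparams] section, then strip "KEY =" from the match.
    sed -n '/^\[renewalparams\]/,/^\[/p' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
        head -n 1
}

# check_renewal_conf FILE
# Prints "manual-nohook" when the config can only be renewed interactively
# (the condition behind the PluginError above), "ok" otherwise.
check_renewal_conf() {
    auth=$(renewal_param "$1" authenticator)
    hook=$(renewal_param "$1" manual_auth_hook)
    if [ "$auth" = "manual" ] && [ -z "$hook" ]; then
        echo "manual-nohook"
    else
        echo "ok"
    fi
}

# scan_renewal_dir DIR
# One "<name>: <status>" line per *.conf in DIR (default: certbot's renewal dir).
scan_renewal_dir() {
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        echo "$name: $(check_renewal_conf "$conf")"
    done
}

# Constructed sample configs (made up for this example, not taken from the
# poster's server) written to a scratch directory so the script runs offline.
# Account IDs, paths and the hook script name are placeholders.
SCRATCH=$(mktemp -d)
cat > "$SCRATCH/domain.io.conf" <<'EOF'
# renew_before_expiry = 30 days
version = 0.31.0
cert = /etc/letsencrypt/live/domain.io/cert.pem

# Options used in the renewal process
[renewalparams]
authenticator = manual
account = 0123456789abcdef
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF
cat > "$SCRATCH/hooked.example.conf" <<'EOF'
version = 0.31.0
cert = /etc/letsencrypt/live/hooked.example/cert.pem

[renewalparams]
authenticator = manual
manual_auth_hook = /usr/local/bin/dns-auth-hook.sh
pref_challs = dns-01,
server = https://acme-v02.api.letsencrypt.org/directory
EOF

scan_renewal_dir "$SCRATCH"
# Prints:
#   domain.io: manual-nohook
#   hooked.example: ok
```

Run it as root (or point scan_renewal_dir at a copy of the renewal directory) on the server that sends the expiry warnings; any "manual-nohook" line is a cert that the cron-driven renewal will keep skipping until it is reissued with a DNS hook, or through a tool that handles the DNS challenge for you.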
by Expert

I don't know; my only advice is to make sure all your packages are updated, since that's the main cause of issues with Let's Encrypt.

sudo apt update && sudo apt upgrade -y

Regards.

by Talented
I ended up just totally trashing all the certs (there were two conf files for some reason, domain.io and domain.io-0001, so IDK if that was causing any issues) and regenerated from scratch.

After successful DNS challenge (for wildcard), I did a -ssl=force-renewal and it's going through so... fingers crossed this time? I'll let you know in September if issues arise :D