by Talented

Got this message from LE today:

Your certificate (or certificates) for the names listed below will expire in 19 days (on 19 Feb 19 01:23 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their total lifetime left. For Let's Encrypt's current 90-day certificates, that means renewing 30 days before expiration. See https://letsencrypt.org/docs/integration-guide/ for details.

I have two questions about this:

1) When should certificates be renewing themselves? I haven't seen anything about the timing of when the renewals attempt to process so I'm unsure if I should be concerned about this or if a renewal attempt is yet to come.

2) If there is an issue with renewal, how do I correct it? Turn SSL off and back on? Or is there some way to force a renewal request?

This cert includes a wildcard domain on it in case that makes any difference.

Thanks for any assistance or info you can provide!

by Rookie

I had a situation today where a certificate didn't renew. The domain uses the ".network" TLD. When I tried 

sudo certbot renew --post-hook "service nginx restart"

I got

Cert is due for renewal, auto-renewing...

Plugins selected: Authenticator webroot, Installer None

Renewing an existing certificate

Performing the following challenges:

http-01 challenge for [domain].network

http-01 challenge for www.[domain].network

Cleaning up challenges

Attempting to renew cert ([domain].network) from /etc/letsencrypt/renewal/[domain].network.conf produced an unexpected error: Missing command line flag or config entry for this setting:

Input the webroot for [domain].network:. Skipping.

and then...

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/[domain].network/fullchain.pem (failure)

But then I tried forcing the renewal with

sudo site [domain].network -ssl=force-renewal

And it worked. I wonder if it could be related to the ".network" TLD.

1 Answer

by Expert

First of all, try renewing your certs manually:

sudo certbot renew --post-hook "service nginx restart"

You should see a message with "successful".

Now, this is very weird because Webinoly has a redundant process to prevent these issues. Certbot (Let's Encrypt) has an automatic renewal process that runs several times a day on your server. Also, as a double check, Webinoly runs the renew command once a week and sends an email to the account you registered the first time you created a cert.

Definitely, something is not working fine on your server; it's almost impossible that both redundant renewal processes are failing.

Check the Webinoly renew cron job: sudo crontab -e

Regards.
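The answer above relies on certbot's own scheduled runs plus Webinoly's weekly cron, but it does not say when a certificate actually counts as "due". The notification quoted in the question gives the rule: renew when a third of the lifetime is left, i.e. 30 days before expiry for a 90-day certificate. The script below is an added example, not Webinoly's or certbot's code; it applies that rule to epoch timestamps (so it can be checked offline) and, for real PEM files, delegates the date comparison to `openssl x509 -checkend`, which it assumes is installed. Function names are hypothetical, and the epoch values in the demo are computed by hand from the expiry date in that e-mail (19 Feb 2019 01:23 UTC, with "now" 19 days earlier).

```shell
#!/bin/sh
# Added example (not Webinoly's or certbot's code): is a Let's Encrypt cert inside
# its renewal window? Rule from the Let's Encrypt notice: renew once a third of the
# lifetime is left (30 days for the current 90-day certs).

# Print "expired", "due" or "ok" followed by the whole days left, and exit 0 only
# when nothing needs doing.   renew_decision NOT_AFTER_EPOCH NOW_EPOCH [LIFETIME_DAYS]
renew_decision() {
    not_after=$1; now=$2; lifetime=${3:-90}
    days_left=$(( (not_after - now) / 86400 ))
    window=$(( lifetime / 3 ))            # 30 for a 90-day cert, 20 for a 60-day cert
    if [ "$not_after" -le "$now" ]; then
        state=expired
    elif [ "$days_left" -le "$window" ]; then
        state=due
    else
        state=ok
    fi
    echo "$state $days_left"
    [ "$state" = ok ]
}

# Same decision for a PEM file. "openssl x509 -checkend N" exits 0 when the cert
# does NOT expire within N seconds, so the result is inverted: exit 0 = renewal due.
# Exit 2 means the check could not run (assumes the openssl CLI is installed).
#   cert_renewal_due PEM_FILE [LIFETIME_DAYS]
cert_renewal_due() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    [ -r "$1" ] || { echo "unreadable: $1" >&2; return 2; }
    window=$(( ${2:-90} / 3 * 86400 ))
    ! openssl x509 -noout -checkend "$window" -in "$1"
}

# Demo with the dates from the notification: expiry 19 Feb 2019 01:23 UTC is epoch
# 1550539380; 19 days earlier is 1548897780 (both constructed for this example).
renew_decision 1550539380 1548897780 90 || echo "-> certbot should have renewed this already"

# Scan a live directory the way a cron check would (loop is a no-op if none exists).
for pem in /etc/letsencrypt/live/*/fullchain.pem; do
    [ -r "$pem" ] || continue
    if cert_renewal_due "$pem"; then echo "DUE: $pem"; else echo "ok:  $pem"; fi
done
```

Because `renew_decision` returns non-zero as soon as a certificate is due, a cron line such as `renew_decision "$(...)" "$(date +%s)" || certbot renew --post-hook "service nginx restart"` only invokes certbot when the window has actually opened, which keeps the weekly Webinoly job from masking a broken certbot timer.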

by Talented
Thanks for the reply. I hadn't gotten a chance to try this again until today, and the above didn't work.

Looks like my issue is related to https://webinoly.com/support/906/problem-renewing-wildcard-ssl

Looking forward to that update
by Expert
Ok. The wildcard issue will be fixed in the next major update.

Did you try manually renewing as suggested in the other post? Did it work?
by Talented
Just saw 1.8 is out on Github - lots of amazing stuff there. Does this fix the issue from this thread?
by Expert

A lot of things were improved in the SSL area, but to be honest I found nothing wrong with the renewal process.

The good news is that now we have more tools and options to fix these issues, for example:

  • You can now manually renew your certs: sudo site ssl=renew
  • Or force-renewal of a specific site: sudo site domain.com -ssl=force-renewal

The last one seems to be working fine even with wildcard certs; I've been testing it and it seems you don't even need to pass the DNS verification again.

Please, tell me if it works for you.

Regards.

by Talented
Sweet! Yes sudo site domain.com -ssl=force-renewal worked on a wildcard, no DNS re-verification required. Amazing!
by Expert
Now we just have to wait to confirm if the automatic renewal process works fine, too.
by Talented
Still getting some errors during the automated renewal:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/domain.io.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert is due for renewal, auto-renewing...

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)

Attempting to renew cert (domain.io) from /etc/letsencrypt/renewal/domain.io.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.

The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Processing /etc/letsencrypt/renewal/domain.io-0001.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Cert not yet due for renewal

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/domain.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:

  /etc/letsencrypt/live/domain.io-0001/fullchain.pem expires on 2019-07-31 (skipped)

All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/domain.io/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

1 renew failure(s), 0 parse failure(s)
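Both failed unattended runs in this thread come from the renewal configuration rather than from the ACME exchange: the `.network` case above failed because the webroot authenticator had no webroot to use ("Missing command line flag or config entry ... Input the webroot"), and the log just posted fails because a manual authenticator has no `--manual-auth-hook`, which certbot requires when nobody is there to answer the DNS prompt. Both only show up when certbot runs from cron. The script below is an added example, not Webinoly's or certbot's code: it lints certbot renewal files (`/etc/letsencrypt/renewal/*.conf`) for exactly these two conditions. Function names are hypothetical, and the sample configs it writes are constructed for the example, not copied from a real server.

```shell
#!/bin/sh
# Added example, not Webinoly's or certbot's own code. Lints certbot renewal
# configs for two settings that only break when certbot runs non-interactively:
#   - authenticator = webroot with neither webroot_path nor a [[webroot_map]]
#   - authenticator = manual with no manual_auth_hook
# Function names are hypothetical; the sample configs below are constructed.

# Print the value of KEY from the [renewalparams] section of FILE (certbot's
# configobj layout "key = value"; the nested [[webroot_map]] is not searched).
#   renewal_param FILE KEY
renewal_param() {
    awk -v key="$2" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s)
                      in_rp = (s == "[renewalparams]"); next }
        in_rp {
            split($0, kv, "=")
            k = kv[1]; gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) { sub(/^[^=]*=[ \t]*/, ""); gsub(/[ \t]+$/, ""); print; exit }
        }' "$1"
}

# Return 0 if FILE can renew unattended; otherwise print why and return 1.
lint_renewal_conf() {
    f=$1
    case "$(renewal_param "$f" authenticator)" in
        webroot)
            if [ -z "$(renewal_param "$f" webroot_path)" ] &&
               ! grep -q '^[[:space:]]*\[\[webroot_map\]\]' "$f"; then
                echo "$f: webroot authenticator has no webroot_path or [[webroot_map]]"
                return 1
            fi ;;
        manual)
            if [ -z "$(renewal_param "$f" manual_auth_hook)" ]; then
                echo "$f: manual authenticator has no manual_auth_hook"
                return 1
            fi ;;
        "")
            echo "$f: no authenticator set"; return 1 ;;
    esac
    echo "$f: ok"
}

# Constructed sample configs (not from any real server) covering both errors.
write_sample_confs() {
    cat > "$1/good-webroot.conf" <<'EOF'
[renewalparams]
authenticator = webroot
installer = None
[[webroot_map]]
example.network = /var/www/example.network/htdocs
www.example.network = /var/www/example.network/htdocs
EOF
    cat > "$1/legacy-webroot.conf" <<'EOF'
[renewalparams]
authenticator = webroot
webroot_path = /var/www/example.org/htdocs,
EOF
    cat > "$1/bad-webroot.conf" <<'EOF'
[renewalparams]
authenticator = webroot
installer = None
EOF
    cat > "$1/good-manual.conf" <<'EOF'
[renewalparams]
authenticator = manual
pref_challs = dns-01,
manual_auth_hook = /usr/local/bin/dns-auth-hook.sh
EOF
    cat > "$1/bad-manual.conf" <<'EOF'
[renewalparams]
authenticator = manual
pref_challs = dns-01,
EOF
}

# Lint every config in DIR; the exit status is the number of broken ones, so the
# function can gate a cron job before it calls "certbot renew".
lint_all() {
    bad=0
    for c in "$1"/*.conf; do lint_renewal_conf "$c" || bad=$((bad + 1)); done
    echo "$bad config(s) would fail unattended renewal"
    return "$bad"
}

# Demo against the samples; on a real server: lint_all /etc/letsencrypt/renewal
tmp=$(mktemp -d) && write_sample_confs "$tmp"
lint_all "$tmp" || true
rm -rf "$tmp"
```

Running `lint_all /etc/letsencrypt/renewal` before the weekly cron job turns the vague "All renewal attempts failed" into a named file and a named missing key. Two files for one site, as with `domain.io.conf` and `domain.io-0001.conf` above, also show up here as two separate verdicts, which makes it obvious when an older config with a stale authenticator is the one failing.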
by Expert

I don't know; my only advice is to make sure that all your packages are updated, as that's the main cause of issues with Let's Encrypt.

sudo apt update && sudo apt upgrade -y

Regards.

by Talented
I ended up just totally trashing all the certs (there were two conf files for some reason - domain.io and domain.io-0001 so IDK if that was causing any issues) and regenerated from scratch.

After successful DNS challenge (for wildcard), I did a -ssl=force-renewal and it's going through so... fingers crossed this time? I'll let you know in September if issues arise :D