Cannot renew Let's Encrypt #702

Closed
kieusonlam opened this Issue Apr 13, 2016 · 10 comments


kieusonlam commented Apr 13, 2016

Hi all,

My entire website is down because Let's Encrypt cannot renew. I have to go from https to http.

  • ee site update domain.com --le=renew
    Here is my log file.
2016-04-13 04:42:36,476 (DEBUG) ee : logging initialized for 'ee' using LoggingLogHandler
2016-04-13 04:42:36,815 (DEBUG) ee : ['/usr/local/bin/ee', 'site', 'update', 'xxxxxxxx.com', '--le=renew']
2016-04-13 04:42:36,815 (DEBUG) ee : collecting arguments/commands for <ee.cli.controllers.base.EEBaseController object at 0x7f339f1faa58>
2016-04-13 04:42:36,818 (DEBUG) ee : collecting arguments/commands for <ee.cli.plugins.site.EESiteController object at 0x7f339f1faf98>
2016-04-13 04:42:36,820 (DEBUG) ee : collecting arguments/commands for <ee.cli.plugins.site.EESiteUpdateController object at 0x7f339f208438>
2016-04-13 04:42:36,825 (INFO) ee : Initializing EasyEngine Database
2016-04-13 04:42:36,836 (DEBUG) ee : Running command: date -d "now" +%s
2016-04-13 04:42:36,842 (DEBUG) ee : Command Output: 1460536956
, 
Command Error: 
2016-04-13 04:42:36,842 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/xxxxxxxx.com/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2016-04-13 04:42:36,855 (DEBUG) ee : Command Output: 1460969160
, 
Command Error: 
2016-04-13 04:42:36,855 (DEBUG) ee : Changing directory to /opt/letsencrypt
2016-04-13 04:42:36,856 (DEBUG) ee : Running command: git pull
2016-04-13 04:42:39,517 (DEBUG) ee : Command Output: Already up-to-date.
, 
Command Error: 
2016-04-13 04:42:39,518 (INFO) ee : Renewing SSl cert for https://xxxxxxxx.com
2016-04-13 04:42:39,518 (DEBUG) ee : Running command: ./letsencrypt-auto --renew certonly --webroot -w /var/www/xxxxxxxx.com/htdocs/ -d xxxxxxxx.com -d www.xxxxxxxx.com --email lam@toamxinh.com --text --agree-tos
2016-04-13 04:42:40,728 (DEBUG) ee : Command Output: Checking for new version...
Requesting root privileges to run letsencrypt...
   /root/.local/share/letsencrypt/bin/letsencrypt --renew certonly --webroot -w /var/www/xxxxxxxx.com/htdocs/ -d xxxxxxxx.com -d www.xxxxxxxx.com --email lam@toamxinh.com --text --agree-tos
, 
Command Error: usage: 
  letsencrypt-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

The Let's Encrypt agent can obtain and install HTTPS/TLS/SSL certificates.  By
default, it will attempt to use a webserver both for obtaining and installing
the cert. Major SUBCOMMANDS are:

  (default) run        Obtain & install a cert in your current webserver
  certonly             Obtain cert, but do not install it (aka "auth")
  install              Install a previously obtained cert in a server
  renew                Renew previously obtained certs that are near expiry
  revoke               Revoke a previously obtained certificate
  rollback             Rollback server configuration changes made during install
  config_changes       Show changes made to server config during installation
  plugins              Display information about installed plugins
letsencrypt: error: ambiguous option: --renew could match --renew-by-default, --renew-hook
2016-04-13 04:42:40,728 (ERROR) ee : ERROR : Cannot RENEW SSL cert !
2016-04-13 04:42:40,728 (DEBUG) ee : Running command: date -d "now" +%s
2016-04-13 04:42:40,732 (DEBUG) ee : Command Output: 1460536960
, 
Command Error: 
2016-04-13 04:42:40,733 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/truongtoncorp.com/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2016-04-13 04:42:40,741 (DEBUG) ee : Command Output: 1460969160
, 
Command Error: 
2016-04-13 04:42:40,742 (DEBUG) ee : Running command: date -d "now" +%s
2016-04-13 04:42:40,745 (DEBUG) ee : Command Output: 1460536960
, 
Command Error: 
2016-04-13 04:42:40,745 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/truongtoncorp.com/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2016-04-13 04:42:40,754 (DEBUG) ee : Command Output: 1460969160
, 
Command Error: 
2016-04-13 04:42:40,755 (ERROR) ee : Your current cert will expire within 5 days.
2016-04-13 04:42:40,755 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/truongtoncorp.com/cert.pem -text -noout|grep "Not After"|cut -c 25-`" 
2016-04-13 04:42:40,763 (DEBUG) ee : Command Output: Mon Apr 18 04:46:00 EDT 2016
, 
Command Error: 
2016-04-13 04:42:40,785 (ERROR) ee : Check logs for reason `tail /var/log/ee/ee.log` & Try Again!!!

By the way, please help me redirect all https to http because a lot of my links are broken :( I just don't know how to do it.

I did try
ee site edit domain.com
and add to the end

server {
    listen 443 ssl;
    server_name www.domain.com domain.com;
    return 301 http://domain.com$request_uri;
}

but it doesn't seem to be working.
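The `ambiguous option` line in the log above is the error Python's argparse raises when an abbreviated long option is a prefix of more than one defined option. The sketch below is an added example, not code from EasyEngine or the Let's Encrypt client: the toy parser, the `example.com` argv, and the premise that `--renew` resolved uniquely before a second `--renew*` option existed are assumptions made for illustration.

```python
import argparse

# Constructed argv modelled on the command in the log above (example.com is a placeholder).
ARGV = ["--renew", "certonly", "--webroot",
        "-w", "/var/www/example.com/htdocs/", "-d", "example.com"]


class ParseError(Exception):
    """Raised in place of argparse's default print-usage-and-exit(2)."""


class Parser(argparse.ArgumentParser):
    def error(self, message):
        raise ParseError(message)


def build_parser(with_renew_hook, allow_abbrev=True):
    """Toy stand-in for the client's CLI; only the options relevant here."""
    p = Parser(prog="letsencrypt", add_help=False, allow_abbrev=allow_abbrev)
    p.add_argument("subcommand", nargs="?", default="run")
    p.add_argument("--renew-by-default", action="store_true")
    if with_renew_hook:  # assumed: a later release adds a second --renew* option
        p.add_argument("--renew-hook")
    p.add_argument("--webroot", action="store_true")
    p.add_argument("-w", "--webroot-path")
    p.add_argument("-d", "--domain", action="append")
    return p


def try_parse(parser, argv):
    """Return ("ok", renew_by_default) or ("error", message)."""
    try:
        ns = parser.parse_args(argv)
    except ParseError as exc:
        return ("error", str(exc))
    return ("ok", ns.renew_by_default)


def scenarios():
    full = ["--renew-by-default"] + ARGV[1:]
    return {
        # Unique prefix: argparse silently expands --renew.
        "old_cli_abbrev": try_parse(build_parser(False), ARGV),
        # Two options now share the prefix: the same argv fails.
        "new_cli_abbrev": try_parse(build_parser(True), ARGV),
        # The full option name is unaffected by the new option.
        "new_cli_full": try_parse(build_parser(True), full),
        # allow_abbrev=False rejects the abbreviation from the start.
        "strict_abbrev": try_parse(build_parser(False, allow_abbrev=False), ARGV),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

A wrapper that shells out to another tool should pass full option names; a parser built with `allow_abbrev=False` surfaces the abbreviation as an error immediately instead of when an upstream release adds a colliding option.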

iam404 commented Apr 13, 2016

Hi @kieusonlam

I will test this.

In the meantime you can disable letsencrypt with

ee site update example.com --letsencrypt=off

Before executing please remove any custom code you have added.

kieusonlam commented Apr 13, 2016

Hi @iam404

I did disable letsencrypt. But I cannot redirect my site from https to http. I added

server {
    listen 443 ssl;
    server_name www.domain.vn domain.vn;
    return 301 http://domain.vn$request_uri;
}

and restarted nginx as well.

Here is my full config file

server {

    server_name domain.vn   www.domain.vn;


    access_log /var/log/nginx/domain.vn.access.log rt_cache;
    error_log /var/log/nginx/domain.vn.error.log;


    root /var/www/domain.vn/htdocs;



    index index.php index.html index.htm;


    include common/wpfc.conf;
    include common/wpcommon.conf;
    include common/locations.conf;
    include /var/www/domain.vn/conf/nginx/*.conf;

}

server {
        listen 443 ssl;
        server_name www.domain.vn domain.vn;
        return 301 http://domain.vn$request_uri;
}

iam404 closed this in 4cebd2b Apr 13, 2016

s-a-s-k-i-a commented Jul 18, 2016

EasyEngine 3.7.x
cannot renew letsencrypt.
Receiving this after running letsencrypt=renew on the day of expiration of the certificate. Although I set the renewal to auto, it didn't renew automatically:

ERROR : Cannot RENEW SSL cert !
Your current cert already EXPIRED !
Check logs for reason tail /var/log/ee/ee.log & Try Again!!!

ee.log contains this:

Command Error: 
2016-07-18 15:44:37,060 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/domain.de/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2016-07-18 15:44:37,081 (DEBUG) ee : Command Output: 1468843740
,
Command Error: 
2016-07-18 15:44:37,082 (DEBUG) ee : Changing directory to /opt/letsencrypt
2016-07-18 15:44:37,082 (DEBUG) ee : Running command: git pull
2016-07-18 15:46:38,776 (DEBUG) ee : Command Output: ,
Command Error: error: RPC failed; result=56, HTTP code = 0
fatal: The remote end hung up unexpectedly
2016-07-18 15:46:38,778 (INFO) ee : Renewing SSl cert for https://domain.de
2016-07-18 15:46:38,778 (DEBUG) ee : Running command: ./letsencrypt-auto --renew-by-default certonly --webroot -w /var/www/domain.de/htdocs/ -d domain.de -d www.domain.de --email myemail@me.com --text --agree-tos
2016-07-18 15:47:40,920 (DEBUG) ee : Command Output: Upgrading certbot-auto 0.7.0 to 0.8.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
IMPORTANT NOTES:

 - The following errors were reported by the server:

    Domain: www.domain.de
    Type: connection
    Detail: DNS problem: networking error looking up CAA for
    www.domain.de

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
,
Command Error: Failed authorization procedure. www.domain.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: networking error looking up CAA for www.domain.de
2016-07-18 15:47:40,922 (ERROR) ee : ERROR : Cannot RENEW SSL cert !
2016-07-18 15:47:40,922 (DEBUG) ee : Running command: date -d "now" +%s
2016-07-18 15:47:40,938 (DEBUG) ee : Command Output: 1468849660
,
Command Error: 
2016-07-18 15:47:40,939 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/domain.de/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2016-07-18 15:47:40,953 (DEBUG) ee : Command Output: 1468843740
,
Command Error: 
2016-07-18 15:47:40,955 (ERROR) ee : Your current cert already EXPIRED !
2016-07-18 15:47:40,956 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/domain.de/cert.pem -text -noout|grep "Not After"|cut -c 25-`" 
2016-07-18 15:47:40,974 (DEBUG) ee : Command Output: Mo 18. Jul 14:09:00 CEST 2016
,
Command Error: 
2016-07-18 15:47:41,158 (ERROR) ee : Check logs for reason `tail /var/log/ee/ee.log` & Try Again!!!

s-a-s-k-i-a commented Jul 18, 2016

Removed the letsencrypt config for the site as well as any ssl conf in the nginx vhost for this site.
Running ee site update domain.de --letsencrypt gives me this:

Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for domain.de?
Type "y" to continue [n]:y
Please Wait while we fetch SSL Certificate for your site.
It may take time depending upon network.
Unable to setup, Let's Encrypt
Please make sure that your site is pointed to
same server on which you are running Let's Encrypt Client
to allow it to verify the site automatically.

The domain is pointed to the server... I generated the LE cert before. Why is it not working now? I don't get it.

iam404 commented Jul 19, 2016

@s-a-s-k-i-a
Please verify if the www version of the site is also pointed.

s-a-s-k-i-a commented Jul 19, 2016

@iam404 hi there!
I checked this right when I read the ee.log.
But there is a CNAME entry in that domain's DNS pointing to @, and also an asterisk pointing to the server's IP.
It is set up just like any other domain on any server of mine.
I also extended the LE cert of another domain on another server yesterday. That domain has the same DNS entries as the above-mentioned domain, and the LE extension just went through without any issues at all. At that point in time, ee 3.5.5 was running on that server. Afterwards I updated the ee version.

Thanks for getting back to me

paulosouzainfo commented Oct 4, 2016

To renew the certificate, try this:
ee site update your-domain --letsencrypt renew

ahmadawais commented Dec 31, 2016

Had similar problems, and finally resolved all of them by this silly command which had nothing to do with EE.
Just run the following command before renewing your LE SSL.

export LC_ALL="en_US.UTF-8"
export LC_CTYPE="en_US.UTF-8"

If you are into more details, like me, then you can read more about it.

Cheers!

lawsonry commented Jan 10, 2017

@ahmadawais That fixed it for me! Thanks!

ahmadawais commented Jan 10, 2017

ahmadawais referenced this issue Mar 13, 2017: Routine for Updating LE SSL is Buggy! #846 (Closed, 4 of 4 tasks complete)