
Authorization challenge expired [solution?] #71

Closed
TheJoin95 opened this issue Jun 29, 2017 · 29 comments

@TheJoin95

commented Jun 29, 2017

Hi guys,

we have a problem renewing certificates, because we get authorization errors.
The real issue is that Let's Encrypt has changed (in January) the expiry date of the authorization challenges from 60 days to 30 days (according to this: https://community.letsencrypt.org/t/upcoming-api-changes/17947).

Actually, Let's Encrypt sends us an email 10 days before our certificate expires, but if we renew the certificate only 10 days before with acmephp we get an error saying that we don't have authorization.
So we need to re-run the whole authorization process and get a new certificate.

You can try to see your active authorization in .acmephp/master/private/yourdomain.com/authorization_challenge.json.
Try to make a request to the url that you find in the "url" key: if you get a 404, you need to re-run the authorization, otherwise, you can make a renew.

What can we do?
Run the renew each month, when the authorization is still valid.

It sounds strange that Let's Encrypt (with 100.000.000 certs) can't get an authorization for more than 30 days, but I think that the problem we got renewing a certificate is this one.

@tgalopin

Member

commented Jun 30, 2017

Hello @TheJoin95,

I was pretty sure the problem was coming from something like this but I didn't have time to find the real issue, so: thank you very much, and I really mean it :) !

I will work on changing when authorization should be done in the code as soon as possible.

Thanks!

@tgalopin

Member

commented Jun 30, 2017

Actually this seems a bigger task than I expected, as AcmePHP now needs to be able to automate the authorization process. I'm on vacation next week, I will try to find time to work on this :) .

In the meantime, running the full process works so this can be a temporary solution.

@babblo

commented Sep 15, 2017

Hi @tgalopin, any updates on this issue?

@sakumatto

commented Oct 11, 2017

Hi @tgalopin, any updates on this issue? Many of my certs just expired because I'd cronned them in July :(

@jmorganmartin

commented Nov 29, 2017

@tgalopin A potential solution/add-on would be to add a configuration to set a path to the .well-known/acmechallenge directory for each domain. This would make authorizing as easy to set up and repeat as getting new certificates.

tgalopin referenced this issue Jan 21, 2018: Release ? #83 (Closed)

@MatG01

commented Feb 15, 2018

Hi @tgalopin,
A honest question, not a complaint (I appreciate your work on that tool, I use it for 20+ domains):
As you are still making releases, I wonder how you use the tool yourself, because this issue makes it pretty unusable for me. The need to manually re-authorize each domain after a month defeats the purpose of Let's Encrypt and of acmephp for me.
My question: do you have a workaround for that problem, and if so I would very much appreciate learning how that works.

@babblo

commented Feb 15, 2018

@MatG01 as a workaround you can renew the certs every 20 days or so, that way you don't need to re-authorize the domains. Let's Encrypt has limits far beyond those amounts, don't worry.

@MatG01

commented Feb 15, 2018

@babblo I tried that once and it didn't work for me. The domains still expired. But if you say that that's the way to do it, then I assume I made a mistake and I will try again. Thanks.

@babblo

commented Feb 15, 2018

@MatG01 be sure you --force the updates.

@MatG01

commented Feb 15, 2018

@babblo that sounds like a good hint. Thanks a lot.

@jderusse

Member

commented Mar 22, 2018

Did you try to call the "auth" command to regenerate a new challenge?

I suggest using the new "run" command to perform everything automatically.

@alexwilczewski

commented Apr 2, 2018

I run a cron once per week: $ php acmephp.phar request --force
It was successfully renewing my multi-domain certificates for the first month, then I was receiving the authorization errors. I am using version 1.0.0-beta5.

@jderusse I am looking into your recent changes. I didn't know there was an "auth" or "run" command.

@tgalopin

Member

commented Apr 2, 2018

@alexwilczewski Temporarily, you can redo the authorization process manually. It will fix the problem in the short term, but I suggest indeed to use the run command for a better solution.

@alexwilczewski

commented Apr 3, 2018

I used the run command. It is useful and convenient.

In regards to the run command:
I tried creating a multi-domain certificate by listing subject_alternative_names. However, my alternative domain names route to separate directories on my webserver. This caused problems when using the solver, because only 1 directory can be used for http-file.

In regards to the current version:
I ran into the following errors while using request with the -a option.
In Repository.php line 373:
Loading of domains , certificate order failed
In Filesystem.php line 386:
File not found at path: var//68b1e75f4239736f58668aacff1381fddf9e3fe8/certificate_order.json

Version 1.0.0-beta5 does not produce this error.

@sakumatto

commented Apr 29, 2018

Hi all. I wrote into a post my method of renewing with AcmePHP: https://sslowner.com/lets-encrypt-and-acmephp-for-free-certificates-automatic-renewal-with-dns-challenge.html

I use DNS challenge. Hope this helps us all who have been having problems to automate the process.

@PK232

commented May 15, 2018

I looked at sakumatto’s renewal script referenced in the URL (….with-dns-challenge.html) above and it appears that the active part that does the renewal is the standard means of forcing a renewal from the command line as shown below.

php /home/user/acmephp.phar request --force $domain -a $www

Am I missing something in the script that makes it more than being an automatic renewal script that can be run from cron?

The reason I ask is that I have been fighting the problem of having Let’s Encrypt indicate that my certificates had expired before I could renew them for months. At first I wrote a script to force a renewal on the first of each month. I tested it by running it manually two days after I wrote it and the renewal succeeded. It also succeeded when cron ran it on the following first of the month about two weeks later. When it ran on the first of the next month however, it failed, and I had to start the whole process over again.

My next attempt was to modify my renewal script to run every 14 days using modulo. That script worked well for weeks two and four, but on week six it again failed, which is why I am surprised sakumatto’s renewal script works and why I am asking if I missed something in what his script does. My last test seemed to indicate that failing to renew after a month is independent of the number of times you renew or when you renew during the month.

Unfortunately I did not keep any notes on what I did so I am going to try my scripts again to see if the results repeat and also so I can keep better notes and answer any questions on exact error messages etc. Perhaps I did something wrong. We can always hope.

@alexwilczewski

commented May 15, 2018

@PK232 I think you may run into the same problem again. It appears that the force script never "renews" something that is necessary for LetsEncrypt. (I don't know what that is.) I wrote a script that runs through the full renewal process and it has been working well for a few months now. I do not have them on hand, but I will outline the process below.

Notes:

  • I can run my script on the server where I host my files.
  • I satisfy LetsEncrypt's challenge through html -- mydomain.com/.well-known/acme-challenge/...
  • I create a multi-domain certificate.

Script outline:
0) I pass in the domains and their directory paths into my script.
1) For each domain I run: php acmephp.phar authorize mydomain.com
   1.1) I parse this output with a regular expression and create a file in the proper location in the file system.
2) For each domain I run: php acmephp.phar check mydomain.com
3) I create the argument list for each domain and I run: php acmephp.phar request mydomain.com -a mydomain2.com ...

I run this script through cron each week and I do not run into the renewal problem upon the apparent 1 month expiry.
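
A cron wrapper that combines the check from the first post (probe the "url" stored in authorization_challenge.json and re-authorize on anything but a 200) with the authorize/check/request outline above, as an added example that is neither the project's code nor @alexwilczewski's script. It assumes the paths $PHAR and $WEBROOT, a DOMAIN environment variable, and that `acmephp authorize` prints the "Create a text file accessible on URL ..." line quoted later in this thread followed by the file content on the next non-empty line.

```shell
#!/bin/sh
# Added example, not AcmePHP's own code: cron wrapper that re-runs the
# authorization only when the stored one has expired (the thread's 404 check),
# then renews with `request --force`. Assumed: $PHAR, $WEBROOT (served as
# http://$DOMAIN/) and the `acmephp authorize` output format noted below.
set -eu
PHAR="${PHAR:-/home/user/acmephp.phar}"                      # path quoted in the thread
STORE="${STORE:-${HOME:-.}/.acmephp/master/private}"         # storage path from the first post
WEBROOT="${WEBROOT:-/var/www/html}"                          # assumption

# Extract the "url" value from authorization_challenge.json (no jq dependency).
challenge_url() {
    sed -n 's/.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}
# Network probe of the authorization URL; prints the HTTP status (000 if unreachable).
auth_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1" || echo 000
}
# The issue reports 404 for an expired authorization; anything but 200 means re-authorize.
needs_reauth() {
    case "$1" in 200) return 1 ;; *) return 0 ;; esac
}
# Parse `acmephp authorize` output. Assumed format (from the output quoted in the
# thread): a line "Create a text file accessible on URL <url> containing the
# following content:" followed by the content on the next non-empty line.
parse_challenge() {  # stdin: authorize output -> prints "<url> <content>"
    awk '/accessible on URL/ { for (i = 1; i <= NF; i++) if ($i ~ /^https?:/) url = $i; grab = 1; next }
         grab && NF { print url, $1; exit }'
}
# Re-authorize a domain only if its stored authorization no longer answers 200.
ensure_authorized() {  # $1 = domain
    f="$STORE/$1/authorization_challenge.json"
    if [ -f "$f" ] && ! needs_reauth "$(auth_status "$(challenge_url "$f")")"; then
        return 0
    fi
    parsed=$(php "$PHAR" authorize "$1" | parse_challenge)
    url=${parsed%% *}; content=${parsed#* }
    file="$WEBROOT/${url#http://$1/}"                        # .well-known/acme-challenge/<token>
    mkdir -p "$(dirname "$file")"
    printf '%s' "$content" > "$file"
    php "$PHAR" check "$1"
}
if [ -n "${DOMAIN:-}" ]; then                                # e.g. DOMAIN=mydomain.com ./renew.sh
    ensure_authorized "$DOMAIN"
    php "$PHAR" request --force "$DOMAIN"
fi
```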

@PK232

commented May 15, 2018

@alexwilczewski

If I am reading your comment right, when you renew you start over as if you never had a certificate before, except for registering, and have automated that whole process using a script. If that is the case I suspect cron could run it every two months since it is only the ability to renew that lasts 30 days. Thanks for the heads up. It saved me waiting six weeks to find out I was back to square one. I think I can cobble together a script to do what you suggest. It probably won't be the most elegant, but it should work. Thanks again.

@alexwilczewski

commented May 15, 2018

I execute the renew script as an executable. This is my entrypoint for my cronjob. Its main purpose is to add an acme executable to the $PATH.

If you look at the renew script, I add php-bin to my path before running the php renewal script. Inside my php-bin directory, I have a symlink acme that points to the acme.phar.

I have attached things to get you going. I hope it's useful. You can find the actual renewal script at the following github url: https://github.com/alexwilczewski/acmephp-renew-html-challenge

Download links (Github wanted them as .txt files)
config.default.json.txt
renew.txt
renew.php.txt

  • Note: The script creates the .well-known/acme-challenge directory with 0777 permissions and does not clean up the directory.
@PK232

commented May 16, 2018

@alexwilczewski
Thanks for taking the time to be so helpful. I am more of a sys. admin/network person than a programmer and have used bash for years to solve small problems on my servers. As a result I am very comfortable with bash and will try using it along with your previous guide posts to find a solution before my current certificates expire. If it doesn’t work out, I will give your latest suggestions a try and will in all likelihood be back as my only non bash programming experience has been with MS Quick Basic and Borland’s Turbo C++ many years ago. Thanks again.

@tgalopin

Member

commented Oct 14, 2018

The run command should now fix this, as it launches the full renewal process including the authorization challenge. Don't hesitate to answer here if you still have issues!

@tgalopin tgalopin closed this Oct 14, 2018

@alexwilczewski

commented Oct 14, 2018

@tgalopin Thanks for the persistence and work on this project! 😄

@bpolaszek

Contributor

commented Oct 15, 2018

Sounds great! Can you please document the new run command and how to configure domains / wildcards?

@tgalopin

Member

commented Oct 15, 2018

I will work on that indeed, the documentation is lacking.

@tgalopin

Member

commented Oct 27, 2018

I just deployed a new version of the documentation, including explanations on how to use the run command: https://acmephp.github.io/documentation/getting-started/2-obtain-certificate-easy.html.

This should help here :) . Don't hesitate to ping me if needed!

@netvillage

commented Jan 25, 2019

I am slightly confused on using the new RUN command for renewals handling the 'Authorization expired' issue. The docs on the 'setup automatic renewal' looks like it uses the 'request' command, but it seems like the thing to do is just call the run command again each night. Is that correct?

And when it expires and renews is it going to create a NEW ownership token file in the acme-challenge folder? Meaning I'll have to parse the output for this new name and create a file each month?

@jderusse

Member

commented Jan 25, 2019

the thing to do is just call the run command again each night. Is that correct

Yes, the run command is more like register + authorize + check + request when needed.
Calling run periodically is the right thing to do.

Note: running it every day seems overkill to me, because the certificate is valid for 90 days. I personally run it once per week with --delay=30 to get 30 days to solve issues if the renewal didn't work.

Meaning I'll have to parse the output for this new name and create a file each month

No, the file name and location are always the same. The previous certificate's file is replaced by the new one.

A backup of the previous files is stored in the backup folder (check the parameter enable_backup)

@netvillage

commented Jan 28, 2019

OK, I will try it and see. Thank you!

@netvillage

commented May 14, 2019

I've automated my SSL script renewal on Windows with a nightly call like this:

php acmephp.phar run config.yml

Renewals work fine, except after 60 days, it starts looking for a different challenge authorization file.

"Solving challenge for domain mydomain.com...
Create a text file accessible on URL http://mydomain.com/.well-known/acme-challenge/nI27pIwtgajBU.....ect... containing the following content:"

Is that the normal behavior? It seems problematic to use this for automated renewals, unless I mod my scripts to look for this and create the files and such. I'd rather avoid doing that.
