
Lego renew with --tls fails silently #816

Closed
silver-bowen-os opened this issue Mar 7, 2019 · 2 comments

Comments

@silver-bowen-os

commented Mar 7, 2019

This is a repost of an issue I posted at https://community.bitnami.com/t/lego-renew-with-tls-fails-silently/64519. More info and console output can be found there.

I am using lego 2.1.0. When I stop services and create a new certificate (using the --tls flag), all works as expected. However, when I attempt to renew the certificate manually, the command fails silently. Of course, the cron script fails as well. For reference, I'm stopping services and running:

sudo /usr/local/bin/lego --tls --email="example@company.com" --domains="example.company.com" --path="/etc/lego" renew

I'm at my wit's end with this one. Can't even get any info out of the system on what the problem is. Thanks for your help.

Follow up responses:

$ ls -lart /opt/bitnami/letsencrypt/lego 
ls: cannot access '/opt/bitnami/letsencrypt/lego': No such file or directory

$ sudo ls -lart /opt/bitnami/letsencrypt
ls: cannot access '/opt/bitnami/letsencrypt': No such file or directory

The certificates were originally installed (and have been reinstalled a few times) using the alternative approach at: https://docs.bitnami.com/azure/how-to/generate-install-lets-encrypt-ssl/ I don't have the auto-config script. I have tried variations like sudo lego --path"..." etc. And doing a run command to create new certs works fine, as does list. It's only renewals that are silently failing.

$ sudo lego -v
lego version 2.1.0 linux/amd64

I updated Lego a couple days ago. The certificates were generated with the --tls flag. I have re-updated anyway. Results of re-updating and running commands below. As you can see, the certs were not renewed and no error message was thrown.

$ cd /tmp
$ curl -s https://api.github.com/repos/xenolf/lego/releases/latest | grep browser_download_url | grep linux_amd64 | cut -d '"' -f 4 | wget -i -
--2019-02-07 14:08:28--  https://github.com/xenolf/lego/releases/download/v2.1.0/lego_v2.1.0_linux_amd64.tar.gz
Resolving github.com (github.com)... 140.82.118.3, 140.82.118.4
Connecting to github.com (github.com)|140.82.118.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://github-production-release-asset-2e65be.s3.amazonaws.com/37038121/2489ae80-2031-11e9-9881-ada4238d2c4b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190207T140829Z&X-Amz-Expires=300&X-Amz-Signature=881f6b4b8ec588e819915a414544c3cd7f2a4c451c0f25bb22dc70c7ee2f62fa&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dlego_v2.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream [following]
--2019-02-07 14:08:29--  https://github-production-release-asset-2e65be.s3.amazonaws.com/37038121/2489ae80-2031-11e9-9881-ada4238d2c4b?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAIWNJYAX4CSVEH53A%2F20190207%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20190207T140829Z&X-Amz-Expires=300&X-Amz-Signature=881f6b4b8ec588e819915a414544c3cd7f2a4c451c0f25bb22dc70c7ee2f62fa&X-Amz-SignedHeaders=host&actor_id=0&response-content-disposition=attachment%3B%20filename%3Dlego_v2.1.0_linux_amd64.tar.gz&response-content-type=application%2Foctet-stream
Resolving github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)... 52.216.21.251
Connecting to github-production-release-asset-2e65be.s3.amazonaws.com (github-production-release-asset-2e65be.s3.amazonaws.com)|52.216.21.251|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7567526 (7.2M) [application/octet-stream]
Saving to: ‘lego_v2.1.0_linux_amd64.tar.gz’

lego_v2.1.0_linux_amd64.tar.gz                 100%[==================================================================================================>]   7.22M  11.8MB/s    in 0.6s    

2019-02-07 14:08:30 (11.8 MB/s) - ‘lego_v2.1.0_linux_amd64.tar.gz’ saved [7567526/7567526]

FINISHED --2019-02-07 14:08:30--
Total wall clock time: 1.6s
Downloaded: 1 files, 7.2M in 0.6s (11.8 MB/s)
$ tar xf lego_v2.1.0_linux_amd64.tar.gz
$ sudo mv lego /usr/local/bin/lego
$ sudo /usr/local/bin/lego --tls --email="example@company.com" --domains="example.company.com" --path="/etc/lego" renew           
$ sudo ls -lart /etc/lego/certificates
total 28
drwx------ 2 root root 4096 Jan 29 15:42 .lego
-rw------- 1 root root 1679 Feb  5 16:05 example.company.com.key
-rw------- 1 root root  251 Feb  5 16:05 example.company.com.json
-rw------- 1 root root 1648 Feb  5 16:05 example.company.com.issuer.crt
-rw------- 1 root root 3600 Feb  5 16:05 example.company.com.crt
drwx------ 3 root root 4096 Feb  5 16:05 .
drwx------ 5 root root 4096 Feb  7 14:11 ..

$ time sudo /usr/local/bin/lego --tls --email="example@company.com" --domains="example.company.com" --path="/etc/lego" renew

real    0m2.393s
user    0m0.091s
sys     0m0.040s

$ sudo ls -l /usr/local/bin/lego*

-rwxr-xr-x 1 bitnami bitnami 24585760 Jan 24 22:34 /usr/local/bin/lego

$ lego -v

lego version 2.1.0 linux/amd64

Full command line transcript below. Running lego run did indeed create new folder. Subsequently running renew against the new certs failed silently, as has been the case. I also gave a try at running the renewal script, which also failed silently.

$ sudo ls -lart /etc/lego/
total 28
drwx------   4 root root 4096 Aug  9  2018 accounts
-rwxr-xr-x   1 root root  235 Jan 29 16:08 renew-certificate.sh.save
drwx------   2 root root 4096 Feb  5 16:04 archives
drwx------   3 root root 4096 Feb  5 16:05 certificates
-rwxr-xr-x   1 root root  468 Feb 20 19:36 renew-certificate.sh
drwx------   5 root root 4096 Feb 20 19:45 .
drwxr-xr-x 105 root root 4096 Feb 21 06:40 ..

$ sudo mv /etc/lego/certificates /etc/lego/certificates.old

$ sudo /opt/bitnami/ctlscript.sh stop apache
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd stopped

$ sudo /usr/local/bin/lego --tls  --email="example@company.com" --domains="example.company.com" --path="/etc/lego" run
2019/02/22 14:46:25 [INFO] [example.company.com] acme: Obtaining bundled SAN certificate
2019/02/22 14:46:26 [INFO] [example.company.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz/PiErx0w_TwoeES_ufUAx-hx-LqiHBo65oO8CkVZI3lA
2019/02/22 14:46:26 [INFO] [example.company.com] acme: authorization already valid; skipping challenge
2019/02/22 14:46:26 [INFO] [example.company.com] acme: Validations succeeded; requesting certificates
2019/02/22 14:46:28 [INFO] [example.company.com] Server responded with a certificate.

$ sudo ls -lart /etc/lego/                                 
total 32
drwx------   4 root root 4096 Aug  9  2018 accounts
-rwxr-xr-x   1 root root  235 Jan 29 16:08 renew-certificate.sh.save
drwx------   2 root root 4096 Feb  5 16:04 archives
drwx------   3 root root 4096 Feb  5 16:05 certificates.old
-rwxr-xr-x   1 root root  468 Feb 20 19:36 renew-certificate.sh
drwxr-xr-x 105 root root 4096 Feb 21 06:40 ..
drwx------   6 root root 4096 Feb 22 14:46 .
drwx------   2 root root 4096 Feb 22 14:46 certificates

$ sudo /usr/local/bin/lego --tls  --email="example@company.com" --domains="example.company.com" --path="/etc/lego" renew

$ sudo ls -lart /etc/lego/
total 32
drwx------   4 root root 4096 Aug  9  2018 accounts
-rwxr-xr-x   1 root root  235 Jan 29 16:08 renew-certificate.sh.save
drwx------   2 root root 4096 Feb  5 16:04 archives
drwx------   3 root root 4096 Feb  5 16:05 certificates.old
-rwxr-xr-x   1 root root  468 Feb 20 19:36 renew-certificate.sh
drwxr-xr-x 105 root root 4096 Feb 21 06:40 ..
drwx------   6 root root 4096 Feb 22 14:46 .
drwx------   2 root root 4096 Feb 22 14:46 certificates

$ sudo /etc/lego/renew-certificate.sh     
Unmonitored apache
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : apache not running
Syntax OK
/opt/bitnami/apache2/scripts/ctl.sh : httpd started at port 80
Monitored apache
@ldez

Member

commented Mar 7, 2019

By default, lego only renews the cert when there are 30 days or fewer before the certificate's expiration date.
It's the Let's Encrypt recommendation: https://letsencrypt.org/docs/integration-guide/#when-to-renew

If you want to override this behavior, you have to pass a --days

lego --email="foo@bar.com" --domains="example.com" --http renew --days 60
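The renewal rule in the comment above (only renew when the remaining lifetime is at or below the --days threshold, 30 by default) is what made the user's `renew` exit without doing anything. The following Go program, added here as an example and not code from lego or from either participant, reproduces that decision on a certificate file and prints the message the silent run was missing. It assumes the rule is exactly "days remaining <= threshold" (lego's own implementation is not shown on this page), and when run without an argument it builds a throwaway self-signed certificate with 75 days left so it can run offline; pass a path such as /etc/lego/certificates/example.company.com.crt to check a real one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// DefaultRenewDays mirrors the 30-day default described in the comment.
const DefaultRenewDays = 30

// DaysRemaining returns the whole days left before NotAfter (negative once expired).
func DaysRemaining(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Hours() / 24)
}

// RenewalDue reports whether a renew with the given --days threshold would act.
// Assumption: renewal happens only when days remaining <= threshold.
func RenewalDue(cert *x509.Certificate, now time.Time, days int) bool {
	return DaysRemaining(cert, now) <= days
}

// ParseCertPEM decodes the first CERTIFICATE block of a PEM file
// (e.g. the <domain>.crt lego writes under --path/certificates).
func ParseCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// SelfSignedPEM builds a constructed, throwaway self-signed certificate that
// expires `lifetime` after `now`, so the example runs without a real cert.
func SelfSignedPEM(now time.Time, lifetime time.Duration) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.company.com"}, // constructed name
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// Report is the one-line feedback a silent "no renewal" run should give.
func Report(cert *x509.Certificate, now time.Time, days int) string {
	left := DaysRemaining(cert, now)
	if RenewalDue(cert, now, days) {
		return fmt.Sprintf("%s: %d days left, threshold %d: renewal would run",
			cert.Subject.CommonName, left, days)
	}
	return fmt.Sprintf("%s: %d days left, threshold %d: still valid, renew would do nothing",
		cert.Subject.CommonName, left, days)
}

func main() {
	now := time.Now()
	var data []byte
	var err error
	if len(os.Args) > 1 {
		data, err = os.ReadFile(os.Args[1]) // check a real certificate file
	} else {
		data, err = SelfSignedPEM(now, 75*24*time.Hour) // constructed: 75 days left
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cert, err := ParseCertPEM(data)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(Report(cert, now, DefaultRenewDays)) // default: nothing happens
	fmt.Println(Report(cert, now, 90))               // as with --days 90: renewal runs
}
```

Running this against a freshly issued certificate shows the two outcomes side by side: with the default threshold the cert is reported as still valid, with a larger --days value it is reported as due, which is the same decision the lego command line in the comment above makes.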
@silver-bowen-os

Author

commented Mar 8, 2019

ldez, thank you. This indeed turned out to be the problem. It's a shame that there isn't some sort of feedback provided by lego to indicate that the certs weren't renewed because they are still valid for more than the default number of days.
