Fail to renew letsencrypt SSL certificate


#1

Hi,

Setting up SSL was straightforward, as I’ve come to expect from EasyEngine. :slight_smile: I’ve set up our website with the letsencrypt SSL certificate and the Really Simple SSL plugin.

The automatic renewal must have failed, so I’ve tried to manually renew the certificate. However, this failed as well. I’ve also tried this with the Really Simple SSL plugin disabled, same result.

Here is some output:

I hope someone has an answer for me :slight_smile:

Kind regards, Francis


#2

I’m having the same problem. As a quick fix I’ll try to completely remove the Let’s Encrypt config manually and set it up again.

Here are my server logs


#3

Any luck @muehlio?


#4

Yes I fixed it with a very easy approach.

  1. sudo apt-get update
  2. sudo apt-get upgrade
  3. service nginx stop
  4. /opt/letsencrypt/letsencrypt-auto renew
  5. service nginx start

---- These are the steps I took to find the solution…

Not really. Tried the following and it successfully removed the Let’s Encrypt config. Can’t reinstall it though.

Code to reproduce:

  1. cd /var/www/[put domain here]/conf/nginx
  2. mv ssl.conf ssl.conf.bkp
  3. mv letsencrypt/ letsencrypt-bkp
  4. ee site update [put domain here] --le=off
  5. ee site update [put domain here] --le=on

Last command results in the following error:

```
sudo ee site update muehl.io --le=on
Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for muehl.io?
Type "y" to continue [n]:y
Please Wait while we fetch SSL Certificate for your site.
It may take time depending upon network.
Unable to setup, Let's Encrypt
Please make sure that your site is pointed to
same server on which you are running Let's Encrypt Client
 to allow it to verify the site automatically.
```

The builtin command of Let’s Encrypt doesn’t work either: /opt/letsencrypt/letsencrypt-auto renew just installs a bunch of apt-get packages.

– update: after running sudo apt-get update and sudo apt-get upgrade the builtin command worked: new certificate deployed without reload, fullchain is /etc/letsencrypt/live/muehl.io/fullchain.pem

After cert renewal you need to run service nginx restart.


#5

I was able reproduce your results and get it working again. Thanks for your comment!


#6

My issue was the /.well-known/acme-challenge error, because NGINX was not configured to allow access to this location.

I edited my nginx config /etc/nginx/sites-available/mydomain.conf and added the location to allow access.

```nginx
server {
    listen 80;
    listen [::]:80;
    server_name example.net example.org;

    # Serve ACME HTTP-01 challenge files from the renewal webroot
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /tmp/letsencrypt-auto;
    }
    # …other configuration stuff…
}
```

This solved the letsencrypt renewal failure caused by being unable to access the /.well-known/acme-challenge/ path.
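
A pre-flight check for the situation described in post #6, as an added example that is not part of the original thread: `acme_root` reads the challenge location's root from an nginx config, and `acme_probe` confirms that a file placed there is actually served over HTTP. The function names, the script name and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of the HTTP-01 challenge path before renewal.

# Print the root set inside the acme-challenge location of an nginx config;
# return 1 if there is no such location (or no root directive inside it).
acme_root() {
    awk '
        /location[^{]*\.well-known\/acme-challenge/ { inloc = 1 }
        inloc && $1 == "root" { sub(/;$/, "", $2); print $2; found = 1; exit }
        inloc && /}/ { inloc = 0 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Write a unique token under <root>/.well-known/acme-challenge/ and fetch it
# over plain HTTP (following redirects); succeed only if the body matches.
acme_probe() {  # usage: acme_probe <domain> <root>
    dir="$2/.well-known/acme-challenge"
    token="probe-$$-$(date +%s)"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token" || return 2
    body=$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$token")
    rc=$?
    rm -f "$dir/$token"
    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Constructed sample config, modelled on the server block in the post above.
sample_conf() {
    cat <<'EOF'
server {
    listen 80;
    server_name example.net example.org;
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /tmp/letsencrypt-auto;
    }
}
EOF
}

# Real check: sh acme-preflight.sh <nginx-conf> <domain>  (script name assumed)
if [ "$#" -eq 2 ]; then
    root=$(acme_root "$1") || { echo "no acme-challenge location in $1" >&2; exit 1; }
    if acme_probe "$2" "$root"; then echo "challenge path reachable"
    else echo "challenge path NOT reachable" >&2; exit 1; fi
fi
```

Run it with the site's config file and domain before calling the renew command; a failure here points at the nginx location or a DNS mismatch rather than at the client.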


#7

Neither of the solutions above worked for me. I even tried to fix that acme-challenge @davidteosk, but unfortunately it didn’t work.

/opt/letsencrypt/letsencrypt-auto renew tells me something is wrong with acme-challenge and that it is unable to get some files from that URL.

Any ideas, guys?


#8

@f4.animesh Did you update EasyEngine to 3.5.5 yet? They seem to have fixed this issue:

Let’s Encrypt Auto-renewal fix

A small change to Let’s Encrypt API broke auto-renewal of SSL certificates. This EasyEngine release also fixes that.

The concerned issue is on GitHub at https://github.com/EasyEngine/easyengine/issues/702. If you faced any issue around Let’s Encrypt certificate auto-renewals, you will likely benefit from this minor fix.


#9

Had similar problems, and finally resolved all of them by this silly command which had nothing to do with EE. Just run the following command before renewing your LE SSL.

```
export LC_CTYPE="en_US.UTF-8"
```

If you are into more details, like me, then you can [read more about it](https://github.com/certbot/certbot/issues/2883#issuecomment-216427925).

Cheers!

#10