SSL Cert renewal failed on RC2, now updates to 4.0.10 fails because of that


#1

Hi,

i have moved some sites to a v4 server a while ago. 4.0 RC2 was the latest back then and I missed to update. Now I got notifications of my site monitoring service that SSL certs will expire in a few days so looks like renewal failed.

ee site ssl domain.com
Starting SSL verification.
Error: Failed to verify SSL: [malformed] The request message was malformed: Expired authorization (on request "GET https://acme-v02.api.letsencrypt.org/acme/challenge/_GhWfVy6pFW9efV2Ufaasf89puvkpSjRZEoyZYbMih61k/8852626319")

Looks like the time for renewal is already over. Now looks like because of that also the update to the latest ee4 version fails

Any idea how to work around this? I have a few more sites on the server and I think I need to manually renew the LE certs before update will work?


#2

There was a bug in RC2 that prevented it from upgrading to any later version all together. That was a while ago but I think you will need to backup, remove EE and reinstall so you can get future updates. In terms of the SSL fix perhaps someone else here will have a solution for you. If all of your websites are already SSL enabled and you’re looking for an easy solution then I’d say backup every website via the updraftplus plugin, remove ee, install latest version and re-create your sites with SSL flag (and cache if already using cache) then restore.

But before doing that perhaps somebody else here can guide you as to how to manually renew your certificates on RC2.


#3

so you basically say there’s no way of removing and readding SSL without removing the whole site and also no way to update ee without removing all sites?


#4

No sorry I am mistaken. It was RC1 that contained the bug that prevented EE from being able to update to any newer version. Please disregard all my replies and wait for someone with more knowledge in this area to assist you.


#5

@Helmi Please share the following details.

  1. Which version of EasyEngine you are using? (ee cli version)
  2. Are you facing issue using wildcard certificates or non-wildcard certificates?

Also, the logs will help us understand your issue. But since the logs may contain sensitive information, please send the logs(/opt/easyengine/logs/ee.log) to ee@rtcamp.com

CC: @mrrobot47


#6

well Version is RC2 (see above), those are all non-Wildcard certs.

Log is going to be in the mail in a minute.


#7

@mriyam.tamuli

any news on that one? I need to renew the SSL certs of the sites as they are now completely expired. Any chance to remove the certs from the setup and generate some new ones?


#8

It looks like the whole ee update process (at least on RC2) is somehow depending on SSL certs working. I wonder why that is.

Why does it need to curl my own websites to update ee? Is there no way to do that without involving SSL?

Error: Errors were encountered while processing: 20181119091115_site-command_update_ssl_redirects.php
	 cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

#9

We’re taking a look at the logs.

If the logs don’t help, we’ll ask you to add the EasyEngine team’s SSH key to your server so we can log in and take a look.


#10

@Helmi the logs were helpful. A patch for the issue that you were facing has been merged in the nightly build.

Try running ee cli update --nightly. That should fix your update issue. And bring you to the latest nightly build.

If update is successful, it will automatically renew your certificates as well. Also, you can renew them with the new command ee site ssl-renew.


#11

unfortunately this does NOT fix the update problem (see the error message above) i can not update because the SSL certs are expired. I already tried disabling the sites and update then but that didn’t help - only the error message changed.

Any idea how to overcome that? I really want to avoid deleting all the sites.

EDIT to be more precise:


#12

Please add EasyEngine Core Team Support key to your root user. And reply with server details on the Email thread where you sent logs so that this can be looked into.


#14

done that, thanks for helping!


#15

@Helmi We’ve fixed the issue with the server and also updated EasyEngine to the latest version. You can remove the SSH key.

Thanks to you, we’ve also found an issue with our ssl-renew command

I am closing this issue.


#16