SSL doesn't update

Today I visited one of the sites on a server with EE: “red” SSL.
I tried to update:

ee site ssl-renew site.com --force
Starting SSL cert renewal
Loading current certificate for site.com
Starting SSL verification.
PHP Fatal error:  Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186
Stack trace:
#0 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(149): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(102): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): Guz in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php on line 186
Warning: An Error occurred. Initiating clean-up.
Warning: Exiting gracefully after rolling back. This may take some time.
Success: Rollback complete. Exiting now.

Again and again the v4 version can't update certs… What can I do here?

And more than that: the command ssl-renew --force doesn't work even for working domains :sob:

ee site ssl-renew site2.com --force
Starting SSL cert renewal
Loading current certificate for site2.com
Current certificate is valid until 2019-07-09 19:23:20, renewal is not necessary.
Success: SSL renewal completed.

Here’s the solution: SSL Renewal Error PHP Fatal error: Uncaught GuzzleHttp

This is not a solution, because it works 50/50.
And what about renewing: do I need to rename the cert every time?
Why doesn't the --force command update working certs?

This is because you let the certificate expire… after that you just need to make sure the crontab has the right entry for automatic renewal. You’re welcome!

In the first post I showed an example of the response to the --force command. It doesn’t renew in any way! Even with a valid certificate.

Dude, it’s right there in the error message you pasted:

PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186

Rename the old cert files and re-run the command.

As for force renewal you can run the command in crontab to renew at the right time.

Great. How about someone tell us what command to use exactly when creating cron for automatic renewal?


Man, you are ignoring the second part of my message in the first post. Why do you do this? :slight_smile:
I tried the ssl-renew command again with the --force key. And again “renewal” is not necessary. Great…

I tried adding it to cron with --all, but it still doesn't update certificates. On a new, clean server. Please help, what should I do?
*Installed the latest version of ee on Ubuntu 16.04.6

Add it to the root user’s cron.
Use sudo crontab -e to edit and add the line:

0 12 * * * ee site ssl-renew --all 2> /dev/null # Renew letsencrypt SSL cert. Set by EasyEngine V4

I tried this command just now and EE says the following:

root@server:~# ee site ssl-renew --all --force
Starting SSL cert renewal
Loading current certificate for site1.com
Current certificate is valid until 2019-07-09 19:23:20, renewal is not necessary.
Loading current certificate for site2.com
Current certificate is valid until 2019-08-02 20:25:44, renewal is not necessary.
Loading current certificate for site3.com
Current certificate is valid until 2019-08-06 12:01:59, renewal is not necessary.
Loading current certificate for site4.com
Current certificate is valid until 2019-08-07 20:38:57, renewal is not necessary.
Success: SSL renewal completed.

And please explain to me how I can update my certs if EE declines the update with the reason “renewal is not necessary” even with --force? When will it be necessary?

It won’t renew certificates until there’s less than 25 days left on the certificate, so that’s working as intended.

The --force flag is supposed to renew regardless of time remaining so that is a genuine bug.

Do you need to force renewal for some reason?
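Added example, not part of the thread or of EasyEngine's code: a shell function that reads the "valid until" lines in the shape pasted above and reports, per site, whether the certificate is already expired, inside the 25-day renewal window, or outside it. It assumes the printed timestamps are UTC and that `date -d` is available (GNU or BusyBox); the function names and the sample text are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify sites from the output of `ee site ssl-renew --all`.
RENEW_WINDOW_DAYS=25   # threshold stated in the thread

# Constructed sample, in the shape of the output pasted in the thread.
SAMPLE_OUTPUT='Starting SSL cert renewal
Loading current certificate for site1.com
Current certificate is valid until 2019-07-09 19:23:20, renewal is not necessary.
Loading current certificate for site2.com
Current certificate is valid until 2019-08-02 20:25:44, renewal is not necessary.
Success: SSL renewal completed.'

# to_epoch "YYYY-MM-DD hh:mm:ss" -> seconds since the epoch (assumes UTC).
to_epoch() { date -u -d "$1" +%s; }

# cert_status NOW_EPOCH  (reads ee output on stdin)
# Prints one line per site: "<site> <whole days left> <EXPIRED|DUE|OK>".
cert_status() {
    now=$1
    site=unknown
    while IFS= read -r line; do
        case $line in
            "Loading current certificate for "*)
                site=${line#"Loading current certificate for "} ;;
            "Current certificate is valid until "*)
                ts=${line#"Current certificate is valid until "}
                ts=${ts%%,*}                      # drop ", renewal is not ..."
                end=$(to_epoch "$ts") || continue # skip unparsable timestamps
                secs=$((end - now))
                if [ "$secs" -lt 0 ]; then
                    state=EXPIRED                 # needs manual attention
                elif [ "$secs" -lt $((RENEW_WINDOW_DAYS * 86400)) ]; then
                    state=DUE                     # next scheduled run should renew
                else
                    state=OK                      # "renewal is not necessary"
                fi
                printf '%s %s %s\n' "$site" "$((secs / 86400))" "$state" ;;
        esac
    done
}

# Stand-alone run against the constructed sample, using the current time.
printf '%s\n' "$SAMPLE_OUTPUT" | cert_status "$(date -u +%s)"
```

A site reported as DUE after the scheduled job has already run is one whose automatic renewal did not happen and should be checked before it reaches EXPIRED.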

The suggested workaround only worked for one site for me. I realize the error is obvious that the certificate has expired, but I don't see why this is an error in renewing the certificate. An expired certificate is the only reason I can really see to be manually renewing the certificate. Why is checking for an expired certificate part of renewing it?

Also this was a fresh install so not sure why the auto renew is not working.

In EE4, cron is handled through its own Docker container. This is explained in some detail here https://easyengine.io/handbook/cron and should clear up some confusion as to why some cron jobs don’t run properly on individual containers.

As to adding a cron entry to the root of the host, I have had all sorts of errors using that method. As soon as I used the included cron commands, all has worked flawlessly for me with respect to renewals. Check here for all the commands used https://easyengine.io/commands/cron

My exact command used is

sudo ee cron create host --command='/usr/local/bin/ee site ssl-renew --all' --schedule='@weekly'

Typing ‘sudo ee cron list --all’ shows the following for me on one server.

And then typing ‘sudo ee cron run-now 2’ runs the ssl-renew script and verifies that it is working properly.

I use this on 5 different Easyengine instances and do not have any renewal issues and all is automated. Please note that your Easyengine executable may be in a different location on your server.

A quick ‘which ee’ or ‘whereis ee’ should return the exact location and you should substitute that location for the /usr/local/bin location you see in my command above. Also, when testing, note that your ID number for the cron command you want to test may be different than 2. You should always run the cron list command and reference the correct id for the cron you wish to test with the run-now command.


After a few renewal cycles I need to add some additional comments and observations to my previous post. I have found that domains with --wildcard SSLs do NOT renew automatically with the above solution. Those renewals are still a manual process. I have also discovered that the support for Cloudflare still needs work, as I have had very spotty auto-renewal results. I suppose that on wildcard and Cloudflare sites, adding renewals to the container's crontab might be the better solution.

Is anyone else using the above cron method? And if so, what have you found?

Thank you! It works like a charm.