SSL doesn't update

Today I visited one of the sites hosted on a server with EE: “red” SSL.
Tried to update

ee site ssl-renew site.com --force
Starting SSL cert renewal
Loading current certificate for site.com
Starting SSL verification.
PHP Fatal error:  Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186
Stack trace:
#0 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(149): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(102): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): Guz in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php on line 186
Warning: An Error occurred. Initiating clean-up.
Warning: Exiting gracefully after rolling back. This may take some time.
Success: Rollback complete. Exiting now.

Again and again the v4 version can't update certs… What can I do here?

And more than that - the command ssl-renew --force doesn't work even for working domains :sob:

ee site ssl-renew site2.com --force
Starting SSL cert renewal
Loading current certificate for site2.com
Current certificate is valid until 2019-07-09 19:23:20, renewal is not necessary.
Success: SSL renewal completed.

Here’s the solution: SSL Renewal Error PHP Fatal error: Uncaught GuzzleHttp

This is not a solution, because it works 50/50.
And what about renewing - do I need to rename the cert every time?
Why doesn’t the --force command update working certs?

This is because you let the certificate expire… after that you just need to make sure the crontab has the right entry for automatic renewal. You’re welcome!

In the first post I showed an example of the response to the --force command. It doesn’t renew in any way! Even with a valid certificate.

Dude, it’s right there in the error message you pasted:

PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186

Rename the old cert files and re-run the command.

As for force renewal you can run the command in crontab to renew at the right time.

Great. How about someone tell us what command to use exactly when creating cron for automatic renewal?

Man, you are ignoring the second part of my message in the first post. Why do you do this? :slight_smile:
Tried the ssl-renew command again with the --force key. And again “renewal” is not necessary. Great…

Tried to add --all to cron, but it still doesn't update certificates. On a new, clean server. Please help, what should I do?
*installed the latest version of ee on Ubuntu 16.04.6

Add it to the root user’s cron.
Use sudo crontab -e to edit and add the line:

0 12 * * * ee site ssl-renew --all 2> /dev/null # Renew letsencrypt SSL cert. Set by EasyEngine V4

Tried this command just now and EE says the following:

root@server:~# ee site ssl-renew --all --force
Starting SSL cert renewal
Loading current certificate for site1.com
Current certificate is valid until 2019-07-09 19:23:20, renewal is not necessary.
Loading current certificate for site2.com
Current certificate is valid until 2019-08-02 20:25:44, renewal is not necessary.
Loading current certificate for site3.com
Current certificate is valid until 2019-08-06 12:01:59, renewal is not necessary.
Loading current certificate for site4.com
Current certificate is valid until 2019-08-07 20:38:57, renewal is not necessary.
Success: SSL renewal completed.

And please explain to me how I can update my certs if EE declines the update with the reason “renewal is not necessary” even with --force? When will it be necessary?

It won’t renew certificates until there’s less than 25 days left on the certificate, so that’s working as intended.

The --force flag is supposed to renew regardless of time remaining so that is a genuine bug.

Do you need to force renewal for some reason?

The suggested workaround only worked for one site for me. I realize the error is obvious that the certificate has expired, but I don't see why this is an error in renewing the certificate. An expired certificate is the only reason I can really see to be manually renewing the certificate. Why is checking for an expired certificate part of renewing it?

Also this was a fresh install so not sure why the auto renew is not working.

In EE4, cron is handled through its own Docker container. This is explained in some detail here https://easyengine.io/handbook/cron and should clear up some confusion as to why some cron jobs don’t run properly on individual containers.

As to adding a cron entry to the root of the host, I have had all sorts of errors using that method. As soon as I used the included cron commands, all has worked flawlessly for me with respect to renewals. Check here for all the commands used https://easyengine.io/commands/cron

My exact command used is

sudo ee cron create host --command='/usr/local/bin/ee site ssl-renew --all' --schedule='@weekly'

Typing ‘sudo ee cron list --all’ shows the following for me on one server.

And then typing ‘sudo ee cron run-now 2’ runs the ssl-renew script and verifies that it is working properly.

I use this on 5 different Easyengine instances and do not have any renewal issues and all is automated. Please note that your Easyengine executable may be in a different location on your server.

A quick ‘which ee’ or ‘whereis ee’ should return the exact location and you should substitute that location for the /usr/local/bin location you see in my command above. Also, when testing, note that your ID number for the cron command you want to test may be different than 2. You should always run the cron list command and reference the correct id for the cron you wish to test with the run-now command.

After a few renewal cycles I need to add some additional comments and observations to my previous post. I have found that domains with --wildcard SSLs do NOT renew automatically with the above solution. Those renewals are still a manual process. I have also discovered that the support for Cloudflare still needs work, as I have had very spotty auto renewal results. I suppose that on wildcard and Cloudflare sites adding renewals to the container’s crontab might be the better solution.

Is anyone else using the above cron method? And if so, what have you found?

Thank you! It works like a charm.

I can’t get ofelia to run my command, or it does, and doesn’t log anything, and just fails.

This is the command I set up:
ee cron create host --command='ee site ssl-renew --all' --schedule='@weekly'

I noticed in yours, you listed the path to ee /usr/local/bin/
I didn’t add that, but when I run ee cron list --all it shows my id for my new command, in this case 3.

If I manually run the ee cron with:
ee cron run-now 3
it works and completes correctly.

My SSL is 10 days away from expiration, and for the past couple of weeks, I can’t tell why this is not running. It should have renewed by now, but like last renewal, even up to 1 day till expiration, I had to manually run ee cron run-now 3 to get the SSL to renew.

So I have been messing with cron as root and as the user that installed ee, all to no success. Something like this just fails.
0 12 * * * ee site ssl-renew --all
Error is:
/bin/sh: 1: ee: not found
If I set my shell in crontab like:
SHELL=/bin/bash
and even include the root user’s bashrc like:
BASH_ENV="/root/.bashrc"
same issues, can’t find ee
/bin/bash: ee: command not found
when I path to EE in crontab I get ee trying to do an update, but not issuing the full command.
/usr/local/bin/ee like this in cron:
/usr/local/bin/ee site ssl-renew --all
I get this error:
Error: EasyEngine requires docker-compose.

The only way I have had success is to manually log into the box via ssh and kick off the ee cron run-now 3 command :frowning:

I am on ee 4.0.17

@cm896 I have experienced the same levels of inconsistency as you and as I updated above. Seems like this method works at times, but not others. And seemingly with no explanations.

I have stopped using the above method entirely. It was too frustrating. Since I was always able to successfully get the script working by typing directly into the command line I have reverted to placing the command in the host’s cron. Needed to add not only the explicit SHELL env variable, but also the PATH variable. So far I seem to be getting logged updates as scheduled on every single instance I have this in use - which is promising. I won’t be able to confirm full operations until I get about 2 more months into use but for now I can share the following:

  1. Open crontab for root user. If prompted for an editor, select your favorite
     sudo crontab -e
  2. Add Shell and Path env variables to cron
     SHELL=/bin/bash
     PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  3. Add explicit renew command. Note that I added some redirection to log the output to a file for later review. You can obviously name the log anything you want or put it anywhere on your file system. I kept it with all the other easyengine logs for convenience.
     0 1 */5 * * /usr/local/bin/ee site ssl-renew --all >> /opt/easyengine/logs/cron.log 2>&1

As you can see I run this script every 5 days at 0100 hours. Please set this to your own needs. If you need help formatting your cron entries, there are many crontab generators that you can google and use.

I’ll repost an update once I know this is in fact working to renew certs as required. If anyone else can contribute positive or negative results, that would be great. Would love to find one single method that works on all installed instances for all types of sites.
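
The two cron failures quoted in this thread (`ee: not found`, then `Error: EasyEngine requires docker-compose.` once ee is called by its full path) are what a job sees when it inherits cron's short default PATH. The wrapper below is an added example, not part of any post and not EasyEngine code: it checks that both commands resolve before running the renewal, so a broken environment shows up in the log instead of ending in an expired certificate. The function names, the script path in the comment, and the assumption that `ee` and `docker-compose` are the only commands that must be on PATH are hypothetical.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not EasyEngine code.
# Assumption: the renewal needs `ee` and `docker-compose` to resolve on PATH,
# which is what the two cron errors quoted in the thread point to.

# PATH a Debian/Ubuntu cron job gets when the crontab sets none (crontab(5)).
CRON_DEFAULT_PATH=/usr/bin:/bin
# PATH line from the working crontab posted in the thread.
FIXED_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Print every command from "$2..." that does not resolve on the PATH in "$1".
missing_on_path() {
    search_path=$1
    shift
    for cmd in "$@"; do
        # Subshell: change PATH for the lookup only, not for the caller.
        ( PATH=$search_path; command -v "$cmd" >/dev/null 2>&1 ) ||
            printf '%s\n' "$cmd"
    done
}

# Return 0 if all commands resolve; otherwise name the missing ones on stderr
# so the failure lands in the cron log instead of passing silently.
preflight() {
    missing=$(missing_on_path "$@")
    [ -z "$missing" ] && return 0
    echo "preflight: not found on PATH=$1:" $missing >&2
    return 1
}

# Renewal as cron should run it: fixed PATH, dependency check, then ee.
renew_all() {
    PATH=$FIXED_PATH
    export PATH
    preflight "$PATH" ee docker-compose || return 1
    ee site ssl-renew --all
}

# Crontab line for root (the script path is a placeholder):
#   0 1 */5 * * /path/to/ee-renew.sh --run >> /opt/easyengine/logs/cron.log 2>&1
case "${1:-}" in
    --run)      renew_all ;;
    --diagnose) preflight "$CRON_DEFAULT_PATH" ee docker-compose ;;
esac
```

Running it with `--diagnose` from an interactive shell reports what a crontab without a PATH line would fail to find.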

Thanks for the quick reply.
I was missing the PATH being added in crontab - thank you - that worked for me.
Now the command at least fires without errors.

To test, I set it to run every 5 minutes, and confirmed in the logs that the command was running, and also checking the SSLs. Even though I manually renewed yesterday, at least it’s getting checked and running now.

Thank you very much. I am also monitoring out till June now, so will keep an eye out.
Any idea why the ofelia / cron container isn’t running the recommended command?