SSL Renewal issue

Having a problem with the Let's Encrypt SSL renewal.

I've upgraded to the latest ee, and also ran apt-get update/upgrade for the server.
ee --version
EE 4.1.1

Debug output for the renewal:
ee site ssl --debug domain.com
Debug: ----------------------- (0.024s)
Debug: COMMAND: cd /opt/easyengine/services && docker ps -q --no-trunc | grep $(docker-compose ps -q global-nginx-proxy) (0.025s)
Debug: STDOUT: a258c7f19b7e76e91b0149d9584e0c7f478196e7faad958ff9991216beee0584
(0.531s)
Debug: RETURN CODE: 0 (0.531s)
Debug: ----------------------- (0.531s)
Debug: ----------------------- (0.531s)
Debug: COMMAND: docker ps > /dev/null (0.531s)
Debug: RETURN CODE: 0 (0.577s)
Debug: ----------------------- (0.577s)
Debug: ----------------------- (0.577s)
Debug: COMMAND: command -v docker-compose > /dev/null (0.577s)
Debug: RETURN CODE: 0 (0.579s)
Debug: ----------------------- (0.579s)
Debug (bootstrap): Using default global config: /opt/easyengine/config/config.yml (0.581s)
Debug (bootstrap): No project config found (0.581s)
Debug (bootstrap): argv: /usr/local/bin/ee site ssl --debug domain.com (0.581s)
Debug (bootstrap): Running command: site (0.581s)
Debug (bootstrap): Running command: site ssl (0.586s)
Starting SSL verification.
Debug: Loading account keypair (0.599s)
Debug: Starting check with solver http (0.605s)
Debug: Loading the authorization token for domains domain.com … (0.608s)
Debug: Challenge loaded. (0.609s)
Warning: Failed to verify SSL: [malformed] The request message was malformed: Expired authorization (on request "GET https://acme-v02.api.letsencrypt.org/acme/chall-v3/1887857041/0uwrKw")
Warning: Check logs and retry ee site ssl domain.com once the issue is resolved.

Here’s the data from the ssl-log:

Starting SSL cert renewal
Loading current certificate for staging.domain.com
Loading current certificate for staging.domain.com
Current certificate is valid until 2020-10-24 00:00:24, renewal is not necessary.
Success: SSL renewal completed.
Starting SSL cert renewal
Loading current certificate for domain.com
Loading current certificate for domain.com
Starting SSL verification.
Warning: Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.
Re-run ee site ssl www.domain.com after fixing the issue.
PHP Fatal error: Uncaught AcmePhp\Core\Exception\Protocol\ChallengeFailedException: Challenge failed (response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"During secondary validation: DNS problem: query timed out looking up A for www.domain.com","status":400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/6239513210/QJE4zw","token":"XpCZAHquSMG4_aorXxTiX8-GQT_bcU_1rHTeR1vlmBo","validationRecord":[{"url":"http://www.domain.com/.well-known/acme-challenge/XpCZAHquSMG4_aorXxTiX8-GQT_bcU_1rHTeR1vlmBo","hostname":"www.domain.com","port":"80","addressesResolved":["111.222.333.444"],"addressUsed":"111.222.333.444"},{"url":"http://domain.com/.well-known/acme-challenge/XpCZAHquSMG4_aorXxTiX8-GQT_bcU_1rHTeR1vlmBo","hostname":"domain.com","port":"80","addressesResolved":["111.222.333.444"],"addressUsed":"111.222.333.444"},{"url":"https://domain.com/.well-known/acme-challenge/XpCZAHquSMG4_a in phar:///usr/local/bin/ee/vendor/acmephp/core/AcmeClient.php on line 195
Warning: An Error occurred. Initiating clean-up.
Warning: Exiting gracefully after rolling back. This may take some time.
Success: Rollback complete. Exiting now.

The hosts file has the correct IP for the domains, not 127.0.0.1 or localhost.
The DNS is set up with an A record for domain.com, and there is a CNAME for www.domain.com. The log is showing the correct IP upon lookup.

Any ideas on why this SSL won't renew?
The second domain on this server, staging.domain.com, is working correctly and was renewed correctly about a month ago. I got this warning for the main domain since it's set to renew in 8 days and it's broken/stuck.

During secondary validation: DNS problem: query timed out looking up A for www.domain.com
I'm going to request an A record setup instead of the CNAME and see if that resolves my issue. This domain and this site have auto-renewed before, so this is a new error on a long-established site.

Is it possible to docker exec into the container and run:
sudo certbot renew --dry-run
to test, or something else?

I can't seem to remove the SSL from the account in order to re-install the SSL, but that's not supported and doesn't work.

I've looked through all SSL-related posts, also on GitHub.

Created the A record and removed the CNAME record for www.domain.com and still the same issue.
No change in the error or response.
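As an added example (not code from the original post or from EasyEngine), this Python script reproduces the kind of lookup behind the "secondary validation: DNS problem: query timed out looking up A" error: it sends a raw DNS A query for a hostname to a chosen resolver and reports the CNAME chain and addresses returned, or a timeout, so a name can be checked from several vantage points before ee site ssl is re-run. The resolver addresses in the usage note and the 3-second timeout are assumptions.

```python
import secrets
import socket
import struct
def build_a_query(name, txid):
    """Standard recursive DNS query (RD=1) for the A record of `name`."""
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None  # `end` is fixed once the first compression pointer is followed
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # pointer to an earlier name in the message
            end = off + 2 if end is None else end
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        if ln == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln

def parse_a_answers(msg):
    """Return {'rcode', 'cnames', 'addresses'} parsed from a DNS response."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _read_name(msg, off)[1] + 4
    out = {"rcode": flags & 0xF, "cnames": [], "addresses": []}
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata_off, off = off + 10, off + 10 + rdlen
        if rtype == 1 and rdlen == 4:  # A record
            out["addresses"].append(socket.inet_ntoa(msg[rdata_off:off]))
        elif rtype == 5:  # CNAME, e.g. www.domain.com -> domain.com
            out["cnames"].append(_read_name(msg, rdata_off)[0])
    return out

def query_resolver(name, resolver_ip, timeout=3.0):
    """Ask one resolver for A of `name`; a timeout or a reply with the wrong txid is reported, not raised."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver_ip, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return parse_a_answers(data) if data[:2] == struct.pack("!H", txid) else "bad txid"
```

Run it as `{ip: query_resolver("www.domain.com", ip) for ip in ["1.1.1.1", "8.8.8.8", "9.9.9.9"]}` (assumed public resolvers) to compare answers across vantage points; a mix of answers and timeouts points at the authoritative DNS for the zone rather than at the web server.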