URGENT - Letsencrypt not working after expired?


#1

Hi,

I have been running letsencrypt for some time and have only just ran into an issue with it not working only with one domain name. It was working fine but then didn’t auto renew.

I am running EE v3.7.4.

I am not using Cloudflare and have a CNAME www.

I have tried --letsencrypt=renew but all I get is

Letsencrypt is currently in beta phase.
Do you wish to enable SSl now for domain.com.au?
Type "y" to continue [n]:y
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/domain.com.au.conf)
Please select an option from below?
	1: Reinstall existing certificate
	2: Keep the existing certificate for now
	3: Renew & replace the certificate (limit ~5 per 7 days)

Type the appropriate number [1-3] or any other key to cancel: 3
Please Wait while we renew SSL Certificate for your site.
It may take time depending upon network.
Unable to setup, Let's Encrypt
Please make sure that your site is pointed to
same server on which you are running Let's Encrypt Client
 to allow it to verify the site automatically.

I backed up my site deleted it and created another blank site e.g.

ee site create mydomain.com.au --php7 --wpfc --letsencrypt

But still got the same error with LE. Checked my DNS and all still looks fine.

I am only running 1 other site on the same server which has a normal (non LE) SSL cert. Though now when I go to the domain in question I am still getting th SSL warning as its using the other domains SSL.

Any ideas?

tail -50 /var/log/ee/ee.log

2017-02-02 10:42:57,898 (DEBUG) ee : Command Output: IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: domain.com.au
   Type:   unauthorized
   Detail: Invalid response from
   http://domain.com.au/.well-known/acme-challenge/alDS99GavEzSsdRFitDSxIv69CAttNb4o65pycAe-xg:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: www.domain.com.au
   Type:   unauthorized
   Detail: Invalid response from
   http://www.domain.com.au/.well-known/acme-challenge/9smAOL0padQP9DtXrGWLLOPh8vCKLzbaeUQhc0WA0Uk:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
,
Command Error: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for domain.com.au
http-01 challenge for www.domain.com.au
Using the webroot path /var/www/domain.com.au/htdocs for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. domain.com.au (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com.au/.well-known/acme-challenge/alDS99GavEzSsdRFitDSxIv69CAttNb4o65pycAe-xg: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>", www.domain.com.au (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com.au/.well-known/acme-challenge/9smAOL0padQP9DtXrGWLLOPh8vCKLzbaeUQhc0WA0Uk: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

2017-02-02 10:42:57,899 (ERROR) ee : Unable to setup, Let's Encrypt
2017-02-02 10:42:57,900 (ERROR) ee : Please make sure that your site is pointed to
same server on which you are running Let's Encrypt Client
 to allow it to verify the site automatically.

#3

This is generally caused due to some bugs at your DNS end. Is it fixed now @rexi88?


#4

Hi,

No still having this issue, now it’s happening to other domains on different hosting as well. I am assuming a update has broken something.


#5

Try running renew command with sudo like so:

sudo ee site update example.com --le=renew


#6

No luck:

root@prod:~# ee site update domian.com.au --le=renew
Renewing SSl cert for https://domain.com.au
ERROR : Cannot RENEW SSL cert !
Your current cert already EXPIRED !
Check logs for reason `tail /var/log/ee/ee.log` & Try Again!!!
root@prod:~# tail /var/log/ee/ee.log
2017-02-20 16:13:23,419 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/domain.com.au/cert.pem -text -noout|grep "Not After"|cut -c 25-`" +%s
2017-02-20 16:13:23,449 (DEBUG) ee : Command Output: 1486882440
,
Command Error:
2017-02-20 16:13:23,449 (ERROR) ee : Your current cert already EXPIRED !
2017-02-20 16:13:23,449 (DEBUG) ee : Running command: date -d "`openssl x509 -in /etc/letsencrypt/live/domain.com.au/cert.pem -text -noout|grep "Not After"|cut -c 25-`"
2017-02-20 16:13:23,459 (DEBUG) ee : Command Output: Sun Feb 12 16:54:00 AEST 2017
,
Command Error:
2017-02-20 16:13:23,530 (ERROR) ee : Check logs for reason `tail /var/log/ee/ee.log` & Try Again!!!

#8

I have this problem too. I need to remove the SSL and enable it again to let it work.


#9

How did you remove it?

Just delete the SSL certificates?


#10

No, use following command:

ee site update example.com --letsencrypt=off

and then

ee site update example.com --letsencrypt


#11

Hey,

I thought I tried that but will give it another go.

Thanks


#12

Didn’t work for me (:

ee site update domain.com.au --le=renew
Renewing SSl cert for https://domain.com.au
ERROR : Cannot RENEW SSL cert !
Your current cert already EXPIRED !
Check logs for reason `tail /var/log/ee/ee.log` & Try Again!!!

#13

First, I doubt this is an ee or letsencrypt not working issue… Instead you probably didn’t setup the cron job and you can’t renew a cert after it expires. You have to create a new and there isn’t a clear way to delete the old one in ee or le.

My recommendation is manually delete the certs as rbrich suggestion here.

rm -rf /etc/letsencrypt/live/YOURDOMAIN rm /etc/letsencrypt/renewal/YOURDOMAIN.conf

Now you can try to use ee options to install a new one…

If that won’t work… You need more hands-on control so I would try install and new cert with certbot.

Once that’s done don’t forget to add the cron job so you don’t have same problem again. :slight_smile:


#14

Hey thanks I will take a look.

I didn’t install it manuall I just used ee install stack and then use --le to activate it.

I had it running on numerous servers for months fine and then all of a sudden they all stopped working. The only thing I can put it down too was updating the server.

Considering EE v3 hasn’t be getting many updates as v4 is around the corner which is why I thought there was an issue.


#15

I was facing the same issues for an expired SSL certificate on EasyEngine 3.7.4, but I managed to fix it after completely removing any traces of the expired SSL cert related to the problematic domain.

Just as a reference, let’s say the domain is mydomain.com

When trying to renew the cert with ee site update mydomain.com --letsencrypt=renew I was getting all sorts of prompts.

The first prompt I got was the following:

ERROR : Cannot RENEW SSL cert ! Your current cert already EXPIRED ! Check logs for reason tail /var/log/ee/ee.log & Try Again!!!

Inspecting the logs with tail /var/log/ee/ee.log returned the following:

Running command: date -d “openssl x509 -in /etc/letsencrypt/live/mydomain.com/cert.pem -text -noout|grep "Not After"|cut -c 25-” +%s

Really? I don’t even know what that means!

So I went forward and checked the logs with tail -n100 /var/log/ee/ee.log, which revealed a few more issues such as:

...
2017-02-22 03:53:34,650 (DEBUG) ee : Command Output: IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.mydomain.com/.well-known/acme-challenge/g99I-Ss0xTJ939kjhfdcoprMqPo5DAFteluYL98qObW-zRI:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   Domain: mydomain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mydomain.com/.well-known/acme-challenge/A1I5BLoh5-Ls-1FdVTwy7uhgspSPdjmfDMncB1e7AYG4:
   "<html>
   <head><title>404 Not Found</title></head>
   <body bgcolor="white">
   <center><h1>404 Not Found</h1></center>
   <hr><center>"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.
...

What?! I had no such issue with DNS records, nor with the nginx config files for the specified domain… It was really pis*ing me off…

So by following @jwogrady tip, I searched all SSL configs related to the problematic domain in order to manually remove those.

I ended up doing the following:

I completely removed all SSL related stuff for the specified domain by firing up the commands bellow:

sudo rm -rf /etc/letsencrypt/live/mydomain.com

sudo rm /etc/letsencrypt/renewal/mydomain.com.conf

sudo rm -rf /etc/letsencrypt/archive/mydomain.com

sudo rm /var/www/mydomain.com/conf/nginx/ssl.conf

sudo rm /etc/nginx/conf.d/force-ssl-mydomain.com.conf

With all the SSL stuff for the specified domain wiped out, simply restart ee stack or restart nginx alone, both might do the trick:

ee stack restart

or

ee stack restart --nginx

And finally

Reinstalled Let’s encrypt SSL certificate as usual with:

ee site update mydomain.com --letsencrypt

Notice: I did not renewed it, I simply installed it as it was the first time setting up the SSL for the specified domain.

And EE successfully created a fresh SSL certificate for the domain

Letsencrypt is currently in beta phase. Do you wish to enable SSl now for mydomain.com? Type “y” to continue [n]: y Please Wait while we fetch SSL Certificate for your site. It may take time depending upon network. Let’s Encrypt successfully setup for your site Your certificate and chain have been saved at /etc/letsencrypt/live/mydomain.com/fullchain.pem Configuring Nginx SSL configuration Adding /var/www/mydomain.com/conf/nginx/ssl.conf Adding /etc/nginx/conf.d/force-ssl-mydomain.com.conf Added HTTPS Force Redirection for Site http://mydomain.com Creating Cron Job for cert auto-renewal

Bonus

Some peeps might be serving their website from a different root directory other than the htdocs. Somewhere in the middle of the process of cleaning up all SSL related stuff for the problematic domain, it came to me I was running mydomain.com under a directory named public_html instead.

I’ve created the public_html so I could serve a static HTML site from this folder and serve WordPress under the htdocs default folder.

This also enlightened me about the /.well-known/ related issue I inspected earlier in the logs.

Not sure if that helped me or not, but I created a symlink between my custom public_html directory and the /.well-known/ thing by doing as follows:

sudo ln -s /var/www/mydomain.com/htdocs/.well-known /var/www/mydomain.com/public_html


Cloudflare setup making problem with letsencrypt
SSL problem
#16

Hi, this worked for me. Thanks. :hamburger:


#17

Thank you very much for the detailed guide, @monecchi

I removed all the traces and restarted the ee stack as well as nginx.

And when i run the command to install LE, it didn’t work.

It says that my domain is not pointed to the server, which is crazy.

I checked the DNS stats using http://www.kloth.net/services/dig.php and it shows up properly.

The tail of error message is the same one you have added in your post.

Is there anything to do with the wordpress files inside htdocs folder which might be causing http to https redirection of some sort? (because within our wordpress settings, we inserted the site url as htts://mydomain.com while setting up the site, right?) … just a speculation…

Update: I also edited my /etc/hostname file and added the following (just in case): 12.34.56.786 mydomain.com sitename

@portofacil and @virtubox have anything to say? (you guys help me all the time)

Thanks


#18

You can try to use letsencrypt manually :

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --webroot -w /var/www/yourdomain.com/htdocs -d www.yourdomain.com -d yourdomain.com --email  your@email.net --text --agree-tos

If it doesn’t work, add this in your domain nginx configuration :

{
alias /var/www/html/.well-known;
}

And then use again the previous command and set the -w to /var/www/html


#19

This is what I did:

Removed all the traces of SSL/letsencrypt :

sudo rm -rf /etc/letsencrypt/live/mydomain.com
sudo rm /etc/letsencrypt/renewal/mydomain.com.conf
sudo rm -rf /etc/letsencrypt/archive/mydomain.com
sudo rm /var/www/mydomain.com/conf/nginx/ssl.conf
sudo rm /etc/nginx/conf.d/force-ssl-mydomain.com.conf

(Thanks to @monecchi for the handy list)

This is to do a fresh install of LE instead of trying to renew (because once its expired, it can’t be renewed that easily).

Then tried installing LE using: sudo ee site update mysite.com --letsencrypt

No luck!

Next…

Edited /etc/nginx/sites-enabled/mysite.com to add the following lines inside the server block:

location ~ /.well-known {
    allow all;
    root /var/www/mysite.com/htdocs;
}

Resulting file:

server {

    server_name mysite.com   www.mysite.com;

    access_log /var/log/nginx/mysite.com.access.log rt_cache_redis;
    error_log /var/log/nginx/mysite.com.error.log;

    root /var/www/mysite.com/htdocs;

    location ~ /.well-known {
        allow all;
        root /var/www/mysite.com/htdocs;
    }

    index index.php index.html index.htm;

    include  common/redis-php7.conf;

    include common/wpcommon-php7.conf;
    include common/locations-php7.conf;
    include /var/www/mysite.com/conf/nginx/*.conf;
}

Checked nginx conf for syntax errors and reload:

sudo nginx -t
sudo systemctl restart nginx.service

Then i once again tried: sudo ee site update mysite.com --letsencrypt

Again, no luck! (same error)

Next…

Manual Installation:

cd /opt
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt

And then ran the installation script:

./letsencrypt-auto certonly --webroot -w /var/www/html -d mysite.com -d www.mysite.com --email yourmail@gmail.com --text --agree-tos

Yay!! Installation successful!

Now ran again:

sudo ee site update mysite.com —letsencrypt

A dialog with 3 choices appear. Choose #2 (keep the current certificate) and hit Enter. Now EasyEngine correctly identifies the LE installation and generates ssl.conf and force-ssl-mysite.com.conf in the appropriate directories.

And that’s it.

As usual, @virtubox to the rescue :slight_smile: Thanks man…


#22

That’s great!


#23

That’s good to hear you’ve sorted it out! I’m gonna keep this bookmarked.

I’ve never really got EE + LetsEncrypt to auto renew successfully. It seems LetsEncrypt support needs a tuneup!


#27

I was having the same problem. My case was settled like this.