Let's Encrypt says my certificate expires today. It is not auto-renewing. What can I do to troubleshoot?
Can Cloudflare cause an issue?
Accepted Answer
I use Cloudflare for my DNS and it is not an issue, but I do not have proxying turned on. You could try turning it off then running:
/usr/clearos/apps/lets_encrypt/deploy/renew
and see if it renews. Otherwise have a look at the Let's Encrypt log for errors in /var/log/letsencrypt/letsencrypt.log.
Responses (6)
Accepted Answer
Hmm. I suspect it may not work. Have a look at the Let's Encrypt webconfig and check the certificate's expiry date.
AFAIK, the ClearOS app works like this:
1 - check if apache is running and stop it if it is
2 - Check if port 80 is open. If not, open it
3 - do the renewal using certbot's own built-in webserver
4 - close port 80 if it was open before
5 - restart the web server
1 and 2 may be in the wrong order, ditto 4 and 5. Also it does a preliminary check to see if renewal is needed.
I wish it did not work like that. I would have preferred it to not stop apache if it is running and then in step 3 use the apache webserver for validation if it is running and use the certbot built-in one if not. Unfortunately that would be a big rework for me, and I'd also need to find out why it was done that way.
Looking at https://community.letsencrypt.org/t/redirect-to-https-causing-problems/60531, they are excluding ^.well-known/acme-challenge/ from the redirect rule which you are not. It may also only come into play when using apache as the webserver for certbot and you are not.
Based on the Cloudflare article, try just running from the command line:
certbot renew --webroot --webroot-path /var/www/html/ --max-log-backups 200 --preferred-challenges http-01 --renew-hook "/sbin/trigger lets_encrypt -d example.tld -d www.example.tld"
Change your domains to match, repeating the -d as required. Make sure you have http->https redirect disabled (at least for ^.well-known/acme-challenge/). If that works, just set up a job in cron.daily to do it for you and add a -q switch to the command.
I just use Cloudflare so I can have a wildcard certificate for my domain, so I have my own cron job to renew the wildcard cert. The ClearOS cron job will try and fail to renew it, but it successfully renews my conventional LE certs.
Accepted Answer
Here is what I did
/etc/letsencrypt/renewal/domainname.conf
authenticator = webroot
/var/www/html/.htaccess
RewriteEngine On
RewriteRule ^.well-known/ - [L,NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domainname.com/$1 [R,L]
/usr/clearos/apps/lets_encrypt/deploy/renew
Did not get an error, did not get any info.
Did it work? Not sure.
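An added example, not part of the thread: a simplified Python model of per-directory mod_rewrite evaluation, run over the .htaccess posted above and over a constructed variant without the exemption rule, to show which requests on port 80 get the HTTPS redirect. The function names and the no-exemption variant are assumptions made for illustration, and only the directives and flags that appear in the post are modelled.

```python
import re

# The .htaccess from the post above (domainname.com is the poster's placeholder).
POSTED_HTACCESS = """\
RewriteEngine On
RewriteRule ^.well-known/ - [L,NC]
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domainname.com/$1 [R,L]
"""
# Constructed counter-example: the same redirect with no exemption rule.
NO_EXEMPTION = """\
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://domainname.com/$1 [R,L]
"""

def parse(text):
    """Return one (conds, pattern, substitution, flags) tuple per RewriteRule."""
    rules, conds = [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2]))
        elif parts[0] == "RewriteRule":
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            rules.append((conds, parts[1], parts[2], flags))
            conds = []  # conditions apply only to the rule that follows them
    return rules

def evaluate(text, url_path, port=80):
    """Simplified model: returns ('redirect', target) or ('serve', path)."""
    path = url_path.lstrip("/")  # per-directory rules match without the leading slash
    variables = {"%{SERVER_PORT}": str(port)}
    for conds, pattern, subst, flags in parse(text):
        if not all(re.search(cp, variables.get(var, "")) for var, cp in conds):
            continue
        m = re.search(pattern, path, re.I if "NC" in flags else 0)
        if not m:
            continue
        if subst != "-":  # "-" means: leave the URL unchanged
            target = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
            if "R" in flags or any(f.startswith("R=") for f in flags):
                return ("redirect", target)
            path = target
        if "L" in flags:  # last rule: stop processing here
            break
    return ("serve", "/" + path)
```

Calling `evaluate(POSTED_HTACCESS, "/.well-known/acme-challenge/token")` returns a `serve` result, while the same call with `NO_EXEMPTION` returns a `redirect`, which is the difference the rule order in the posted file makes.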
Accepted Answer
Well that did not work but I found this
https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare
and this
https://community.letsencrypt.org/t/redirect-to-https-causing-problems/60531
Where is this located?
The .conf file the letsencrypt client uses for the renewal has authenticator = webroot specified.