Forums

Resolved
0 votes
Letsencrypt says my certificiate expires today it is not auto renewing what can I do to troubleshoot?

Can Cloudflare cause an issue?
Friday, September 10 2021, 01:45 PM
Share this post:

Accepted Answer

Friday, September 10 2021, 02:10 PM - #Permalink
Resolved
0 votes
I use Cloudflare for my DNS and it is not an issue, but I do not have proxying turned on. You could try turning it off then running:
/usr/clearos/apps/lets_encrypt/deploy/renew
and see if it renews.

Otherwise have a look at the Let's Encrypt log for errors in /var/log/letsencrypt/letsencrypt.log.
The reply is currently minimized Show
Responses (6)
  • Accepted Answer

    Friday, December 10 2021, 08:41 PM - #Permalink
    Resolved
    0 votes
    The only way I can get the certs to renew is to turn off proxying run the following
    /usr/clearos/apps/lets_encrypt/deploy/renew
    then turn proxying back on
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, September 11 2021, 09:36 AM - #Permalink
    Resolved
    0 votes
    Hmm. I suspect it may not work. Have a look at the Let's Encrypt webconfig and check the certificate's expiry date.

    AFAIK, the ClearOS app works like this:
    1 - check if apache is running and stop it if it is
    2 - Check if port 80 is open. If not, open it
    3 - do the renewal using certbot's own built-in webserver
    4 - close port 80 if it was open before
    5 - restart the web server

    1 and 2 may be in the wrong order, ditto 4 and 5. Also it does a preliminary check to see if renewal is needed.

    I wish it did not work like that. I would have preferred it to not stop apache if it is running and then in step 3 use the apache webserver for validation if it it is running and use the certbot built-in one if not. Unfortunately that would be a big rework for me, and I'd also need to find out why it was done that way.

    Looking at https://community.letsencrypt.org/t/redirect-to-https-causing-problems/60531, they are excluding ^.well-known/acme-challenge/ from the redirect rule which you are not. It may also only come into play when using apache as the webserver for certbot and you are not.

    Based on the Cloudflare article try just running from the command line:
    certbot renew --webroot --webroot-path /var/www/html/ --max-log-backups 200 --preferred-challenges http-01 --renew-hook "/sbin/trigger lets_encrypt -d example.tld -d www.example.tld"
    Change your domains to match repeating the -d as required. Make sure you have http->https redirect disabled (at least for ^.well-known/acme-challenge/). If that works, just set up a job in cron.daily to do it for you and add a -q switch to the command.

    I just use Cloudflare so I can have a wildcard certificate for my domain,so I have my own cron job to renew the wildcard cert. The ClearOS cron job will try and fail to renew it, but it successfully renews my conventional LE certs.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, September 10 2021, 11:44 PM - #Permalink
    Resolved
    0 votes
    Here is what I did

    /etc/letsencrypt/renewal/domainname.conf

    authenticator = webroot

    /var/www/html/.htaccess

    RewriteEngine On

    RewriteRule ^.well-known/ - [L,NC]
    RewriteCond %{SERVER_PORT} 80
    RewriteRule ^(.*)$ https://domainname.com/$1 [R,L]



    /usr/clearos/apps/lets_encrypt/deploy/renew

    Did not get an error did not get anyinfo

    Did it work not sure
    The reply is currently minimized Show
  • Accepted Answer

    Friday, September 10 2021, 11:18 PM - #Permalink
    Resolved
    0 votes
    I think it is /etc/letsencrypt/renewal/domainname.conf
    The reply is currently minimized Show
  • Accepted Answer

    Friday, September 10 2021, 11:14 PM - #Permalink
    Resolved
    0 votes
    Well that did not work but I found this

    https://support.cloudflare.com/hc/en-us/articles/214820528-Validating-a-Let-s-Encrypt-Certificate-on-a-Site-Already-Active-on-Cloudflare

    and this

    https://community.letsencrypt.org/t/redirect-to-https-causing-problems/60531

    Where is this located

    The .conf file the letsencrypt client uses for the renewal has authenticator = webroot specified.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, September 10 2021, 06:44 PM - #Permalink
    Resolved
    0 votes
    When you have cloudflare doing proxy it servers its own certificates, a way around this is to turn off universal ssl and it will sever the one on the webserver I think this was throwing it off.
    The reply is currently minimized Show
Your Reply