Problems with Let's encrypt renewal

Discussion in 'Installation/Configuration' started by DavideR, Jun 3, 2020.

  1. DavideR

    DavideR Member HowtoForge Supporter

    Hi all,
    Today the certificates for my 2 hosts and their related sites expired. If I try to force the renewal from the command line I get an error and cannot update them. If I uncheck SSL + Let's Encrypt in the ISP panel and check it again, I get an error. I've tried to run the command from cron.d but it shows me an error.
    If I try to log in to the machine over ssh, it tells me I have no permission to log in, very strange.
    Can anyone help me?

    Thanks
     
  2. ahrasis

    ahrasis Well-Known Member

    Can't really help if you can't ssh into your machine but, if it is a VPS and you have a web console as an alternative, try to get in using it, or if it is a physical server you have access to, try to use normal login or use your distro to bypass, then check and change its ssh access settings.
     
  3. DavideR

    DavideR Member HowtoForge Supporter

    It's a VPS in my datacenter; I can alternatively enter via the console.
     
  4. ahrasis

    ahrasis Well-Known Member

  5. DavideR

    DavideR Member HowtoForge Supporter

    Hi,
    1. If I connect via ssh to [email protected] I get permission denied; if I connect to the IP, same thing. If I use [email protected] to log in, I can log in and elevate to root.

    2. For the Let's Encrypt guide, I've already checked all the steps but nothing changed. For 1 hosted site I've solved it by setting up my wildcard domain, but for the other I can use it, and I need to use Let's Encrypt. What logs do you need to find the error?
     
  6. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    I think you have PermitRootLogin set to No in /etc/sshd_config (this is preferable imo)

    You said you received an error, can you share it? The log files can be found in /var/log/letsencrypt (which you would know if you read the Let's Encrypt FAQ, please do)
     
  7. DavideR

    DavideR Member HowtoForge Supporter

    This is the error log:
    Code:
    2020-06-03 08:00:12,377:DEBUG:certbot.main:Root logging level set at 20
    2020-06-03 08:00:12,377:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-06-03 08:00:12,378:DEBUG:certbot.main:certbot version: 0.10.2
    2020-06-03 08:00:12,378:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2020-06-03 08:00:12,378:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2020-06-03 08:00:12,388:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,391:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,393:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,395:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,398:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,400:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,403:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,405:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-03 08:00:12,405:DEBUG:certbot.renewal:no renewal failures
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Those logs do not show any errors, only certificate renewal checks for certificates that don't need renewed. You mentioned 3 different places you got errors in your initial post, what were the errors you got at each point?
     
  9. DavideR

    DavideR Member HowtoForge Supporter

    For example, this is one of my two ISP hosts. The certificates are in error:
    Code:
    NET::ERR_CERT_AUTHORITY_INVALID
    Subject: cloud.hkstyle.tech
    
    Issuer: cloud.hkstyle.tech
    
    Expires on: 24 feb 2030
    
    Current date: 3 giu 2020
    
    PEM encoded chain:
    This is one site on it, and the certificate shows Not Secure: https://www.rizzus.tech/

    This morning another site showed me the certificate as expired, with no way to restore it. Fortunately I have a wildcard certificate for my domain and I've set it up in the ISP panel. It's on the second host. The logs are in the attachment.
     

  10. Steini86

    Steini86 Active Member

    What is the output of "sudo certbot certificates"?

    The log shows that letsencrypt can not get the DNS information:
    DNS problem: NXDOMAIN looking up A for supporto.hkstyle.it - check that a DNS record exists for this domain

    And in fact, there is no record for that domain. So for a non-existing domain you cannot issue a certificate.
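
Added example, not part of any post in this thread: a small triage pass over `/var/log/letsencrypt/letsencrypt.log` that separates "Cert not yet due for renewal" noise from the kind of DNS failure quoted above and names the affected domain. The sample lines are constructed; the level and logger name on the DNS line are assumptions, and the parser does not depend on them.

```python
import re

# Constructed sample input. The prefix format and the "not yet due" lines copy
# the log posted in this thread; the DNS line puts the message quoted above
# behind the same prefix (its level and logger name are assumptions).
SAMPLE_LOG = """\
2020-06-03 08:00:12,378:DEBUG:certbot.main:certbot version: 0.10.2
2020-06-03 08:00:12,388:INFO:certbot.renewal:Cert not yet due for renewal
2020-06-03 08:00:12,391:INFO:certbot.renewal:Cert not yet due for renewal
2020-06-03 08:00:13,120:WARNING:certbot.renewal:DNS problem: NXDOMAIN looking up A for supporto.hkstyle.it - check that a DNS record exists for this domain
"""

PREFIX_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+:([A-Z]+):([\w.]+):(.*)$")
DNS_RE = re.compile(r"DNS problem: (\w+) looking up (\w+) for (\S+)")


def triage(log_text):
    """Summarise a letsencrypt.log: skipped renewals, DNS failures, other problems."""
    summary = {"not_due": 0, "dns_failures": [], "other_problems": []}
    for raw in log_text.splitlines():
        m = PREFIX_RE.match(raw)
        # Lines without the prefix (tracebacks, wrapped messages) are still searched.
        level, message = (m.group(1), m.group(3)) if m else (None, raw.strip())
        dns = DNS_RE.search(message)
        if dns:
            failure = {"domain": dns.group(3), "rcode": dns.group(1), "rtype": dns.group(2)}
            if failure not in summary["dns_failures"]:  # de-duplicate repeated entries
                summary["dns_failures"].append(failure)
        elif "Cert not yet due for renewal" in message:
            summary["not_due"] += 1
        elif level in ("WARNING", "ERROR", "CRITICAL"):
            summary["other_problems"].append(message)
    return summary


def has_failures(summary):
    """True when the log shows something other than skipped renewals."""
    return bool(summary["dns_failures"] or summary["other_problems"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['not_due']} certificate(s) not yet due for renewal")
    for f in result["dns_failures"]:
        print(f"DNS {f['rcode']} for {f['rtype']} record of {f['domain']}: fix DNS or drop the name")
```

A domain listed under `dns_failures` either needs a DNS record pointing at the server or has to be removed from the certificate request before renewal can succeed.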
     
  11. DavideR

    DavideR Member HowtoForge Supporter

    The output is a little strange:
    all are VALID


    The DNS problem in this case is correct because the .it domain isn't configured, but for some reason it searches for it again; it's a refuse config.
     
    Last edited: Jun 4, 2020
  12. DavideR

    DavideR Member HowtoForge Supporter

    Nobody can help me?
     
  13. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    https://rizzus.tech/ has no issues for me, and is due for renewal in 4 days. Perhaps you set up a different IP for it in your hosts file?
     
  14. DavideR

    DavideR Member HowtoForge Supporter

    Hi, in my hosts file I have only the VPS FQDN and localhost.
    I've updated everything possible on the server; no updates are available via apt-get upgrade, and ispconfig_update.sh shows no update for stable.
    If you look at the picture, I get the not-secure flag when I visit my site, but if I go into wp-admin the cert is perfect.
    In the past I opened a similar thread, but when the cert returned to working I didn't have the error on top.
     

  15. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Try doing a force reload: fn +f5
     
  16. DavideR

    DavideR Member HowtoForge Supporter

    I already did a force reload, cleared the browser cache, changed browser, used incognito mode. Always the same issue.
     
  17. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

  18. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    You can also re-upload that image over https; I would advise you to do both.
     
  19. DavideR

    DavideR Member HowtoForge Supporter

    Thanks a lot, I've reloaded the logo image in the theme settings and now everything works correctly.
    One thing solved.

    Thanks
     
  20. DavideR

    DavideR Member HowtoForge Supporter

    For this problem, how do I purge this FQDN correctly? In the ISP panel I can find it.
     