[BlueOnyx:19333] Re: Let's Encrypt certificate generation/renewal problem.

Michael Stauber mstauber at blueonyx.it
Wed Mar 16 14:56:37 -05 2016


Hi DD,

> I have several sites using Let's Encrypt ever since it was added to BO. 
> Today I discovered that one of them has expired despite being set to 
> auto-renew.
> 
> In the Let's Encrypt section for the vsite, attempting to renew the 
> certificate manually gives:
> 
>    "The following error occured during the
>     SSL certificate request: The installation
>     path for the certificates could not be
>     determined."
> 
> Anyone have any ideas?

There is a daily cronjob that checks the expiry and does the renewal:

/etc/cron.daily/letsencrypt.cron

It basically runs this script (with the "-a" flag):

/usr/sausalito/sbin/letsencrypt_autorenew.pl -a

You can run it manually if you wish. It'll tell you if a cert needs
renewal and will perform the renewal if required.

I also ran into a couple of renewal glitches myself and am still trying
to work out the details.

During the renewal Let's Encrypt needs to make a callback to each FQDN
that the SSL certificate is valid for. So if your Vsite is named
"www.company.com" and has the alias "company.com" it'll access both to
see if the "/.well-known/acme-challenge/...." file is reachable there.
That's the path where the Let's Encrypt renewal client puts a temporary
file needed for this validation.

If your web server aliases are not working, then this will fail. As this
is known to happen from time to time on a BlueOnyx, this would naturally
cause the renewal to fail, too.

On 5209R, usage of PHP-FPM also seems to cause issues with automated SSL
renewal.

With that in mind: If you want to test it, create the subdirectories
/.well-known/acme-challenge/ in your /web directory, fix the UID/GID and
see if it's reachable from the outside in a browser when you call it
using the FQDN (and all web aliases!) of the Vsite. If that works, then
the renewal will work as well.

-- 
With best regards

Michael Stauber
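The pre-flight test described in the post (drop a file under /.well-known/acme-challenge/ in the Vsite's web directory, fix ownership, then confirm it is reachable over plain HTTP through the Vsite FQDN and every web alias) can be scripted so it is run before a renewal is attempted. The following is an added example, not BlueOnyx's own code or part of letsencrypt_autorenew.pl; the webroot path, the hostnames and the optional uid/gid are assumptions supplied by the caller, and the fetch function is injectable so the check can be exercised without a live web server.

```python
"""Pre-flight check for the Let's Encrypt HTTP-01 callback.

Hypothetical helper (not BlueOnyx code): creates
<webroot>/.well-known/acme-challenge/<token>, optionally chowns it to the
Vsite's uid/gid, then fetches the file through every FQDN the certificate
would cover and reports which names actually serve it. A name that fails
here is the one that will make the automated renewal fail.
"""
import os
import secrets
import urllib.error
import urllib.request

# URL path the ACME client uses for the temporary validation file.
CHALLENGE_URL_PATH = ".well-known/acme-challenge"


def place_token(webroot, uid=None, gid=None):
    """Create the challenge directory under webroot and write a random token file.

    Returns (token, path). When uid and gid are given (assumed values for the
    Vsite's owner), the new directories and the file are chowned to them.
    """
    token = secrets.token_urlsafe(32)
    well_known = os.path.join(webroot, ".well-known")
    chal_dir = os.path.join(well_known, "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    if uid is not None and gid is not None:
        for p in (well_known, chal_dir, path):
            os.chown(p, uid, gid)
    return token, path


def http_fetch(url, timeout=10):
    """Default fetcher: GET the URL, return (status, body); (None, "") if unreachable."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, ""
    except (urllib.error.URLError, OSError):
        return None, ""


def check_hostnames(hostnames, token, fetch=http_fetch):
    """Fetch the token through each FQDN; return {hostname: (ok, detail)}.

    The body is compared to the token so that an alias that answers 200 from
    a different docroot (a broken alias) is reported as a failure, not a pass.
    """
    results = {}
    for host in hostnames:
        url = f"http://{host}/{CHALLENGE_URL_PATH}/{token}"
        status, body = fetch(url)
        if status is None:
            results[host] = (False, "connection failed")
        elif status != 200:
            results[host] = (False, f"HTTP {status}")
        elif body.strip() != token:
            results[host] = (False, "wrong content (alias serving another docroot?)")
        else:
            results[host] = (True, "ok")
    return results


def preflight(webroot, hostnames, fetch=http_fetch, uid=None, gid=None):
    """Run the full check and remove the token file afterwards."""
    token, path = place_token(webroot, uid, gid)
    try:
        return check_hostnames(hostnames, token, fetch)
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # usage: python3 acme_preflight.py /path/to/vsite/web www.company.com company.com
    res = preflight(sys.argv[1], sys.argv[2:])
    for host, (ok, detail) in res.items():
        print(f"{'PASS' if ok else 'FAIL'} {host}: {detail}")
    sys.exit(0 if all(ok for ok, _ in res.values()) else 1)
```

Run it with the Vsite's web directory and the full list of names (FQDN plus all web aliases); a FAIL line for any name points at the alias or PHP-FPM configuration problem the post describes, and that is what to fix before retrying the renewal.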
