[BlueOnyx:22443] Re: LetsEncrypt Automatic Renewals

Chris Gebhardt - VIRTBIZ Internet cobaltfacts at virtbiz.com
Mon Oct 15 10:15:40 -05 2018


Hi All,

On 10/13/2018 12:43 PM, Colin Jack wrote:
> Yes - it is weird because they are all set to auto renew and used to auto renew.
> Only recently they have stopped, but renew manually fine.

Yeah, the LetsEncrypt functionality is a neat convenience to get free 
HTTPS, but unfortunately it sometimes follows the old adage "you get 
what you pay for."   I've seen this with different implementations of 
LE, as well, not just BlueOnyx.   cPanel implementations can be buggy, 
and the error messages are often either confusing or obfuscating.

My advice:  is it a critical site that's making money?  Pay the few 
bucks for a commercial cert.   Free is great, but my customers don't 
want to hear about "well, this didn't cost anything" when the site is 
broken.

This isn't to say that LE certs don't have their place.  We're using 
them in some situations.   I've found 2 recurring issues with LE certs 
on BlueOnyx to be our main antagonists:

#1:  On 5208R, renewing the certificate for the server (main hostname) 
that runs mail and the Admserv GUI will often fail, both automated and 
manual, because when the CA attempts to fetch the /.well-known/pki-validation 
file it will look to the first VSITE in the httpd.conf file.   The only 
"fix" is to comment out all the vsites at the bottom of httpd.conf, 
restart httpd, request the renewal, then un-comment the vsites and 
restart httpd again.

#2: On a VSITE, a failure to confirm the .well-known/pki-validation or a 
DNS problem.   In these cases, the error message that prints to the GUI 
isn't often very helpful and it's better to watch /var/log/messages to 
see what comes of that.    If you know when the automated process failed 
you can go back in time in the logs to see if there's an explanation. 
If the failure is occurring as you manually renew, then watch the log in 
real-time using tail -f /var/log/messages | grep "encrypt"

-- 
Chris Gebhardt
VIRTBIZ Internet Services
Access, Web Hosting, Colocation, Dedicated
www.virtbiz.com | toll-free (866) 4 VIRTBIZ
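Added example, not from the post above and not BlueOnyx's own code: a small predictor of which Apache name-based VirtualHost will answer an HTTP-01 challenge for a given Host header, which is the mechanism behind issue #1. Apache serves an unmatched Host header from the first <VirtualHost> listed for that address, and the global ServerName/DocumentRoot only answers when no <VirtualHost> exists for the address at all, so the main hostname's challenge file lands in (or is looked for in) the first VSITE's docroot. The httpd.conf text below is constructed for the example; hostnames, paths and the challenge token are invented. It assumes every VSITE sits on the same *:80 address with no _default_ or IP-based vhosts, parses only ServerName, ServerAlias and DocumentRoot, and uses the ACME HTTP-01 path /.well-known/acme-challenge/<token>, which is what Let's Encrypt actually fetches.

```python
"""Predict which Apache name-based VirtualHost answers an ACME HTTP-01 probe."""
import fnmatch
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed, simplified httpd.conf in the BlueOnyx 5208R layout: the box's
# own hostname is the global ServerName and the VSITEs are appended as
# <VirtualHost> blocks at the bottom.  Invented names; not from any real host.
SAMPLE_HTTPD_CONF = """\
ServerName server.example.net
DocumentRoot /var/www/html

<VirtualHost *:80>
    ServerName www.first-site.example
    ServerAlias first-site.example
    DocumentRoot /home/sites/site1/web
</VirtualHost>

<VirtualHost *:80>
    ServerName www.second-site.example
    ServerAlias *.second-site.example
    DocumentRoot /home/sites/site2/web
</VirtualHost>
"""

@dataclass
class VHost:
    names: List[str] = field(default_factory=list)   # ServerName + ServerAlias patterns
    docroot: Optional[str] = None

@dataclass
class HttpdConf:
    main_docroot: Optional[str] = None               # global DocumentRoot
    vhosts: List[VHost] = field(default_factory=list)  # in file order (order matters)

_OPEN = re.compile(r"^<VirtualHost\b", re.IGNORECASE)
_CLOSE = re.compile(r"^</VirtualHost>", re.IGNORECASE)

def _hostname(value: str) -> str:
    """Normalise 'www.example:80' or 'http://www.example' to 'www.example'."""
    return value.split("://")[-1].split(":")[0].strip().lower()

def parse_httpd_conf(text: str) -> HttpdConf:
    """Minimal parser: global DocumentRoot plus each vhost's names and docroot.
    Assumption: all vhosts share one address, so only file order is tracked."""
    conf = HttpdConf()
    current: Optional[VHost] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _OPEN.match(line):
            current = VHost()
            conf.vhosts.append(current)
            continue
        if _CLOSE.match(line):
            current = None
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "documentroot":
            if current is None:
                conf.main_docroot = value
            else:
                current.docroot = value
        elif key in ("servername", "serveralias") and current is not None:
            current.names.extend(_hostname(v) for v in value.split())
    return conf

def select_vhost(conf: HttpdConf, host: str) -> Optional[VHost]:
    """Apache name-based selection: the first vhost whose ServerName or
    ServerAlias matches the Host header wins; an unmatched Host falls through
    to the FIRST vhost listed; None means the global server config answers
    (only possible when no <VirtualHost> exists for the address)."""
    if not conf.vhosts:
        return None
    host = _hostname(host)
    for vh in conf.vhosts:
        if any(fnmatch.fnmatchcase(host, pattern) for pattern in vh.names):
            return vh
    return conf.vhosts[0]

def serving_docroot(conf: HttpdConf, host: str) -> Optional[str]:
    vh = select_vhost(conf, host)
    return conf.main_docroot if vh is None else vh.docroot

def challenge_path(conf: HttpdConf, host: str, token: str) -> str:
    """Where the CA's GET /.well-known/acme-challenge/<token> is served from."""
    return os.path.join(serving_docroot(conf, host), ".well-known", "acme-challenge", token)

def without_vsites(conf: HttpdConf) -> HttpdConf:
    """Simulate the workaround from the post: every VSITE block commented out."""
    return HttpdConf(main_docroot=conf.main_docroot, vhosts=[])

if __name__ == "__main__":
    conf = parse_httpd_conf(SAMPLE_HTTPD_CONF)
    for host in ("www.first-site.example", "foo.second-site.example", "server.example.net"):
        print(f"{host:28} -> {challenge_path(conf, host, 'TOKEN')}")
    print("with vsites commented out:")
    print(f"{'server.example.net':28} -> {challenge_path(without_vsites(conf), 'server.example.net', 'TOKEN')}")
```

Run it once against your real httpd.conf before a manual renewal: if the main hostname resolves to a VSITE docroot, the challenge file written under the global DocumentRoot will never be found by the CA, and the log line in /var/log/messages will report a validation failure rather than a certificate problem. The same check explains a VSITE failure when a wildcard ServerAlias in an earlier vsite swallows the hostname you are renewing.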


