[BlueOnyx:21972] Let's encrypt not renewing *** solved ***

Michael Stauber mstauber at blueonyx.it
Mon Apr 23 11:40:22 -05 2018


Hi Robert,

> I have a couple of vsites using LE certs and not renewing. The GUI shows
> expired. I looked at the LE log and found nothing since March 15, then I
> found and ran the following...
> 
> /usr/sausalito/letsencrypt/letsencrypt-auto renew
> 
> It upgraded LE and found all the sites needed renewed and deployed new
> certs but the GUI still reports the cert expired. What else can I do to
> fix and make sure this is automated?

I can confirm that an update released three weeks ago broke the
autorenew. I just published a fix to the 5209R YUM repository. Please
run "yum clean all" and "yum update" to get the latest base-ssl that
fixes it.

Here is how it generally works:

There is a daily cronjob (/etc/cron.daily/letsencrypt.cron) that runs
this command every day:

/usr/sausalito/sbin/letsencrypt_autorenew.pl -a

You can run that command on the command line as well and it will tell
you the state of the renewals. Example:

-----------------------------------------------------------------
]# /usr/sausalito/sbin/letsencrypt_autorenew.pl -a
##############################################################
# letsencrypt_autorenew.pl: Renew 'Let's Encrypt!' SSL certs #
##############################################################

NOT renewing SSL certificate for 'AdmServ' as it's still good.
(expiration date: 2018-06-29T20:08:31)

NOT renewing SSL certificate for '5209r1.smd.net' as it's still good.
(expiration date: 2018-07-06T19:57:59)
Vsite '5209r3.smd.net' is not using a Let's Encrypt certificate. Skipping.
NOT renewing SSL certificate for '5209r2.smd.net' as it's still good.
(expiration date: 2018-07-09T17:14:29)

Done!
-----------------------------------------------------------------

Additionally (so far only on 5209R) the daily cronjob will also send
emails now which inform you about auto-renewals. It will email you in
case an auto-renewal succeeded or failed. If there is nothing to report
(no auto-renewal was done because all certs were still good) it will not
send any emails.

I'll try to backport this to 5207R/5208R as well, but this is a bit
complicated due to the extra Perl-modules I need for this, which aren't
present on EL6. So I'll have to build RPMs for them as well. However, I
should be able to release this sometime later today.

-- 
With best regards

Michael Stauber
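
An added example, not part of the original message and not BlueOnyx code: a Python check that parses the report format shown above and lists certificates close to expiry, so a silently failing autorenew is noticed before the GUI shows an expired certificate. The function names and the 14-day threshold are assumptions; the sample text is the report from the message, embedded as test input.

```python
import re
from datetime import datetime, timedelta

# Sample input: the report printed in the message above, embedded for offline use.
SAMPLE_OUTPUT = """\
NOT renewing SSL certificate for 'AdmServ' as it's still good.
(expiration date: 2018-06-29T20:08:31)

NOT renewing SSL certificate for '5209r1.smd.net' as it's still good.
(expiration date: 2018-07-06T19:57:59)
Vsite '5209r3.smd.net' is not using a Let's Encrypt certificate. Skipping.
NOT renewing SSL certificate for '5209r2.smd.net' as it's still good.
(expiration date: 2018-07-09T17:14:29)

Done!
"""

CERT_RE = re.compile(r"SSL certificate for '([^']+)'")
EXPIRY_RE = re.compile(r"\(expiration date: ([0-9T:\-]+)\)")
SKIP_RE = re.compile(r"Vsite '([^']+)' is not using a Let's Encrypt certificate")

def parse_autorenew(text):
    """Map each name to its expiry datetime, or None for non-LE vsites."""
    certs, pending = {}, None
    for line in text.splitlines():
        if (m := SKIP_RE.search(line)):
            certs[m.group(1)] = None
            continue
        if (m := CERT_RE.search(line)):
            pending = m.group(1)
        # The expiry may be on the same line or on the following one.
        if (m := EXPIRY_RE.search(line)) and pending:
            # The report carries no timezone; treated as server-local time.
            certs[pending] = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
            pending = None
    return certs

def at_risk(certs, now, min_days=14):
    """Names whose certificate expires within min_days of now (assumed threshold)."""
    limit = now + timedelta(days=min_days)
    return sorted(n for n, exp in certs.items() if exp is not None and exp <= limit)

if __name__ == "__main__":
    constructed_now = datetime(2018, 6, 20)  # constructed date for the demo
    for name in at_risk(parse_autorenew(SAMPLE_OUTPUT), constructed_now):
        print("expiring soon:", name)
```

On a server, the captured output of the autorenew command would be passed to `parse_autorenew` in place of the sample, with `datetime.now()` as the reference time.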


