[BlueOnyx:22615] Re: Let's Encrypt - updates are public

Michael Stauber mstauber at blueonyx.it
Thu Jan 24 09:02:17 -05 2019


Hi Dirk,

> I cannot see an error but certificate is not renewed.
> Can you please advise what to do?

Open /usr/sausalito/handlers/base/ssl/le_install.pl in an editor and
find the line ...

$DEBUG = "0";

.. and change that to this:

$DEBUG = "1";

Then run "tail -f /var/log/messages" while you do another renewal via
the GUI.

It will show you a lot more info about what's going on during the
renewal. It will also show you which exact command the GUI was using to
try the renewal.

It will look somewhat like this:

/usr/sausalito/acme/acme.sh  --apache --issue -d 5209r2.smd.net  -w
/home/.sites/143/site2/web --keylength 4096 --days 60 --cert-file
/home/.sites/143/site2/certs/certificate --key-file
/home/.sites/143/site2/certs/key  --fullchain-file
/home/.sites/143/site2/certs/nginx_cert_ca_combined --ca-file
/home/.sites/143/site2/certs/ca-certs --auto-upgrade 1  --accountemail
mstauber at blueonyx.it --force

Copy that command and all parameters and run it manually.

For testing purposes, add "--staging --debug" to it. The --staging will
run the command against the Let's Encrypt testing sandbox so that you
don't exhaust your amount of tries against the live system. And the
"--debug" produces a more verbose diagnostic output.

Please note: If run with "--staging" you will get a certificate as well,
but it'll not be a trusted certificate.

One of the more likely causes of ACME failing (same as with CertBot) is
that your certificate request was for a domain name and multiple
aliases. And Let's Encrypt was unable to connect to
http://<alias>/.acme/<verification-file> because either you had "Web
Alias Redirects" ticked for that Vsite, a .htaccess did a redirect or
the DNS A Record for that alias wasn't working.

If (by a rare chance) you're missing /usr/sausalito/acme/acme.sh then
please do the following:

rpm -e --nodeps blueonyx-le-acme
yum reinstall blueonyx-le-acme

Let me know what a manual run of acme.sh with the renewal parameters
yields if you can't get it working.

-- 
With best regards

Michael Stauber
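
A pre-flight check for the likely causes named above (alias redirects, a .htaccess redirect, a broken DNS A record), as an added example that is not part of the original post and not BlueOnyx or acme.sh code. The function names and the CHALLENGE_DIR variable are hypothetical; the default path is the standard HTTP-01 location and is an assumption about where your setup serves challenge files.

```shell
#!/bin/sh
# Added example: probe every name on the certificate over plain HTTP
# before re-running acme.sh, so a failing alias is found without
# spending issuance attempts.
# Assumption: challenge files live under the standard HTTP-01 path.
CHALLENGE_DIR="${CHALLENGE_DIR:-.well-known/acme-challenge}"

# classify_probe <curl-exit-code> <http-status> <redirect-target>
# Maps one probe result to the failure causes named in the post.
classify_probe() {
    rc=$1; status=$2; location=$3
    if [ "$rc" -eq 6 ]; then            # curl exit 6: could not resolve host
        echo "DNS: no usable A record"
    elif [ "$rc" -ne 0 ]; then
        echo "CONNECT: curl exit $rc"
    else
        case "$status" in
            200) echo "OK" ;;
            3??) echo "REDIRECT: -> ${location:-unknown}" ;;
            *)   echo "HTTP: status $status" ;;
        esac
    fi
}

# probe_name <hostname> <token-file-name>
# Fetches the token over HTTP without following redirects.
probe_name() {
    out=$(curl -s -o /dev/null --max-time 10 \
          -w '%{http_code} %{redirect_url}' \
          "http://$1/$CHALLENGE_DIR/$2")
    rc=$?
    classify_probe "$rc" "${out%% *}" "${out#* }"
}

# main <webroot> <domain> [alias...]
# Drops a throw-away token into the webroot and probes every name.
main() {
    webroot=$1; shift
    token="preflight-$$"
    mkdir -p "$webroot/$CHALLENGE_DIR" || return 1
    echo "$token" > "$webroot/$CHALLENGE_DIR/$token"
    for name in "$@"; do
        printf '%-30s %s\n' "$name" "$(probe_name "$name" "$token")"
    done
    rm -f "$webroot/$CHALLENGE_DIR/$token"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

Call it with the value of -w from the logged command followed by the domain and each alias; any name that does not report OK is the one to fix before retrying.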


