[BlueOnyx:22867] Re: Automatic LE Renewal did not happen ** findings **

Michael Stauber mstauber at blueonyx.it
Thu May 2 14:02:06 -05 2019


Hi all,

I just checked and I can confirm that we have a problem with the LE
renewals.

We actually have two active methods by which certs are renewed. One is via
the ACME cronjob:

[root at 5209r]# crontab -l
30 0 * * * /usr/sausalito/acme/acme.sh --cron --home /usr/sausalito/acme --config-home /usr/sausalito/acme/data > /dev/nul

The second one is through /etc/cron.daily/letsencrypt.cron

On my end renewals DID happen. But in a flawed fashion. Example:
www.aventurin.net. In the GUI it also has the "SSL domain aliases"
aventurin.net configured as well.

But during the last automatic renewal it renewed only for
www.aventurin.net without any domain aliases.

When I look at the ACME config file for that Vsite I see something like
this:

-------------------------------------------------------------------------
[root at sol www.aventurin.net]# cat /usr/sausalito/acme/certs/www.aventurin.net/www.aventurin.net.conf

Le_Domain='www.aventurin.net'
Le_Alt='no'
Le_Webroot='/home/.acme/'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_Keylength='4096'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/50045692/368835344'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/50045692/368835344'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04ae14f0cec29de4060f38f525f6b0340a08'
Le_CertCreateTime='1553417101'
Le_CertCreateTimeStr='Sun Mar 24 08:45:01 UTC 2019'
Le_RenewalDays='60'
Le_NextRenewTimeStr='Thu May 23 08:45:01 UTC 2019'
Le_NextRenewTime='1558514701'
Le_RealCertPath='/home/.sites/48/site10/certs/certificate'
Le_RealCACertPath='/home/.sites/48/site10/certs/ca-certs'
Le_RealKeyPath='/home/.sites/48/site10/certs/key'
Le_ReloadCmd=''
Le_RealFullChainPath='/home/.sites/48/site10/certs/nginx_cert_ca_combined'
-------------------------------------------------------------------------

It makes no mention of any domain alias. Just the full FQDN. So it's no
wonder that the ACME cronjob then doesn't renew properly.

When I *do* renew via the GUI, that config file has the line ...

Le_Alt='aventurin.net'

... as expected. But once the ACME cronjob tries to renew the cert, it
drops the 'Le_Alt' like a hot potato.

I'll just assume that the ACME cronjob is FUBAR to begin with. So I'll
publish an update that disables and removes it and we fall back to our
separate /etc/cron.daily/letsencrypt.cron cronjob.

That cronjob polls CODB for the aliases and parses the actual SSL
certificates for their real expiry date.

I'll try to have the updates for this ready by Monday next week.

-- 
With best regards

Michael Stauber
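The check a practitioner would want after reading the above, as an added example that is not BlueOnyx code nor part of the original post: parse the acme.sh domain conf (the KEY='value' file under certs/<domain>/<domain>.conf), list the names a `--cron` renewal would actually request (Le_Domain plus the comma-separated Le_Alt, where 'no' means no alternative names), compare them against the "SSL domain aliases" the GUI expects, and derive the renewal timing from Le_CertCreateTime and Le_RenewalDays. The CODB query is simulated with a plain dict, the conf text is a constructed sample built from the file shown in the post, and the timestamps are read from the conf rather than from the certificate itself.

```python
"""Check an acme.sh domain conf against the aliases a Vsite is supposed to carry.

Added example (not BlueOnyx or acme.sh code). It flags the failure mode from
the post: a cron renewal that rewrote Le_Alt='no' and so would renew
www.aventurin.net without its alias aventurin.net.
"""
import time
from datetime import datetime, timezone

# Constructed sample: the conf from the post as it reads after a cron renewal.
# Le_Alt is 'no' although the GUI lists 'aventurin.net' as an SSL domain alias.
SAMPLE_CONF = """\
Le_Domain='www.aventurin.net'
Le_Alt='no'
Le_Webroot='/home/.acme/'
Le_Keylength='4096'
Le_CertCreateTime='1553417101'
Le_CertCreateTimeStr='Sun Mar 24 08:45:01 UTC 2019'
Le_RenewalDays='60'
Le_NextRenewTimeStr='Thu May 23 08:45:01 UTC 2019'
Le_NextRenewTime='1558514701'
Le_RealCertPath='/home/.sites/48/site10/certs/certificate'
"""

# Constructed stand-in for the CODB lookup: FQDN -> "SSL domain aliases" from the GUI.
CODB_ALIASES = {"www.aventurin.net": ["aventurin.net"]}


def parse_acme_conf(text):
    """Turn acme.sh's shell-style KEY='value' lines into a dict."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def requested_names(conf):
    """Names a cron renewal would put on the cert: Le_Domain plus Le_Alt entries."""
    names = [conf["Le_Domain"]]
    alt = conf.get("Le_Alt", "no")
    if alt and alt != "no":
        names.extend(a.strip() for a in alt.split(",") if a.strip())
    return names


def missing_aliases(conf, expected_aliases):
    """Aliases the GUI expects that the next cron renewal would drop."""
    have = {n.lower() for n in requested_names(conf)}
    return sorted({a.lower() for a in expected_aliases} - have)


def renewal_times(conf):
    """(created, due) in epoch seconds, due = created + Le_RenewalDays days.

    In the sample the stored numeric Le_NextRenewTime is one day before the
    printed Le_NextRenewTimeStr, so acme.sh starts renewing a day early.
    """
    created = int(conf["Le_CertCreateTime"])
    days = int(conf.get("Le_RenewalDays", "60"))
    return created, created + days * 86400


def check_vsite(conf_text, codb_aliases, now=None):
    """Report what a cron renewal would request and whether aliases are missing."""
    now = int(time.time()) if now is None else int(now)
    conf = parse_acme_conf(conf_text)
    created, due = renewal_times(conf)
    next_renew = int(conf.get("Le_NextRenewTime", due))
    missing = missing_aliases(conf, codb_aliases.get(conf["Le_Domain"], []))
    return {
        "domain": conf["Le_Domain"],
        "names": requested_names(conf),
        "missing_aliases": missing,
        "created": datetime.fromtimestamp(created, timezone.utc).isoformat(),
        "due": datetime.fromtimestamp(due, timezone.utc).isoformat(),
        "cron_would_renew_now": now >= next_renew,
        "ok": not missing,
    }


if __name__ == "__main__":
    # 2019-05-02 19:02:06 UTC, the post's timestamp (assumed for a fixed result)
    report = check_vsite(SAMPLE_CONF, CODB_ALIASES, now=1556823726)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample it reports `missing_aliases: ['aventurin.net']` and `ok: False`; with the GUI-written `Le_Alt='aventurin.net'` the same check passes. Reading the expiry from the certificate itself (as the letsencrypt.cron fallback does) would need an X.509 parser and is deliberately left out here.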