[BlueOnyx:22868] Re: Automatic LE Renewal did not happen ** findings **

Dirk Estenfeld dirk.estenfeld at blackpoint.de
Fri May 3 10:24:18 -05 2019


Hello Michael,

thank you for the update.
If you do change something in the crontab for root, please remember that your
lines are not the only ones!!
So if you remove something, please only remove your lines. All other entries
in the crontab for root should persist!!

Thank you and best regards,
Dirk

---

blackpoint GmbH – Friedberger Straße 106b – 61118 Bad Vilbel
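As an added illustration of the point made above (example code, not from the thread or from BlueOnyx), the following filter removes only the acme.sh cron entry from a crontab listing and passes every other line through untouched. The acme.sh command path is the one quoted later in the thread; the sample crontab and the other jobs in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from BlueOnyx): drop only the
# acme.sh cron entry and keep all other lines of root's crontab.

# Substring that identifies the acme.sh job (taken from the thread).
ACME_PATTERN='/usr/sausalito/acme/acme.sh --cron'

# strip_acme_cron: reads a crontab on stdin, writes it to stdout without
# the lines containing ACME_PATTERN. MAILTO settings, comments and every
# other job pass through unchanged. grep -v exits 1 when no line is left,
# which is a legitimate (empty) result, so only exit codes above 1 fail.
strip_acme_cron() {
    grep -v -F -- "$ACME_PATTERN" || [ $? -eq 1 ]
}

# Constructed sample crontab: one acme.sh job among unrelated entries.
SAMPLE_CRONTAB='MAILTO=root
30 0 * * * /usr/sausalito/acme/acme.sh --cron --home /usr/sausalito/acme --config-home /usr/sausalito/acme/data > /dev/null
15 3 * * * /usr/local/bin/backup.sh
# keep this comment
0 4 * * 0 /usr/sbin/logrotate /etc/logrotate.conf'

# filtered_crontab: dry run over the sample, prints what would be kept.
filtered_crontab() {
    printf '%s\n' "$SAMPLE_CRONTAB" | strip_acme_cron
}

# The real replacement on a server would be (after taking a backup):
#   crontab -l > /root/crontab.bak.$(date +%s)
#   crontab -l | strip_acme_cron | crontab -
# Only the dry run is executed here.
filtered_crontab
```

Note that `crontab -` replaces the whole crontab with whatever it reads on stdin, which is exactly why the filter must emit every unrelated line unchanged.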



-----Original Message-----
From: Blueonyx <blueonyx-bounces at mail.blueonyx.it> On behalf of Michael
Stauber
Sent: Thursday, 2 May 2019 21:02
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:22867] Re: Automatic LE Renewal did not happen **
findings **

Hi all,

I just checked and I can confirm that we have a problem with the LE
renewals.

We actually have two active methods for how certs are renewed. One is via the
ACME cronjob:

[root at 5209r]# crontab -l
30 0 * * * /usr/sausalito/acme/acme.sh --cron --home /usr/sausalito/acme --config-home /usr/sausalito/acme/data > /dev/nul

The second one is through /etc/cron.daily/letsencrypt.cron

On my end renewals DID happen. But in a flawed fashion. Example:
www.aventurin.net. In the GUI it also has the "SSL domain aliases"
aventurin.net configured as well.

But during the last automatic renewal it renewed only for www.aventurin.net
without any domain aliases.

When I look at the ACME config file for that Vsite I see something like
this:

-------------------------------------------------------------------------
[root at sol www.aventurin.net]# cat /usr/sausalito/acme/certs/www.aventurin.net/www.aventurin.net.conf

Le_Domain='www.aventurin.net'
Le_Alt='no'
Le_Webroot='/home/.acme/'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_Keylength='4096'
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/50045692/368835344'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/50045692/368835344'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04ae14f0cec29de4060f38f525f6b0340a08'
Le_CertCreateTime='1553417101'
Le_CertCreateTimeStr='Sun Mar 24 08:45:01 UTC 2019'
Le_RenewalDays='60'
Le_NextRenewTimeStr='Thu May 23 08:45:01 UTC 2019'
Le_NextRenewTime='1558514701'
Le_RealCertPath='/home/.sites/48/site10/certs/certificate'
Le_RealCACertPath='/home/.sites/48/site10/certs/ca-certs'
Le_RealKeyPath='/home/.sites/48/site10/certs/key'
Le_ReloadCmd=''
Le_RealFullChainPath='/home/.sites/48/site10/certs/nginx_cert_ca_combined'
-------------------------------------------------------------------------

It makes no mention of any domain alias. Just the full FQDN. So it's no
wonder that the ACME cronjob then doesn't renew properly.

When I *do* renew via the GUI, that config file has the line ...

Le_Alt='aventurin.net'

... as expected. But once the ACME cronjob tries to renew the Cert, it
drops the 'Le_Alt' like a hot potato.

I'll just assume that the ACME cronjob is FUBAR to begin with. So I'll
publish an update that disables and removes it and we fall back to our
separate /etc/cron.daily/letsencrypt.cron cronjob, which polls CODB for the
aliases and which parses the actual SSL certificates for their real expiry
date.

I'll try to have the updates for this ready by Monday next week.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
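As an added example (not code from the thread, from BlueOnyx or from acme.sh), the following script reads the Le_* key='value' lines of an acme.sh domain config like the one quoted above and flags the failure mode Michael describes: a renewal that reset Le_Alt to 'no' and so dropped the SSL domain aliases. It also computes how many days remain until Le_NextRenewTime, so a site whose renewal is overdue shows up at the same time. The two config files are constructed to mirror the thread (domain, timestamps and paths copied from the quoted config); the "now" timestamp used in the check is a sample value.

```shell
#!/bin/sh
# Added example, not from the thread or from BlueOnyx/acme.sh: audit an
# acme.sh domain config for missing SSL domain aliases and for an
# overdue renewal.

# conf_get FILE KEY: print the value of a KEY='value' line (empty if absent).
conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# check_alt FILE EXPECTED_ALT: exit 0 if Le_Alt equals the aliases the GUI
# configured for the Vsite, 1 if they are missing or differ (the bug above).
check_alt() {
    alt=$(conf_get "$1" Le_Alt)
    [ "$alt" = "$2" ]
}

# days_until_renew FILE NOW_EPOCH: whole days until Le_NextRenewTime.
# A negative number means the renewal is already overdue.
days_until_renew() {
    next=$(conf_get "$1" Le_NextRenewTime)
    echo $(( (next - $2) / 86400 ))
}

# audit_site FILE EXPECTED_ALT NOW_EPOCH: one report line, exit 1 on a problem.
audit_site() {
    domain=$(conf_get "$1" Le_Domain)
    days=$(days_until_renew "$1" "$3")
    status=0
    if ! check_alt "$1" "$2"; then
        echo "$domain: Le_Alt is '$(conf_get "$1" Le_Alt)', expected '$2'"
        status=1
    fi
    if [ "$days" -lt 0 ]; then
        echo "$domain: renewal overdue by $(( -days )) days"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "$domain: ok, next renewal in $days days"
    return "$status"
}

# Constructed sample configs mirroring the thread: the broken one is what the
# ACME cronjob left behind (Le_Alt='no'), the good one is what the GUI wrote.
BROKEN_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$BROKEN_CONF" "$GOOD_CONF"' EXIT
cat > "$BROKEN_CONF" <<'EOF'
Le_Domain='www.aventurin.net'
Le_Alt='no'
Le_Webroot='/home/.acme/'
Le_Keylength='4096'
Le_CertCreateTime='1553417101'
Le_RenewalDays='60'
Le_NextRenewTime='1558514701'
Le_RealCertPath='/home/.sites/48/site10/certs/certificate'
EOF
sed "s/^Le_Alt='no'\$/Le_Alt='aventurin.net'/" "$BROKEN_CONF" > "$GOOD_CONF"

# Sample "now": 1556885058 (early May 2019, a constructed value).
NOW=1556885058
audit_site "$GOOD_CONF" 'aventurin.net' "$NOW"
audit_site "$BROKEN_CONF" 'aventurin.net' "$NOW" || true
```

Run over every file under /usr/sausalito/acme/certs/*/*.conf with the aliases taken from CODB, the check reports each Vsite whose config lost its aliases before the next renewal silently produces a certificate that no longer covers them.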