[BlueOnyx:26740] Re: SSL/LE

Taco Scargo taco at blueonyx.nl
Tue Jan 30 02:52:20 -05 2024


Issues I have seen with LetsEncrypt renewal failing are sometimes also related to a .htaccess file redirecting all requests (including the LetsEncrypt callback).

In this case the httpd service restarts properly though.

@Michael, it might make sense to see if the LetsEncrypt “path” that is used for the Domain checks can somehow be forced and not overridden with .htaccess files.
Or maybe document what needs to be added to the .htaccess file to exclude the path that is used for LetsEncrypt.

Best regards,

Taco



> On 30 Jan 2024, at 03:12, Michael Stauber via Blueonyx <blueonyx at mail.blueonyx.it> wrote:
> 
> Hi Herbert,
> 
>> This issue is related to Let's Encrypt. The process is failing to get a renewal of the certificate. I believe there is a strange catch-22. It rewrites the vhosts/site2 file in some damaged way.
>> Then httpd does not properly restart. Then letsencrypt fails obviously and we are in a down webserver state.
>> This is happening over and over again because of the expired certificate.
>> Jan 29 12:04:58 d06 pperld /usr/sau[1802823]: pperld /usr/sausalito/handlers/base/ssl/le_install.pl: : WARNING: CertFail: 1 - NO VALID CERT WAS GENERATED!!
>> Jan 29 12:04:58 d06 cced(smd)[1802819]: client 5:handlers/base/ssl/le_install.pl: SET  49 . SSL LEclientRet = "{\"Error\":\"[[base-ssl.LE_CA_Request_Error]]\",\"Status\":\"1\",\"ErrMsg\":\"
> 
> There may be an issue with your SSL key file for that Vsite. Typically the key is re-used (if present) when a new certificate is being requested.
> 
> Try this:
> 
> In the GUI go to the Vsite in question and turn off SSL for it.
> 
> Then (as root and from SSH) find the "certs" directory of the Vsite in question. It should be something like this:
> 
> 5209R:
> /home/sites/<FQDN>/certs/
> 
> 5210R/5
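
An added example, not part of the original thread and not BlueOnyx's own configuration: a .htaccess exclusion of the kind asked about at the top of this message. It assumes the domain check is the standard ACME HTTP-01 request for `/.well-known/acme-challenge/<token>` served from the Vsite's web root; `www.example.com` is a constructed placeholder.

```apache
# .htaccess in the Vsite's web root (added example).
# Assumption: the Let's Encrypt domain check requests
#   http://<FQDN>/.well-known/acme-challenge/<token>
# and the token file is served from this document root.

RewriteEngine On

# Before: a catch-all redirect like this also catches the challenge request.
# RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]

# After, option 1: exempt the challenge path first. "-" means "no substitution",
# [L] stops rule processing, so the token file is served as a plain static file.
# In .htaccess context the pattern is matched without the leading slash.
RewriteRule ^\.well-known/acme-challenge/ - [L]

# After, option 2: keep the redirect, but add a condition that skips the
# challenge path. %{REQUEST_URI} includes the leading slash.
RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
RewriteRule ^ https://www.example.com%{REQUEST_URI} [R=301,L]
```

Either option alone is enough; option 1 has to stay above every other RewriteRule in the file, because rules are evaluated in order.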
