peterpan
Members, 15 posts
Everything posted by peterpan
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
I found the following line in the output:

```
[Sun Sep 15 15:13:43 CEST 2019] Sign failed: "detail":"Error creating new cert :: too many certificates already issued for exact set of domains: xxxxxxx.ca,xxxxxxx.de,xxxxxxx.es,xxxxxxx.fr,xxxxxxx.it,xxxxxxx.net,xxxxxxx.nl,xxxxxxx.us,cron.xxxxxxx.net,webhook.xxxxxxx.net,www.xxxxxxx.ca,www.xxxxxxx.de,www.xxxxxxx.es,www.xxxxxxx.fr,www.xxxxxxx.it,www.xxxxxxx.net,www.xxxxxxx.nl,www.xxxxxxx.us: see https://letsencrypt.org/docs/rate-limits/"
```

As a result, I seem to get a faulty cert from LE, instead of no cert at all. Then, when restarting Apache, it fails with "Configuration failed".
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
It seems to work. When I add a domain as an alias, a new certificate is created. But the certificate is not good:

```
# openssl x509 -in /etc/ssl/froxlor-custom/xxxxxxx.net.crt -text -noout
unable to load certificate
140135579193600:error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag:../crypto/asn1/tasn_dec.c:1130:
140135579193600:error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error:../crypto/asn1/tasn_dec.c:290:Type=X509
140135579193600:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:../crypto/pem/pem_oth.c:33:
```

The content of the certificate is:

```
-----BEGIN CERTIFICATE-----
ewogICJ0eXBlIjogInVybjphY21lOmVycm9yOnJhdGVMaW1pdGVkIiwKICAiZGV0
YWlsIjogIkVycm9yIGNyZWF0aW5nIG5ldyBjZXJ0IDo6IHRvbyBtYW55IGNlcnRp
ZmljYXRlcyBhbHJlYWR5IGlzc3VlZCBmb3IgZXhhY3Qgc2V0IG9mIGRvbWFpbnM6
IGNhbXBpYW5vLmRlLGNhbXBpYW5vLmVzLGNhbXBpYW5vLmZyLGNhbXBpYW5vLml0
LGNhbXBpYW5vLm5ldCxjYW1waWFuby5ubCxjcm9uLmNhbXBpYW5vLm5ldCx3ZWJo
b29rLmNhbXBpYW5vLm5ldCx3d3cuY2FtcGlhbm8uZGUsd3d3LmNhbXBpYW5vLmVz
LHd3dy5jYW1waWFuby5mcix3d3cuY2FtcGlhbm8uaXQsd3d3LmNhbXBpYW5vLm5l
dCx3d3cuY2FtcGlhbm8ubmw6IHNlZSBodHRwczovL2xldHNlbmNyeXB0Lm9yZy9k
b2NzL3JhdGUtbGltaXRzLyIsCiAgInN0YXR1cyI6IDQyOQp9
-----END CERTIFICATE-----
```

which seems quite short.
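The .crt file in the post above holds a base64-wrapped ACME problem document (the rate-limit JSON) instead of a DER certificate, which is why openssl reports "wrong tag". As an added example, not from the post and not Froxlor's or acme.sh's code, here is a stdlib-only pre-install check that tells a structurally valid DER body apart from such an error document and pulls the error details out so they can be logged instead of being copied into /etc/ssl. The sample inputs are constructed: the JSON uses placeholder domains, and the "certificate" sample is only a minimal DER SEQUENCE, not a real certificate.

```python
"""Pre-install sanity check for a PEM certificate file.

Added example for the thread above; not Froxlor's or acme.sh's own code.
Sample inputs at the bottom are constructed.
"""
import base64
import binascii
import json
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
ACME_ERROR_PREFIXES = ("urn:acme:error:", "urn:ietf:params:acme:error:")


def _der_sequence_wraps_whole(der: bytes) -> bool:
    """True if `der` is one DER SEQUENCE whose encoded length spans the whole
    buffer and whose first element is itself a SEQUENCE (tbsCertificate).
    Structural pre-check only; full parsing is left to openssl or an X.509 lib."""
    if len(der) < 4 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der) and der[hdr] == 0x30


def classify_cert_file(text: str) -> dict:
    """Classify a would-be certificate file. `kind` is one of:
      x509-der    - base64 body decodes to a DER SEQUENCE (looks like a cert)
      acme-error  - body is an ACME problem document written where the
                    certificate should be (the situation in the post above)
      no-pem      - no BEGIN/END CERTIFICATE block at all
      not-base64  - block present but body does not decode
      unknown     - decodes, but is neither DER nor an ACME error
    """
    m = PEM_RE.search(text)
    if not m:
        return {"kind": "no-pem"}
    body = "".join(m.group(1).split())
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return {"kind": "not-base64"}
    if _der_sequence_wraps_whole(raw):
        return {"kind": "x509-der", "der_length": len(raw)}
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return {"kind": "unknown"}
    if isinstance(doc, dict) and str(doc.get("type", "")).startswith(ACME_ERROR_PREFIXES):
        return {"kind": "acme-error", "type": doc["type"],
                "status": doc.get("status"), "detail": doc.get("detail", "")}
    return {"kind": "unknown"}


# Constructed sample: a rate-limit problem document wrapped as if it were a
# certificate, the shape seen in the post above, with placeholder domains.
SAMPLE_ERROR_JSON = json.dumps({
    "type": "urn:acme:error:rateLimited",
    "detail": "Error creating new cert :: too many certificates already issued "
              "for exact set of domains: example.net,www.example.net: "
              "see https://letsencrypt.org/docs/rate-limits/",
    "status": 429,
}, indent=2)
SAMPLE_BOGUS_CRT = ("-----BEGIN CERTIFICATE-----\n"
                    + base64.encodebytes(SAMPLE_ERROR_JSON.encode()).decode()
                    + "-----END CERTIFICATE-----\n")

# Constructed sample: minimal DER SEQUENCE { SEQUENCE { INTEGER 258 } } that
# stands in for a certificate body (structure only, not a real certificate).
SAMPLE_DER = bytes.fromhex("3006300402020102")
SAMPLE_DER_CRT = ("-----BEGIN CERTIFICATE-----\n"
                  + base64.b64encode(SAMPLE_DER).decode()
                  + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for label, content in (("bogus", SAMPLE_BOGUS_CRT), ("der", SAMPLE_DER_CRT)):
        print(label, classify_cert_file(content))
```

Running it on a real file: read it, call `classify_cert_file`, and only copy it into the web server's certificate directory when `kind` is `x509-der` and `openssl x509 -noout` also accepts it; an `acme-error` result should stop the run and surface `detail`, which for a 429 names the exact domain set that hit the rate limit.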
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
Was this meant for me? The file is not available.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
When I run 'git apply' on this, it says: although it says "SELECT" at line 62. I am on the latest version:
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
Yes, sure, but there are situations where the domain is not available afterwards, such as non-responsive DNS or a domain that doesn't exist anymore. Not always sure that the domain is removed from Froxlor in that case.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
'tasks' outputs nothing about removing the certificate. I can't quite put my finger on it, but in some situations the 'renew' switch is used where it should be 'issue'. In other situations, 'issue' is used correctly. Also interesting: if an error occurs when getting the certificate (e.g. the domain validation fails), there is no retry for the certificate. At the next run, it says "No new certificates or certificates due for renewal found".
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
I'll try again.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
I ran the cronjob from the console with '--letsencrypt --force'.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
Actually, something did change: I added the new domain as an alias of an existing domain. In the acme.sh command it says '-d new_domain' (correct), so the '--renew' switch is probably not the right choice for your script.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
I put an echo on line 298 in froxlor/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php to see what acme.sh does. When deleting the certificate from the list in Froxlor, it says "Domains not changed" and does nothing. The existing certificate is then copied from /root/.acme.sh to /etc/ssl/froxlor-custom. When adding a domain (as an alias of the existing domain), the command looks like this:

```
/root/.acme.sh/acme.sh --auto-upgrade 0 --server https://acme-v01.api.letsencrypt.org/directory --renew -d existing_domain.net -d new_domain.net --keylength 4096
```

Since it says '--renew', the new domain is not added to the certificate. The correct switch is '--issue'. It would be helpful to see the output of the acme script when using the --debug switch on the cronjob.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
This is what I see with the debug switch. Without it, I see no such output.
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
This is what I see:

```
[information] Adding SAN entry: xxx.yyy
[information] Updated Let's Encrypt certificate for xxx.zzz
[information] Let's Encrypt certificates have been updated
```

The date of the certificate on disk has changed to the current time, but not its size, and not its content. openssl x509 -in xxx.crt -text -noout does not show the new domains.
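Three of the posts above describe the same decision going wrong: `--renew` is used where the name set changed and `--issue` was needed, a failed attempt is never retried because the next run sees nothing "due", and a certificate is logged as updated although only its mtime changed. As an added example (mine, not Froxlor's or acme.sh's code) here is the decision logic written out, with the acme.sh path and server URL taken from the command quoted in the thread; the validation-method arguments acme.sh also needs are omitted, as they are in that quoted command, and the domain lists used below are constructed.

```python
"""When to talk to the CA, whether to --issue or --renew, and whether an
'updated' certificate really changed. Added example for the thread above;
not Froxlor's or acme.sh's own code."""
import hashlib

ACME_SH = "/root/.acme.sh/acme.sh"                                # as quoted in the thread
ACME_SERVER = "https://acme-v01.api.letsencrypt.org/directory"   # as quoted in the thread


def request_reason(issued_domains, wanted_domains, days_left,
                   last_attempt_failed, renew_window_days=30):
    """Return why a request should be made now, or None if nothing is due.

    issued_domains: SANs of the certificate currently installed ([] if none)
    wanted_domains: the domain plus all its aliases as configured now
    days_left:      days until the installed certificate expires
    A failed previous attempt counts as due: reporting 'nothing due' after a
    validation failure is the no-retry behaviour described above.
    """
    if not issued_domains:
        return "no certificate yet"
    if set(issued_domains) != set(wanted_domains):
        return "domain set changed"
    if last_attempt_failed:
        return "previous attempt failed, retrying"
    if days_left <= renew_window_days:
        return "within renewal window"
    return None


def plan_acme_invocation(issued_domains, wanted_domains, keylength=4096):
    """Return (action, argv) for acme.sh.

    --renew only re-requests the exact name set a certificate was issued for,
    so an added or removed alias, or no certificate at all, needs --issue.
    """
    wanted = sorted(set(wanted_domains))
    if not wanted:
        raise ValueError("no domains to request")
    action = "--renew" if set(issued_domains) == set(wanted) else "--issue"
    argv = [ACME_SH, "--auto-upgrade", "0", "--server", ACME_SERVER, action]
    for name in wanted:
        argv += ["-d", name]
    argv += ["--keylength", str(keylength)]
    return action, argv


def fingerprint(pem: bytes) -> str:
    """SHA-256 of the file content; store this, not the mtime."""
    return hashlib.sha256(pem).hexdigest()


def certificate_replaced(installed_pem: bytes, fresh_pem: bytes) -> bool:
    """True only if the bytes differ. Copying an identical file and logging
    'Updated ... certificate' is the symptom in the post above."""
    return fingerprint(installed_pem) != fingerprint(fresh_pem)


if __name__ == "__main__":
    # Constructed scenario: an alias was added to a domain with a valid cert.
    issued = ["existing_domain.net", "www.existing_domain.net"]
    wanted = issued + ["new_domain.net"]
    print(request_reason(issued, wanted, days_left=60, last_attempt_failed=False))
    print(" ".join(plan_acme_invocation(issued, wanted)[1]))
```

Wire-up in a cron step would be: compute `request_reason`; if it is not None, run the argv from `plan_acme_invocation`; then refuse to report success unless `certificate_replaced` is true for the new file against the one already in /etc/ssl/froxlor-custom.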
How to trigger renewal of certificate?
peterpan replied to peterpan's question in General Discussion
This doesn't seem to work. I deleted it from the SSL certificates page, but with the next cronjob it came back exactly as before, with the same domains, same creation date and same expiration date. I even deleted the certificate file from disk in /etc/ssl/froxlor-custom/, but that didn't make any difference either.
Hi, I have a domain equipped with a certificate from LE. The cert is valid for another 2 months. Now I added a domain as an alias of the existing domain, but the certificate isn't updated to have the new domain as its SAN. How do I trigger getting a new and updated certificate? Should I delete the existing one? Thanks for helping out. Peter