Froxlor Forum

Posts posted by snoopotic

  1. Hi.

    With this little Workaround to set $cert_mode = issue above L267

    I was able to delete all certs under admin_domains.php?page=sslcertificates and let them regenerate by running the master_cron.

    Now the log is empty of these warnings! :)

    [information] TasksCron: Searching for tasks to do
    [information] Running Let's Encrypt cronjob prior to regenerating webserver config files
    [information] Requesting/renewing Let's Encrypt certificates
    [information] No new certificates or certificates due for renewal found

    I will keep this variable setting until the next update. :P

     

    Also: The issue that my Webserver config is rewritten every 5 minutes the cert-job runs is also over. :)

    But what really the cause was - I have no idea. Thank you for your effort.

  2. Hmm, in DB it looks good.

    in AcmeSh.php

    I placed in Line 320 (https://github.com/Froxlor/Froxlor/blob/b162324ff02a3279d2728b722d70acd3ccd59059/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php#L320)

    for testing:

    //FELIX
    echo "GIVE CERTMODE: $cert_mode <-thanks ";

    and got

    [information] Creating certificate for domain.tld
    [information] Adding SAN entry: domain.tld
    [information] Adding SAN entry: www.domain.tld
    GIVE CERTMODE: renew <-thanks [debug] [Sun 10 Nov 2019 11:59:56 AM CET] Renew: 'domain.tld'
    [Sun 10 Nov 2019 11:59:56 AM CET] 'domain.tld' is not a issued domain, skip.
    [error] Could not get Let's Encrypt certificate for domain.tld:
    [Sun 10 Nov 2019 11:59:56 AM CET] Renew: 'domain.tld'
    [Sun 10 Nov 2019 11:59:56 AM CET] 'domain.tld' is not a issued domain, skip.

    then I looked further:

    placed around 

    https://github.com/Froxlor/Froxlor/blob/b162324ff02a3279d2728b722d70acd3ccd59059/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php#L267
    } else {
        // FELIX
        $cert_mode = 'issue';
        $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Creating certificate for " . $certrow['domain']);
        // FELIX
        echo "IS IT ISSUE OR NOT $cert_mode <-- ";
    }

    then it worked! 

    (as you see I explicitly set cert_mode = issue again - but afaik it's not necessary but you may see it in your code - I wasn't able yet.)

    I now have 2 domains that have new certs...

    Well, after re-running, these domains are also NOT marked to be renewed so there must be a check that sets the renew-cert_mode because of some DB data...!?

    Is there a DB query I might check?

    I guess we're going further. :)

     

    Is it maybe I skipped the 0.10.3 --> 0.10.4 update and did a 0.10.3 --> 0.10.5 update?

    EDIT: AH! 
    as we're in a loop here: 

    https://github.com/Froxlor/Froxlor/blob/b162324ff02a3279d2728b722d70acd3ccd59059/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php#L247
    

    $cert_mode may change (and does in my case) and thus the default in L246 is overridden... So the workaround may be to set it explicitly like I did for recreating... what do you think?
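
The loop-state effect described in the EDIT above, as an added example that is not part of the original post and not Froxlor's code: a simplified PHP model in which the row field `has_cert` and the function names are hypothetical. It shows how a default assigned once before the loop is lost for every domain that follows one taking the renew branch.

```php
<?php
// Simplified model of the pattern the post describes; NOT Froxlor's AcmeSh.php.
// The 'has_cert' field and both function names are hypothetical.

// Constructed sample rows: a domain with an existing certificate, then one without.
$rows = [
    ['domain' => 'old.example', 'has_cert' => true],
    ['domain' => 'new.example', 'has_cert' => false],
];

// Default set once before the loop; only the renew branch assigns inside it.
function planLeaky(array $rows): array
{
    $plan = [];
    $cert_mode = 'issue';
    foreach ($rows as $row) {
        if ($row['has_cert']) {
            $cert_mode = 'renew';
        }
        // No reset in the other branch: 'renew' from an earlier row is kept.
        $plan[$row['domain']] = $cert_mode;
    }
    return $plan;
}

// Mode derived fresh for every row, so no state carries over between domains.
function planPerRow(array $rows): array
{
    $plan = [];
    foreach ($rows as $row) {
        $plan[$row['domain']] = $row['has_cert'] ? 'renew' : 'issue';
    }
    return $plan;
}

// Print which acme.sh mode each variant would choose per domain.
foreach (['leaky' => planLeaky($rows), 'per-row' => planPerRow($rows)] as $name => $plan) {
    foreach ($plan as $domain => $mode) {
        echo "$name: acme.sh --$mode for $domain\n";
    }
}
```

In the leaky variant the domain without a certificate is handed to the renew mode, which matches the "is not a issued domain, skip." output quoted in the post.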

  3. 16 minutes ago, d00p said:

    and? There definitely should be MORE output...way more

    Hmm. The rest of the output looks the same as the attached log files I posted initially.

    So you mean that whole output of "--force --debug" shall have way more information? oO

    I am on

    PHP 7.3.11-1+0~20191026.48+debian10~1.gbpf71ca0 (cli) (built: Oct 26 2019 14:20:37) ( NTS )

    and the git version tagged with 0.10.5: b162324f#0.10.5

     

  4. Hi.

    Yes, of course it was just to tell you that it's not an issue of acme.sh - it CAN get the certs, but froxlor doesn't.

    what I did:

    1) delete cert of domain1.tld (not the others) in froxlor

    2) unchecked https-ips and let's encrypt settings in froxlor.

    3) deleted certs by 

    /root/.acme.sh/acme.sh --remove -d domain1.tld

    and also removed the folder

    4) ran php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --debug --tasks twice

    last run: 

    [information] TasksCron: Searching for tasks to do
    [notice] Checking system's last guid

    5) enabled ssl-ips and checked the let's encrypt checkbox in froxlor of domain (assuming this re-enables reissuing of certs).

    6) ran php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --debug --tasks twice again

    first run throws the one above (Could not get Let's Encrypt certificate for domain1.tld).

    The second run is the same like in 4).

    5) to make sure ran php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --debug --letsencrypt

    This also throws the "Could not get Let's Encrypt certificate for domain1.tld" from above...

     

    expectation: this workflow regenerates certs in first run of 6)

     

     

  5. Hmm.

    now it throws:

    [information] Creating certificate for domain1.tld
    [information] Adding SAN entry: domain1.tld
    [information] Adding SAN entry: www.domain1.tld
    [debug] [Sun 10 Nov 2019 08:55:25 AM CET] Renew: 'domain1.tld'
    [Sun 10 Nov 2019 08:55:25 AM CET] 'domain1.tld' is not a issued domain, skip.
    [error] Could not get Let's Encrypt certificate for domain1.tld:
    [Sun 10 Nov 2019 08:55:25 AM CET] Renew: 'domain1.tld'
    [Sun 10 Nov 2019 08:55:25 AM CET] 'domain1.tld' is not a issued domain, skip.
    [information] No new certificates or certificates due for renewal found

    But

    ./acme.sh --issue -d domain1.tld -w /var/www/froxlor

    works if you need to know that. Sadly froxlor does not recognize 😕

  6. Hi.

    I went from 0.10.2 over 0.10.3

    by missing 0.10.4 over to 0.10.5

    since the upgrade from 0.10.3 to 0.10.5 every 5 minutes the lets encrypt cron runs and throws:

    Could not get Let's Encrypt certificate for <domain>: [Fri 08 Nov 2019 10:50:06 PM CET] Renew: '<domain>' [Fri 08 Nov 2019 10:50:06 PM CET] Skip, Next renewal time is: Wed 01 Jan 2020 11:05:25 PM UTC [Fri 08 Nov 2019 10:50:06 PM CET] Add '--force' to force to renew.

    for every domain.

    This also causes continuously:

    "Neuerstellung der Webserver-Konfiguration" task in froxlor and also every 5 minutes my apache config gets renewed... meh

    I am on git  @b162324f#0.10.5

     

    running "php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --force --debug"

    is weird as it does not look bad but still keeps:

    [error] Could not get Let's Encrypt certificate for <domain>:
    [Sat 09 Nov 2019 07:21:15 PM CET] Renew: '<domain>'
    [Sat 09 Nov 2019 07:21:15 PM CET] Skip, Next renewal time is: Thu 02 Jan 2020 11:03:17 PM UTC
    [Sat 09 Nov 2019 07:21:15 PM CET] Add '--force' to force to renew.

    ...

    Any ideas how to look deeper?

    I walked through 450 pages of the system log in froxlor and found that these messages appear since the upgrade to 0.10.5

  7. Hi,

    Today I struggled with an ssl cert issue I got fixed later. (My froxlor virtual host cert could not get renewed for days. After deleting the cert and making some entry changes to force the regeneration of the certs it worked.)

    But within my changes there was somehow a froxlor.org outage. And sadly this also caused the "System Admin Settings" page not to be opened. Instead I had to wait until a timeout comes and then I got:
    (picture follows but upload fails)
    - picture says: "Curl Error: Failed to connect version.froxlor.org port 443: Connection timed out"

    So somehow in the code there seems to be a version check that causes timeouts. Maybe this check can be made optional? :)

    regards

  8. @Tealk yup, after that pages went back with new valid certs.

     

    Well, maybe I found a bug but I will search for corresponding logs but maybe reporting the use case is quicker:

    - Create E-Mail Address -> ok

    - Create E-Mail Account -> fails with:

    Fehlermeldung
    Die E-Mail-Adresse "" enthält ungültige Zeichen oder ist nicht vollständig.

    looks like a typo as the address is already "known" ... :)

    shall I look further or is this possibly a case? :)

    (I just upgraded my Debian 9 to 10 maybe it's a cross over thingy but I don't think so other things work)

     

    EDIT: Oh Noes. Horses back: Entering an alternate E-Mail is mandatory xD

  9. Yeah. Just did it.

    First view: looks good, good job! :)

    One thing I like to mention:

    In my Environment I use a lot of LE-Certs. On Upgrade they ALL get renewed. By default it's a 5 minute cron for each webserver-change and each LE-renewal run...
    This means: after Upgrade all certs get deleted and thus web server configfiles recreated with HOSTS default certs. Within this webserver-recreation all LE certs get recreated. If they are not fully recreated within 5 minutes the following job: webserver-renewal with the LE-cert paths may take another 5 minutes. For me: My sites were 15 minutes without invalid certs ;) (not that ugly as I have not that highly visited pages :P)

    Maybe we can add a hint that it may mean up to a 10-15 minutes "possible outage" on upgrade!?
