July 24, 2019
Hi, I have a domain equipped with a certificate from LE. The cert is valid for another 2 months. Now I added a domain as an alias of the existing domain, but the certificate isn't updated to have the new domain as its SAN. How do I trigger getting a new and updated certificate? Should I delete the existing one? Thanks for helping out. Peter
July 24, 2019
You can safely delete it from the ssl-certificates list; a new one will be generated automatically with the next cronjob.
September 4, 2019 (Author)
This doesn't seem to work. I deleted it from the SSL certificates page, but with the next cronjob it came back exactly as before, with the same domains, same creation date and same expiration date. I even deleted the certificate file from disk in /etc/ssl/froxlor-custom/, but that didn't make any difference either.
September 4, 2019
Did you try running the letsencrypt cron with the --debug flag to see what is coming from Let's Encrypt itself?
September 4, 2019 (Author)
This is what I see:
```
[information] Adding SAN entry: xxx.yyy
[information] Updated Let's Encrypt certificate for xxx.zzz
[information] Let's Encrypt certificates have been updated
```
The date of the certificate on disk has changed to the current time, but not its size, and not its content. `openssl x509 -in xxx.crt -text -noout` does not show the new domains.
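The check described in the post above (reading `openssl x509 -in xxx.crt -text -noout` by eye to see whether the new domains made it into the SAN list) is easy to script so that a renewal that silently kept the old SAN list fails a check instead of going unnoticed. The following is an added example, not code from this thread or from Froxlor. It assumes the openssl CLI is installed; the function names (`cert_sans`, `cert_missing_sans`, `make_test_cert`) are hypothetical, and the certificate `make_test_cert` builds is a constructed self-signed one using the placeholder names existing_domain.net and new_domain.net, so nothing here touches a live certificate.

```shell
#!/bin/sh
# Added example (not from the thread or from Froxlor): check whether a
# certificate on disk really lists every domain you expect as a DNS SAN.
# Assumes the openssl CLI is available; all function names are hypothetical.

# cert_sans CERTFILE
#   Prints the DNS entries of the certificate's subjectAltName extension,
#   lower-cased and sorted, one per line. Parses the same "-text -noout"
#   output a person would otherwise read by eye.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p' \
        | tr 'A-Z' 'a-z' \
        | sort -u
}

# cert_missing_sans CERTFILE DOMAIN...
#   Prints each expected domain the certificate does not cover.
#   Exit status 0 only when every domain is present (case-insensitive).
cert_missing_sans() {
    cert="$1"
    shift
    sans=$(cert_sans "$cert")
    rc=0
    for d in "$@"; do
        dl=$(printf '%s' "$d" | tr 'A-Z' 'a-z')
        if ! printf '%s\n' "$sans" | grep -qxF -- "$dl"; then
            printf '%s\n' "$d"
            rc=1
        fi
    done
    return $rc
}

# make_test_cert
#   Creates a throw-away self-signed certificate with two constructed SANs
#   (existing_domain.net and its www label) and prints the PEM path, so the
#   checks above can be exercised without touching a live certificate.
#   The extension is supplied via a config file so it works on older openssl.
make_test_cert() {
    dir=$(mktemp -d)
    cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = existing_domain.net
[v3]
subjectAltName = DNS:existing_domain.net,DNS:www.existing_domain.net
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    printf '%s\n' "$dir/cert.pem"
}

# Command-line use: check_sans.sh CERTFILE DOMAIN...
# e.g. ./check_sans.sh /etc/ssl/froxlor-custom/xxx.crt existing_domain.net new_domain.net
# Prints the domains that are missing and exits non-zero if there are any.
if [ "$#" -gt 0 ]; then
    cert_missing_sans "$@"
fi
```

Run against the freshly copied file in /etc/ssl/froxlor-custom/ after the cronjob, with the full list of domain and alias names you expect; a non-zero exit means the certificate the cron reported as "updated" still lacks at least one of them, which is exactly the situation described above.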
September 4, 2019
2 hours ago, peterpan said:
> This is what I see: [information] Adding SAN entry: xxx.yyy [information] Updated Let's Encrypt certificate for xxx.zzz [information] Let's Encrypt certificates have been updated

That means nothing happened (or you forgot the --debug switch).
September 4, 2019 (Author)
5 hours ago, d00p said:
> that means nothing happened (or you forget the --debug switch)

This is what I see with the debug switch. Without it, I see no such output.
September 4, 2019
Then no new certificate is created at all. Try deleting the certificate again, then manually run the letsencrypt cron with --debug.
September 9, 2019 (Author)
I put an echo on line 298 in froxlor/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php to see what acme.sh does. When deleting the certificate from the list in Froxlor, it says "Domains not changed" and does nothing. The existing certificate is then copied from /root/.acme.sh to /etc/ssl/froxlor-custom. When adding a domain (as an alias of the existing domain), the command looks like this:
```
/root/.acme.sh/acme.sh --auto-upgrade 0 --server https://acme-v01.api.letsencrypt.org/directory --renew -d existing_domain.net -d new_domain.net --keylength 4096
```
Since it says '--renew', the new domain is not added to the certificate. The correct switch is '--issue'. It would be helpful to see the output of the acme script when using the --debug switch on the cronjob.
September 9, 2019
4 minutes ago, peterpan said:
> When deleting the certificate from the list in Froxlor, it says "Domains not changed" and does nothing.

hm...okay, interesting, I'll dig into that

4 minutes ago, peterpan said:
> Since it says '--renew', the new domain is not added to the certificate. The correct switch is '--issue'.

sure it tries a --renew when nothing changed

4 minutes ago, peterpan said:
> It would be helpful to see the output of the acme script when using the --debug switch on the cronjob.

definitely a good idea, I'll check what I can do
September 9, 2019 (Author)
1 minute ago, d00p said:
> sure it tries a --renew when nothing changed

Actually, something did change: I added the new domain as an alias of an existing domain. In the acme.sh command it says '-d new_domain' (correct), so the '--renew' switch is probably not the right choice by your script.
September 9, 2019
Ah okay, so it did recognize the additional alias....also I think in any case when a certificate gets deleted it should do an --issue and not try a --renew - need to check whether this is froxlor logic or acme.sh - did you - after deletion of the certificate - wait for the cron to remove the certificate from acme.sh itself? see https://github.com/Froxlor/Froxlor/blob/master/lib/Froxlor/Domain/Domain.php#L294
September 9, 2019
removing the certificates is done by the "tasks" cronjob - which runs every 5 minutes - so now it's hard to track whether it did remove the certificate from acme.sh or not
September 9, 2019 (Author)
'tasks' outputs nothing about removing the certificate. I can't get my finger behind it, but in some situations the 'renew' switch is used where it should be 'issue'. In other situations, 'issue' is used correctly. Also interesting: if an error occurs when getting the certificate (e.g. the domain validation fails), there is no retry for the certificate. At the next run, it says "No new certificates or certificates due for renewal found".
September 9, 2019
3 hours ago, peterpan said:
> 'tasks' outputs nothing about removing the certificate.

well, did you test with 1) stopping the cron, 2) removing a certificate in froxlor and 3) running the cronjob manually (--force --debug)?
September 9, 2019
3 hours ago, peterpan said:
> Also interesting: if an error occurs when getting the certificate (e.g. the domain validation fails),

domain validation should be done way before trying to get a certificate (when adding the domain)
September 11, 2019 (Author)
On 9/9/2019 at 4:58 PM, d00p said:
> domain validation should be done way before trying to get a certificate (when adding the domain)

Yes, sure, but there are situations where the domain is not available afterwards, such as non-responsive DNS or a domain that doesn't exist anymore. I'm not always sure that the domain is removed from Froxlor in that case.
September 12, 2019
Ok, so I debugged a bit. Changes to domains/aliases/etc. set the expiration-date to NULL, which in the former Let's Encrypt implementation was enough to trigger a re-issue. Acme.sh on the other side displays an error:
```
Domain key exists, do you want to overwrite the key?
Add '--force', and try again.
Create domain key error.
```
Could you test the following changes to see if the certificate issue is now done properly when changing a domain alias?

diff --git a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php index e0967ca0..32d7fae1 100644 --- a/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php +++ b/lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php @@ -62,7 +62,7 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron SELECT domssl.`id`, domssl.`domainid`, - domssl.expirationdate, + domssl.`expirationdate`, domssl.`ssl_cert_file`, domssl.`ssl_key_file`, domssl.`ssl_ca_file`, @@ -221,9 +221,14 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron // Only renew let's encrypt certificate if no broken ssl_redirect is enabled if ($certrow['ssl_redirect'] != 2) { - if (! empty($certrow['ssl_cert_file'])) { + $do_force = false; + if (! empty($certrow['ssl_cert_file']) && !empty($certrow['expirationdate'])) { $cert_mode = 'renew'; $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Updating certificate for " . $certrow['domain']); + } else if (! empty($certrow['ssl_cert_file']) && empty($certrow['expirationdate'])) { + // domain changed (SAN or similar) + $do_force = true; + $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Re-creating certificate for " . $certrow['domain']); } else { $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_INFO, "Creating certificate for " . $certrow['domain']); } 
@@ -252,7 +257,7 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron } } - self::runAcmeSh($certrow, $domains, $cert_mode, $cronlog, $changedetected); + self::runAcmeSh($certrow, $domains, $cert_mode, $cronlog, $changedetected, $do_force); } else { $cronlog->logAction(FroxlorLogger::CRON_ACTION, LOG_WARNING, "Skipping Let's Encrypt generation for " . $certrow['domain'] . " due to an enabled ssl_redirect"); } @@ -270,7 +275,7 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron } } - private static function runAcmeSh($certrow = array(), $domains = array(), $cert_mode = 'issue', &$cronlog = null, &$changedetected = 0) + private static function runAcmeSh($certrow = array(), $domains = array(), $cert_mode = 'issue', &$cronlog = null, &$changedetected = 0, $force = false) { if (! empty($domains)) { @@ -295,6 +300,9 @@ class AcmeSh extends \Froxlor\Cron\FroxlorCron if (Settings::Get('system.letsencryptca') == 'testing') { $acmesh_cmd .= " --staging"; } + if ($force) { + $acmesh_cmd .= " --force"; + } $acme_result = \Froxlor\FileDir::safe_exec($acmesh_cmd);
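Review bot: the @@ -62 hunk only adds backticks around `expirationdate` in the SELECT list, which is consistent with the quoting of the neighbouring columns but has nothing to do with the re-issue fix; it is also the hunk peterpan's `git apply` rejects ("patch failed: ...AcmeSh.php:62"), so either drop this cosmetic change from the patch or confirm the SELECT context lines match what is on master before re-sending.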
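Review bot: in the @@ -221 hunk the new `else if` branch sets `$do_force = true` but never assigns `$cert_mode`, so the mode used for the re-create depends on whatever `$cert_mode` held before this block (its initialisation is outside the hunk). Set it explicitly, e.g. `$cert_mode = 'issue';` next to `$do_force = true;`, so a forced re-create can never be sent to acme.sh as `--renew` - the exact combination peterpan observed in the thread.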
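Review bot: the @@ -295 hunk appends `--force` whenever `$force` is set, which per the quoted acme.sh error makes acme.sh overwrite the existing domain key, so the certificate comes back with a new private key as well as a new SAN list; make sure the copy step from /root/.acme.sh into /etc/ssl/froxlor-custom that peterpan describes picks up the new key file together with the new certificate, and consider logging the final `$acmesh_cmd` in the forced case so a `--debug` run shows why `--force` was added.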
September 12, 2019 (Author)
When I run 'git apply' on this, it says:
```
error: patch failed: lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php:62
error: lib/Froxlor/Cron/Http/LetsEncrypt/AcmeSh.php: patch does not apply
```
although it says "SELECT" at line 62. I am on the latest version:
```
# git status
On branch master
Your branch is up-to-date with 'origin/master'.
nothing to commit, working tree clean
```
September 13, 2019 (Author)
On 9/12/2019 at 12:35 PM, d00p said:
> 0001-re-create-certificate-if-SAN-list-or-domain-changes.patch (attachment unavailable)

Was this meant for me? The file is not available.
September 13, 2019
sure it was meant for you. Hmm, what do you mean with not available? can you give me an error message? users should be able to download attachments
This topic is now archived and is closed to further replies.