
Letsencrypt Official acmetool.sh testing thread for Centmin Mod 123.09beta01

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Jul 26, 2016.

  1. eva2000

    Auto renewals via cron-based renewals only replace the SSL certs in /usr/local/nginx/conf/ssl/domain.com/*, which is the path set in your vhost for the site, so as long as the vhost-set path remains the same, it should renew with minimal impact.


    As to acmetool.sh manual runs for reissue/renewal, they should be the same as the auto renewal cronjobs from what I coded. Unless they change the options, i.e. if you issued with a test SSL cert and HTTP + HTTPS and then try to reissue with a live SSL cert by HTTPS default - then yes, vhost changes will happen. Latest updates try to preserve your existing vhost and just touch the SSL stuff. But it needs folks to test and report feedback and bugs. Hence why it's recommended to do this on a test server :)
     
  2. SFLC

    No bugs noticed so far, everything works perfectly.
     
  3. RB1

    Will come back here and let you know what happens when it's time for my SSLs to renew.
    Hope it all goes to plan and the cron is successful :)
     
  4. RB1

    LetsEncrypt SSL should have renewed after 1 month on Centminmod beta? I'm still seeing the same cert with the same expiration date. :(

    How can I troubleshoot this... hopefully I can provide the correct info.
     
  5. eva2000

    It won't renew if it hasn't expired and is within the auto renewal time, which for addons/acmetool.sh is right now 21 days during beta instead of the 60 days after acmetool.sh goes stable.

    What's the domain name?

    How was the initial letsencrypt SSL certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was it a new domain nginx vhost site setup for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh? Which specific command? Examples:
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Troubleshooting

    There are various steps you can take to troubleshoot failed letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • For direct acmetool.sh runs, there should be 2nd, 3rd & 4th logs in the format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log, /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log, which would need to be included via a separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist), add the following to enable acmetool.sh debug mode, which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or the centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to the above questions and the logs, there is nothing to help troubleshoot the initial issuance or figure out how you originally got your letsencrypt SSL cert.

    Then for renewal:

    What's the output of the command
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    For example, my mysqlmymon.com domain used addons/acmetool.sh for letsencrypt issuance, and the output:
    Code (Text):
    addons/acmetool.sh checkdates
    
    -------------------------------------------------
    acmetool.sh is in beta testing phase
    please read & provide bug reports &
    feedback for this tool via the forums
    https://centminmod.com/acmetool
    -------------------------------------------------
    
    continue [y/n] ? y
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/mysqlmymon.com/mysqlmymon.com-acme.cer
    SHA1 Fingerprint=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    certificate expires in 52 days on 19 Feb 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/mysqlmymon.com/mysqlmymon.com.cer
    SHA1 Fingerprint=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=663D4311FCBFD214075E66EC7399CE6B8E9F0E55
    certificate expires in 52 days on 19 Feb 2017
    


    Check the acme.sh client cronjob is added via grep of the cronjob list output:
    Code (Text):
    crontab -l | grep acme
    

    Example:
    Code (Text):
    crontab -l | grep acme
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    

    Check the cronjob log via grep of the /var/log/cron log for the acme.sh keyword, using sed to rewrite the hostname shortform to "hostname" to mask the hostname:
    Code (Text):
    grep 'acme.sh' /var/log/cron | sed -e "s|$(hostname -s)|hostname|"
    

    Example:
    Code (Text):
    grep 'acme.sh' /var/log/cron* | sed -e "s|$(hostname -s)|hostname|"
    Dec 26 00:00:01 hostname CROND[5520]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 27 00:00:01 hostname CROND[15068]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 28 00:00:01 hostname CROND[4561]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    

    The daily run of the acme.sh client is working.

    Are you behind Cloudflare?
     
  6. pamamolf

    Does that mean that when the certificate expires, all visitors get a warning and maybe the site doesn't work until the cron runs to renew it? :(
     
  7. RB1

    Here is the log: acmetool.sh-debug-log · GitHub
    I set up my vhosts using centmin.sh menu option 2 without SSL and later followed the steps in the correct order using this tool: Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS

    Output of:
    Code (Text):
    /usr/local/src/centminmod/addons/acmetool.sh checkdates

    checkdates_output · GitHub


    I already have this cron job:
    Code (Text):
    0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    


    Output of cron log:
    Code (Text):
    Dec 27 00:00:01 hostname CROND[32226]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    Dec 28 00:00:01 hostname CROND[26924]: (root) CMD ("/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null)
    


    I am not using Cloudflare on any of my domains.

    Edit: There's one domain that had an invalid cert... you will probably see an error for "example3.com" in acme-tool.sh-debug-log, however this domain doesn't show in the output of checkdates because I removed /usr/local/nginx/conf/ssl/example3.com/ before running that command.
     
  8. eva2000

    In general, when an HTTPS SSL cert expires, visitors get a pop-up in the browser saying there is an issue with the SSL certificate, and it allows visitors to view the error, i.e. cert expired.

    For letsencrypt SSL in the context of the acmetool.sh addon, the cronjob runs daily and auto renews only if not within the preset threshold, which is 21 days during beta or 60 days when stable. So if the cronjob auto renews and the letsencrypt SSL cert is only 14 days old, it's within 21 days so still valid and cron skips auto renewal.

    If the cronjob checks again on the 22nd day of the SSL cert, it sees it's 22>21 so auto renews. So it auto renews 90-21 = ~69 days before expiry. Once acmetool.sh is stable, I will change the threshold from 21 to 60 days. So the auto renew cronjob only renews once the SSL cert is 61 days old, or 90-61 = ~29-30 days before expiry.

    acmetool.sh and the underlying acme.sh client should never have a situation where visitors are served an expired SSL cert due to cronjob auto renewal if it is working properly. If the end user deletes the acme.sh cronjob, that would break auto renewal, or if the cron service is stopped or disabled, that would break auto renewal too.

    So check if cron is working too.
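    As an added example (not code from this thread, from Centmin Mod or from acme.sh), the Python below puts the renewal rule from this post and the three checks from post 5 into one script: it parses the notAfter line that `openssl x509 -noout -enddate` prints for a cert under /usr/local/nginx/conf/ssl, decides whether the cert is older than the 21-day beta or 60-day stable threshold, and confirms the acme.sh cron entry exists and has fired recently in /var/log/cron. The crontab and cron-log lines are constructed samples shaped like the thread's output, and the 36-hour "recent run" gap is an assumption.

```python
"""Renewal-threshold and cron health check for acme.sh-managed certificates.

Added example; not code from the thread, Centmin Mod or acme.sh. It models
eva2000's rule (the daily acme.sh cron renews a 90-day cert only once it is
older than a threshold: 21 days in the acmetool.sh beta, 60 once stable) and
the failure mode he names: no cron entry, or a cron service that is not firing.
"""
import re
from datetime import datetime, timedelta, timezone

CERT_LIFETIME_DAYS = 90              # Let's Encrypt certificate validity
THRESHOLD_BETA, THRESHOLD_STABLE = 21, 60
ACME_CRON = re.compile(r"acme\.sh --cron")

def parse_not_after(enddate_line):
    """Parse 'notAfter=Feb 19 23:59:59 2017 GMT' as printed by `openssl x509 -noout -enddate`."""
    value = enddate_line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_left(not_after, now):
    return (not_after - now).days

def renewal_due(not_after, now, threshold_days):
    """Due once age (lifetime minus days left) exceeds the threshold: '22>21 so auto renews'."""
    return CERT_LIFETIME_DAYS - days_left(not_after, now) > threshold_days

def cron_installed(crontab_output):
    """`crontab -l | grep acme` must find the entry; deleting it breaks auto renewal."""
    return any(ACME_CRON.search(line) for line in crontab_output.splitlines())

def last_cron_run(cron_log, year):
    """Newest acme.sh run in /var/log/cron; syslog stamps omit the year, so the caller supplies it."""
    stamps = [" ".join(line.split()[:3]) for line in cron_log.splitlines() if ACME_CRON.search(line)]
    runs = [datetime.strptime(f"{s} {year}", "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc) for s in stamps]
    return max(runs) if runs else None

def report(enddate_line, now_iso, crontab_output, cron_log, max_gap_hours=36):
    """Combine the thread's three checks (checkdates, crontab -l, /var/log/cron) into one verdict."""
    now, end = datetime.fromisoformat(now_iso), parse_not_after(enddate_line)
    last = last_cron_run(cron_log, now.year)
    # a stopped cron daemon shows up as a missing daily run, not as an error message
    cron_ok = cron_installed(crontab_output) and last is not None and now - last <= timedelta(hours=max_gap_hours)
    return {"days_left": days_left(end, now), "due_beta": renewal_due(end, now, THRESHOLD_BETA),
            "due_stable": renewal_due(end, now, THRESHOLD_STABLE), "cron_ok": cron_ok}

# Constructed sample input shaped like the thread's output (dates and PIDs are illustrative).
CRONTAB = '0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null\n'
CRON_LOG = "\n".join(f'Dec {d} 00:00:01 hostname CROND[{p}]: (root) CMD ("/root/.acme.sh"/acme.sh '
                     f'--cron --home "/root/.acme.sh" > /dev/null)' for d, p in ((26, 5520), (27, 15068), (28, 4561)))
```

    With the sample data, a cert expiring 19 Feb 2017 checked on 28 Dec 2016 is 37 days old: due under the 21-day beta threshold, skipped under the 60-day one, which is the gap between the two thresholds discussed in this thread.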
     
  9. eva2000

    example3.com is the one that expired? From the output it looks like it never was issued, as letsencrypt failed to verify the domain due to improper DNS, i.e. the IP for example3.com not pointing to the server IP.

    Auto renewal cronjobs won't renew a failed domain-validated example3.com. You would need to try issuing the example.com letsencrypt SSL cert again.
     
  10. RB1

    No, you can ignore the example3.com domain... didn't mean to ever attempt SSL issue for that one.
    I'm talking about domain example2.com (SSL issued 11/27) and example.com (SSL issued 11/28).
     
  11. eva2000

    From the checkdates output they're still valid till 25-27 Feb 2017 and not expired though: checkdates_output · GitHub
    Code (Text):
    ----------------------------------------------
    nginx installed
    ----------------------------------------------
    
    /usr/local/nginx/conf/ssl/example.com/example.com-acme.cer
    SHA1 Fingerprint=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    certificate expires in 60 days on 27 Feb 2017
    
    /usr/local/nginx/conf/ssl/example2.com/example2.com-acme.cer
    SHA1 Fingerprint=9C0617423202A361020162664E80209DEF0F7AB3
    certificate expires in 58 days on 25 Feb 2017
    
    ----------------------------------------------
    acme.sh obtained
    ----------------------------------------------
    
    /root/.acme.sh/example.com/example.com.cer
    SHA1 Fingerprint=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=F36B7C65CE7DCCFF41B6972612DD0226162254FF
    certificate expires in 60 days on 27 Feb 2017
    
    /root/.acme.sh/example2.com/example2.com.cer
    SHA1 Fingerprint=9C0617423202A361020162664E80209DEF0F7AB3
    [ below certifcate transparency link is only valid ~1hr after issuance ]
    https://crt.sh/?sha1=9C0617423202A361020162664E80209DEF0F7AB3
    certificate expires in 58 days on 25 Feb 2017


    Though I see what you mean, I think, as I set it to renew every 21 days instead of 60 days but it's not renewing until later. The same happened for mysqlmymon.com and I think it's because of the underlying acme.sh client.

    Manual run of the cronjob acme.sh command output:
    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    [Wed Dec 28 21:19:27 UTC 2016] Renew: 'mysqlmymon.com'
    [Wed Dec 28 21:19:27 UTC 2016] Skip, Next renewal time is: Fri Feb 10 00:00:21 UTC 2017
    [Wed Dec 28 21:19:27 UTC 2016] Add '--force' to force to renew.
    [Wed Dec 28 21:19:27 UTC 2016] Skipped mysqlmymon.com
    
     
  12. RB1

    Wait, I was under the assumption that in beta, SSL certs will be renewed after they are 21 days old.
     
  13. eva2000

    See my previous post, you might have just missed it.
     
  14. RB1

    Ahh OK thanks! I also received the message that 2 domains were skipped (due to renew on Jan 26 and Jan 28). I may try a --force renew.

    How can I remove a domain from getting checked by the acme tool? The domain example3.com has no files in "/usr/local/nginx/conf/ssl" or in "/usr/local/nginx/conf/conf.d" but it's still attempting to renew via acme.sh.

    Thanks! :)

    Edit: Force renew worked wonderfully for the other 2 domains
     
  15. eva2000

    Delete the directory at /root/.acme.sh/example3.com.
    Yes, that works if you want.
     
  16. RB1

    Great, everything is working properly now, thank you!

    I guess I should have just waited until January for the auto-renew to see if that's working... at least we know manual forced renew works :p
     
  17. eva2000

    eva2000 Administrator Staff Member

    54,931
    12,240
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,812
    Local Time:
    4:35 AM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
  18. RB1

    Ahh, cool that you figured it out so quickly :)
    Do acmetool.sh updates come from Centminmod code base updates or from manually running acmetool (I believe it checks for an update before running that process)?
     
  19. eva2000

    addon/acmetool.sh updates do come from centmin mod code base updates via centmin.sh menu option 23 submenu option 2 :)
     
  20. pamamolf

    Great, I'm also waiting for this update :)