Acme.sh certificate activation problem

Hello,
I'm having a strange problem. I have a website created using Tomcat 8.0.3 / openjdk1.8.0_382 on Ubuntu 22.04. I generated a certificate for my domain via acme.sh by following these steps:

curl https://get.acme.sh | sh
acme.sh --register-account -m example@gmail.com
acme.sh --set-default-ca --server letsencrypt
export Namesilo_Key="redacted"
acme.sh --issue --dns dns_namesilo -d example.com -d www.example.com --dnssleep 2000
acme.sh --set-notify --notify-level 1
acme.sh --set-notify --notify-mode 0
export CALLMEBOT_YOUR_PHONE_NO="example"
export CALLMEBOT_API_KEY="redacted"
acme.sh --set-notify --notify-hook callmebotWhatsApp

Everything was working fine, but after 90 days the certificate was not automatically renewed and I had to do it manually. Now another 90 days have passed and again the automatic renewal did not work. If this was the only problem I wouldn't bother you, but now I can't even renew manually. More precisely, my renewal does not affect the website.
When I check, I see that the certificate is active:

acme.sh --list
Main_Domain KeyLength SAN_Domains CA Created Renew
example.com "ec-256" www.example.com LetsEncrypt.org 2024-05-07T01:43:28Z 2024-07-05T01:43:28Z

But the old expired certificate is still active on the website.
I also tried these: First I completely uninstalled acme.sh. Then I reinstalled it and created the certificate again, but the result did not change. Restarting Tomcat and doing a soft reboot of my VPS server also made no difference.
How can I fix this situation? Any idea will be appreciated.

Did you also run acme.sh --install, which apparently installs the cron job for renewal? You can also check manually if such a cronjob is present.

Hmm, apparently this shouldn't be necessary if you'd do the whole curl | sh step. (Which personally I would NEVER do, IPU knows what kind of code you'd be running :scream:) Probably a good idea to double check the presence of the cronjob though.

1 Like

Hi @OzanD, and welcome to the LE community forum :slight_smile:

Please change your API keys that you posted.

5 Likes

Does it use the cert files "as is"?
Or did it require some file conversion?

4 Likes

That should be a one-time thing.

3 Likes
SSLCertificateFile="/usr/local/ssl/server.crt"
SSLCertificateKeyFile="/usr/local/ssl/server.pem"
4 Likes

OK, I'm pretty sure that's NOT how/where acme.sh stores the cert files.
So, something must happen between the time the cert is acquired and when Tomcat is able to use it.

4 Likes

Thanks. The API key was not correct. I changed it before sending the message.

2 Likes

I solved the problem. When I created a new certificate, the file paths became different from those in the configuration file in Apache2 (/etc/apache2/sites-available/example.com.conf). When I fixed them, the problem went away. Thanks for your help.

1 Like

What is the path being used in the Apache config?

2 Likes

SSLCertificateFile /home/user/.acme.sh/example.com_ecc/fullchain.cer
SSLCertificateKeyFile /home/user/.acme.sh/example.com_ecc/example.com.key
SSLCACertificateFile /home/user/.acme.sh/example.com_ecc/ca.cer

That path seems correct.
So, maybe all you need is to restart/reload Apache after each renewal.

As for the acme.sh failure to renew, I think you only need to execute a cron job with:
acme.sh --renew-all

5 Likes
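The two failure modes the thread converged on (the vhost pointing at cert paths that no longer exist after the cert was recreated under example.com_ecc/, and Apache never being reloaded after a renewal) can both be checked from a cron job. The script below is an added example written for this thread, not acme.sh's own code or anything the posters ran; the config path, host name and file names are constructed placeholders, and the live-server check assumes openssl and network access.

```shell
#!/bin/sh
# Added example: audit the cert paths an Apache (or Tomcat) config references
# and reload Apache only when the served cert no longer matches the file on disk.

# Print the file paths referenced by SSLCertificateFile / SSLCertificateKeyFile /
# SSLCACertificateFile. Handles both  Directive /path  and  Directive="/path".
apache_cert_paths() {
    conf="$1"
    grep -E '^[[:space:]]*SSL(Certificate|CertificateKey|CACertificate)File' "$conf" \
        | sed -E 's/^[[:space:]]*SSL[A-Za-z]+File[[:space:]=]+//; s/^"//; s/"[[:space:]]*$//'
}

# List referenced paths that do not exist on disk; return 1 if any are missing.
# This is the thread's bug: acme.sh recreated the cert under example.com_ecc/
# while the vhost still pointed at the old directory.
missing_cert_paths() {
    conf="$1"
    missing=$(apache_cert_paths "$conf" | while IFS= read -r p; do
        [ -e "$p" ] || printf 'MISSING: %s\n' "$p"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# SHA-256 fingerprint of the leaf certificate stored in a PEM file.
file_cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the leaf certificate the live server presents (needs network).
served_cert_fingerprint() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Reload Apache only when the file on disk differs from what is being served,
# i.e. after a renewal that the web server has not picked up yet.
reload_if_stale() {
    host="$1"; cert="$2"
    if [ "$(file_cert_fingerprint "$cert")" != "$(served_cert_fingerprint "$host")" ]; then
        echo "served certificate is stale; reloading apache2"
        systemctl reload apache2
    fi
}

# Constructed usage (run after `acme.sh --renew-all` in the same cron entry):
#   missing_cert_paths /etc/apache2/sites-available/example.com.conf || exit 1
#   reload_if_stale example.com /home/user/.acme.sh/example.com_ecc/fullchain.cer
```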

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.