Acme.sh failed twice since ZeroSSL bought it

brentlh · November 16, 2021, 10:01pm

I failed after ZeroSSL bought acme.sh and I enter a help topic for that, and was help to get it working via the community.

I stayed with Letsencrypt because I did not like the way it had worked for a long time until ZeroSSL took ownership of acme.sh

Now the 2nd under ZeroSLL, it needed to be renewed again, it did not renew it again.

My domain is: wa.newtonpro.com

I ran this command: .acme.sh # /root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh

It produced this output: (From acme.sh.log file)
Tue Nov 16 00:42:35 CST 2021] Can not init api, for https://acme-v02.api.letsencrypt.org/directory
[Tue Nov 16 00:42:35 CST 2021] Return code: 1
[Tue Nov 16 00:42:35 CST 2021] Error renew wa.newtonpro.com.
[Tue Nov 16 00:42:35 CST 2021] _error_level='1'
[Tue Nov 16 00:42:35 CST 2021] _set_level='3'
[Tue Nov 16 00:42:35 CST 2021] Sending via: smtp
[Tue Nov 16 00:42:35 CST 2021] Found /root/.acme.sh/notify/smtp.sh for smtp
[Tue Nov 16 00:42:35 CST 2021] SMTP_BIN='/usr/bin/curl'
[Tue Nov 16 00:42:35 CST 2021] SMTP_FROM='marcie@newtonpro.com'
[Tue Nov 16 00:42:35 CST 2021] SMTP_TO='brent@newtonpro.com'
[Tue Nov 16 00:42:35 CST 2021] SMTP_HOST='172.16.1.127'
[Tue Nov 16 00:42:35 CST 2021] SMTP_SECURE='tls'
[Tue Nov 16 00:42:35 CST 2021] SMTP_PORT='587'
[Tue Nov 16 00:42:35 CST 2021] SMTP_USERNAME='brent'
[Tue Nov 16 00:42:35 CST 2021] SMTP_PASSWORD='[hidden](please add '--output-insecure' to see this value)'
[Tue Nov 16 00:42:35 CST 2021] SMTP_TIMEOUT='30'
[Tue Nov 16 00:42:35 CST 2021] SMTP_SUBJECT='Renew Error'
[Tue Nov 16 00:42:35 CST 2021] SMTP_CONTENT='Error certs:
wa.newtonpro.com

'
[Tue Nov 16 00:42:35 CST 2021] Error sending message with /usr/bin/curl.
[Tue Nov 16 00:42:35 CST 2021] Error send message by smtp_send
[Tue Nov 16 00:42:35 CST 2021] Set /root/.acme.sh/notify/smtp.sh error.
[Tue Nov 16 00:42:35 CST 2021] ===End cron===
[Tue Nov 16 15:26:56 CST 2021] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Nov 16 15:26:56 CST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'

My web server is (include version): apache Version 2.4

The operating system my web server runs on is (include version): SLES 12 SuSe Linux Enterprise Server.

My hosting provider, if applicable, is: Company Hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v3.0.2

_az · November 16, 2021, 10:06pm

What's the output of:

curl -i https://acme-v02.api.letsencrypt.org/directory

SLES 12 is very end-of-life and I would guess that your issue has something to do with an outdated CA certificates package, following Let's Encrypt's recent certificate chain changes.

brentlh · November 16, 2021, 10:10pm

It replied:

curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl - SSL CA Certificates

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

_az · November 16, 2021, 10:14pm

Thanks. curl/acme.sh can't communicate with Let's Encrypt, because your operating system and its packages are too out-of-date.

The preferred option is going to be to upgrade to a maintained version of SLES.

You could also try the workaround I posted here, keeping in mind that those instructions are for Ubuntu and may need to be adjusted for SLES. It's possible also that the instructions won't work, if the problem is the age of your OpenSSL package.

brentlh · November 16, 2021, 11:00pm

Anyone know how to get acme.sh to use curl with a -k option so I can get this certificate renewed and fight the update later after that? Browsers are now not allowing easy access without a valid certificate. I agree that needs to happen but was not I fight I need to do now.

_az · November 16, 2021, 11:21pm

Apparently you can set HTTPS_INSECURE=1 in the environment and that will do the trick.

brentlh · November 16, 2021, 11:39pm

Sorry, but I have not worked very long with Linux.

What do you mean by 'in the environment'?

MikeMcQ · November 16, 2021, 11:45pm

Just add ``--insecure``` to the acme.sh command. Use acme.sh help to see options

brentlh · November 17, 2021, 12:15am

Sincere Thanks to everybody that help get me acme.sh to renew this certificate.

You ROCK!!!

Now I have get the updates so it works automaticly again.

system · December 17, 2021, 12:15am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.