Acme.sh not auto-renewing

Hello

I have successfully generated a certificate for my domain. It works perfectly; I used acme.sh to generate it.

However, today my certificate expired and my website was down. I thought the point of using acme.sh was to auto-renew these certificates?

I was able to make my website work again by manually entering the following two commands:

acme.sh --renew -d example.com
systemctl reload nginx

How would I configure my server to auto-renew my certificates in the future? Normally I followed the same steps as here (it is for a different website though).

Currently crontab -l is empty for root and normal user.

I also noticed that executing acme.sh --list as root gives a different output than when I run it as the normal user.
As root:

Main_Domain   KeyLength  SAN_Domains  CA           Created  Renew
example.com  ""         no           ZeroSSL.com

For the normal user all columns have a value.

How to configure this properly?

It looks like you're using ZeroSSL as the CA. This is the Let's Encrypt Community, which is a different CA. I'd like you to refer to the acme.sh documentation, which is quite terrible. Personally I have no experience with that ACME client. It might be as simple as you just need to add a cronjob manually? Or perhaps run some acme.sh command which does that for you? I dunno :man_shrugging:t2:

2 Likes

If you don't have a cronjob for acme.sh, it's possible you haven't installed it properly. How have you set up acme.sh?

The installation section in the README mentions various possibilities, including:

  • an online shell script (very easy to use, though it's generally not recommended to execute arbitrary unverified code)
  • running acme.sh --install
  • manually setting up the cronjob is fine as well

The acme.sh installation (primarily its config directory) is relative to the current user's home directory. It is important to run all acme.sh commands (including the cronjob) as the same user. It's generally easiest to run acme.sh (always) as root, but running as non-root also works, if configured appropriately.

7 Likes
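A small check for the cron and same-user points in the reply above, added here as an example and not code from the thread or from the acme.sh project. It reads a crontab's text on stdin (the sample crontabs below are constructed) and reports whether an active acme.sh --cron entry exists and whether its --home path sits under the home directory of the user who will run the renewals.

```shell
#!/bin/sh
# Added example: verify that a crontab carries the acme.sh renewal entry that
# "acme.sh --install" normally adds, and that it points at the right user's
# config directory. Crontab text comes from stdin so this runs offline.

# Returns 0 if stdin contains an uncommented acme.sh --cron line, else 1.
has_acme_cron() {
    grep -v '^[[:space:]]*#' | grep -q 'acme\.sh.*--cron'
}

# Returns 0 if the --home path of the first active cron line lies under the
# given home directory (so cron and interactive runs share one ~/.acme.sh).
cron_home_matches() {
    home_dir=$1
    line=$(grep -v '^[[:space:]]*#' | grep 'acme\.sh.*--cron' | head -n 1)
    [ -n "$line" ] || return 1
    cron_home=$(printf '%s\n' "$line" |
        sed -n 's/.*--home[[:space:]]*"\{0,1\}\([^" ]*\).*/\1/p')
    case "$cron_home" in
        "$home_dir"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample crontabs (not real output from the thread).
EMPTY_CRONTAB=""
ROOT_CRONTAB='12 3 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
COMMENTED_CRONTAB='#12 3 * * * "/home/alice/.acme.sh"/acme.sh --cron --home "/home/alice/.acme.sh" > /dev/null'

# Prints a verdict; returns 0 = ok, 1 = no cron entry, 2 = wrong --home.
check_crontab() {
    label=$1; content=$2; home_dir=$3
    if printf '%s\n' "$content" | has_acme_cron; then
        if printf '%s\n' "$content" | cron_home_matches "$home_dir"; then
            printf '%s: renewal cron present for %s\n' "$label" "$home_dir"
            return 0
        fi
        printf '%s: cron present but --home is not under %s\n' "$label" "$home_dir"
        return 2
    fi
    printf '%s: no acme.sh cron entry; run acme.sh --install or add one\n' "$label"
    return 1
}

check_crontab root "$ROOT_CRONTAB" /root || true
check_crontab empty "$EMPTY_CRONTAB" /root || true
check_crontab alice "$COMMENTED_CRONTAB" /home/alice || true
```

On a live host replace the constructed strings with `crontab -l` output for each user you suspect is running acme.sh.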

Do you still have?:

6 Likes

Looks like I'm "late to the party"!

acme.sh Trivia

Most know that Let's Encrypt is no longer the "DEFAULT Certificate Authority" for the shell script, acme.sh.

TO ENSURE LET'S ENCRYPT IS THE CA OF CHOICE EDIT ACME.SH

Verify Line 23:
CA_LETSENCRYPT_V2="https://acme-v02.api.letsencrypt.org/directory"
Verify Line 23:
CA_LETSENCRYPT_V2_TEST="https://acme-staging-v02.api.letsencrypt.org/directory"

Look for:
DEFAULT_CA=$CA_ZEROSSL
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST

And change it to:
Line 38: DEFAULT_CA=$CA_LETSENCRYPT_V2
Line 39: DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST

I think it is interesting the author chose to continue using LET'S ENCRYPT'S staging environment. Most other CAs apparently do not have a testing environment as robust as ours.

RIP

3 Likes

at all

(buypass and google have one)

5 Likes

Isn't it easier to do below? The setting is thus preserved over acme.sh script updates

acme.sh --set-default-ca --server letsencrypt

6 Likes

Thanks Mike! Yes it actually is. Either way works. When I looked at my configuration the default CA was Z-ssl .... and I have always used LE... I modified it anyway. I have certs renewing tomorrow. It will be interesting to see if any objections occur from the change.
Since I don't run these from the command line I prefer to change the configuration, to be sure. :innocent:

4 Likes
