Acme_sh not renewing after 60 days - How to debug?

Hi,
I would prefer not to post the domain because I don't want the person I am trying to host site for to worry if they searched for their website, and came across these issues.

I am using acme_sh. I set up my own crontab to remind me because in the past I was using certbot, and it failed to renew, and the website went down. Now I changed to acme_sh (because I am using debian, since I wish not to use snap, which could issue an update at any time and break things. I followed the acme_sh's installation/cert issue/cert installation procedure and it all went well. Their documentation says it should auto renew after 60 days.

Issue command:

sudo -u username /home/username/.acme.sh/acme.sh --issue --server letsencrypt -d example.com -d www.example.com -w /var/www/example.com/public'

Install command:

sudo -u username /home/username/.acme.sh/acme.sh --install-cert -d example.com --fullchain-file /var/www/example.com/private/cert/fullchain.pem --key-file /var/www/example.com/private/cert/key.pem --cert-file /var/www/example.com/private/cert/cert.pem

64 days later...

When I run my own cron job to check if it has expired (using nmap -p 443 --script ssl-cert example.com, I get (note it should have renewed 4 days ago):

The certificate is valid from 2022-04-21 to 2022-07-20, 64 days since issue (should renew after 60), 25 days remaining (cert valid for 90 days)

There is no file (from reading other people problems they referred to this log):
/home/username/.acme.sh/acme.sh.log

./acme.sh --renew-all prints nothing

$ ./acme.sh --renew-all
$

This is whats in the root's hoem dir:

root@demo:~/.acme.sh# ll
total 24
drwxr-xr-x 4 root root 4096 Jun 23 14:29 .
drwx------ 7 root root 4096 Jun 23 14:30 ..
-rw-r--r-- 1 root root   73 Jun 23 14:36 account.conf
drwxr-xr-x 3 root root 4096 Jun 23 14:29 ca
drwxr-xr-x 3 root root 4096 Jun 23 14:29 example.co.za
-rw-r--r-- 1 root root  490 Jun 23 14:36 http.header

And this is what is in the users home dir:

username@demo:~/.acme.sh$ ll
total 240
drwx------ 5 username username   4096 Jun 23 14:29 .
drwxr-xr-x 7 username username   4096 Jun 23 14:30 ..
-rw-r--r-- 1 username username    200 Jun 23 14:29 account.conf
-rwxr-xr-x 1 username username 216188 Jun 23 14:29 acme.sh
-rw-r--r-- 1 username username     96 Jun 23 14:29 acme.sh.env
drwxr-xr-x 2 username username   4096 Jun 23 14:29 deploy
drwxr-xr-x 2 username username   4096 Jun 23 14:29 dnsapi
drwxr-xr-x 2 username username   4096 Jun 23 14:29 notify

These are the daily cronjobs (cert_check is the cron job I made):

$ sudo -u username run-parts --test /etc/cron.daily
/etc/cron.daily/apt-compat
/etc/cron.daily/cert_check
/etc/cron.daily/dpkg
/etc/cron.daily/logrotate
/etc/cron.daily/man-db
/etc/cron.daily/sysstat

Here are the not updated certs:

/var/www/example.com/private/cert$ ll
total 24
drwxrwx--- 2 username www-data 4096 Apr 21 13:52 .
drwxrwx--- 3 username www-data 4096 Apr 21 13:52 ..
-rw-rw---- 1 username www-data 1891 Apr 21 14:22 cert.pem
-rw-rw---- 1 username www-data 5642 Apr 21 14:22 fullchain.pem
-rw-rw---- 1 username www-data 1675 Apr 21 14:22 key.pem

What else can I try?

Please show:
acme.sh --list

There are multiple weird things:

• You seem to have two acme.sh installations: One for root, one for your local user. This is likely going to cause issues, if it hasn't already.
  • Assuming example.co.za is a placeholder for your actual domain name, that means acme.sh has a certificate under its root user installation.
• Neither your shown issue nor install cert commands run under the root user (where your cert seems to be).
• The install-cert doesn't have a reloadcmd, so acme.sh will not reload your webserver. In that case your webserver might not pick up the renewed certificate.

As username (not root):

$ ./acme.sh --list
Main_Domain  KeyLength  SAN_Domains  CA  Created  Renew

So, you've deleted your cert(s)?

OR

Please show the output of these two commands:
which acme.sh
find / -name acme.sh

I think you onto something, I think I performed the issue as root, instead of as user username:

root@demo$ /home/username/.acme.sh/acme.sh --issue --server letsencrypt -d example.com -d www.example.com -w /var/www/example.com/public'

instead of:

sudo -u username /home/username/.acme.sh/acme.sh --issue --server letsencrypt -d example.com -d www.example.com -w /var/www/example.com/public'

I have not deleted the originally issued certs, they are in:

/var/www/example.com/private/cert$ ll
total 24
drwxrwx--- 2 username www-data 4096 Apr 21 13:52 .
drwxrwx--- 3 username www-data 4096 Apr 21 13:52 ..
-rw-rw---- 1 username www-data 1891 Apr 21 14:22 cert.pem
-rw-rw---- 1 username www-data 5642 Apr 21 14:22 fullchain.pem
-rw-rw---- 1 username www-data 1675 Apr 21 14:22 key.pem

It appears acme.sh is not in my path (which is okay since I always use the full path to the executable):

$ which acme.sh
$ sudo find / -name acme.sh
/home/username/.acme.sh/acme.sh

Cert files owned by "username www-data":

Why/How did you get into this state?
Did you copy/move them?

There are no certs to renew.
You will have to reissue.
[going forward I would check they are listed and wouldn't copy/move them]

If so, then what's the output of acme.sh --list as root?

From what I understood from reading the docs, when you issue/install your certs, acme.sh records the commands you last used, then replays that when renewing.

It was probably hard to see above when I first posted the install certs command cause it's one long line, I broke it into several lines so its easier to see:

sudo -u username /home/username/.acme.sh/acme.sh --install-cert -d example.com
--fullchain-file /var/www/example.com/private/cert/fullchain.pem
--key-file /var/www/example.com/private/cert/key.pem
--cert-file /var/www/example.com/private/cert/cert.pem

[this isn't exactly the forum for that software]

My guess is that if it can issue a cert, it should be able to renew it.
But you should be able to list it once it has been issued.
If it can't be listed, then it doesn't "exist" and can't be renewed.
Why it fails to "exist"... you would have to ask on their support channel(s).

Is this what you would like to see or something else?

As username (not root):

$ ./acme.sh --list
Main_Domain  KeyLength  SAN_Domains  CA  Created  Renew

I explicitely asked for acme.sh --list as root while you're now showing explicitely "not root" So no.

Ok thank you for that insight/lead, I will look into that.

Sorry my mistake, here as root:

sudo ./acme.sh --list
It seems that you are using sudo, please read this link first:
https://github.com/acmesh-official/acme.sh/wiki/sudo

Okay I switched to the root user, and there it is! thank you for that!

/home/username/.acme.sh/acme.sh --list
Main_Domain           KeyLength  SAN_Domains               CA               Created                          Renew
example.com  ""         www.example.com  LetsEncrypt.org  Thu 21 Apr 2022 12:22:12 PM UTC  2022-06-20T12:22:12Z

Maybe I must delete the root /home/.acme.sh folder and try issue/install again, ensuring I am doing it not as root.

I don't have experience with acme.sh, but isn't it possible to somehow "migrate" the files from /root/.acme.sh/ to /home/username/.acme.sh/ ? Shouldn't be too hard I'd think.. Check if nothing gets overwritten, copy the files and adjust the files owner?

Brillant! I did that, and now when I do acme.sh --list as the user, it shows the certs under the user's listing. I will wait a day and see if auto renew works tonight

Thank you @Osiris, @rg305, @Nummer378 for the fast and very knowledgable support!!

don't use sudo or su, obviously, you don't know how to use sudo correctly.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.