Acme.sh won't work without --force

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
usmcmta.org

I ran this command:
acme.sh -r -d usmcmta.org

It produced this output:
Add '--force' to force to renew.
Return code: 2

My web server is (include version):
Don't Know

The operating system my web server runs on is (include version):
Linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
No

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes. Unknown version

I initially set up the certificate last October. I have to use acme.sh to administer the cert for my site. I have a cronjob set up to renew automatically.

The first time that I renewed, I think that I did it manually, just to make sure that it would work. Then I set up the cronjob and it failed. If memory serves me correctly, it was because the script had been updated and whatever changed no longer allowed the version that I was using to work and caused the renewal to fail. I downloaded the updated script, re-ran the script and the cert was renewed.

The cert was set to expire at midnight. I checked it first thing this morning, and sure enough, it failed. A quick check of the logs only showed the following error:

Add '--force' to force to renew.
Return code: 2

I updated the script from github and reran the command manually on the command line. I received the same error. This time I added the "--force" to the command and the script ran just fine and the cert was renewed.

Is there a reason why I needed to add "--force"? Do I need to add that option to the cronjob to ensure that it'll renew on the next renewal time?

Thank you.

Daryl

Are you sure? I see two certificates issued for that domain, one expiring on October 25, and the other (issued today) expiring on November 25. I think you had to use --force because acme.sh didn't believe renewal was necessary. Usually, it is recommended to renew certificates 30 days before expiry, but the certificate issued July 27 still had 60 days to go.

I'll be honest, I'm a bit confused. Prior to your reply I was certain that the cert was scheduled to expire on August 26th. However, now I'm confused.

On May 28th, the renewal failed via cron. The acme.sh script had been changed and the change kept the script from being able to renew the cert. I downloaded a new script from git and ran it manually. The cert should have been valid until August 26th. And I kept a close eye on the cert, often verifying that it was still valid and still scheduled to renew on August 26th.

I just looked at the logs and saw that a renewal happened on July 27th, and the logs have repeating errors saying that the cert isn't set to expire until Sept. 25th. Since I kept an eye on the cert, and it was valid until Aug. 26th, the first thing that I did on August 27th was to look at my site. I did not receive a green bar declaring that the site was secure, but rather a gray bar telling me that the site was unsecure.

So this is where I'm confused. If the cert was renewed in July, a full month before it was supposed to have been renewed, why would it show when I clicked on the cert in the URL bar? It still showed August as being the renewal date. Also, why did it renew a full month prior to when it was supposed to have renewed?

Another question. You say that you see two certs? Where do you see that? The cert on my site says that it's valid until November 25th. Are there two certs on my site?

Thank you.

Daryl

I saw the certificates on Google’s Certificate Transparency log search tool: https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:usmcmta.org&lu=cert_search

Having overlapping certificates is not a problem; in fact you should have them overlapping for a month if you renew 30 days before expiry. Your web server will only be serving the new one.

As for the green bar, if you indeed had an expired certificate being sent by your web server, you’d get a red bar. A gray bar indicates that there’s something else going on, usually mixed content, loading scripts from unauthenticated sources, or outdated ciphers. However, SSL Labs and WhyNoPadlock both look good. Would you be able to post a screenshot of what happens when you click the “Not Secure” icon by the address bar? That’ll give info on why.

Perhaps the URL bar was red and not gray, I don't remember off the top of my head, and it is now secure, so I can't provide a screenshot, however I do remember that it said "Not Secure".

The document that I read last year when I set this up had a cronjob example that I copied/pasted into the cPanel cron entry. It checks every night to see if the cert needs to be renewed. Does the acme.sh script renew the cert a month prior to actual expiration? If so, this is something that I wasn't aware of. I was under the impression that it would only renew when it was set to expire.

I was just looking at the acme.sh documentation, and it is not the actual documentation that I read last year when I set up the cert. I don't remember reading last year that the cert will renew after 60 days, but this documentation does clearly say that. I know that the script had been updated a couple of times since I initially set it up, so perhaps it's something new within the past year.

I'm not familiar with SSL Labs or WhyNoPadlock, or the link that you provided. These are all good links to keep and use for future troubleshooting. It's also good to learn that the cert renews 30 days prior to the expiration. In 60 days, I'll have to keep an eye on the Google Transparency log and make sure that it renewed as expected.

Thank you for the help and knowledge.

Daryl
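As an added example (not acme.sh's own code, nor anything posted in this thread), the script below works through the two renewal rules discussed here, the 30-days-before-expiry rule of thumb from the reply above and acme.sh's documented 60-days-after-issuance default, against the July 27 certificate; it shows why a manual run on August 27 stops with "Add '--force' to force to renew." and why the log names Sept. 25, which is exactly 60 days after July 27. The year, the times of day, and the `notBefore=`/`notAfter=` line format (as printed by `openssl x509 -noout -startdate -enddate`) are assumptions.

```python
from datetime import datetime, timedelta, timezone

ACME_SH_RENEW_AFTER = timedelta(days=60)  # acme.sh default: renew 60 days after issuance
RENEW_BEFORE_EXPIRY = timedelta(days=30)  # rule of thumb from the thread: renew 30 days before expiry


def parse_openssl_date(line):
    """Parse a line as printed by `openssl x509 -noout -startdate|-enddate`,
    e.g. 'notAfter=Oct 25 00:00:00 2019 GMT', into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    if value.endswith(" GMT"):
        value = value[:-4]
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def acme_sh_would_renew(not_before, now):
    """acme.sh's default rule: renew once 60 days have passed since issuance.
    Before that it prints "Add '--force' to force to renew." and exits with code 2."""
    return now >= not_before + ACME_SH_RENEW_AFTER


def expiry_rule_would_renew(not_after, now):
    """Expiry-based rule: renew once 30 days or fewer remain."""
    return not_after - now <= RENEW_BEFORE_EXPIRY


def renewal_report(start_line, end_line, today_iso):
    """For a given day (ISO date, taken as 00:00 UTC), report what each rule would do."""
    not_before = parse_openssl_date(start_line)
    not_after = parse_openssl_date(end_line)
    now = datetime.fromisoformat(today_iso).replace(tzinfo=timezone.utc)
    return {
        "days_since_issue": (now - not_before).days,
        "days_left": (not_after - now).days,
        "acme_sh_next_renew": (not_before + ACME_SH_RENEW_AFTER).date().isoformat(),
        "acme_sh_would_renew": acme_sh_would_renew(not_before, now),
        "expiry_rule_would_renew": expiry_rule_would_renew(not_after, now),
    }


if __name__ == "__main__":
    # Constructed from the thread: the certificate issued July 27 and expiring
    # October 25, checked on August 27 and around Sept. 25 (the year is assumed).
    START = "notBefore=Jul 27 00:00:00 2019 GMT"
    END = "notAfter=Oct 25 00:00:00 2019 GMT"
    for day in ("2019-08-27", "2019-09-25", "2019-09-26"):
        print(day, renewal_report(START, END, day))
```

On August 27 neither rule fires (31 days since issue, 59 days left), which is why acme.sh asked for --force; from Sept. 25 on, both rules agree that renewal is due, so the nightly cronjob would have renewed it without --force.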

