I realize I am running a deprecated version of letsencrypt-express, but herein lies the problem. I am trying to find time to update all the 3rd party packages for crowdcontrolrecords.com, but it involves some rewriting. Especially around using https://www.npmjs.com/package/greenlock-express which uses a newer version of your ACME APIs.
I simply wanted a bit more time to rewrite things and it appears you guys are stopping new registrations on ACMEv1 after 10/30 according to this post: End of Life Plan for ACMEv1
To be clear, “registration” is about creating an ACME account. It has nothing to do with certificates.
It’s typical for an ACME client to register an account when you first install it on a computer, and then keep using it forever after. Most ACMEv1 users are not affected by the registration brownouts, unless they’re installing obsolete ACME clients on new servers, or their client does not save its account details and constantly registers new ones.
I don’t know if letsencrypt-express saves and reuses account information. Maybe its documentation makes that clear.
Did it display or log any sort of error message about why it failed to renew your certificate?
So strange. I got it to work finally, but I am not certain I grok how/why it suddenly worked. Apologies in advance for the multiple posts. This forum won’t allow me to post more than 20 links per post!? So I will break it up…
My cert renewal process involves two steps:
1. Running Express with the testing() function
2. Running Express without testing()
You’re probably wondering what I am talking about. Here’s the Express code related to letsencrypt-express (on my end)…
// var LEX = require('letsencrypt-express').testing();
// Gets you console logs explaining what's going on as well as a fake cert. I believe you MUST do this first in order for the live one to work.
var LEX = require('letsencrypt-express');
// Gets you the real live cert. Use this in production.

// Registration details handed to Let's Encrypt when a hostname has no cert on disk yet.
var domain1 = {
  domains: ['www.crowdcontrolrecords.com', 'crowdcontrolrecords.com'],
  email: 'info@crowdcontrolrecords.com',
  agreeTos: true
};

var lex = LEX.create({
  // Where account and certificate files are stored and reused between runs.
  configDir: require('os').homedir() + '/letsencrypt/etc',
  // Called for any hostname without a cert; leave `null` to disable automatic registration.
  approveRegistration: function (hostname, approve) {
    approve(null, domain1);
  }
});
Normally I run Express via a custom systemctl service I set up. Something like this: https://www.digitalocean.com/community/tutorials/how-to-use-systemctl-to-manage-systemd-services-and-units When you guys asked what the response was, I ran the systemctl status command and was reminded that it only gives you a few lines. So I stopped the Express server and ran it directly via node blahServer.js and watched the responses when I hit the website and it attempted to renew certs.
Note: testing certs will be installed because .testing() was called.
remove .testing() to get live certs.
[LEX] automatic registration handling turned on for testing.
[LEX] creating sniCallback {
"configDir": "/home/nick/letsencrypt/etc",
"debug": true,
"webrootPath": "/tmp/acme-challenge",
"privkeyPath": "/home/nick/letsencrypt/etc/live/:hostname/privkey.pem",
"fullchainPath": "/home/nick/letsencrypt/etc/live/:hostname/fullchain.pem",
"certPath": "/home/nick/letsencrypt/etc/live/:hostname/cert.pem",
"chainPath": "/home/nick/letsencrypt/etc/live/:hostname/chain.pem",
"server": "https://acme-staging.api.letsencrypt.org/directory",
"letsencrypt": {
"backend": {}
}
}
Server is now listening on port 443...
[LEX] no certs loaded for 'www.crowdcontrolrecords.com'
[LE] fetch
[letsencrypt/lib/common.js] fetchFromDisk
Error: ENOENT: no such file or directory, open '/home/nick/letsencrypt/etc/live/www.crowdcontrolrecords.com/privkey.pem'
at Error (native)
[LEX] fetch from disk result 'www.crowdcontrolrecords.com':
null
[LEX] 'www.crowdcontrolrecords.com' is not registered, requesting approval
[LEX] 'www.crowdcontrolrecords.com' registration approved, attempting register
[LE] register
[NLE]: begin registration
This Let's Encrypt / ACME server has been updated with urls that this client doesn't understand
{ 'key-change': 'https://acme-staging.api.letsencrypt.org/acme/key-change',
meta:
{ caaIdentities: [ 'letsencrypt.org' ],
'terms-of-service': 'https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf',
website: 'https://letsencrypt.org/docs/staging-environment/' },
'new-authz': 'https://acme-staging.api.letsencrypt.org/acme/new-authz',
'new-cert': 'https://acme-staging.api.letsencrypt.org/acme/new-cert',
'new-reg': 'https://acme-staging.api.letsencrypt.org/acme/new-reg',
pAn5U_Z11hs: 'Adding random entries to the directory',
'revoke-cert': 'https://acme-staging.api.letsencrypt.org/acme/revoke-cert' }
[le/core.js] use account
Account 'ed812d0d50e92225ecd36b053a8b7540' was corrupt. No big deal (I think?). Creating a new one...
[LEX] 'www.crowdcontrolrecords.com' register completed Error: Registration request failed: {
"type": "urn:acme:error:unauthorized",
"detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.",
"status": 403
}
at handleErr (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/register-new-account.js:101:17)
at getTerms (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/register-new-account.js:28:16)
at Request._callback (/home/nick/release/develop_671a19a/node_modules/letiny-core/lib/acme-client.js:113:7)
at Request.self.callback (/home/nick/release/develop_671a19a/node_modules/request/request.js:187:22)
at emitTwo (events.js:106:13)
at Request.emit (events.js:191:7)
at Request. (/home/nick/release/develop_671a19a/node_modules/request/request.js:1044:10)
at emitOne (events.js:96:13)
at Request.emit (events.js:188:7)
at IncomingMessage. (/home/nick/release/develop_671a19a/node_modules/request/request.js:965:12)
at emitNone (events.js:91:20)
at IncomingMessage.emit (events.js:185:7)
at endReadableNT (_stream_readable.js:934:12)
at _combinedTickCallback (internal/process/next_tick.js:74:11)
at process._tickCallback (internal/process/next_tick.js:98:9) undefined
cert is NOT looking good
[LEX] certs for 'www.crowdcontrolrecords.com' recently failed and are still in cool down
[LEX] certs for 'www.crowdcontrolrecords.com' recently failed and are still in cool down
It looks like it’s attempting to register my domain vs renew! Maybe that’s the issue!? At any rate, I removed the .testing() and restarted the express server directly with node blahServer.js command and got the following response…
It was attempting to register an account. As the link explains, account registration has been disabled on the ACMEv1 staging API.
The Let's Encrypt staging and production environments use separate databases, including separate account databases.
I don't know why the client was doing that. (I hope someone who knows how it works responds to this thread.) Maybe "testing" mode always registers new staging accounts. Maybe it always registers new accounts period. Maybe not.
Do you have logs from when it was failing to renew the certificate?
Let's Encrypt has also temporarily disabled registration of production accounts sometimes -- the link gives the schedule of temporary brownouts and when registrations will be permanently disabled.
Maybe the client always registers new production accounts. If so, you would have had problems during the last brownout, and will soon have problems again.
Maybe it coincidentally failed for other reasons. Your logs, if there are any, should show exactly what happened.
For that matter, do you have detailed logs from when it succeeded in renewing the certificate? They should show if it's continually registering new accounts, at least.
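As an added example (not code from the thread or from letsencrypt-express), here are the two checks a client or operator can run against the directory and error shown in the log above: classify the directory as ACMEv1 or ACMEv2 while tolerating the random entry Boulder adds, and extract and recognise the "account creation disabled" problem document, which is the signature of a client registering a new account instead of reusing a saved one. The sample directory and log text are constructed from the thread's output.

```javascript
// Resource names an ACMEv1 (Boulder) directory exposes vs. an ACMEv2 / RFC 8555 one.
const V1_RESOURCES = ['new-reg', 'new-authz', 'new-cert', 'revoke-cert', 'key-change'];
const V2_RESOURCES = ['newNonce', 'newAccount', 'newOrder', 'revokeCert', 'keyChange'];
// Decide which protocol version a directory speaks. Boulder deliberately adds a random
// key ("Adding random entries to the directory"), so unknown keys are reported, not fatal.
function classifyDirectory(dir) {
  const hasAll = names => names.every(n => typeof dir[n] === 'string');
  const known = new Set([...V1_RESOURCES, ...V2_RESOURCES, 'meta']);
  const unknownKeys = Object.keys(dir).filter(k => !known.has(k));
  if (hasAll(V2_RESOURCES)) return { version: 'v2', unknownKeys };
  if (hasAll(V1_RESOURCES)) return { version: 'v1', unknownKeys };
  return { version: 'unknown', unknownKeys };
}
// Pull the ACME problem document out of the log: the JSON follows "Registration request
// failed:" and a stack trace follows the JSON, so walk braces to find where it ends
// (assumes no braces inside the JSON strings).
function parseRegistrationFailure(logText) {
  const marker = 'Registration request failed:';
  const at = logText.indexOf(marker);
  const start = at < 0 ? -1 : logText.indexOf('{', at + marker.length);
  if (start < 0) return null;
  let depth = 0;
  for (let i = start; i < logText.length; i++) {
    if (logText[i] === '{') depth++;
    else if (logText[i] === '}' && --depth === 0) {
      try { return JSON.parse(logText.slice(start, i + 1)); } catch (e) { return null; }
    }
  }
  return null;
}
// True for the ACMEv1 registration shutdown error, i.e. the client tried to create a
// new account instead of reusing a saved one.
function isV1RegistrationDisabled(problem) {
  return !!problem && problem.status === 403 &&
    problem.type === 'urn:acme:error:unauthorized' &&
    /Account creation on ACMEv1 is disabled/.test(problem.detail || '');
}
// Sample inputs, constructed from the directory and error shown in the thread.
const stagingV1Directory = {
  'key-change': 'https://acme-staging.api.letsencrypt.org/acme/key-change',
  'new-authz': 'https://acme-staging.api.letsencrypt.org/acme/new-authz',
  'new-cert': 'https://acme-staging.api.letsencrypt.org/acme/new-cert',
  'new-reg': 'https://acme-staging.api.letsencrypt.org/acme/new-reg',
  pAn5U_Z11hs: 'Adding random entries to the directory',
  'revoke-cert': 'https://acme-staging.api.letsencrypt.org/acme/revoke-cert'
};
const sampleLog = '[LEX] register completed Error: Registration request failed: {\n' +
  '  "type": "urn:acme:error:unauthorized",\n  "status": 403,\n' +
  '  "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client."\n' +
  '}\n    at handleErr (.../letiny-core/lib/register-new-account.js:101:17)';
```

Seeing `isV1RegistrationDisabled` fire on a renewal run means the client never found a usable saved account in configDir, which is the condition the brownouts expose.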