Automatic update Let’s Encrypt did not work! [with EasyEngine]


#1

My certificate did not automatically update with the cron job configuration. Does anyone know how to solve this?

Thank you!


#2

Can you provide any more information? What command was run? Do you have output from the run? A normal “certbot renew” works pretty well, so having that output and knowing what was run will be essential to helping find the problem.


#3

Thanks for the feedback!
Here is the certificate cron.

0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine

site: wordpress
ubuntu 16.04
nginx
digital ocean


#4

I mean, if I use this command (certbot renew), does it renew now?

Thank you!


#5

It seems pretty unfortunate that they set 2> /dev/null in this case, because it may have discarded useful error output…

So, how did you conclude that it didn’t work? Did you get a message about a failure to update, or did you simply notice that your certificate wasn’t updated on your site by a time when you expected it to be? As you might know, the final 0 there means that this command will only run on Sundays, which seems unnecessarily infrequent to me unless it is somehow trying to renew certificates without even checking whether they’re near expiry, in which case it seems unnecessarily frequent. I don’t know what EasyEngine’s behavior in this regard would be.

Can you tell us your domain name?


#6

I don’t know whether EasyEngine installs and uses Certbot or not. It’s possible that you don’t have Certbot at all, because EasyEngine might be using other client software to obtain certificates.

If you do have Certbot, certbot renew tries to renew all certificates that were obtained with Certbot on your system and saved under /etc/letsencrypt that are currently less than 30 days away from expiry. If a certificate is more than 30 days from expiry, unless you’ve manually changed the defaults, certbot renew does not try to renew that particular certificate.


#7

The certificate expired yesterday and I can already see browser alerts.
This is my website mysite


#8

So, you didn’t also get some kind of error message from EasyEngine about a renewal failure, just noticed that the certificate was expired?

I guess that this is a bad decision on EasyEngine’s part to suppress error reporting with 2> /dev/null, because then people miss an opportunity to learn about problems…

Although I don’t know anything about EasyEngine, I would suggest directly running that command

ee site update --le=renew --all

yourself from a command line, and see what happens (for example, whether you get a specific error message).


#9

# renew_before_expiry = 30 days
version = 0.12.0
archive_dir = /etc/letsencrypt/archive/mysite
cert = /etc/letsencrypt/live/mysite/cert.pem
privkey = /etc/letsencrypt/live/mysite/privkey.pem
chain = /etc/letsencrypt/live/mysite/chain.pem
fullchain = /etc/letsencrypt/live/mysite/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
installer = None
account = UyJ4+sNHA5uEM53(@B[X
webroot_path = /var/www/mysite/htdocs,
[[webroot_map]]
www.mysite = /var/www/mysite/htdocs
mysite = /var/www/mysite/htdocs


#10

I used the command; I’m waiting for it to finish.

Updating site mysite, please wait…


#11

Let us know what happens. This does also show that EasyEngine is actually using Certbot, so you can also try sudo certbot renew (depending on how EasyEngine has installed Certbot on your system).


#12

It seems to me that no change has taken place with this command. I will try the other.


#13

sudo certbot renew
sudo: certbot: command not found


#14

It has probably installed it in some other location, so you could try to find it with locate certbot.


#15

Several paths to certbot now appear


#16

I had to put it on the drive because it does not fit here!


#17

Whoops!

Well, the command to try would probably be

sudo /opt/letsencrypt/certbot-auto renew


#18

Wow!
sudo /opt/letsencrypt/certbot-auto renew
Upgrading certbot-auto 0.12.0 to 0.15.0…
Replacing certbot-auto…
Creating virtual environment…
Installing Python packages…
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/mysite.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for mysite
http-01 challenge for mysite
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/mysite/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/mysite/fullchain.pem (success)


#19

That looks good… you might also have to restart your web server in order for it to notice the new certificate. (I wonder why EasyEngine isn’t able to do this renewal for itself, if it works so easily with Certbot.)


#20

You saved me, thanks for your help and patience with me!
Now everything is working well!
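

The problem raised in posts #5 and #8, a renewal cron job whose stderr is sent to /dev/null, can be audited and avoided as in this added example (not part of the thread, and not EasyEngine's or Certbot's own code). The function names, the log file argument and the sample crontab are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: names and sample data below are assumptions, not EasyEngine code.

# Constructed crontab; the first entry is the EasyEngine line quoted in post #3.
SAMPLE_CRONTAB='0 0 * * 0 ee site update --le=renew --all 2> /dev/null # Renew all letsencrypt SSL cert. Set by EasyEngine
# 0 3 * * * certbot renew 2>/dev/null
17 3 * * * /opt/letsencrypt/certbot-auto renew >> /var/log/le-renew.log 2>&1
30 4 * * * certbot renew > /dev/null 2>&1
0 5 * * * /usr/local/bin/backup.sh 2> /dev/null'

# Read crontab text on stdin and print the active (non-comment) renewal
# entries whose error output is discarded. Exit status 0 means "found some".
find_silenced_renewals() {
    grep -E -e '(certbot|--le=renew)' \
        | grep -E -v -e '^[[:space:]]*#' \
        | grep -E -e '(2|&)>>?[[:space:]]*/dev/null|>[[:space:]]*/dev/null[[:space:]]+2>&1'
}

# Run a renewal command with stdout and stderr appended to a log file.
# On failure, write a short summary to stderr (cron mails job output to the
# crontab owner or MAILTO) and return the command's own exit status.
# Usage: run_renewal_logged LOGFILE COMMAND [ARGS...]
run_renewal_logged() {
    renew_log=$1
    shift
    printf '=== %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >> "$renew_log"
    renew_status=0
    "$@" >> "$renew_log" 2>&1 || renew_status=$?
    if [ "$renew_status" -ne 0 ]; then
        printf 'renewal failed (exit %s); last lines of %s:\n' \
            "$renew_status" "$renew_log" >&2
        tail -n 5 "$renew_log" >&2
    fi
    return "$renew_status"
}
```

On a real host the audit would be fed from `crontab -l`, and the cron entry would call a script that wraps the renewal command in `run_renewal_logged` instead of appending `2> /dev/null`.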