Can't renew certificates

My domain is fipgauges.com

I ran this command:
/usr/bin/php /root/acmephp.phar request fipgauges.com --force

It produced this output:

Loading account key pair…
Forced renewal.
Loading domain key pair…
Loading domain distinguished name…
Loading the order related to the domains fipgauges.com
Renewing certificate for domain fipgauges.com

In ServerErrorHandler.php line 107:

[malformed] The request message was malformed: No order for ID 2848199017 (on request "GET https://acme-v02.api.letsencrypt.org/acme/order/76341933/2848199017")

In RequestException.php line 113:

Client error: GET https://acme-v02.api.letsencrypt.org/acme/order/76341933/2848199017 resulted in a 404 Not Found response:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No order for ID 2848199017",
"status": 404
}

request [-f|--force] [--country COUNTRY] [--province PROVINCE] [--locality LOCALITY] [--organization ORGANIZATION] [--unit UNIT] [--email EMAIL] [-a|--alternative-name ALTERNATIVE-NAME] [--]

My web server is (include version):
apache2

The operating system my web server runs on is (include version):
Debian v8

My hosting provider, if applicable, is: Virgin Media
Netgear ReadyNAS 314 drive - home hosted

I had the same issue 90 days ago and in the end I had to set up acmephp from scratch and go through all the validation tasks etc., like adding those files to my web server, and again I still can't update and have no idea why.

Please help, this is very frustrating, and last time trying to fix it I broke my web server and my site was down for a week.

Regards Daren

Which version of acmephp are you using? Is that the most recent? To me, it looks like a bug in the client.

I’m not sure, no idea how to check. I only installed it in January. I could do a manual cert renewal for a month or two, but stopped around March sometime.

How can I check the version? It should be fairly new due to only having installed it not too long ago.

Sorry, I'm pretty IT literate, but when it comes to web servers I'm not great at all. My Unix/Linux skills are very limited.

Daz

I don't know, I've never used that client in my life.

The most recent version, 1.2.0, was released on January 15.

You could try other lightweight, CLI only clients which might run on your NAS like acme.sh.

I installed acme.sh and ran the renewal and got these errors (I also ran the old status script to show I do have working and active certs)...
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d fipgauges.com -d www.fipgauges.com
[Sat Jun 13 13:33:02 WEST 2020] Renew: 'fipgauges.com'
[Sat Jun 13 13:33:02 WEST 2020] 'fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d fipgauges.com
[Sat Jun 13 13:33:54 WEST 2020] Renew: 'fipgauges.com'
[Sat Jun 13 13:33:54 WEST 2020] 'fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d www.fipgauges.com
[Sat Jun 13 13:34:02 WEST 2020] Renew: 'www.fipgauges.com'
[Sat Jun 13 13:34:02 WEST 2020] 'www.fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /usr/bin/php /root/acmephp.phar status
+-------------------+----------------------------+---------------------+---------------------+----------------+
| Domain | Issuer | Valid from | Valid to | Needs renewal? |
+-------------------+----------------------------+---------------------+---------------------+----------------+
| fipgauges.com | Let's Encrypt Authority X3 | 2020-04-04 10:07:01 | 2020-07-03 10:07:01 | No |
| www.fipgauges.com | Let's Encrypt Authority X3 | 2020-04-04 10:08:32 | 2020-07-03 10:08:32 | No |
+-------------------+----------------------------+---------------------+---------------------+----------------+
root@ReadyNAS2:~#

Well, that’s to be expected. Different ACME clients normally (I don’t know any to be exact) don’t “share” their configurations and certificate storage. You’ll need to start from scratch with acme.sh, hopefully just once.

Couldn't find any instructions on how to set up acme.sh from scratch. Didn't think using the same save storage location would be an issue. I could have easily had the certs in the www web root.

daz

Errors from both clients almost suggest I have no Let's Encrypt account?

I'm a noob, but it looks like I'm being rejected server side?

Daz

See How to issue a cert · acmesh-official/acme.sh Wiki · GitHub

It is.

That would be unwise. Certs always need the accompanying private key, which you don't want to share with the whole world. Leaking your private key is reason for certificate revocation.

I don't have any reason to believe that statement. Why do you think so?

Acme.sh hasn't even contacted Let's Encrypt yet. You're trying to do stuff with acme.sh which it isn't ready for yet.

Thanks for the link to the acme.sh instructions.

I will setup acme.sh from scratch and see what happens…

Thanks for your help and advice so far…

Daz

acmephp used to try the challenge response, fail, and give me instructions on manually adding the challenge response to my website, which worked. But acme.sh says my challenge response doesn't exist and doesn't give info on what to add.

Reading the https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode, looks like it's not very helpful.

I THINK I should be adding a text record on my domain and perhaps this is why it's not renewing? I can add a text record at my domain provider, I just don't know what I need to add. Is it to do with the thumbprint acme.sh displayed while trying to issue certs?

Sorry, I did say I don't really know what I'm doing.

Daz

Think I just worked it out: by removing --dns and using --apache it seemed to generate certs… just checking if I can use them in my apache.conf files (new directory to certs…).

I don’t like trial and error, a little knowledge is dangerous

Daz

Thanks for your help, I'm now using the NEW acme.sh certs. Changing my web server to the new certs wasn't too bad. I was confused that acme.sh gave me 4 files, but I only have two entries in my SSL conf file (cert and key); didn't know if I needed to add entries for the other two files?

Intermediate CA cert and full chain cert?

I'll do some more research on GoDaddy integration, DNS, TXT records etc. (ain't got a clue lol). I don't mind manually renewing my certs (couldn't even do that with acme.php) so hope I'm already in a better place.

Thank you again for your assistance, been amazing.

Daz

You're supposed to use the full chain (which is just the certificate + intermediate cert combined) as the certificate file since Apache version 2.4.8. Only with older versions of Apache will you need to configure the intermediate CA cert separately.

Using only the single end leaf certificate without the intermediate in one way or another could fail with some web clients.
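As an added example, not from this thread and not acme.sh's or Acme PHP's own code: a small POSIX shell script that checks the certificate files before they go into the Apache config. It builds a constructed throwaway CA and leaf certificate with openssl so it runs offline; the file names cert.pem, fullchain.pem and key.pem mirror what acme.sh writes, and the constructed ca.pem stands in for the intermediate. The checks are the ones worth running on the real files: how many certificates a PEM file holds, whether the private key matches the certificate, and whether the leaf verifies against the intermediate.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check cert/fullchain/key files
# before pointing Apache at them. Everything below is CONSTRUCTED test
# material; on a real box point the functions at the files acme.sh installed.
set -eu

WORK=$(mktemp -d)   # files are left here for inspection

# Minimal openssl config for the throwaway CA (explicit extensions so the
# result does not depend on the system openssl.cnf).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Constructed CA (stands in for the Let's Encrypt intermediate).
openssl req -x509 -config "$WORK/ca.cnf" -extensions v3_ca \
  -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Constructed Test CA" 2>/dev/null
# Constructed leaf key + CSR, then the CA signs it -> cert.pem
openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
  -keyout "$WORK/key.pem" -out "$WORK/leaf.csr" \
  -subj "/CN=example.test" 2>/dev/null
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -out "$WORK/cert.pem" 2>/dev/null
# fullchain.pem = leaf followed by the intermediate, the layout acme.sh uses
cat "$WORK/cert.pem" "$WORK/ca.pem" > "$WORK/fullchain.pem"
# An unrelated key, to show the mismatch check firing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null

# Number of PEM certificate blocks in a file: 1 for cert.pem, >=2 for fullchain.pem
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# "yes" when the private key ($2) belongs to the certificate ($1), else "no":
# both sides are reduced to the same SubjectPublicKeyInfo PEM and compared.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  if [ "$cert_pub" = "$key_pub" ]; then echo yes; else echo no; fi
}

# "ok" when the leaf ($1) chains to the CA/intermediate bundle ($2), else "fail"
chain_verifies() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# What Apache 2.4.8+ wants: SSLCertificateFile = fullchain, SSLCertificateKeyFile = key
echo "cert.pem blocks:       $(count_certs "$WORK/cert.pem")"
echo "fullchain.pem blocks:  $(count_certs "$WORK/fullchain.pem")"
echo "key matches cert:      $(key_matches_cert "$WORK/cert.pem" "$WORK/key.pem")"
echo "unrelated key matches: $(key_matches_cert "$WORK/cert.pem" "$WORK/other.key")"
echo "chain verifies:        $(chain_verifies "$WORK/cert.pem" "$WORK/ca.pem")"
```

On real files, fullchain.pem should report at least two blocks, the key should report "yes" against cert.pem, and the leaf should verify against the intermediate file (with the system trust store supplying the root). A "no" from key_matches_cert is the classic cause of Apache refusing to start after a certificate swap.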

I didn’t really understand any of that unfortunately.

I have no idea then what I need to put in my Apache SSL conf file or how to configure the intermediate CA cert because I have no idea what that even is.

That is unfortunate indeed. And it should be your wake-up call to try to learn something new. Whenever I come across something I don't understand, I try to read about it and learn about it until I understand it.

For example, you can read more about what an intermediate certificate is here: https://www.securew2.com/blog/public-key-infrastructure-explained/#int-CA (found it with some simple Google keywords).

Even the Apache documentation has an intro to TLS: https://httpd.apache.org/docs/2.4/ssl/ssl_intro.html


Yeah thanks I’m googling that stuff currently…

Just reading some stuff now that said the full chain is not used in Apache 2.4.

I had pointed my SSL conf to the certs in acme.sh but just read not to do that.

Big learning curve…

Found I have to use the install cert command to save certs to a different folder. I assume then when it renews certs it will put them in the new folder, not the acme.sh one.

I don't mind reading, playing and self-learning, but there's the risk, like last time, of killing the server, so I'm being very cautious this time.

I spent days learning to set up acme.php and probably didn't do that properly or it wouldn't be broken. Acme.sh does seem a lot simpler, but the creation of two extra files I've not seen before kicked off a new learning curve I wasn't prepared for.

I'll do some more reading and playing and pray nothing breaks; while it's sort of working I'm reluctant to touch it though.

Thanks for your help so far.

Play around on a testing server. VirtualBox is a free VM where you could load any Linux distribution and play around.

To be fair, I think the interface of acme.sh isn't the easiest one. Although I don't use it myself currently.

I'm not sure why those files are such a surprise. If I look at the Acme PHP documentation about configuring the webserver, I see Acme PHP also generates a fullchain.pem file, next to cert.pem and the private key. I'm only not sure it also generates the intermediate as a separate file. I guess not, because Acme PHP documents the use of fullchain.pem for the SSLCertificateChainFile, which I suppose should be just the intermediate certificate.

Thanks again for your comments and help. I think I have nearly nailed it.

I have now run the install_cert command line which I had overlooked, and it's now copied the certs to my chosen directory, and I have manually edited my apache2 conf to point to the installed certs. I ran a renew test and it was good, and I can see it copies the certs to my certs folder and reloads Apache for me.

The only thing I’m not sure about is if I should be pointing SSLCertificateChainFile in my ssl.conf to the CA or Chain cert?

I have in my conf…
SSLEngine on
SSLCertificateFile …/mydirectory/cert.pem
SSLCertificateKeyFile …/mydirectory/key.pem
SSLCertificateChainFile …/mydirectory/ca.pem

…/fullchain.pem (commented out)

Should I be switching the last two?

DAZ

If you have Apache version 2.4.8 or newer, you shouldn't be using SSLCertificateChainFile at all. If you have an Apache older than 2.4.8, you should use it and point it to letsencrypt.pem according to Deploy ssl certs to apache server · acmesh-official/acme.sh Wiki · GitHub. That page mentions version 2.2, however, so no idea how old it is and if letsencrypt.pem actually exists.

However, if you're using 2.4.8 or newer, you just have to point SSLCertificateFile to the file specified by the --fullchain-file option of acme.sh.

Note: I don't really know acme.sh, this is what I gathered from its Wiki, which is rather poorly documented if you'd ask me.
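Added example, not part of the thread and not acme.sh's or Apache's own code: a POSIX shell helper that encodes the 2.4.8 rule from the replies above (2.4.8 and newer: SSLCertificateFile gets the fullchain file and there is no SSLCertificateChainFile; older: the leaf in SSLCertificateFile plus the intermediate in SSLCertificateChainFile). The version line format is what `apache2 -v` or `apachectl -v` print; the directory and the file names cert.pem, key.pem, ca.pem and fullchain.pem are assumed to be whatever was passed to acme.sh's --install-cert options (--cert-file, --key-file, --ca-file, --fullchain-file).

```shell
#!/bin/sh
# Added example (not from the thread): pick the Apache SSL directive layout
# from the Apache version, following the 2.4.8 rule discussed above.
set -eu

# Extract "2.4.38" from the first line of `apache2 -v` / `apachectl -v`
# (constructed sample input: "Server version: Apache/2.4.38 (Debian)").
parse_apache_version() {
  printf '%s\n' "$1" | sed -n 's#^Server version: Apache/\([0-9.][0-9.]*\).*#\1#p'
}

# True (exit 0) when dotted version $1 >= $2, comparing up to three numeric
# parts; missing parts count as 0, so "2.4" < "2.4.8".
version_ge() {
  v1=$1; v2=$2
  for _ in 1 2 3; do
    c1=${v1%%.*}; c2=${v2%%.*}
    if [ "$c1" = "$v1" ]; then v1=''; else v1=${v1#*.}; fi
    if [ "$c2" = "$v2" ]; then v2=''; else v2=${v2#*.}; fi
    c1=${c1:-0}; c2=${c2:-0}
    if [ "$c1" -gt "$c2" ]; then return 0; fi
    if [ "$c1" -lt "$c2" ]; then return 1; fi
  done
  return 0
}

# "yes" when this Apache still needs SSLCertificateChainFile (older than 2.4.8)
needs_chainfile() {
  if version_ge "$1" 2.4.8; then echo no; else echo yes; fi
}

# Print the SSL directives for the given Apache version ($1) and the directory
# the certs were installed into with --install-cert ($2).
ssl_directives() {
  if [ "$(needs_chainfile "$1")" = no ]; then
    # 2.4.8+: the full chain (leaf + intermediate) goes in SSLCertificateFile
    printf 'SSLEngine on\nSSLCertificateFile %s/fullchain.pem\nSSLCertificateKeyFile %s/key.pem\n' "$2" "$2"
  else
    # older: leaf alone, intermediate via SSLCertificateChainFile
    printf 'SSLEngine on\nSSLCertificateFile %s/cert.pem\nSSLCertificateKeyFile %s/key.pem\nSSLCertificateChainFile %s/ca.pem\n' "$2" "$2" "$2"
  fi
}

# Constructed sample run; on the real box use: apache2 -v | head -n 1
SAMPLE='Server version: Apache/2.4.38 (Debian)'
ver=$(parse_apache_version "$SAMPLE")
echo "# Apache $ver, needs SSLCertificateChainFile: $(needs_chainfile "$ver")"
ssl_directives "$ver" /etc/apache2/ssl
```

Debian 8 shipped Apache 2.4.10, so for the setup in this thread the first branch applies: SSLCertificateFile should point at the --fullchain-file path and the SSLCertificateChainFile line can be dropped. Run `apache2ctl configtest` after editing and before reloading, so a typo does not take the site down.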