I ran this command:
/usr/bin/php /root/acmephp.phar request fipgauges.com --force
It produced this output:
Loading account key pair…
Forced renewal.
Loading domain key pair…
Loading domain distinguished name…
Loading the order related to the domains fipgauges.com …
Renewing certificate for domain fipgauges.com …
Client error: GET https://acme-v02.api.letsencrypt.org/acme/order/76341933/2848199017 resulted in a 404 Not Found response:
{
"type": "urn:ietf:params:acme:error:malformed",
"detail": "No order for ID 2848199017",
"status": 404
}
The operating system my web server runs on is (include version):
Debian v8
My hosting provider, if applicable, is: Virgin Media
Netgear ReadyNAS 314 drive - home hosted
I had the same issue 90 days ago and in the end I had to set up acmephp from scratch and go through all the validation tasks etc., like adding those files to my web server, and again I still can't update and have no idea why.
Please help this is very frustrating and last time trying to fix it I broke my webserver and my site was down for a week.
I’m not sure, no idea how to check. I only installed it in January. I could do a manual cert renewal for a month or two, but stopped around March sometime.
How can I check the version? It should be fairly new due to only having installed it not too long ago.
Sorry, I'm pretty IT literate, but when it comes to webservers I'm not great at all. My Unix/Lynx skills are very limited.
I installed acme.sh and ran the renewal and got these errors (I also ran the old status script to show I do have working and active certs)...
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d fipgauges.com -d www.fipgauges.com
[Sat Jun 13 13:33:02 WEST 2020] Renew: 'fipgauges.com'
[Sat Jun 13 13:33:02 WEST 2020] 'fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d fipgauges.com
[Sat Jun 13 13:33:54 WEST 2020] Renew: 'fipgauges.com'
[Sat Jun 13 13:33:54 WEST 2020] 'fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /root/.acme.sh/acme.sh --renew -d www.fipgauges.com
[Sat Jun 13 13:34:02 WEST 2020] Renew: 'www.fipgauges.com'
[Sat Jun 13 13:34:02 WEST 2020] 'www.fipgauges.com' is not a issued domain, skip.
root@ReadyNAS2:~# /usr/bin/php /root/acmephp.phar status
+-------------------+----------------------------+---------------------+---------------------+----------------+
| Domain | Issuer | Valid from | Valid to | Needs renewal? |
+-------------------+----------------------------+---------------------+---------------------+----------------+
| fipgauges.com | Let's Encrypt Authority X3 | 2020-04-04 10:07:01 | 2020-07-03 10:07:01 | No |
| www.fipgauges.com | Let's Encrypt Authority X3 | 2020-04-04 10:08:32 | 2020-07-03 10:08:32 | No |
+-------------------+----------------------------+---------------------+---------------------+----------------+
root@ReadyNAS2:~#
Well, that’s to be expected. Different ACME clients normally (I don’t know any to be exact) don’t “share” their configurations and certificate storage. You’ll need to start from scratch with acme.sh, hopefully just once.
I couldn't find any instructions on how to set up acme.sh from scratch. I didn't think using the same save storage location would be an issue. I could easily have the certs in the www web root.
That would be unwise. Certs always need the accompanying private key, which you don't want to share with the whole world. Leaking your private key is reason for certificate revocation.
I don't have any reason to believe that statement. Why do you think so?
Acme.sh hasn't even contacted Let's Encrypt yet. You're trying to do stuff with acme.sh which it isn't ready for yet.
acmephp used to try challenge response, fail and give me instruction on manually adding challenge response to my website, which worked. But acme.sh says my challenge response doesn’t exist and doesn’t give info to add.
I THINK I should be adding a TXT record on my domain and perhaps this is why it's not renewing? I can add a TXT record at my domain provider, I just don't know what I need to add. Is it to do with the thumbprint acme.sh displayed while trying to issue certs?
Sorry, I did say I don't really know what I'm doing.
Think I just worked out that by removing -dns and using --apache it seemed to generate certs... just checking if I can use them in my apache.conf files (new directory to certs...)
I don’t like trial and error, a little knowledge is dangerous
Thanks for your help, I'm now using the NEW acme.sh certs. Changing my webserver to the new certs wasn't too bad. I was confused that acme.sh gave me 4 files, but I only have two entries in my SSL conf file (cert and key); didn't know if I needed to add entries for the other two files?
intermediate CA Cert and Full chain cert ?
I'll do some more research on GoDaddy integration, DNS, TXT records etc. (ain't got a clue lol). I don't mind manually renewing my certs (couldn't even do that with acme.php) so hope I'm already in a better place.
Thank you again for your assistance, been amazing.
You're supposed to use the full chain (which is just the certificate + intermediate cert combined) as the certificate file since Apache version 2.4.8. Only with older versions of Apache you'll need to configure the intermediate CA cert separately.
Using only the single end leaf certificate without the intermediate in one way or another could fail with some webclients.
That is unfortunate indeed. And it should be your wake up call to try to learn something new. Whenever I come across something I don’t understand, I try to read about it and learn about it until I understand it.
Just reading some stuff now that said full chain not used in apache 2.4.
I had pointed my ssl conf to the certs in acme.sh but just read not to do that.
Big learning curve…
Found I have to use install cert command to save certs to a different folder. I assume then when it renews certs it will put it in the new folder not the acme.sh one.
I don’t mind reading, playing and self learning but there’s the risk like last time of killing the server so I’m being very cautious this time
I spent days learning to set up acme.php and probably didn't do that properly or it wouldn't be broken. Acme.sh does seem a lot simpler but the creation of two extra files I've not seen before kicks off a new learning curve I wasn't prepared for.
I'll do some more reading and playing and pray nothing breaks; while it's sort of working I'm reluctant to touch it though.
Play around on a testing server. VirtualBox is a free VM where you could load any Linux distribution and play around.
To be fair, I think the interface of acme.sh isn't the most easy one. Although I don't use it myself currently.
I'm not sure why those files are such a surprise. If I look at the Acme PHP documentation about configuring the webserver, I see Acme PHP also generates a fullchain.pem file, next to cert.pem and the private key. I'm only not sure it also generates the intermediate as a separate file. I guess not, because Acme PHP documents the use of fullchain.pem for the SSLCertificateChainFile, which I suppose should be just the intermediate certificate.
Thanks again for your comments and help. I think I have nearly nailed it.
I have now run the install_cert command line which I had overlooked and it’s now copied the certs to my chosen directory and I have manually edited my apache2 conf to point to the installed certs. I ran a renew test and was good and I can see it copies the certs to my certs folder and reloads apache for me.
The only thing I’m not sure about is if I should be pointing SSLCertificateChainFile in my ssl.conf to the CA or Chain cert?
I have in my conf…
SSLEngine on
SSLCertificateFile …/mydirectory/cert.pem
SSLCertificateKeyFile … /mydirectory/key.pem
SSLCertificateChainFile … /mydirectory/ca.pem
If you have an Apache version 2.4.8 or newer, you shouldn't be using SSLCertificateChainFile at all. If you have an Apache older than 2.4.8, you should use it and point it to letsencrypt.pem according to "Deploy ssl certs to apache server · acmesh-official/acme.sh Wiki · GitHub". That page mentions version 2.2 however, so no idea how old it is and if letsencrypt.pem actually exists.
However, if you're using 2.4.8 or newer, you just have to point SSLCertificateFile to the file specified by the --fullchain-file option of acme.sh.
Note: I don't really know acme.sh, this is what I gathered from its Wiki, which is rather poorly documented if you'd ask me.
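A small shell check, added here as an example and not part of the thread, of acme.sh or of Acme PHP, that covers two points made above: the private key must stay out of the web root and readable only by its owner, and on Apache 2.4.8 or newer SSLCertificateFile should point at the fullchain file with no SSLCertificateChainFile, while older releases take the leaf plus a separate chain file. The directory, version strings and file contents are constructed for the example; `stat -c '%a'` assumes GNU/busybox coreutils as found on Debian.

```shell
#!/bin/sh
# Added example (not from the thread, acme.sh or Acme PHP): sanity checks
# to run on an acme.sh-style certificate directory before reloading Apache.

# Count the certificate blocks in a PEM file. cert.pem holds exactly one
# (the leaf); fullchain.pem holds the leaf plus at least one intermediate.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Pull "2.4.10" out of the banner printed by `apache2 -v`
# ("Server version: Apache/2.4.10 (Debian)").
apache_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's#.*Apache/\([0-9][0-9.]*\).*#\1#p'
}

# Return 0 (true) when this Apache version is older than 2.4.8 and so still
# needs SSLCertificateChainFile; return 1 for 2.4.8 and newer.
apache_needs_chainfile() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.} ;;
        *)   patch=0 ;;
    esac
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-deb"
    [ "$major" -lt 2 ] && return 0
    [ "$major" -gt 2 ] && return 1
    [ "$minor" -lt 4 ] && return 0
    [ "$minor" -gt 4 ] && return 1
    [ "${patch:-0}" -lt 8 ]
}

# Return 0 when the private key lives outside the web root and has no
# group/other permission bits (mode 600, 400 or stricter), else 1.
key_is_private() {
    key=$1
    webroot=$2
    case "$key" in
        "$webroot"/*) echo "key $key is inside the web root $webroot" >&2; return 1 ;;
    esac
    mode=$(stat -c '%a' "$key" 2>/dev/null)
    case "$mode" in
        *00) return 0 ;;
        *)   echo "key $key has mode ${mode:-?}, expected 600 or stricter" >&2; return 1 ;;
    esac
}

# Print the Apache SSL directives that match the version: fullchain only on
# 2.4.8+, leaf plus SSLCertificateChainFile on older releases.
render_ssl_conf() {
    dir=$1
    ver=$2
    echo "SSLEngine on"
    if apache_needs_chainfile "$ver"; then
        echo "SSLCertificateFile $dir/cert.pem"
        echo "SSLCertificateKeyFile $dir/key.pem"
        echo "SSLCertificateChainFile $dir/ca.pem"
    else
        echo "SSLCertificateFile $dir/fullchain.pem"
        echo "SSLCertificateKeyFile $dir/key.pem"
    fi
}

# Usage: sh check_certs.sh /etc/apache2/certs "$(apache2 -v)" /var/www/html
if [ "$#" -eq 3 ]; then
    ver=$(apache_version_from_banner "$2")
    echo "fullchain.pem has $(count_pem_certs "$1/fullchain.pem") certificate(s)"
    key_is_private "$1/key.pem" "$3" && echo "key.pem location and mode OK"
    render_ssl_conf "$1" "$ver"
fi
```

The fullchain count is a cheap guard against the "single leaf without intermediate" failure mentioned above: if it reports 1, the file is the bare leaf and some clients will reject the chain. The rendered directives are meant to be compared against the existing ssl.conf, not written over it blindly.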