Certificate expired solusvm master server


#1

Hi,

We have an issue with Let’s Encrypt under the SolusVM control panel.
Before the renewal everything worked perfectly; after that, the Let’s Encrypt SSL no longer works.

We contacted SolusVM support, but they also do not know how to solve this issue, so that’s why I opened this topic.
The steps we followed are at https://documentation.solusvm.com/display/DOCS/NGINX+for+SolusVM+1.x; we recreated it many times, but this had no result.

I hope someone can help me solve this problem.


#2

Unfortunately this looks like a problem that’s specific to the Let’s Encrypt client and configuration used by SolusVM and not something related to certbot or Let’s Encrypt’s CA server, so you probably won’t find much help here, unless someone happens to have used the same software and figured out a solution.

Based on the documentation you linked to, the only idea I have would be to follow this advice: “If you need to force an update of the certificate with the same domain settings you can run the same command without the -i flag.”, i.e. run /usr/local/svmstack/letsencrypt/letsencrypt.

Maybe that’ll renew the certificate even though the cronjob that should automate this doesn’t seem to be working.


#3

Hi,

I contacted SolusVM about this problem too, and we tried many times to renew it, but without success. Recreating it also did not help.
That is the reason why I came to this forum.

I hope someone can help to solve this problem.


#4

Because we’re not SolusVM support, we don’t know anything about SolusVM. So for us to even have a chance of helping, you will need to provide us with a lot of extra information.

For example, you will need to explain exactly what happens; you say it “will not work anymore”, but that tells us nothing. What exactly happens? What exactly did you do, and what did you expect? You will need to go into a lot of detail, with samples from files, log output and so on - and even then it’s not certain we can help.


#5

Hi,

I will explain what the situation was.
I followed the steps at https://documentation.solusvm.com/display/DOCS/NGINX+for+SolusVM+1.x and successfully installed Let’s Encrypt on my server. After 90 days it did not auto-renew, and I tried to do this manually via:
/usr/local/svmstack/letsencrypt/letsencrypt
without success; the certificate no longer works. So then I tried all the steps again via /usr/local/svmstack/letsencrypt/letsencrypt -i, but this was also without success. I tried many times to apply the steps again, but Let’s Encrypt will not work on the server.

If you need additional information please let me know so i can provide this.

I appreciate your feedback.


#6

Can you make sure you have the latest version of certbot (letsencrypt) installed, then use the verbose flag (-vvv) and provide a copy of the log file, please?


#7

Hi,

Here is the log output:

[root@servercp ~]# /usr/local/svmstack/letsencrypt/letsencrypt -vvv
Account already registered. Continuing.
Starting certificate generation process for domains
Requesting challenge(s) for hide_domainname
Getting pkey
Reading pkey
Getting nonce
Getting nonce HEAD
Connecting to https://acme-v01.api.letsencrypt.org/directory
Verbose information:

* About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
*   Trying 104.74.78.149... * connected
* Connected to acme-v01.api.letsencrypt.org (104.74.78.149) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: C=US,ST=California,L=Mountain View,O=INTERNET SECURITY RESEARCH GROUP,CN=*.api.letsencrypt.org
*       start date: Jun 26 17:05:45 2015 GMT
*       expire date: Jun 25 17:05:45 2018 GMT
*       common name: *.api.letsencrypt.org
*       issuer: CN=TrustID Server CA A52,OU=TrustID Server,O=IdenTrust,C=US
> GET /directory HTTP/1.1
Host: acme-v01.api.letsencrypt.org
Accept: application/json
Content-Type: application/json

< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/json
< Content-Length: 280
< Boulder-Request-Id: HjmtxYjRGjN8me9wtgr9rHRxx0d1vloprS3_PAmD8YE
< Replay-Nonce: BGTBiMWY_yBET6CaGWPW8582BIUr6fBSqNAQoVYWFnA
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Mon, 01 Aug 2016 12:04:29 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Mon, 01 Aug 2016 12:04:29 GMT
< Connection: keep-alive
<
* Connection #0 to host acme-v01.api.letsencrypt.org left intact

Payload 1
Payload 2
Signing
Sending signed request to /acme/new-authz
Connecting to /acme/new-authz
Connecting to https://acme-v01.api.letsencrypt.org/acme/new-authz
Verbose information:

* About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
*   Trying 104.74.78.149... * connected
* Connected to acme-v01.api.letsencrypt.org (104.74.78.149) port 443 (#0)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
*       subject: C=US,ST=California,L=Mountain View,O=INTERNET SECURITY RESEARCH GROUP,CN=*.api.letsencrypt.org
*       start date: Jun 26 17:05:45 2015 GMT
*       expire date: Jun 25 17:05:45 2018 GMT
*       common name: *.api.letsencrypt.org
*       issuer: CN=TrustID Server CA A52,OU=TrustID Server,O=IdenTrust,C=US
> POST /acme/new-authz HTTP/1.1
Host: acme-v01.api.letsencrypt.org
Accept: application/json
Content-Type: application/json
Content-Length: 2630
Expect: 100-continue

< HTTP/1.1 100 Continue
< Expires: Mon, 01 Aug 2016 12:04:30 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< HTTP/1.1 201 Created
< Server: nginx
< Content-Type: application/json
< Content-Length: 999
< Boulder-Request-Id: G718Ctp_OWnf8a0H4lygwZf9GpxLjmWwblPLVLG_jhs
< Boulder-Requester: 358195
< Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
< Location: https://acme-v01.api.letsencrypt.org/acme/authz/hSed7_Upw-fCFNb9PHhDwKATAgiJpO2hyvi74Al2thY
< Replay-Nonce: qpTVigSwmdipb4Sq22XJkUda5LzBe0-uKqD7XygyNyk
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
< Expires: Mon, 01 Aug 2016 12:04:30 GMT
< Cache-Control: max-age=0, no-cache, no-store
< Pragma: no-cache
< Date: Mon, 01 Aug 2016 12:04:30 GMT
< Connection: keep-alive
<
* Connection #0 to host acme-v01.api.letsencrypt.org left intact

Got challenge token for hide_domainname
Token for hide_domainname saved at /usr/local/solusvm/www/.verification/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0 and should be available at http://hide_domainname/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0

I also checked whether /usr/local/solusvm/www/.verification/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0 exists, and the file was there.


#8

Is that the end of the log? (There is no error message there.)

Also, could you provide a domain name, please? (It is provided in the open logs for all certificates issued anyway.)


#9

Hi Andy,

The domain is

Thanks a lot for your feedback.


#10

Have you deleted the file .well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0? I can’t reach it (I get a 404, page not found).


#11

Hi Andy,

No it is still there:

[root@servercp acme-challenge]# ls -la /usr/local/solusvm/www/.verification/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0
-rw-r--r-- 1 solusvm solusvm 87 Aug 1 14:04 /usr/local/solusvm/www/.verification/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0


#12

It looks as if the path is wrong for the challenge.

The challenge is accessible at

domain/.verification/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0

but it should be accessible at

domain/.well-known/acme-challenge/zRdoG5h2heJ4k8VoWu7wK1A0Bp1hej8m4pS9tpnI6z0

I don’t know the solusvm script setup to be able to tell if the additional “.verification” is in a config file for the script, or the script itself.

If you can’t see where that is set, to change it, you may be able to resolve the issue by creating a symlink in /usr/local/solusvm/www/ called “.well-known” pointing to “.verification/.well-known”
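
Added example, not part of the original post and not SolusVM's code: a POSIX shell check for the mismatch described in #12, which compares the directory the client writes tokens to with the directory served at /.well-known/acme-challenge/ and creates the suggested symlink only if nothing is already there. The function names are hypothetical, and it assumes /usr/local/solusvm/www is the web server's document root and that the server follows symlinks.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of SolusVM.

# Print the physical directory a path resolves to (nothing if not a directory).
resolve_dir() {
    if [ -d "$1" ]; then (cd -P -- "$1" && pwd -P); fi
}

# challenge_path_status DOCROOT TOKEN_DIR  ->  ok | missing | mismatch
#   ok:       DOCROOT/.well-known/acme-challenge is where tokens are written
#   missing:  that path does not exist, so validation requests get a 404
#   mismatch: it exists but is a different directory from TOKEN_DIR
challenge_path_status() {
    served=$(resolve_dir "$1/.well-known/acme-challenge")
    written=$(resolve_dir "$2")
    if [ -z "$served" ]; then echo missing
    elif [ "$served" = "$written" ]; then echo ok
    else echo mismatch
    fi
}

# link_well_known DOCROOT: create the relative symlink suggested in #12,
# refusing to replace anything that already exists at DOCROOT/.well-known.
link_well_known() {
    if [ -e "$1/.well-known" ] || [ -L "$1/.well-known" ]; then
        echo "refusing: $1/.well-known already exists" >&2
        return 1
    fi
    ln -s .verification/.well-known "$1/.well-known"
}

# probe_served DOCROOT TOKEN_DIR: write a constructed probe file where tokens
# are written and read it back through the path the CA will request.
probe_served() {
    name="probe-$$"
    printf 'constructed-probe\n' > "$2/$name" || return 1
    got=$(cat "$1/.well-known/acme-challenge/$name" 2>/dev/null) || got=""
    rm -f "$2/$name"
    [ "$got" = "constructed-probe" ]
}

# Usage: sh check.sh /usr/local/solusvm/www   (document root from the thread)
if [ "$#" -ge 1 ]; then
    challenge_path_status "$1" "$1/.verification/.well-known/acme-challenge"
fi
```

The probe only checks the filesystem layout; an HTTP request for the same probe file against the domain, as done in #10, confirms that the web server actually serves it.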


#13

Hi Andy,

I tried your solution and can now download the key, see domain/.well-known/acme-challenge/wHWXrR-MgIMAyv_3tAqierZJ5V3AnLuMajv3NcjbjQA, but it is still not working :(.


#14

What does the full log give (using verbose) when you try now?


#15

Hi Andy,

You are super! It works again.
Thanks a lot for your feedback!

