Delete all certificates and private keys by mistake

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: enlacesystem.com.py

I ran this command:
/root/.acme.sh/acme.sh --issue -d enlacesystem.com.py -d www.enlacesystem.com.py --cert-file /etc/letsencrypt/live/enlacesystem.com.py/cert.pem --key-file /etc/letsencrypt/live/enlacesystem.com.py/privkey.pem --fullchain-file /etc/letsencrypt/live/enlacesystem.com.py/fullchain.pem -w /home/enlacesystem.com.py/public_html --force

It produced this output:
[07.28.2021_11-18-13] Failed to obtain SSL for: enlacesystem.com.py and: www.enlacesystem.com.py
[07.28.2021_11-18-13] Trying to obtain SSL for: enlacesystem.com.py
[07.28.2021_11-18-15] Failed to obtain SSL, issuing self-signed SSL for: enlacesystem.com.py
[07.28.2021_11-18-15] {'enlacesystemsrl@gmail.com': (554, b'5.7.1 enlacesystemsrl@gmail.com: Relay access denied')}
[07.28.2021_11-18-15] Self signed SSL issued for enlacesystem.com.py.
[07.28.2021_07-22-22] invalid literal for int() with base 10: 'no'. [SSHServer.findSSHPort]
[07.28.2021_16-00-04] [Errno 111] Connection refused

My web server is (include version): Cyberpanel 2.2

The operating system my web server runs on is (include version): Centos 8

My hosting provider, if applicable, is: Local Server

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Cyberpanel 2.2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
[root@webhosting ~]# certbot-auto --version
bash: certbot-auto: command not found ...

I use the help translator, I hope you understand me. I had problems creating subdomains and I think that I exceeded the limit of requests, and then I made the mistake of deleting all the certificates from the folder "rm -rf /etc/letsencrypt/live/." to try to generate again, and since then I can not solve it again, I have waited 15 days and it still does not generate a new certificate. Could you give me more light please.

I would start by recreating the file path:
mkdir /etc/letsencrypt/live/enlacesystem.com.py
Then rerun the acme.sh command.
Please don't script the use of "--force".

I did it and it was solved with an autogenerated certificate. Now I tried it as you indicated, without the --force, and I get the following message:

[root@webhosting ~]# /root/.acme.sh/acme.sh --issue -d enlacesystem.com.py -d www.enlacesystem.com.py --cert-file /etc/letsencrypt/live/enlacesystem.com.py/cert.pem --key-file /etc/letsencrypt/live/enlacesystem.com.py/privkey.pem --fullchain-file /etc/letsencrypt/live/enlacesystem.com.py/fullchain.pem -w /home/enlacesystem.com.py/public_html
[mié jul 28 13:58:08 -04 2021] Using CA: https://acme.zerossl.com/v2/DV90
[mié jul 28 13:58:09 -04 2021] No EAB credentials found for ZeroSSL, let's get one
[mié jul 28 13:58:09 -04 2021] acme.sh is using ZeroSSL as default CA now.
[mié jul 28 13:58:09 -04 2021] Please update your account with an email address first.
[mié jul 28 13:58:09 -04 2021] acme.sh --register-account -m my@example.com
[mié jul 28 13:58:09 -04 2021] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[mié jul 28 13:58:09 -04 2021] Please add '--debug' or '--log' to check more details.
[mié jul 28 13:58:09 -04 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

I also tried what the error says:

[root@webhosting ~]# acme.sh --register-account -m admin@enlacesystem.com.py
[mié jul 28 14:05:03 -04 2021] No EAB credentials found for ZeroSSL, let's get one
[mié jul 28 14:05:04 -04 2021] Registering account: https://acme.zerossl.com/v2/DV90
[mié jul 28 14:05:06 -04 2021] Registered
[mié jul 28 14:05:06 -04 2021] ACCOUNT_THUMBPRINT='N30Swg9NI7F1pd2ZzNlrB4HYLLH6aJx4XDGNH21Hdes'
[root@webhosting ~]#

Acme.sh has been sold to ZeroSSL and uses their ACME server by default since June this year if you're running the latest "master" version currently. If you want to keep using Let's Encrypt, you'll need to tell acme.sh to do so. Please refer to the acme.sh documentation on how to do that (I have no idea..)

1 Like

Uff, good information, I did not know about the change of ACME and ZeroSSL, but for the moment I executed with the command --debug as it said in the error, and it worked!

The command you run:
/root/.acme.sh/acme.sh --issue -d enlacesystem.com.py -d www.enlacesystem.com.py --cert-file /etc/letsencrypt/live/enlacesystem.com.py/cert.pem --key-file /etc/letsencrypt/live/enlacesystem.com.py/privkey.pem --fullchain-file /etc/letsencrypt/live/enlacesystem.com.py/fullchain.pem -w /home/enlacesystem.com.py/public_html --debug

the result:
[mié jul 28 14:39:37 -04 2021] Success
[mié jul 28 14:39:56 -04 2021] Cert success.
[mié jul 28 14:39:56 -04 2021] Your cert is in /root/.acme.sh/enlacesystem.com.py/enlacesystem.com.py.cer
[mié jul 28 14:39:56 -04 2021] Your cert key is in /root/.acme.sh/enlacesystem.com.py/enlacesystem.com.py.key
[mié jul 28 14:39:56 -04 2021] The intermediate CA cert is in /root/.acme.sh/enlacesystem.com.py/ca.cer
[mié jul 28 14:39:56 -04 2021] And the full chain certs is there: /root/.acme.sh/enlacesystem.com.py/fullchain.cer
[mié jul 28 14:39:57 -04 2021] Installing cert to:/etc/letsencrypt/live/enlacesystem.com.py/cert.pem
[mié jul 28 14:39:57 -04 2021] Installing key to:/etc/letsencrypt/live/enlacesystem.com.py/privkey.pem
[mié jul 28 14:39:57 -04 2021] Installing full chain to:/etc/letsencrypt/live/enlacesystem.com.py/fullchain.pem
[mié jul 28 14:39:57 -04 2021] _on_issue_success

Thank you once for your help, you have guided me to solve it ...

See: crt.sh | enlacesystem.com.py
The latest cert is NOT from LE - it is from ZeroSSL.

1 Like

I notice something interesting in acme.sh

Reference:
https://github.com/acmesh-official/acme.sh/blob/master/acme.sh

To Change default CA;

Line 35 - DEFAULT_CA=$CA_ZEROSSL
Line 36 - DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST

Should be:

DEFAULT_CA=$CA_LETSENCRYPT_V2
DEFAULT_STAGING_CA=$CA_LETSENCRYPT_V2_TEST

Got me wondering....
Go figure?

2 Likes

Stage against LE but certify against 0SSL?
Half ax coding...

2 Likes

IM TELLIN!!!
:rage: :face_with_symbols_over_mouth:

2 Likes

That's probably because you registered a ZeroSSL account with your previous command. As @rg305 already pointed out, you're using a ZeroSSL certificate now.

Acme.sh should also have a command line option to set the ACME provider.

2 Likes

If you want to continue using acme.sh + Let's Encrypt, this command will suffice:

acme.sh --set-default-ca --server letsencrypt

Note that this will not change CAs for existing certificates, so any existing ZeroSSL (or Let's Encrypt) certificate will continue to be renewed with that CA. [There was a bug on master that this wouldn't hold for very very old acme.sh configs, but I believe this is fixed now]

ZeroSSL does not document any (public) staging environment at this time.

1 Like
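
The last reply's point, that each existing certificate stays pinned to the CA it was issued from, can be audited per domain. This is an added example, not code from the thread or from acme.sh; it assumes acme.sh records the ACME directory URL as `Le_API='...'` in each `<home>/<domain>/<domain>.conf`, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the CA each acme.sh-managed certificate is pinned to.
# Assumption: per-domain settings live in <home>/<dir>/<domain>.conf and
# contain a line of the form  Le_API='<ACME directory URL>'.

# conf_value FILE KEY: print the value of KEY='value' with quotes stripped.
conf_value() {
    [ -f "$1" ] || return 0
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# ca_name URL: map an ACME directory URL to a short label.
ca_name() {
    case "$1" in
        *api.letsencrypt.org*) echo letsencrypt ;;
        *acme.zerossl.com*)    echo zerossl ;;
        "")                    echo unset ;;
        *)                     echo other ;;
    esac
}

# audit_acme_home HOME WANTED: one line per certificate directory,
# "<dir> <ca> <match|MISMATCH>", comparing the pinned CA with WANTED.
audit_acme_home() {
    home=$1
    wanted=$2
    for conf in "$home"/*/*.conf; do
        [ -f "$conf" ] || continue
        # <domain>.csr.conf is the CSR template, not the domain settings.
        case "$conf" in *.csr.conf) continue ;; esac
        dir=$(basename "$(dirname "$conf")")
        ca=$(ca_name "$(conf_value "$conf" Le_API)")
        if [ "$ca" = "$wanted" ]; then status=match; else status=MISMATCH; fi
        echo "$dir $ca $status"
    done
}

# Default run: audit the current user's acme.sh home against Let's Encrypt.
audit_acme_home "${1:-$HOME/.acme.sh}" "${2:-letsencrypt}"
```

A directory reported as MISMATCH will keep renewing from the CA shown until that certificate is issued again against the intended one.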
