Help for noob on the cert tools


#1

Please fill out the fields below so we can help you better.

My domain is: www.computerpatch.net

I ran this command:

It produced this output:

My operating system is (include version): openSUSE Tumbleweed

My web server is (include version): apache?

My hosting provider, if applicable, is: godaddy.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

I used the ZeroSSL online tools to create certs for computerpatch.net and all of its subdomains. I got the cert installed on the GoDaddy server and the certs are working. The issue for me is the certs expire in 89 days and I have little clue how to renew them. This morning I ran this script from the ZeroSSL site (after installing the certs last night) under installable packages: "cpan -i Crypt::LE". I then ran:

gary@linux-omo4:~> sudo le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "computerpatch.net,www.computerpatch.net,freeportselfstorage.com,www.freeportselfstorage.com,profennoenterprises.com,www.profennoenterprises.com,brunswickmaineselfstorage.com,www.brunswickmaineselfstorage.com,portlandmaineselfstorage.com,www.portlandmaineselfstorage.com" --path /var/www/html/.well-known/acme-challenge/ --generate-missing --unlink --renew 10 --live
[sudo] password for root:
2016/08/09 11:48:03 [ ZeroSSL Crypt::LE client v0.17 started. ]
2016/08/09 11:48:03 Loading an account key from account.key
2016/08/09 11:48:03 Loading a CSR from mydomain.csr
2016/08/09 11:48:03 Checking certificate for expiration (website connection).
2016/08/09 11:48:03 Checking brunswickmaineselfstorage.com
2016/08/09 11:48:03 Too early for renewal, certificate expires in 89 days.
gary@linux-omo4:~>

The thing is, I have no idea if this is inspecting my cert on the GoDaddy server or some file on my computer. I have little working knowledge of how to use bash commands, and things like "--path /var/www" confuse me: is that the path to a web server or something on my computer? I have spent almost thirty hours reading tutorials and I am only getting more confused.
Any help would be appreciated.


#2

I don't use the ZeroSSL client myself; however, if you installed the cert yesterday, it would have been valid for 90 days, so checking it today (via the script), 89 days would be correct. So it sounds as if you have it all working correctly.


#3

So if I run the code in 20 days it should renew the cert? Do you recommend a client that will run on openSUSE? The way I have it set up seems to be a lot of work to keep up with. I was unable to find a client that would install.


#4

It renews the cert (probably) when there's 30 days or less left... So no, you'd have to wait some longer :wink:


#5

Thanks, I'll give it a try when there are less than 30 days left, but I am not confident it will renew. There must be an easier way.


#6

The ZeroSSL client (le.pl) has two methods of checking whether it's time to renew or not. If the certificate file is available locally (basically if mydomain.crt exists and is readable), then it will be checked. Otherwise it will try to go through your listed domains and connect to them using HTTPS. Once there is a response and the certificate expiration date ("Not After") is determined, it is compared to whatever number of days you have set in the --renew parameter. In this case you have a fresh certificate expiring in 89 days and renewal is set to run if there are 10 or fewer days left until expiration. So renewal does not kick in.

I do believe that it is described in the usage documentation, but if you have additional questions, feel free to use the ZeroSSL contact form - that way any questions can be answered quicker :slight_smile:

P.S. If you're keen to just make sure renewal works as expected, you can try setting --renew to more than 90 days (or the number of days left until expiration). However, keep in mind that Let's Encrypt rate-limits the number of certificates which may be issued in a week to the same set of domain names, so it is not recommended to try this more often than 5 times per week.
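The two checks described in this reply, and the --renew comparison they feed, are easy to reproduce by hand so you can see which certificate is actually being inspected. The script below is an added example, not code from the thread or from Crypt::LE itself: it reads "Not After" from the local certificate file when one is readable, otherwise from the certificate the live site presents over HTTPS, and reports renewal as due only when the days left are at or below the --renew value. It assumes the openssl command-line tool and GNU date are installed; the file and domain names in the usage line are the thread's.

```shell
#!/bin/sh
# Added example (not from the thread or from Crypt::LE): reproduce the
# renewal decision le.pl makes. Assumes `openssl` and GNU `date`.

# notAfter of a PEM certificate on disk, e.g. "Nov  7 15:07:00 2016 GMT".
cert_not_after_file() {       # $1 = path to the .crt file
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# notAfter of the certificate the live site serves on port 443. SNI
# (-servername) matters on shared hosting, where one IP serves many sites.
cert_not_after_host() {       # $1 = domain name
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Whole days from now until a notAfter date string (negative if expired).
days_until() {                # $1 = date string in openssl's format
    end=$(date -u -d "$1" +%s)
    now=$(date -u +%s)
    echo $(( (end - now) / 86400 ))
}

# The decision `--renew N` encodes: renew when days left <= N.
# Returns 0 when renewal is due, 1 when it is too early.
should_renew() {              # $1 = days left, $2 = threshold (the --renew value)
    if [ "$1" -le "$2" ]; then
        echo "Expiration threshold set at $2 days, the certificate expires in $1 days - will be renewing."
        return 0
    fi
    echo "Too early for renewal, certificate expires in $1 days."
    return 1
}

# Same precedence as the client: local --crt file first, live site otherwise.
check_renewal() {             # $1 = path to mydomain.crt, $2 = a domain on the cert, $3 = --renew value
    if [ -r "$1" ]; then
        not_after=$(cert_not_after_file "$1")
    else
        echo "No readable $1, checking $2 over HTTPS"
        not_after=$(cert_not_after_host "$2")
    fi
    should_renew "$(days_until "$not_after")" "$3"
}

# Usage, from the directory where the client was run:
#   check_renewal mydomain.crt computerpatch.net 10
```

If the message says the local file was not readable, the client was looking at the certificate GoDaddy's server presents, not at anything on your PC; if it was readable, the number you see is whatever the file on your PC says, which can differ from what the site is serving.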


#7

Thanks for the reply, but it went way over my head. I doubt I could rewrite the script, and I don't even know if I need to run it or if it somehow knows when to run itself.


#8

OK, I'll try to simplify it a bit :slight_smile: Essentially you run it correctly. You have used a renew option and it was right: the renew option there instructs the client to ONLY ask Let's Encrypt for a new certificate for your domain if it is about to expire soon (10 days or less in your case). If that command was run on the 1st of November, then it would have produced a new mydomain.crt file. All you would need to do is to copy it into the proper place (using the "cp" command) or enter it into the appropriate field of your Control Panel.

By the way, the client itself does not need any special rights, but for the --path option that path should be accessible and writeable by whoever runs it, of course.

If it still sounds a bit too technical, then essentially you can just repeat the process using the same online tools at ZeroSSL as you did initially a day or two before the expiration and re-enter the certificate in the Control Panel.


#9

The online tool took several hours of work; I would hate to do that every 90 days. Anyway, I think I figured out changing the 10 to a 90 and got this output. It seems to have a lot of errors.
gary@linux-omo4:~> sudo le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "computerpatch.net,www.computerpatch.net,freeportselfstorage.com,www.freeportselfstorage.com,profennoenterprises.com,www.profennoenterprises.com,brunswickmaineselfstorage.com,www.brunswickmaineselfstorage.com,portlandmaineselfstorage.com,www.portlandmaineselfstorage.com" --path /var/www/html/.well-known/acme-challenge/ --generate-missing --unlink --renew 90 --live
[sudo] password for root:
2016/08/09 16:07:34 [ ZeroSSL Crypt::LE client v0.17 started. ]
2016/08/09 16:07:34 Loading an account key from account.key
2016/08/09 16:07:34 Loading a CSR from mydomain.csr
2016/08/09 16:07:34 Checking certificate for expiration (website connection).
2016/08/09 16:07:34 Checking brunswickmaineselfstorage.com
2016/08/09 16:07:34 Expiration threshold set at 90 days, the certificate expires in 89 days - will be renewing.
2016/08/09 16:07:35 Make sure to check TOS at https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//3PWh6LyAbVdIuh43tle2Dn2hdnd58GMmw32H8NhNf8k' for domain 'brunswickmaineselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//NBUhCyl-KbdSvUsWwnDA-_TGIMNEDJTvjoExHLQdT10' for domain 'computerpatch.net'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//AQcibZiwSR3ckC9Jn0rcQPqz9V50CQnQ8aXChNKVZqc' for domain 'freeportselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//C19_JUx5d1x30NkkaAGAYbyQDE0C8adwzeu3lpEe9xc' for domain 'portlandmaineselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//Nh-UZaCJRJsK_xzupyXb2ek1DB_pa4HPffUN_7dU6so' for domain 'profennoenterprises.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//YGyqEUStwv76wZowwcYhGX9kj6JlsaCpYiJqcX4eSts' for domain 'www.brunswickmaineselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//dN0N22LdS2X-dBJxAl3NDhaFC5IHzTRyknId79AFOaA' for domain 'www.computerpatch.net'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//7DoS-oxTKhf0pHbGY1Ouj536lAkNAixaoYv0jRWiR0U' for domain 'www.freeportselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//hV5ijA--fkmrYPZjxW7UHDp7n_bfDNU-1e49os6lXUE' for domain 'www.portlandmaineselfstorage.com'
2016/08/09 16:07:37 Successfully saved a challenge file '/var/www/html/.well-known/acme-challenge//RPzHbw8v6Ab18clENJANzOss7XutqMOnPcGt1FdYBWU' for domain 'www.profennoenterprises.com'
2016/08/09 16:07:39 Domain verification results for 'brunswickmaineselfstorage.com': error. Invalid response from http://brunswickmaineselfstorage.com/.well-known/acme-challenge/3PWh6LyAbVdIuh43tle2Dn2hdnd58GMmw32H8NhNf8k: "404 Not Found Not Found <p"
2016/08/09 16:07:39 Challenge file '/var/www/html/.well-known/acme-challenge//3PWh6LyAbVdIuh43tle2Dn2hdnd58GMmw32H8NhNf8k' has been deleted.
2016/08/09 16:07:41 Domain verification results for 'computerpatch.net': error. Invalid response from http://computerpatch.net/.well-known/acme-challenge/NBUhCyl-KbdSvUsWwnDA-_TGIMNEDJTvjoExHLQdT10: "File Not Found"
2016/08/09 16:07:41 Challenge file '/var/www/html/.well-known/acme-challenge//NBUhCyl-KbdSvUsWwnDA-_TGIMNEDJTvjoExHLQdT10' has been deleted.
2016/08/09 16:07:46 Domain verification results for 'freeportselfstorage.com': error. Invalid response from http://freeportselfstorage.com/.well-known/acme-challenge/AQcibZiwSR3ckC9Jn0rcQPqz9V50CQnQ8aXChNKVZqc: "404 Not Found Not Found <p"
2016/08/09 16:07:46 Challenge file '/var/www/html/.well-known/acme-challenge//AQcibZiwSR3ckC9Jn0rcQPqz9V50CQnQ8aXChNKVZqc' has been deleted.
2016/08/09 16:07:48 Domain verification results for 'portlandmaineselfstorage.com': error. Invalid response from http://portlandmaineselfstorage.com/.well-known/acme-challenge/C19_JUx5d1x30NkkaAGAYbyQDE0C8adwzeu3lpEe9xc: "404 Not Found Not Found <p"
2016/08/09 16:07:48 Challenge file '/var/www/html/.well-known/acme-challenge//C19_JUx5d1x30NkkaAGAYbyQDE0C8adwzeu3lpEe9xc' has been deleted.
2016/08/09 16:07:50 Domain verification results for 'profennoenterprises.com': error. Invalid response from http://profennoenterprises.com/.well-known/acme-challenge/Nh-UZaCJRJsK_xzupyXb2ek1DB_pa4HPffUN_7dU6so: "404 Not Found Not Found <p"
2016/08/09 16:07:50 Challenge file '/var/www/html/.well-known/acme-challenge//Nh-UZaCJRJsK_xzupyXb2ek1DB_pa4HPffUN_7dU6so' has been deleted.
2016/08/09 16:07:53 Domain verification results for 'www.brunswickmaineselfstorage.com': error. Invalid response from http://www.brunswickmaineselfstorage.com/.well-known/acme-challenge/YGyqEUStwv76wZowwcYhGX9kj6JlsaCpYiJqcX4eSts: "404 Not Found Not Found <p"
2016/08/09 16:07:53 Challenge file '/var/www/html/.well-known/acme-challenge//YGyqEUStwv76wZowwcYhGX9kj6JlsaCpYiJqcX4eSts' has been deleted.
2016/08/09 16:07:55 Domain verification results for 'www.computerpatch.net': error. Invalid response from http://www.computerpatch.net/.well-known/acme-challenge/dN0N22LdS2X-dBJxAl3NDhaFC5IHzTRyknId79AFOaA: "File Not Found"
2016/08/09 16:07:55 Challenge file '/var/www/html/.well-known/acme-challenge//dN0N22LdS2X-dBJxAl3NDhaFC5IHzTRyknId79AFOaA' has been deleted.
2016/08/09 16:07:57 Domain verification results for 'www.freeportselfstorage.com': error. Invalid response from http://www.freeportselfstorage.com/.well-known/acme-challenge/7DoS-oxTKhf0pHbGY1Ouj536lAkNAixaoYv0jRWiR0U: "404 Not Found Not Found <p"
2016/08/09 16:07:57 Challenge file '/var/www/html/.well-known/acme-challenge//7DoS-oxTKhf0pHbGY1Ouj536lAkNAixaoYv0jRWiR0U' has been deleted.
2016/08/09 16:08:00 Domain verification results for 'www.portlandmaineselfstorage.com': error. Invalid response from http://www.portlandmaineselfstorage.com/.well-known/acme-challenge/hV5ijA--fkmrYPZjxW7UHDp7n_bfDNU-1e49os6lXUE: "404 Not Found Not Found <p"
2016/08/09 16:08:00 Challenge file '/var/www/html/.well-known/acme-challenge//hV5ijA--fkmrYPZjxW7UHDp7n_bfDNU-1e49os6lXUE' has been deleted.
2016/08/09 16:08:02 Domain verification results for 'www.profennoenterprises.com': error. Invalid response from http://www.profennoenterprises.com/.well-known/acme-challenge/RPzHbw8v6Ab18clENJANzOss7XutqMOnPcGt1FdYBWU: "404 Not Found Not Found

Sorry if I posted wrong, I don't see code brackets.

#10

Online process is actually quite fast, but I understand that with having many domains and being new to server environment it might indeed take some time.

Are you absolutely sure the path is correct and the files placed into it can be served properly? Say if you create a file /var/www/html/.well-known/acme-challenge/testfile (use sudo as well, so the rights would be identical to how it was with an actual process) and then try accessing it as http://www.computerpatch.net/.well-known/acme-challenge/testfile - would that work?

It looks like the verification files were successfully saved into a given directory, but when LE servers checked, the server was returning 404 (Not found). Normally that does not happen, but some server configurations may interfere with HTTP verification (regardless of the client used). For example symlink protection may do that. If you use the contact form on ZeroSSL and provide relevant parts of access.log and error.log related to the given time frame, I could look into that.


#11

OK, so I made a folder in the root directory named .well-known. I then made two folders in it: one is acme-challenge, which I copied the challenges from the online tool into; the other is acme-challengeprintf and it is empty. I also copied and pasted it into each of the subdomains to get the online tool to see the files. I keep seeing the /var/www/html/ thing you are talking about, but I don't know what it is. My root directory is /public/html, so should I create a new folder called /var/www/html/.well-known/acme-challenge/testfile? I am not sure how to create this file, or what it is, or where to put it.
Sorry, I did say I was new to the server side of this stuff. I have read so many tutorials and I can't seem to grasp all the terms people talk about. So thanks for your patience.


#12

OK, if “/public/html” is your directory for website pages, then .well-known/acme-challenge should have been created inside that one (rather than “/var/www/html/” you have used in your command). Let’s try it step by step.

a) Create a proper folder structure inside the directory with your pages

mkdir -p /public/html/.well-known/acme-challenge/

b) Check if you are in the directory where the files like account.key, mydomain.csr were stored (you haven’t stated what that is). You can list the files with

ls -al

or you could try finding files with the command like

find ~ -name account.key

to search from your home folder down. If you don’t find them, it is still OK - you will still be able to run the client, but your account key will be different then.

c) Run the client giving the correct path

le.pl --key account.key --csr mydomain.csr --csr-key mydomain.key --crt mydomain.crt --domains "computerpatch.net,www.computerpatch.net,freeportselfstorage.com,www.freeportselfstorage.com,profennoenterprises.com,www.profennoenterprises.com,brunswickmaineselfstorage.com,www.brunswickmaineselfstorage.com,portlandmaineselfstorage.com,www.portlandmaineselfstorage.com" --path /public/html/.well-known/acme-challenge --generate-missing --unlink --renew 10 --live

You may use sudo again (though as I mentioned, the client does not require specific rights). Of course you can use a value other than 10 for the --renew parameter, for example 90, like you did last time.

P.S. Please note that the command above will work if for all those domains the directory with the web pages is the same. If for example computerpatch.net takes its pages from /public/html/computerpatch/ and portlandmaineselfstorage.com takes them from /public/html/portlandmaineselfstorage, that would have to be used differently.
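The test suggested earlier in the thread (drop a file into .well-known/acme-challenge and fetch it over plain HTTP) and the step-by-step above are one procedure, and it is worth scripting so it can be repeated for every domain before any real challenge is attempted. The script below is an added example, not code from the thread or from Crypt::LE: it creates the directory under the real document root, writes a test file with a random token, fetches it at the exact URL Let's Encrypt would request, and compares the body. It has to run on the web server itself (over ssh, for instance), since the file must land in the directory the server serves from. It assumes a document root such as /public/html, that all listed domains share that root, and that curl is installed.

```shell
#!/bin/sh
# Added example (not from the thread or from Crypt::LE): confirm that the
# directory given to `le.pl --path` is really served under
# http://<domain>/.well-known/acme-challenge/ before asking Let's Encrypt
# to validate. Run ON THE SERVER. Assumes curl is installed.

# Create the challenge directory the client needs (like `mkdir -p` in
# step a above) and write a test file holding a random token into it.
# Prints the path of the test file.
prepare_challenge_dir() {      # $1 = document root, e.g. /public/html
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s\n' "$token" > "$dir/testfile"
    echo "$dir/testfile"
}

# The URL Let's Encrypt requests for a given challenge file name.
challenge_url() {              # $1 = domain, $2 = file name
    echo "http://$1/.well-known/acme-challenge/$2"
}

# Fetch the file over plain HTTP (validation uses port 80, not HTTPS) and
# compare it byte for byte with the local copy. Returns 0 only on a 200
# with matching content, which is what the 404s in the log above lacked.
verify_challenge_served() {    # $1 = domain, $2 = local test file
    url=$(challenge_url "$1" "$(basename "$2")")
    tmp=$(mktemp)
    status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$url")
    if [ "$status" = "200" ] && cmp -s "$tmp" "$2"; then
        echo "OK: $url is served with the expected content"
        rm -f "$tmp"
        return 0
    fi
    echo "FAIL: $url returned HTTP ${status:-000} (need 200 with the file's content)"
    rm -f "$tmp"
    return 1
}

# Check every domain that shares one document root, as the thread's
# --domains list does; returns 1 if any of them fails. The test file is
# removed afterwards, much as --unlink removes real challenge files.
check_all() {                  # $1 = document root, then the domains
    docroot=$1; shift
    file=$(prepare_challenge_dir "$docroot")
    rc=0
    for d in "$@"; do
        verify_challenge_served "$d" "$file" || rc=1
    done
    rm -f "$file"
    return $rc
}

# Usage on the server (domains from the thread):
#   check_all /public/html computerpatch.net www.computerpatch.net \
#       freeportselfstorage.com www.freeportselfstorage.com
```

Any domain that fails here would fail the real HTTP-01 challenge the same way, and the failure is then a web-server problem (wrong document root for that site, dotfile directories blocked, a rewrite rule or symlink restriction) rather than anything the ACME client did.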


#13

OK, so my files (account.key, mydomain.csr, mydomain.key, mydomain.crt) are in a folder on my PC in my home directory. /public/html/ is on a server out on the internet. I'm assuming when you refer to "--path /public/html/" the path would be the IP address of the website, which requires a user login. Computerpatch.net is in the root directory of /public/html/, not in any folder, and all of the other domains are in folders within that root. My confusion comes from running a bash command on my PC that will somehow affect a folder on a server on the internet. I do understand all but the --path part of the above command you sent me, but I don't have a certbot client on my PC as I could not find one that would fully install on openSUSE. So if the code just works from a bash command line I think I could follow the code, if it will get through GoDaddy's login.

I have good news for me: I have another site hosted at a service only a few miles from my home; they do not have the Let's Encrypt tool in their cPanel. I left a support call with them yesterday and got a call back from them today. They did not know about the Let's Encrypt tool, so I explained it to them; they called me back in 30 minutes to say they had purchased a license from Let's Encrypt and should have it up and running in a day or so. I will dump GoDaddy and move all my domains to Maine Hosting. I think problem solved.


#14

Regarding that confusion with local PC and the server. Basically for the client to be able to create challenge files automatically, it would have to be run on the server, not on local PC. If those files were to be created manually or DNS verification was used, then indeed the client could be run on any PC (not necessarily the server itself).

If the client is run on the server, then account.key and other related files would need to be copied to the server to be used in your case. It is though, as I mentioned before, optional - if any of those files are not there, the new ones will be created. The --path would be the server-side path (so /public/html/.well-known/acme-challenge).

If you have found a new hoster which offers a Control Panel with Let’s Encrypt integration, it could be a good idea to move there I believe. Working with most clients presumes some basic knowledge of the command line, so for you it might be safer and quicker to use the Control Panel indeed.


#15

Thanks for all your help. What I was missing is where to run the commands. GoDaddy does not offer a command line in their cPanel, so if I understand, I would open bash on my PC and ssh to my domain to run the command. If that is the part I was misunderstanding I should be fine now. But I think I will move all my domains to the other host to make it simple. Once again, thanks for all the help.

