My certificate expired and I can not get acme.sh to renew it

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wa.newtonpro.com

I ran this command: acme.sh --renew-all
It produced this output:
[Thu Aug 12 12:31:52 CDT 2021] Renew: 'wa.newtonpro.com'
[Thu Aug 12 12:31:52 CDT 2021] Sleep 10 and retry.

My web server is (include version): Apache/2.4.10 (Linux/SUSE)

The operating system my web server runs on is (include version): SUSE Linux Enterprise Server 12 (x86_64)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh v3.0.1

1 Like

Welcome to the Let's Encrypt Community, Brent :slightly_smiling_face:

Please post the entire output of the command.

There appears to be an extensive history of successful autorenewals:

https://crt.sh/?q=wa.newtonpro.com

What changed between May and July?

2 Likes

Here is another attempt:
marcie:~/.acme.sh # ./acme.sh --renew-all
[Thu Aug 12 15:48:28 CDT 2021] Renew: 'wa.newtonpro.com'
[Thu Aug 12 15:48:29 CDT 2021] Sleep 10 and retry.
[Thu Aug 12 15:48:40 CDT 2021] Sleep 10 and retry.
[Thu Aug 12 15:48:52 CDT 2021] Sleep 10 and retry.
6^C
marcie:~/.acme.sh #

1 Like

The only thing that changed is the auto renewing stopped working. I think it has to do with acme-v1 api not being supported now.

1 Like

I hope this has some clues:
marcie:~/.acme.sh # less acme.sh.log
[Thu Aug 12 15:28:51 CDT 2021] Running cmd: renewAll
[Thu Aug 12 15:28:51 CDT 2021] Using config home:/root/.acme.sh
[Thu Aug 12 15:28:52 CDT 2021] default_acme_server
[Thu Aug 12 15:28:52 CDT 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Aug 12 15:28:52 CDT 2021] _stopRenewOnError
[Thu Aug 12 15:28:52 CDT 2021] _set_level='2'
[Thu Aug 12 15:28:52 CDT 2021] di='/root/.acme.sh/wa.newtonpro.com/'
[Thu Aug 12 15:28:52 CDT 2021] d='wa.newtonpro.com'
[Thu Aug 12 15:28:52 CDT 2021] Using config home:/root/.acme.sh
[Thu Aug 12 15:28:52 CDT 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Thu Aug 12 15:28:52 CDT 2021] DOMAIN_PATH='/root/.acme.sh/wa.newtonpro.com'
[Thu Aug 12 15:28:52 CDT 2021] Renew: 'wa.newtonpro.com'
[Thu Aug 12 15:28:52 CDT 2021] Le_API='https://acme-v01.api.letsencrypt.org/directory'
[Thu Aug 12 15:28:52 CDT 2021] Using config home:/root/.acme.sh
[Thu Aug 12 15:28:52 CDT 2021] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Thu Aug 12 15:28:52 CDT 2021] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Thu Aug 12 15:28:52 CDT 2021] Retrying GET
[Thu Aug 12 15:28:52 CDT 2021] GET
[Thu Aug 12 15:28:52 CDT 2021] url='https://acme-v01.api.letsencrypt.org/directory'
[Thu Aug 12 15:28:52 CDT 2021] timeout=
[Thu Aug 12 15:28:52 CDT 2021] displayError='1'
[Thu Aug 12 15:28:52 CDT 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Thu Aug 12 15:28:52 CDT 2021] ret='0'
[Thu Aug 12 15:28:52 CDT 2021] _hcode='0'
[Thu Aug 12 15:28:52 CDT 2021] ACME_KEY_CHANGE
[Thu Aug 12 15:28:52 CDT 2021] ACME_NEW_AUTHZ
[Thu Aug 12 15:28:52 CDT 2021] ACME_NEW_ORDER
[Thu Aug 12 15:28:52 CDT 2021] ACME_NEW_ACCOUNT
[Thu Aug 12 15:28:52 CDT 2021] ACME_REVOKE_CERT
[Thu Aug 12 15:28:52 CDT 2021] ACME_AGREEMENT
[Thu Aug 12 15:28:52 CDT 2021] ACME_NEW_NONCE
[Thu Aug 12 15:28:52 CDT 2021] Sleep 10 and retry.

1 Like

I am inclined to concur:


Keep in mind that acme.sh is now owned and operated by for-profit CA ZeroSSL and now acquires ZeroSSL certificates by default:

That shouldn't affect renewals of Let's Encrypt certificates though.

2 Likes

Griffin,
Thanks for your help!

And what if it has? What can I do now?

2 Likes

If your acme.sh version is recent enough, you could try changing the ACME directory in your renewal configuration file from https://acme-v01.api.letsencrypt.org/directory to https://acme-v02.api.letsencrypt.org/directory.

2 Likes

Griffin,
I do not know which configuration file you mean.

1 Like

Start here:

1 Like

I am there.

1 Like

I believe @Nummer378 to be more experienced with acme.sh than I, so I'll yield.

3 Likes

Griffin is on the right way, just chiming in:

It might be enough to change the API endpoint, though I'm not sure how acme.sh will handle the acme account. If the following doesn't work, the best option might be to remove the config file and start fresh - Neilpang has recommended this in the past.

To change the ACME endpoint:

Open /root/.acme.sh/wa.newtonpro.com/wa.newtonpro.com.conf with a text editor and edit the line where it says:

Le_API='https://acme-v01.api.letsencrypt.org/directory'

to

Le_API='https://acme-v02.api.letsencrypt.org/directory'

(Then try acme.sh --renew-all again)

4 Likes

I'm hoping the acme.sh version is v2 compatible. I've seen accounts carry-over from v1 to v2 with certbot, so hopefully all will be well here... :crossed_fingers:

3 Likes

It prints ZeroSSL as default server, which means this is acme.sh 3.0.0+ which is definitely fully v2 compatible. But these old acme.sh configs have had some trouble in the past, lots of old cruft in there.

3 Likes

Here is the output now:

marcie:~/.acme.sh # ./acme.sh --renew-all
[Thu Aug 12 17:43:23 CDT 2021] Renew: 'wa.newtonpro.com'
[Thu Aug 12 17:43:41 CDT 2021] Please refer to libcurl - Error Codes for error code: 6
[Thu Aug 12 17:43:43 CDT 2021] Can not init api for: https://acme-v02api.letsencrypt.org/directory.
[Thu Aug 12 17:43:43 CDT 2021] Sleep 10 and retry.
[Thu Aug 12 17:44:11 CDT 2021] Please refer to libcurl - Error Codes for error code: 6
[Thu Aug 12 17:44:13 CDT 2021] Can not init api for: https://acme-v02api.letsencrypt.org/directory.
[Thu Aug 12 17:44:13 CDT 2021] Sleep 10 and retry.
9^C
marcie:~/.acme.sh #

1 Like

I think you're missing a '.' between v02 and api

3 Likes
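The Le_API edit and the mistyped hostname discussed above, as an added example that is not code from any poster or from the acme.sh project: a small audit that classifies each domain conf by its Le_API value and rewrites only exact ACMEv1 entries, so the v02 URL is never typed by hand. The function names are hypothetical and the three sample confs are constructed; it does not touch account settings.

```shell
#!/bin/sh
# Added example: audit acme.sh per-domain configs for the retired ACMEv1 endpoint.
V1='https://acme-v01.api.letsencrypt.org/directory'
V2='https://acme-v02.api.letsencrypt.org/directory'

# Print the value of Le_API from a domain .conf file (empty if absent).
le_api() {
  sed -n "s/^Le_API='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# Classify a conf: v1 (retired), v2 (current), other (different CA or a typo).
classify_conf() {
  case "$(le_api "$1")" in
    "$V1") echo v1 ;;
    "$V2") echo v2 ;;
    *)     echo other ;;
  esac
}

# Rewrite a v1 conf to v2, keeping a .bak copy; refuse anything that is not v1.
migrate_conf() {
  [ "$(classify_conf "$1")" = v1 ] || return 1
  cp -p "$1" "$1.bak" || return 1
  sed "s|^Le_API='.*'\$|Le_API='$V2'|" "$1.bak" > "$1" || return 1
  [ "$(classify_conf "$1")" = v2 ]
}

# Report every domain conf under an acme.sh config home as "<class> <path>".
audit_home() {
  for f in "$1"/*/*.conf; do
    [ -f "$f" ] && printf '%s %s\n' "$(classify_conf "$f")" "$f"
  done
  return 0
}

# Constructed sample data (not from the thread's machine): three domain confs.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/old.example" "$demo_home/typo.example" "$demo_home/new.example"
printf "Le_Domain='old.example'\nLe_API='%s'\n" "$V1" > "$demo_home/old.example/old.example.conf"
printf "Le_API='https://acme-v02api.letsencrypt.org/directory'\n" > "$demo_home/typo.example/typo.example.conf"
printf "Le_API='%s'\n" "$V2" > "$demo_home/new.example/new.example.conf"
audit_home "$demo_home"
```

A conf reported as "other" is either deliberately set to a different CA or carries a malformed URL like the one in the failed run above, so it is left for manual review.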

I saw my mistake and fixed it and reran the acme.sh and it said success!

Thanks to both of you!!! :smile:

4 Likes

Do either of you know if I need to do anything else to get it to auto-renew the next time it needs to?

2 Likes

If your certs used to auto-renew in the past (except for the past months), it should work again as before. Your installation was still using ACMEv1, which is now end of life. You're now using ACMEv2, which is still well.

PS: One last thing:

If you want to continue using Let's Encrypt for future new domains, you should run

acme.sh --set-default-ca --server letsencrypt

to continue using Let's Encrypt as the default. This doesn't affect your current certificate though - this will continue to be renewed with Let's Encrypt in any case. This command is just for future certificates for different domains. This is not necessary though, it entirely depends on your preference.

3 Likes