Peculiar issue with renewals


#1

I’ve been using acme.sh for about a year now; it’s been fairly straightforward and I’ve learned a few things along the way.
Recently some unexplained issues started popping up on cert renewals. I’m currently with Arvixe for hosting and the issues are happening on different accounts.
It’s happening with wildcard certs and regular ones.
here are the errors I’m getting (replacing domains with domain.com)
*.domain.com:Challenge error: {"type":"urn:ietf:params:acme:error:malformed","detail":"Expired authorization","status": 404} (twice, one for each wildcard)

domain.com:Verify error:Invalid response from http://domain.com/.well-known/acme-challenge/9v9rWt9QbGg_z8wyIJJ7dtnyTq3dqKO51eeR0u66_QI
It seems the challenge file is not at that location, nor is it being created. This worked until recently, when it started giving this error:

/public_html': Permission denied
/home/myuser/.acme.sh/acme.sh: line 3951: /public_html//.well-known/acme-challenge/HMAV8KK_UhfeVvdWRulAkccBdxYStcie60oWeQ5XWww: No such file or directory
domain.com:Can not write token to file : /public_html//.well-known/acme-challenge/HMAV8KK_UhfeVvdWRulAkccBdxYStcie60oWeQ5XWww

Notice the double // after public_html… this also renewed without issue for months.
I haven’t changed anything that I can remember in relation to folder permissions or anything like that, and other certs do renew just fine.

I’m perplexed as to what could be causing this. I also have similar issues with another shared account on a different server, but there too some certs renew fine, so it’s specific.

Thanks for your help


#2

Hi,

Are you requesting a wildcard certificate?
If so, why is it using HTTP validation?

Are you using cPanel? Can you check if all folders are under the same owner? (Also with write permission?)

Moved to #help
(Who moved it???)

Thank you


#3

There are a couple of wildcard certs and a couple of regular certs.
The folder permissions have not changed (not by me, at least).

I’ll take a look and report back.
@tdelmas moved it to #help, not sure why, as it’s an acme.sh issue.


#4

Sorry if I made a mistake; do you want me to move it back?

As it’s a problem using a client, not developing one (right?), I think #help is the correct category.

#client-dev
This category is for discussing development of all Let’s Encrypt clients, including Certbot.
If you’re having an issue using certbot or another Let’s Encrypt client please see the #help category.


#5

This domain points to a site that’s in a folder located in root; it’s got a .well-known folder in it, but it’s empty (invalid response?).

This one points to the root; there is no .well-known folder in there… weird.


#6

Thanks for the clarification.


#7

I shouldn’t have moved it “silently”; @stevenzhu is right about that :slightly_smiling_face:, my apologies!


#8

Also, what does the expired authorization mean? The 404 status? Can this be reset? I was having this error before the certs expired, so it’s not an expiry issue, I guess.


#9

Hi @OrAnGeWorX

Then create the two folders, /.well-known/acme-challenge, and check the permissions.


#10

That gave the same error message as previously.
Also, another thing I noticed is that an SSL I had created for a subdomain (working at the moment) doesn’t have those /.well-known/acme-challenge folders.
It’s pointing to a site I set up outside of public_html.


#11

Not really… :rofl:
I was planning to move the thread right after I wrote that response… Then realized someone just moved it.


#12

Hi,

Could you please really check the permissions on the folders? (Is the user who controls the folder the same as the user who runs acme.sh?)

Thank you


#13

I use the credentials on the account to SSH into it. That’s been the norm ever since I first used acme.sh. The folder permissions are 755.
I also compared with another account that’s renewing correctly to have the same setup.
How else could I check this?
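
The question in #13 (“How else could I check this?”) and the three errors quoted in #1 (“Permission denied”, “No such file or directory” on a path starting with /public_html//, and “Invalid response from http://…/.well-known/acme-challenge/…”) all come down to whether acme.sh can write a token into each webroot it has recorded and whether the web server then serves it. The script below is an added example for this thread, not code from acme.sh or from any poster. It assumes that acme.sh stores the webroot(s) for a certificate as a line of the form `Le_Webroot='/path/one,/path/two'` in `~/.acme.sh/<domain>/<domain>.conf`, that paths contain no spaces or commas, and that the sample conf written by `demo()` is constructed for the demonstration; the function names `norm_path`, `check_webroot`, `check_conf` and `probe_http` are this example’s own. `probe_http` needs a real domain and network access and is not called by the demo.

```sh
#!/bin/sh
# Added example for this thread, not code from acme.sh or from any poster.
# It checks every webroot acme.sh will write challenge tokens into and
# answers "how else could I check this?" from post #13.
#
# Assumptions: acme.sh keeps the webroot list for a certificate as
#   Le_Webroot='/path/one,/path/two'
# in ~/.acme.sh/<domain>/<domain>.conf; paths have no spaces or commas;
# the conf written by demo() is constructed for this demonstration.

# Collapse repeated slashes and drop a trailing one: "/public_html//" -> "/public_html".
# acme.sh appends "/.well-known/acme-challenge/<token>" to the stored webroot,
# which is where the "//" in the thread's error path comes from.
norm_path() {
    printf '%s' "$1" | sed -e 's#//*#/#g' -e 's#\(.\)/$#\1#'
}

# Validate one webroot: absolute, existing, writable by the current user, and
# a token must round-trip through <webroot>/.well-known/acme-challenge.
# Returns 0 on success; a distinct non-zero code plus a reason on stderr otherwise.
check_webroot() {
    root=$(norm_path "$1")
    case "$root" in
        /*) ;;
        *)  echo "$1: not an absolute path" >&2; return 1 ;;
    esac
    if [ ! -d "$root" ]; then
        echo "$root: directory does not exist" >&2; return 2
    fi
    if [ ! -w "$root" ]; then
        echo "$root: not writable by $(id -un); owner/mode: $(ls -ld "$root")" >&2; return 3
    fi
    dir="$root/.well-known/acme-challenge"
    mkdir -p "$dir" || { echo "$dir: cannot create challenge directory" >&2; return 4; }
    token="probe-$$"
    if ! printf 'ok' > "$dir/$token"; then
        echo "$dir: cannot write token" >&2; return 5
    fi
    got=$(cat "$dir/$token")
    rm -f "$dir/$token"
    [ "$got" = "ok" ] || { echo "$dir: token did not read back" >&2; return 6; }
    return 0
}

# Read Le_Webroot from a domain conf and check each comma-separated entry.
# Prints "<path> OK" or "<path> FAIL"; the return value is the number of failures.
check_conf() {
    webroots=$(sed -n "s/^Le_Webroot='\(.*\)'\$/\1/p" "$1")
    fails=0
    for w in $(printf '%s' "$webroots" | tr ',' ' '); do
        if check_webroot "$w"; then
            echo "$w OK"
        else
            echo "$w FAIL"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Optional end-to-end probe (needs network, so demo() does not call it):
# write a token and fetch it through the web server the way the CA does.
# A mismatch is the "Invalid response from http://.../.well-known/acme-challenge/..."
# case from post #1; an empty result usually means the vhost's document root is not $2.
probe_http() {
    domain=$1; root=$(norm_path "$2"); token="probe-$$"
    mkdir -p "$root/.well-known/acme-challenge" || return 1
    printf '%s' "$token" > "$root/.well-known/acme-challenge/$token" || return 1
    got=$(curl -fsS -m 10 "http://$domain/.well-known/acme-challenge/$token")
    rm -f "$root/.well-known/acme-challenge/$token"
    [ "$got" = "$token" ]
}

# Demo with a constructed conf mirroring the thread: one valid webroot under a
# temp dir, and the broken "/public_html/" entry, which acme.sh would treat as
# an absolute path at the filesystem root.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/public_html"
    printf "Le_Webroot='%s/public_html/,/public_html/'\n" "$tmp" > "$tmp/domain.com.conf"
    check_conf "$tmp/domain.com.conf" || echo "$? webroot(s) failed"
    rm -rf "$tmp"
}
demo
```

Run it as the same user that cron runs acme.sh as, since `-w` and the token write are evaluated for the invoking user, which is exactly the ownership question asked in #12. A webroot that prints as `/public_html` after normalisation is an absolute path at the root of the filesystem, consistent with the `/public_html//.well-known/...` path in the error from #1; in that reading the conf’s webroot has lost its `/home/<user>` prefix rather than the folder permissions having changed.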


#14

I have just reinstalled acme.sh, hoping it might have had something that was messed up, and retried --renew-all; it gave me the same errors: expired authorization for the wildcards, a permission denied for one domain and the failed verification for another domain. I resolved the last one by going fully manual.


#15

Well… This might be a server issue with CLN / cPanel; have you tried to contact your hosting provider?

Thank you


#16

I haven’t yet, but seeing that Arvixe doesn’t support LE, I believe I won’t get much help there. I’ll attempt that route for the domain issues, but the expired authentication for the wildcards isn’t a hosting problem. The only reference to this I found on the forums here doesn’t really explain how to go about resolution.


#17

Is it possible that your hoster tries to create its own Letsencrypt client and blocks the directory /.well-known/acme-challenge/?


#18

Emm. That’s right, there seem to be fewer explanations on this matter.

Just by the way, have you tried to request a wildcard certificate on your home machine? (Or on another machine that could successfully perform the renewal process?)

If Arvixe does not support Let’s Encrypt / Comodo cPanel certificates by default, they will not try to override the .well-known roots. (Not to mention that the current version of cPanel only routes .well-known traffic to “a host specified” location when an issuance by AutoSSL is pending.)

Thank you


#19

I’m not aware of that. Also, it wouldn’t occur on one account and not the other, I guess


#20

Not that savvy to attempt that. Any pointers in that direction would be greatly appreciated, though I suspect that the result would be the same, based on what I came across. If I understood this correctly, there is an authorization that’s “hung” in the system.