I’ve been using acme.sh for about a year now and it’s been fairly straightforward, and I’ve learned a few things along the way.
Recently some unexplained issues started popping up on cert renewals. I’m currently with Arvixe for hosting and the issues are happening on different accounts.
It’s happening with wildcard certs and regular ones.
Here are the errors I’m getting (replacing domains with domain.com):
*.domain.com:Challenge error: {“type”:“urn:ietf:params:acme:error:malformed”,“detail”:“Expired authorization”,“status”: 404} (twice, one for each wildcard)
/public_html’: Permission denied
/home/myuser/.acme.sh/acme.sh: line 3951: /public_html//.well-known/acme-challenge/HMAV8KK_UhfeVvdWRulAkccBdxYStcie60oWeQ5XWww: No such file or directory
domain.com:Can not write token to file : /public_html//.well-known/acme-challenge/HMAV8KK_UhfeVvdWRulAkccBdxYStcie60oWeQ5XWww
Notice the double // after public_html… This also renewed without issue for months.
I haven’t changed anything that I can remember in relation to folder permissions or anything like that, and other certs do renew just fine.
I’m perplexed as to what could be causing this. I also have similar issues with another shared account on a different server, but also some certs renew fine so it’s specific.
Sorry if I made a mistake, do you want me to move it back?
As it's a problem using a client, not developing one (right?), I think Help is the correct category.
Client dev
This category is for discussing development of all Let’s Encrypt clients, including Certbot.
If you’re having an issue using certbot or another Let’s Encrypt client please see the Help category.
Also, what does the expired authorization mean? The 404 status? Can this be reset? I was having this error before the certs were expired so it's not an expiry issue, I guess.
That gave out the same error message as previously.
Also, another thing I noticed is that an SSL I had created for a subdomain (working at the moment) doesn’t have those /.well-known/acme-challenge folders.
It’s pointing to a site I set up outside of public_html
I use the credentials on the account to SSH into it. That’s been the norm ever since I first used acme.sh. The folder permissions are 755.
I also compared with another account that’s renewing correctly to have the same setup.
How else could I check this?
I have just reinstalled acme.sh hoping it might have something that was messed up and retried the --renew-all and it gave me the same errors: expired authorization for the wildcards, a permission denied for one domain and the failed verification for another domain. I resolved the last one by going full manual.
I haven’t yet but seeing that Arvixe doesn’t support LE, I believe I won’t get much help there. I’ll attempt that route for the domain issues but the expired authentication for the wildcards isn’t a hosting problem. The only reference to this I found on forums here doesn’t really explain how to go about resolution.
Emm. That's right, there seem to be fewer explanations on this matter.
Just by the way, have you tried to request a wildcard certificate on your home machines? (Or on another machine that could successfully perform the renewal process?)
If Arvixe does not support Let's Encrypt / Comodo cPanel certificates by default, they will not try to override the .well-known roots. (Not to mention that the current version of cPanel only routes .well-known traffic to "a host specified" location when an issuance by AutoSSL is pending.)
Not that savvy to attempt that. Any pointers in that direction would be greatly appreciated. Though I suspect that the result would be the same based on what I came across. If I understood this correctly, there is an authorization that's "hung" in the system.