Problem with cert's renew

kazin8 · August 15, 2019, 1:12am

Hi!

I ran this command:
I have a client library in php and console commands

It produced this output:

gist.github.com

https://gist.github.com/kazin8/1da06bfda8fe1be8fb671c79421a9cb1

gistfile1.txt

15-08-2019 02:32:50: LE_ACME2\Account::get "ssl@ezpage.com" (from cache)
Trace #0: LE_ACME2\Account::get

15-08-2019 02:32:51: KID sign request for https://acme-v02.api.letsencrypt.org/acme/order/55251892/815052053
Trace #0: LE_ACME2\Utilities\RequestSigner::KID
Trace #1: LE_ACME2\Request\Order\Get::getResponse
Trace #2: LE_ACME2\Order::get

Data:
NULL

This file has been truncated. show original

My web server is (include version):
nginx/openresty/1.13.6.2

The operating system my web server runs on is (include version):
CentOS

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
nope

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): nope

Our service receives certificates from let’s encrypt for customer domains.
Recently, there was a problem with certificates renew.
I see that the error is that the order is in invalid status, but I can’t understand why:

https://acme-v02.api.letsencrypt.org/acme/order/55251892/815052053

How can I determine what the error is? In my opinion, the responses and requests are quite adequate.
Domains that work with an expired certificate have already accumulated, I really need help.

Thx.

mnordhoff · August 15, 2019, 1:23am

Line 62 shows that the order expired 2019-08-07:

gist.github.com

https://gist.github.com/kazin8/1da06bfda8fe1be8fb671c79421a9cb1#file-gistfile1-txt-L62

gistfile1.txt

15-08-2019 02:32:50: LE_ACME2\Account::get "ssl@ezpage.com" (from cache)
Trace #0: LE_ACME2\Account::get

15-08-2019 02:32:51: KID sign request for https://acme-v02.api.letsencrypt.org/acme/order/55251892/815052053
Trace #0: LE_ACME2\Utilities\RequestSigner::KID
Trace #1: LE_ACME2\Request\Order\Get::getResponse
Trace #2: LE_ACME2\Order::get

Data:
NULL

This file has been truncated. show original

Whatever happened before, it’s invalid now. You need to make a new one.

Orders last for 1 week. It must have been created on 2019-07-31.

Authorizations last for 30 days, and the one involved in that order is still valid, though.

kazin8 · August 15, 2019, 1:31am

Does this mean that I have to delete the folder with the order, keys and certificates for this domain and request everything again?

How to avoid this in the future? After all, with this approach, the path to the keys will change, then what is the point in general in the possibility of certificate renew?

mnordhoff · August 15, 2019, 2:14am

On a technical level, “renewing” a certificate isn’t really a thing. It’s just a word to describe issuing a new certificate that you consider to be similar to an older one.

It’s common to generate a new private key, but you can use the same one.

How to save the new certificate and key files is your choice. I’d guess that most ACME clients delete the old files and save the new ones at the same paths.

JuergenAuer · August 15, 2019, 7:06am

Hi @kazin8

Don’t delete certificates if they are used.

Your client may crash if current certificates are checked (and deleted). Or your webserver can’t restart if a certificate file is deleted.

schoen · August 16, 2019, 6:34am

My impression is that very few Let’s Encrypt clients save an order reference to disk. Instead, they normally use an order to obtain a certificate in a short period of time that normally corresponds to a single use of the client application. For example, in Certbot we always request a new order object from the certificate authority for each new certificate request. This is not the case for accounts, certificates, and keys, which we do persist on disk.