Questions about Renewing before TLS-ALPN-01 Revocations

I believe this was the solution for renewing certificates on a much, much older version of Caddy. Please read the docs to see the recommended way today.

3 Likes

> I believe this was the solution for renewing certificates on a much, much older version of Caddy. Please read the docs to see the recommended way today.

I thought so too, but please have a look at Let's Encrypt Certificate revoked but not renewed (as referenced in this thread).

@rconrad What's in your Caddy logs? No one who has reported this behavior has shown us their logs, so we can only guess without them.

Completely new to this and not sure which steps to take to renew our certification.

Site: chat.bioangels.net
Installed a Rocket.Chat server with a Snap and created an SSL with Caddy and Let's Encrypt.

I checked the online database and our site was affected. But I'm not sure how to renew our certification or where our certifications are even located (or which version of Caddy I am using).

OS: Ubuntu 20.04
Hosted by Digital Ocean

@mholt

> What's in your Caddy logs? No one who has reported this behavior has shown us their logs, so we can only guess without them.

Because we haven't seen any logs with an indication about the OCSP issue.

Except - of course - where the renewals worked with the tls.cache.maintenance event

OCSP status for managed certificate is REVOKED; attempting to replace with new certificate

But even assuming that the OCSP cache could be the reason, we deleted $XDG_DATA_HOME/caddy/ocsp and restarted Caddy without success.

One presumably could build a test case with a manual certificate revocation and measure / debug the issue easily.

Interesting. We were 'unaffected' per the tool LE created, but the cert is revoked and we needed to triage. FYI.

How did you check that?

If you used the tool with the URL of your site, it might pick up the incorrect certificate (b/c it might have already been renewed). You could enter your hostname into https://crt.sh/ and check the certificate which was issued just before January 26th. That cert then probably is revoked and on the list of the tool. You can check that using the serial (without the colons :, just the number/letters).

3 Likes
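The serial check described in the post above, as an added example (not part of the thread, and not Caddy, CertMagic or lego code): it reads the serial from a PEM certificate and reduces any rendering of it to the colon-free hex form, so it can be compared with what crt.sh or the lookup tool shows. The function names are hypothetical and the certificate is a constructed self-signed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NormalizeSerial turns "serial=04AB..." or "04:ab:..." into lowercase hex without separators.
func NormalizeSerial(s string) string {
	s = strings.ToLower(strings.TrimSpace(s))
	s = strings.TrimPrefix(s, "serial=")
	return strings.NewReplacer(":", "", " ", "").Replace(s)
}

// SerialFromPEM returns the serial of the first certificate in a PEM bundle.
// hex.EncodeToString keeps a leading zero nibble that big.Int.Text(16) drops.
func SerialFromPEM(pemBytes []byte) (string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return "", fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(cert.SerialNumber.Bytes()), nil
}

// ConstructedCert builds a throwaway self-signed certificate (sample input only).
func ConstructedCert(serialHex string) []byte {
	serial, _ := new(big.Int).SetString(serialHex, 16)
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: serial, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	got, err := SerialFromPEM(ConstructedCert("04ab12cd34ef56"))
	fmt.Println(got, err, got == NormalizeSerial("serial=04:AB:12:CD:34:EF:56"))
}
```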

I am currently running a WordPress site on Lightsail. I've successfully renewed my certificate but it is not showing up on skinva.com.

Issues related to revocation should be fixed for all users in the latest CertMagic: Release v0.15.3 · caddyserver/certmagic · GitHub

Whereas before, it was just kind of a party trick, this patch has been tested in production on thousands of domains and is known to work.

2 Likes

A post was split to a new topic: Cannot Renew Deactivating authz

Hi, I want to renew. How can I do that?

Hello, and welcome. Open a new thread in the #help section.

2 Likes

14 posts were merged into an existing topic: Early renewal for bncert (bitnami)

Has anyone been able to successfully fix this using Lego? I am getting 'The certificate expires in 59 days, the number of days defined to perform the renewal is 30: no renewal.'. It would really suck if the website can't be seen for 29 more days. Doesn't seem like a good thing for Lego to not have a force renew option.

@tychoash
Is there any way to temporarily change the default renewal interval (30 days before expiry) to a number that would trigger the renewal today?

3 Likes

Maybe with the --days X option as described here? (such as setting days to 90)

https://go-acme.github.io/lego/usage/cli/examples/#to-renew-the-certificate-only-if-it-expires-within-45-days

3 Likes

I used this tutorial and cannot get it to work!

Please help!

I remember why I love this community! You rock @MikeMcQ (you too @rg305). That worked and the site is back up and running!

4 Likes

We completed revocations and provided additional time for revoked certs to be renewed and replaced with relaxed rate limits. We have returned our rate limits to the documented values.

6 Likes
