SSL Certificate unable to auto renew

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

IP blocked? Can someone help me solve it?

My domain is:
cyberalert.com(38.108.108.188)
I ran this command: cyberalert.com(38.108.108.188)
/root/.acme.sh
It produced this output:
Could not get nonce, let's try again.
[Thu Aug 12 22:46:55 EDT 2021] The new-authz request is ok.
[Thu Aug 12 22:46:55 EDT 2021] Error, can not get domain token entry secure.cyberalert.com
[Thu Aug 12 22:46:55 EDT 2021] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Thu Aug 12 22:46:55 EDT 2021] Error renew secure.cyberalert.com.

My web server is (include version):
Server version: Apache/2.2.15 (Unix)

The operating system my web server runs on is (include version):
CentOS release 6.4 (Final)
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): acme.sh version: 2.8.1

Hi @hxiao, and welcome to the LE community forum :slight_smile:

It seems that challenge requests to your site are being redirected to another site (incorrectly):

curl -Iki secure.cyberalert.com/.well-known/acme-challenge/Test-File-1234
HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Aug 2021 19:32:44 GMT
Server: Apache
Location: http://www.cyberalert.com/.well-known/acme-challenge/Test-File-1234

You can either fix the redirection OR use the --webroot method to place the challenge token/response in that other site location (since both names resolve to the same IP).

I would prefer to fix the problem rather than work around it :wink:
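An offline check for the redirect diagnosed above, added here as an example (not code from the thread or from acme.sh): it parses a `curl -I` style response for a challenge URL and reports whether the requested host answered it or redirected it to another hostname, in which case the token has to be reachable at the redirect target. The function names, verdict strings and the second and third sample responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}
URL = "http://secure.cyberalert.com/.well-known/acme-challenge/Test-File-1234"

# Response headers as quoted in the thread.
THREAD_RESPONSE = """HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Aug 2021 19:32:44 GMT
Server: Apache
Location: http://www.cyberalert.com/.well-known/acme-challenge/Test-File-1234
"""
# Constructed samples: a same-host upgrade to HTTPS, and a plain 404 for the test file.
SAME_HOST_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://secure.cyberalert.com/.well-known/acme-challenge/Test-File-1234
"""
NOT_FOUND_RESPONSE = "HTTP/1.1 404 Not Found\nServer: Apache\n"


def parse_head(raw):
    """Split a raw response head into (status code, lower-cased header dict)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_challenge_response(requested_url, raw):
    """Return (verdict, redirect target or None) for one challenge-path response."""
    status, headers = parse_head(raw)
    if status not in REDIRECTS:
        return ("answered-by-requested-host", None)
    if "location" not in headers:
        return ("redirect-without-location", None)
    target = urljoin(requested_url, headers["location"])  # resolves relative Location
    req, dst = urlsplit(requested_url), urlsplit(target)
    if (dst.hostname or "").lower() != (req.hostname or "").lower():
        return ("redirected-to-other-host", target)
    if dst.path != req.path:
        return ("redirected-to-other-path", target)
    return ("redirected-same-host", target)


if __name__ == "__main__":
    for raw in (THREAD_RESPONSE, SAME_HOST_RESPONSE, NOT_FOUND_RESPONSE):
        print(classify_challenge_response(URL, raw))
```

A 404 from the requested host is the expected result for a test file that does not exist; the verdict to look for is a redirect to a different hostname.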

Here is another log message; I just want to double-check whether it points to the same issue?

GET
[Thu Aug 12 22:50:03 EDT 2021] url='https://acme-v01.api.letsencrypt.org/directory'
[Thu Aug 12 22:50:03 EDT 2021] timeout=
[Thu Aug 12 22:50:03 EDT 2021] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Thu Aug 12 22:50:03 EDT 2021] ret='0'
[Thu Aug 12 22:50:03 EDT 2021] Could not get nonce, let's try again.

I don't know acme.sh well enough to comment on those log entries.

I can speak with certainty on the incorrect redirection mentioned above, which is more than enough to break any ACME client trying to validate via HTTP.
