When does acme script renew? I have 4 days left

My crontab shows this command:

# crontab -l
43 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

I did a check on expiration like so:

# openssl x509 -noout -enddate -in cert.crt
notAfter=Aug 18 05:34:06 2023 GMT

So does it renew on the last day of the expiration (Aug 18)? If the cron runs every day, why doesn't it renew the cert file?

From the acme.sh README:

All the certs will be renewed automatically every 60 days.

So it looks like something is wrong. Please run the renewal command manually and afterwards fill out the entire questionnaire below.

PM: it's at this stage probably a good idea to use the staging environment if your CA is actually Let's Encrypt (acme.sh defaults to using ZeroSSL as the CA, because, well, :moneybag: :moneybag: :moneybag:)

When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


I realized that port 80 was being used by another process (Nginx Docker container).

[Mon Aug 14 17:01:58 CST 2023] ===Starting cron===
[Mon Aug 14 17:01:58 CST 2023] Renew: 'mywebsite.com'
[Mon Aug 14 17:01:58 CST 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Mon Aug 14 17:01:59 CST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon Aug 14 17:01:59 CST 2023] Standalone mode.
[Mon Aug 14 17:01:59 CST 2023] Single domain='mywebsite.com'
[Mon Aug 14 17:01:59 CST 2023] Getting domain auth token for each domain
[Mon Aug 14 17:02:01 CST 2023] Getting webroot for domain='mywebsite.com'
[Mon Aug 14 17:02:01 CST 2023] Verifying: mywebsite.com
[Mon Aug 14 17:02:01 CST 2023] Standalone mode server
2023/08/14 17:02:01 socat[1010] E bind(5, {AF=2}, 16): Address already in use
[Mon Aug 14 17:02:03 CST 2023] Pending, The CA is processing your order, please just wait. (1/30)
[Mon Aug 14 17:02:07 CST 2023] mywebsite.com:Verify error:2606:4700:3036::6815:3373: Invalid response from http://mywebsite.com/.well-known/acme-challenge/5bl6rDhKNLLg6OHbVgIyNP6Txvtn0icwablkmJOe7iE: 403
/root/.acme.sh/acme.sh: line 2518: kill: (1010) - No such process
[Mon Aug 14 17:02:07 CST 2023] Please add '--debug' or '--log' to check more details.
[Mon Aug 14 17:02:07 CST 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Mon Aug 14 17:02:07 CST 2023] Error renew mywebsite.com_ecc.
[Mon Aug 14 17:02:07 CST 2023] ===End cron===

So, I stopped it using the docker container stop command. Afterward, I attempted the renewal process again, and it successfully renewed the certificate.

I am using Cloudflare for my website and also running my application in another Docker container.

Is there a way to renew the certificate without halting the Nginx server?

Yes, you can use certbot --standalone (acme.sh has this functionality as well) and have nginx proxy the appropriate requests (everything .well-known/acme-challenge)

But this isn't why your certificate isn't renewing.
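
The crontab entry in the question sends acme.sh output to /dev/null, so a failed run like the one logged above leaves no trace. As an added example (not part of the thread), this script triages a saved `acme.sh --cron` log; the function names and the log path in the comments are assumptions, and the sample log is constructed from the lines posted above.

```sh
#!/bin/sh
# Added example: triage a saved `acme.sh --cron` log so a failed renewal is noticed.
# Assumption: cron writes to a log file (hypothetical path /var/log/acme-cron.log)
# instead of /dev/null; run `triage < /var/log/acme-cron.log` afterwards.

# Constructed sample input: shortened lines in the format of the log in the thread.
sample_log() {
cat <<'EOF'
[Mon Aug 14 17:01:58 CST 2023] ===Starting cron===
[Mon Aug 14 17:01:58 CST 2023] Renew: 'mywebsite.com'
[Mon Aug 14 17:01:59 CST 2023] Standalone mode.
2023/08/14 17:02:01 socat[1010] E bind(5, {AF=2}, 16): Address already in use
[Mon Aug 14 17:02:07 CST 2023] mywebsite.com:Verify error:Invalid response from http://mywebsite.com/.well-known/acme-challenge/TOKEN: 403
[Mon Aug 14 17:02:07 CST 2023] Error renew mywebsite.com_ecc.
[Mon Aug 14 17:02:07 CST 2023] ===End cron===
EOF
}

# Print the name from every "Error renew <name>." line, one per line.
failed_certs() {
  sed -n 's/^\[[^]]*\] Error renew \(.*\)\.$/\1/p'
}

# Classify the run. A socat bind failure is reported ahead of a verify error,
# since in that case the standalone listener never started.
failure_cause() {
  awk '
    /socat.*bind.*Address already in use/ { busy = 1 }
    /Verify error:/                       { verify = 1 }
    / Error renew /                       { failed = 1 }
    END {
      if (!failed)     print "ok"
      else if (busy)   print "standalone-port-in-use"
      else if (verify) print "challenge-rejected"
      else             print "unknown"
    }'
}

# Read a log on stdin, print one summary line, return 1 if any renewal failed.
triage() {
  t_log=$(cat)
  t_cause=$(printf '%s\n' "$t_log" | failure_cause)
  if [ "$t_cause" = ok ]; then echo "ok"; return 0; fi
  t_certs=$(printf '%s\n' "$t_log" | failed_certs | paste -sd, -)
  echo "FAILED certs=$t_certs cause=$t_cause"
  return 1
}

sample_log | triage || true
```

The non-zero return from `triage` can drive whatever alerting the host already has, so a renewal that keeps failing is seen well before the certificate's `notAfter` date.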

