WordPress LiteSpeed SSL is not renewing

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: compassdpo.com.br

I ran this command: sudo certbot renew -v

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/compassdpo.com.br-0001.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/compassdpo.com.br.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate for compassdpo.com.br and www.compassdpo.com.br
Performing the following challenges:
http-01 challenge for www.compassdpo.com.br
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Challenge failed for domain www.compassdpo.com.br
http-01 challenge for www.compassdpo.com.br

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.compassdpo.com.br
Type: unauthorized
Detail: 169.57.169.74: Invalid response from http://www.compassdpo.com.br/.well-known/acme-challenge/8jDirJOIo2tGjfpz1UfnHpG6oMWMG1-3SlQFgjJpwTY: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate compassdpo.com.br with error: Some challenges have failed.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/compassdpo.com.br-0001/fullchain.pem expires on 2024-06-09 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/compassdpo.com.br/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
systemd 249 (249.11-0ubuntu3.11)

The operating system my web server runs on is (include version):
Linux

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I can access via WordPress or ssh root

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

Welcome @MarcosClimby
You should check the DNS A record for your www subdomain. It points to an nginx server not LiteSpeed. And is a different IP than for your base name. Usually those two IP addresses are the same.

Request to: www.compassdpo.com.br/169.57.169.74, Result: [Address=169.57.169.74,Address Type=IPv4,Server=nginx

Request to: compassdpo.com.br/134.122.5.165, Result: [Address=134.122.5.165,Address Type=IPv4,Server=LiteSpeed

Hi MikeMcQ, thanks for your reply.
I have checked my DNS and server address and everything is configured pointing to IP 134.122.5.165.
Could IP address 169.57.169.74 be something internal from Digital Ocean?

Not exactly.

Your www FQDN is using an incorrect CNAME [with a TYPO/misspelling]:

Name:    compassdpo.com.br
Address: 134.122.5.165

Name:    compass.com.br     <<<<< should be "compassdpo.com.br"
Address: 169.57.169.74
Aliases: www.compassdpo.com.br
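
The check done by hand in the reply above, as an added example that is not part of the original thread: a shell script that follows each certificate name's CNAME chain in `dig +noall +answer` output and flags any name that ends up at a different address than the base name. The function names, the TTLs and the corrected record set are assumptions; the names and addresses are the ones quoted in the thread.

```shell
#!/bin/sh
# Input format: answer lines as printed by `dig +noall +answer NAME A`
# (owner TTL class type value). TTLs below are constructed.

# Print the addresses NAME ends up at, following CNAMEs (max 8 hops).
addrs_for() {   # usage: addrs_for ANSWERS_FILE NAME
    awk -v start="$2" '
        function norm(s) { sub(/\.$/, "", s); return tolower(s) }
        $4 == "CNAME"             { cname[norm($1)] = norm($5) }
        $4 == "A" || $4 == "AAAA" { addr[norm($1)] = addr[norm($1)] $5 "\n" }
        END {
            n = norm(start)
            for (hops = 0; (n in cname) && hops < 8; hops++) n = cname[n]
            printf "%s", addr[n]
        }' "$1" | sort -u | paste -sd, -
}

# Compare each certificate name with BASE; return 1 if any resolves elsewhere.
check_cert_names() {   # usage: check_cert_names ANSWERS_FILE BASE NAME...
    file=$1; base=$2; shift 2
    want=$(addrs_for "$file" "$base"); rc=0
    [ -n "$want" ] || { echo "NO ADDRESS $base"; return 2; }
    for name in "$@"; do
        got=$(addrs_for "$file" "$name")
        if [ "$got" = "$want" ]; then
            echo "OK       $name -> $got"
        else
            echo "MISMATCH $name -> ${got:-none} (expected $want)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: the records as reported in the thread, then corrected.
BROKEN=$(mktemp); FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT
cat > "$BROKEN" <<'EOF'
compassdpo.com.br.      300 IN A     134.122.5.165
www.compassdpo.com.br.  300 IN CNAME compass.com.br.
compass.com.br.         300 IN A     169.57.169.74
EOF
cat > "$FIXED" <<'EOF'
compassdpo.com.br.      300 IN A     134.122.5.165
www.compassdpo.com.br.  300 IN CNAME compassdpo.com.br.
EOF

check_cert_names "$BROKEN" compassdpo.com.br www.compassdpo.com.br ||
    echo "www resolves to a different host; fix DNS before renewing"
check_cert_names "$FIXED" compassdpo.com.br www.compassdpo.com.br
```

Against live DNS, save the `dig +noall +answer` output for every name on the certificate to one file and pass that file as the first argument.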

Thank you @rg305! My fault. I have corrected the DNS.
Do I need to wait to repeat the process to renew the SSL?

No, Let's Encrypt queries the authoritative DNS servers directly. It is not affected by TTL propagation.

Hello experts, it is me again! After correcting the DNS I applied sudo certbot renew, which sent me the following message:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/compassdpo.com.br-0001.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/compassdpo.com.br.conf


Certificate not yet due for renewal


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/compassdpo.com.br-0001/fullchain.pem expires on 2024-06-09 (skipped)
/etc/letsencrypt/live/compassdpo.com.br/fullchain.pem expires on 2024-06-10 (skipped)
No renewals were attempted.


However when I tried to access the landing page: https://compassDPO.com.br it was showing not secured. Then I applied the command: sudo certbot renew --dry-run
The following message appears:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/compassdpo.com.br-0001.conf


Simulating renewal of an existing certificate for compassdpo.com.br
Failed to renew certificate compassdpo.com.br-0001 with error: Missing command line flag or config entry for this setting:
Input the webroot for compassdpo.com.br:


Processing /etc/letsencrypt/renewal/compassdpo.com.br.conf


Simulating renewal of an existing certificate for compassdpo.com.br and www.compassdpo.com.br


The following simulated renewals succeeded:
/etc/letsencrypt/live/compassdpo.com.br/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/compassdpo.com.br-0001/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

Any suggestion on how to solve this issue?
Many thanks!

You definitely got a new cert with your basename and its www subdomain dated today.

So, check your LiteSpeed configuration and make sure it refers to the cert files in the /etc/letsencrypt/live/compassdpo.com.br folder for the cert you got today

You can see your cert details with the command below. Please show this so we can also fix the problem with the -0001 cert profile.

sudo certbot certificates

Thanks Mike! I got the following answer (which I understood was ok):
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: compassdpo.com.br-0001
Serial Number: 3adc700f5cba73e4f27dd8c4a56d7d386cf
Key Type: RSA
Domains: compassdpo.com.br
Expiry Date: 2024-06-09 10:37:18+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/compassdpo.com.br-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/compassdpo.com.br-0001/privkey.pem
Certificate Name: compassdpo.com.br
Serial Number: 4d80bef80c7d3051c7739d7e11a1110facd
Key Type: RSA
Domains: compassdpo.com.br www.compassdpo.com.br
Expiry Date: 2024-06-10 06:22:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/compassdpo.com.br/fullchain.pem
Private Key Path: /etc/letsencrypt/live/compassdpo.com.br/privkey.pem

I am sorry to ask but do you know how to check if LiteSpeed configuration refers to the cert files?

I am not expert at LiteSpeed. There are various ways to manage it.

Do you remember how you configured it originally? Because it is using a Let's Encrypt cert but one dated Dec 7 2023. Did you have to copy that cert from the /etc/letsencrypt/live folder or somehow import it to the LiteSpeed admin panel? I am just hoping to trigger a memory for you.

Thanks, no worries Mike, I will find out how to check the LiteSpeed configuration.

When I first created the server environment at Digital Ocean (Droplet) and selected WordPress LiteSpeed, SSL certification (Let's Encrypt) was very simple to generate and the configuration is automatic. I did not copy or import the certificate...

I could manage to access LiteSpeed configuration system (WordPress | Images | Cloud | LiteSpeed Documentation). Https is working again!!!! Thanks for your support.

I am just thinking of deleting compass.com.br-0001 certifications because it seems to be useful...