[Solved] Let's Encrypt auto renewal

Discussion in 'Installation/Configuration' started by Cris Kolkman, Mar 5, 2017.

  1. Cris Kolkman

    Cris Kolkman Member

    Hello,

    I'm using Let's Encrypt to secure my websites, but I'm running into a problem at the moment.
    I created a subdomain for my site and wanted to secure it with SSL, but found out I'm getting this error:

    Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.com

    Now I know that my SSL certs get renewed every day (bit of an overkill..) but can't find the cronjob doing that... :S
    Anyone know where I should look?
    My crontab shows:

    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    0 * * * * /home/cacheclear.sh

    Where the cacheclear only clears the memory cache.
     
  2. liane

    liane Member

    if you installed certbot, its cron is located at: /etc/cron.d/certbot
    acme.sh uses the regular crontab, but since you don't see it here, I guess you didn't install that.
    How did you install letsencrypt?
     
  3. Cris Kolkman

    Cris Kolkman Member

    Hello Liane,

    I installed the server and everything using the Perfect Server tutorial.
     
  4. liane

    liane Member

    There are a lot of "perfect server" tutorials, and the one I used did not install letsencrypt. Which one did you follow?
     
  5. Cris Kolkman

    Cris Kolkman Member

  6. liane

    liane Member

    then, it should be in /etc/cron.d/certbot
    don't you have anything there?
     
  7. Cris Kolkman

    Cris Kolkman Member

    No, the folder certbot does not exist in cron.d
     
  8. liane

    liane Member

    it's a file, but I don't know what the script installed
    could you try this:
    Code:
    grep -r certbot /etc/cron*
     
  9. Cris Kolkman

    Cris Kolkman Member

    That command does not return anything.
     
  10. liane

    liane Member

    and replacing "certbot" with "encrypt" or "acme"?
     
  11. Cris Kolkman

    Cris Kolkman Member

    root@***:~# grep -r encrypt /etc/cron*
    /etc/cron.daily/popularity-contest: --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"
    root@***:~# grep -r acme /etc/cron*
    root@***:~#
     
  12. liane

    liane Member

    it might be ISPConfig instead of a cron, have a look at /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php
     
  13. Cris Kolkman

    Cris Kolkman Member

    This is in that file:

    PHP:
    class cronjob_letsencrypt extends cronjob {

        // job schedule
        protected $_schedule = '0 3 * * *';

        public function onRunJob() {
            global $app, $conf;

            $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
            $letsencrypt = reset($letsencrypt);
            if(is_executable($letsencrypt)) {
                $version = trim(exec($letsencrypt . ' --version 2>/dev/null'));
                if(preg_match('/^(\S+)\s+(\d+(\.\d+)+)$/', $version, $matches)) {
                    $type = strtolower($matches[1]);
                    $version = $matches[2];
                    if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) {
                        exec($letsencrypt . ' -n renew');
                        $app->services->restartServiceDelayed('httpd', 'reload');
                    } else {
                        $marker_file = '/usr/local/ispconfig/server/le.restart';
                        $cmd = "echo '1' > " . $marker_file;
                        exec($letsencrypt . ' -n renew --post-hook ' . escapeshellarg($cmd));
                        if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') {
                            unlink($marker_file);
                            $app->services->restartServiceDelayed('httpd', 'reload');
                        }
                    }
                } else {
                    exec($letsencrypt . ' -n renew');
                    $app->services->restartServiceDelayed('httpd', 'reload');
                }
            }

            parent::onRunJob();
        }

    }
    But the question is also:
    Even when I change the cert renewal to once a month, I will keep having the same problem because I have too many sub-domains with a cert right?
    Counted the sub-domains where I want a cert for but there are only 4 at the moment.
    But when that becomes more in the future I have the same problem right?
     
  14. liane

    liane Member

    yes, this php script is executed by ISPC cron, and it executes:
    /root/.local/share/letsencrypt/bin/letsencrypt -n renew

    Strange that ISPC doesn't rely upon certbot's own cron, but anyway, you should now look at the letsencrypt log files in /var/log/letsencrypt to know what goes wrong with renewals.
     
  15. liane

    liane Member

    easier, just launch it manually:
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt renew
     
  16. Cris Kolkman

    Cris Kolkman Member

    Well it goes wrong with this error:

    Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.com

    But that's probably because the renewal of the cert is done every day and you can only renew 7 certs per week.
     
  17. Cris Kolkman

    Cris Kolkman Member

    Running the command manually gives the same error in my post #16
     
  18. liane

    liane Member

    ok, so check this file:
    /etc/letsencrypt/renewal/mydomain.com.conf
     
  19. Cris Kolkman

    Cris Kolkman Member

    Code:
    # renew_before_expiry = 30 days
    version = 0.9.3
    cert = /etc/letsencrypt/live/mydomain.com/cert.pem
    privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
    chain = /etc/letsencrypt/live/mydomain.com/chain.pem
    fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = b2bc5d3e9d54f19249e80315676c35b5
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    [[webroot_map]]
    mydomain.com = /usr/local/ispconfig/interface/acme
    www.mydomain.com = /usr/local/ispconfig/interface/acme
    Is in the conf, but when I check the sites with a Lets Encrypt cert, I see that the certs are renewed every day.
     
  20. liane

    liane Member

    this conf looks ok
    what is the expiry date of one of these certs, tomorrow or in 3 months?
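
Added example, not part of the thread and not ISPConfig or certbot code: one way to confirm from disk whether a certificate lineage really is being reissued every day, as reported in post #19. It assumes certbot's archive layout (`/etc/letsencrypt/archive/<name>/certN.pem`, which the thread does not show) and GNU `find`/`touch`; the function names and the sample archive are constructed for illustration.

```sh
#!/bin/sh
# Added example: count issued certificate versions per certbot lineage.
# Assumption: certbot stores every issued version as <archive>/<lineage>/certN.pem.

# le_issuance_report ARCHIVE_DIR DAYS
# Prints "<lineage> total=<n> recent=<m>"; recent counts cert files
# whose mtime falls within the last DAYS days.
le_issuance_report() {
    archive=${1:-/etc/letsencrypt/archive}
    days=${2:-7}
    for dir in "$archive"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        total=$(find "$dir" -maxdepth 1 -type f -name 'cert[0-9]*.pem' | wc -l)
        recent=$(find "$dir" -maxdepth 1 -type f -name 'cert[0-9]*.pem' \
                 -mtime "-$days" | wc -l)
        printf '%s total=%d recent=%d\n' "$name" "$((total))" "$((recent))"
    done
}

# le_flag_frequent ARCHIVE_DIR DAYS MAX
# Prints lineages with more than MAX certificate versions inside the window.
le_flag_frequent() {
    le_issuance_report "$1" "$2" | while read -r name tot recent; do
        if [ "${recent#recent=}" -gt "$3" ]; then echo "$name"; fi
    done
}

# Constructed sample: one lineage reissued daily, one issued once long ago.
make_sample_archive() {
    root=$(mktemp -d)
    mkdir -p "$root/mydomain.com" "$root/quiet.example"
    for n in 1 2 3 4 5; do
        : > "$root/mydomain.com/cert$n.pem"
        touch -d "$((n - 1)) days ago" "$root/mydomain.com/cert$n.pem"
    done
    : > "$root/quiet.example/cert1.pem"
    touch -d "70 days ago" "$root/quiet.example/cert1.pem"
    echo "$root"
}

sample=$(make_sample_archive)
le_issuance_report "$sample" 7    # per-lineage counts
le_flag_frequent "$sample" 7 1    # lineages issued more than once in 7 days
rm -rf "$sample"
```

On a real server, call `le_issuance_report` with no arguments as root to read `/etc/letsencrypt/archive`; a lineage whose `recent` count tracks the number of days in the window is being reissued rather than renewed only near expiry.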
     
