[Solved] Lets Encrypt auto renewal

Discussion in 'Installation/Configuration' started by Cris Kolkman, Mar 5, 2017.

  1. Cris Kolkman

    Cris Kolkman Member

    Hello,

    I'm using Lets Encrypt to secure my websites, but I'm running into a problem atm.
    I created a subdomain for my site and wanted to secure it with SSL, but found out I'm getting this error:

    Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.com

    Now I know that my SSL certs get renewed every day (bit of an overkill..) but can't find the cronjob doing that... :S
    Anyone know where I should look?
    My crontab shows:

    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    0 * * * * /home/cacheclear.sh

    Where the cacheclear only clears the memory cache.
     
  2. liane

    liane Member HowtoForge Supporter

    if you installed certbot, its cron is located at: /etc/cron.d/certbot
    acme.sh uses the regular crontab, but since you don't see it here, I guess you didn't install that.
    How did you install letsencrypt?
     
  3. Cris Kolkman

    Cris Kolkman Member

    Hello Liane,

    I installed the server and everything using the Perfect Server tutorial.
     
  4. liane

    liane Member HowtoForge Supporter

    there are a lot of "perfect server" tutorials, and the one I used did not install letsencrypt, which one did you follow?
     
  5. Cris Kolkman

    Cris Kolkman Member

  6. liane

    liane Member HowtoForge Supporter

    then, it should be in /etc/cron.d/certbot
    don't you have anything there?
     
  7. Cris Kolkman

    Cris Kolkman Member

    No, the folder certbot does not exist in cron.d
     
  8. liane

    liane Member HowtoForge Supporter

    it's a file, but I don't know what the script installed
    could you try this:
    Code:
    grep -r certbot /etc/cron*
     
  9. Cris Kolkman

    Cris Kolkman Member

    That command does not return anything.
     
  10. liane

    liane Member HowtoForge Supporter

    and replacing "certbot" with "encrypt" or "acme"?
     
  11. Cris Kolkman

    Cris Kolkman Member

    root@***:~# grep -r encrypt /etc/cron*
    /etc/cron.daily/popularity-contest: --armor -o "$POPCONGPG" -r $POPCONKEY --encrypt "$POPCON"
    root@***:~# grep -r acme /etc/cron*
    root@***:~#
     
  12. liane

    liane Member HowtoForge Supporter

    it might be ISPConfig instead of a cron, have a look at /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php
     
  13. Cris Kolkman

    Cris Kolkman Member

    This is in that file:

    PHP:
    class cronjob_letsencrypt extends cronjob {

        // job schedule: runs once a day at 03:00
        protected $_schedule = '0 3 * * *';

        public function onRunJob() {
            global $app, $conf;

            // pick the first letsencrypt/certbot binary found on this server
            $letsencrypt = explode("\n", shell_exec('which letsencrypt certbot /root/.local/share/letsencrypt/bin/letsencrypt'));
            $letsencrypt = reset($letsencrypt);
            if(is_executable($letsencrypt)) {
                $version = trim(exec($letsencrypt . ' --version 2>/dev/null'));
                if(preg_match('/^(\S+)\s+(\d+(\.\d+)+)$/', $version, $matches)) {
                    $type = strtolower($matches[1]);
                    $version = $matches[2];
                    if(($type != 'letsencrypt' && $type != 'certbot') || version_compare($version, '0.7.0', '<')) {
                        // old client without --post-hook: always reload the web server
                        exec($letsencrypt . ' -n renew');
                        $app->services->restartServiceDelayed('httpd', 'reload');
                    } else {
                        // newer client: the post-hook writes a marker file only when a cert was actually renewed
                        $marker_file = '/usr/local/ispconfig/server/le.restart';
                        $cmd = "echo '1' > " . $marker_file;
                        exec($letsencrypt . ' -n renew --post-hook ' . escapeshellarg($cmd));
                        if(file_exists($marker_file) && trim(file_get_contents($marker_file)) == '1') {
                            unlink($marker_file);
                            $app->services->restartServiceDelayed('httpd', 'reload');
                        }
                    }
                } else {
                    exec($letsencrypt . ' -n renew');
                    $app->services->restartServiceDelayed('httpd', 'reload');
                }
            }

            parent::onRunJob();
        }

    }
    But the question is also:
    Even when I change the cert renewal to once a month, I will keep having the same problem because I have too many sub-domains with a cert right?
    Counted the sub-domains where I want a cert for but there are only 4 at the moment.
    But when that becomes more in the future I have the same problem right?
     
  14. liane

    liane Member HowtoForge Supporter

    yes, this php script is executed by ISPC cron, and it executes:
    /root/.local/share/letsencrypt/bin/letsencrypt -n renew

    Strange why ISPC doesn't rely upon certbot's own cron, but anyway, you should now look at letsencrypt log files to know what goes wrong with renewals, in /var/log/letsencrypt
     
  15. liane

    liane Member HowtoForge Supporter

    easier, just launch it manually:
    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt renew
     
  16. Cris Kolkman

    Cris Kolkman Member

    Well it goes wrong with this error:

    Error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: mydomain.com

    But that's probably because the renewal of the cert is done every day and you can only renew 7 certs per week.
     
  17. Cris Kolkman

    Cris Kolkman Member

    Running the command manually gives the same error in my post #16
     
  18. liane

    liane Member HowtoForge Supporter

    ok, so check this file:
    /etc/letsencrypt/renewal/mydomain.com.conf
     
  19. Cris Kolkman

    Cris Kolkman Member

    Code:
    # renew_before_expiry = 30 days
    version = 0.9.3
    cert = /etc/letsencrypt/live/mydomain.com/cert.pem
    privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
    chain = /etc/letsencrypt/live/mydomain.com/chain.pem
    fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = b2bc5d3e9d54f19249e80315676c35b5
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    [[webroot_map]]
    mydomain.com = /usr/local/ispconfig/interface/acme
    www.mydomain.com = /usr/local/ispconfig/interface/acme
    Is in the conf, but when I check the sites with a Lets Encrypt cert, I see that the certs are renewed every day.
     
  20. liane

    liane Member HowtoForge Supporter

    this conf looks ok
    what is the expiry date of one of these certs, tomorrow or in 3 months?
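The checks liane asks for in posts #18 to #20 (read the renewal conf, look at the certificate's expiry, and understand why a certificate that is re-issued every day runs into the rate limit) can be scripted. The following Python is an added example written for this thread; it is not ISPConfig's or certbot's own code. The conf text is a constructed copy of the shape shown in post #19 with a placeholder account id, the `notAfter=` line is the format printed by `openssl x509 -in cert.pem -noout -enddate`, the 30-day default for `renew_before_expiry` is certbot's documented default, and the weekly issuance limit is passed in as a parameter rather than hard-coded, since the exact number is whatever Let's Encrypt publishes.

```python
"""Defender-side checks for a certbot/Let's Encrypt renewal setup (added example)."""
from datetime import datetime, timedelta
import re

# Constructed copy of the renewal conf shape from post #19 (account id is a placeholder).
SAMPLE_CONF = """\
# renew_before_expiry = 30 days
version = 0.9.3
cert = /etc/letsencrypt/live/mydomain.com/cert.pem
privkey = /etc/letsencrypt/live/mydomain.com/privkey.pem
chain = /etc/letsencrypt/live/mydomain.com/chain.pem
fullchain = /etc/letsencrypt/live/mydomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = webroot
rsa_key_size = 4096
installer = None
[[webroot_map]]
mydomain.com = /usr/local/ispconfig/interface/acme
www.mydomain.com = /usr/local/ispconfig/interface/acme
"""

_SECTION = re.compile(r"^(\[+)([^\[\]]+)\]+$")  # matches [name] and [[name]]


def parse_renewal_conf(text):
    """Parse certbot's INI-like renewal conf into {section: {key: value}}.

    Top-level keys live under "", [renewalparams] and the nested [[webroot_map]]
    each get their own dict. Comment lines are skipped, so a commented-out
    renew_before_expiry (as in post #19) does not show up as a key.
    """
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(2).strip(), {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip()] = value.strip()
    return sections


def renew_before_days(conf, default=30):
    """Effective renew_before_expiry in days; certbot uses 30 when it is unset."""
    raw = conf[""].get("renew_before_expiry")
    return default if raw is None else int(raw.split()[0])  # "30 days" -> 30


def parse_openssl_enddate(line):
    """Parse 'notAfter=Jun  3 12:00:00 2017 GMT' from `openssl x509 -noout -enddate`."""
    _, _, value = line.strip().partition("=")
    return datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")


def renewal_due(not_after, now, before_days):
    """certbot's renew rule: a cert is only renewed once it is within before_days of expiry."""
    return not_after - now <= timedelta(days=before_days)


def registered_domain(fqdn):
    """Simplified two-label form (www.mydomain.com -> mydomain.com).
    The CA uses the Public Suffix List, so names like example.co.uk need that instead."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


class IssuanceWindow:
    """Sliding-window counter of certificates issued per registered domain."""

    def __init__(self, window_days=7):
        self.window = timedelta(days=window_days)
        self.issued = []  # list of (timestamp, registered_domain)

    def record(self, fqdn, when):
        self.issued.append((when, registered_domain(fqdn)))

    def count(self, fqdn, now):
        # boundary is inclusive, i.e. the conservative count for a defender
        cutoff = now - self.window
        dom = registered_domain(fqdn)
        return sum(1 for ts, d in self.issued if d == dom and cutoff <= ts <= now)

    def would_exceed(self, fqdn, now, limit):
        """True if issuing one more cert for fqdn now would go past `limit`."""
        return self.count(fqdn, now) + 1 > limit


def simulate_daily_renewals(days, limit, start=datetime(2017, 3, 1)):
    """Force a new cert every day; return the first day the window limit would refuse it."""
    win = IssuanceWindow()
    for i in range(days):
        day = start + timedelta(days=i)
        if win.would_exceed("www.mydomain.com", day, limit):
            return day
        win.record("www.mydomain.com", day)
    return None


if __name__ == "__main__":
    conf = parse_renewal_conf(SAMPLE_CONF)
    print("webroot_map:", conf["webroot_map"])
    expiry = parse_openssl_enddate("notAfter=Jun  3 12:00:00 2017 GMT")
    print("due on 2017-03-05?", renewal_due(expiry, datetime(2017, 3, 5), renew_before_days(conf)))
    print("first refused day at limit 7:", simulate_daily_renewals(10, 7))
```

The point of the last function is the one Cris raises in post #16: `certbot renew` with the conf above would not touch a cert that is still three months from expiry, so if the live certificates really change every day something other than this renewal conf is requesting new ones, and that daily issuance is what exhausts the per-domain weekly budget.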
     
