Hi, my setup has been live for a few months and the renewal of the LetsEncrypt has failed, not sure how to deal with it. I added a site to re-force a new SSL, this is the error that I think is key:
[Tue Mar 18 09:13:23 GMT 2025] code='400'
[Tue Mar 18 09:13:23 GMT 2025] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
[Tue Mar 18 09:13:23 GMT 2025] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }'
Urgent help appreciated please as they cannot send emails. Thanks
The central system SSL cert usually is not from a website; adding a site for it will cause the main cert to be disconnected from the system, and renewals for it must fail then. Did you use the certificate from a site from the beginning, or did you just create a website now to disconnect the certificate?
Regarding the error you get, it might be that you are somehow caching requests on your system that shall go to Let's Encrypt but you cache them in a caching proxy or similar. Also:
Thanks, I found someone on another post here recommending it, but this was after the failure. I deleted the site now. How do I force a retry, please? It seems to only happen at 5am.
Deleting the site won't reverse the damaged config, as the certificate configuration has already been changed and will not change again upon deletion. What you can try to fix is to run an ISPConfig update, reconfigure services during the update, and let the updater create a new SSL cert.
Also, the renewal has probably been retried every day for weeks as the first renewal attempt does not start on the day it expires, so you must check what you might have installed in front of the server that might cache or block access from LE servers to your system to validate the certificate.
I think the issue is 443 was never forwarded to the server, I guess that was needed, right? I have only just forwarded it now. How do I run the update you mention, please?
Maybe fixed actually?
[Tue Mar 18 10:49:29 GMT 2025] LE_WORKING_DIR='/root/.acme.sh'
[Tue Mar 18 10:49:29 GMT 2025] Running cmd: upgrade
[Tue Mar 18 10:49:29 GMT 2025] Using config home: /root/.acme.sh
[Tue Mar 18 10:49:29 GMT 2025] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 18 10:49:29 GMT 2025] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Tue Mar 18 10:49:29 GMT 2025] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Tue Mar 18 10:49:29 GMT 2025] _ACME_SERVER_PATH='directory'
[Tue Mar 18 10:49:29 GMT 2025] GET
[Tue Mar 18 10:49:29 GMT 2025] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Tue Mar 18 10:49:29 GMT 2025] timeout=30
[Tue Mar 18 10:49:29 GMT 2025] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g --connect-timeout 30'
[Tue Mar 18 10:49:30 GMT 2025] ret='0'
[Tue Mar 18 10:49:30 GMT 2025] Already up to date!
[Tue Mar 18 10:49:30 GMT 2025] Upgrade successful!
[Tue Mar 18 10:49:30 GMT 2025] LE_WORKING_DIR='/root/.acme.sh'
[Tue Mar 18 10:49:30 GMT 2025] Running cmd: setdefaultca
[Tue Mar 18 10:49:30 GMT 2025] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
That's the update of the acme.sh command; it's not about issuing a certificate. But you should see in your browser if the certificate is ok again.
Attackers might be trying to steal your information from ADDRESS REMOVED (for example, passwords, messages, or credit cards). Learn more about this warning net::ERR_CERT_DATE_INVALID
The URL you sent me is port 8081 and not 80. Which site you get on port 80 does not matter for the certificate renewal, as long as it's the right server.
We only run email services on this server, I assumed the SSL would need to be active for this also? Sorry if I have led you down the wrong path.
Yes. But if you run mail services only, you could not have created a website on that server, as websites should have been disabled there. But in any case, port 80 must be open for Let's Encrypt.
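Added example, not part of any post in this thread and not code from acme.sh or ISPConfig: a small triage script that pulls the ACME problem documents out of acme.sh debug output like the excerpts quoted above and counts them per day, which shows whether a renewal has been failing on every daily attempt. The log line format is assumed to match the quoted excerpts, the sample log is constructed, and the log file path is whatever you pass as the first argument.

```python
import json
import re
import sys
from collections import Counter

# Constructed sample shaped like the acme.sh debug output quoted in this thread.
SAMPLE_LOG = """\
[Mon Mar 17 05:00:12 GMT 2025] code='400'
[Mon Mar 17 05:00:12 GMT 2025] response='{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization must be pending",
  "status": 400
}'
[Tue Mar 18 09:13:23 GMT 2025] original='{"type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400}'
[Tue Mar 18 09:13:23 GMT 2025] response='{"type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400}'
[Tue Mar 18 10:49:30 GMT 2025] Upgrade successful!
"""

# Only response= is matched; original= repeats the same body and would double count.
STAMP = re.compile(r"\[(\w{3} \w{3} [ \d]\d) [\d:]{8} \w+ (\d{4})\] response='")
ACME_ERROR_PREFIX = "urn:ietf:params:acme:error:"  # error namespace from RFC 8555

def acme_problems(log_text):
    """Yield (day, problem) for every ACME problem document logged as a response."""
    decoder = json.JSONDecoder()
    for match in STAMP.finditer(log_text):
        try:
            # raw_decode stops at the end of the JSON value, so multi-line and
            # nested bodies are handled without guessing where the quote closes.
            doc, _ = decoder.raw_decode(log_text, match.end())
        except json.JSONDecodeError:
            continue  # body was empty or not JSON
        if isinstance(doc, dict) and str(doc.get("type", "")).startswith(ACME_ERROR_PREFIX):
            yield f"{match.group(1)} {match.group(2)}", doc

def summarise(log_text):
    """Count failures per (day, short error type, detail)."""
    counts = Counter()
    for day, doc in acme_problems(log_text):
        kind = doc["type"][len(ACME_ERROR_PREFIX):]
        counts[(day, kind, doc.get("detail", ""))] += 1
    return counts

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for (day, kind, detail), n in summarise(text).items():
        print(f"{day}  {kind:<12} x{n}  {detail}")
```

A failure that shows up on consecutive days with the same detail points at something persistent between the CA and the server, such as the closed port discussed in the thread, rather than a one-off CA error.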