Resolved Let's Encrypt certificate expiration notice for domain "cdn.example.com" (and 1 more)

[Azurel]

I get mails with

Hello,

Your certificate (or certificates) for the names listed below will expire in 9 days. Please make sure to renew your certificate before then, or visitors to your website will encounter errors.

We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
Integration Guide - Let's Encrypt - Free SSL/TLS Certificates for details.

list-of-domains

For any questions or support, please visit Let's Encrypt Community Support. Unfortunately, we can't provide support by email.

The mails are not wrong, firefox showed me it get expired in few days.

Now its expired and not secure anymore.

What happen here? Here are no errors in:

- /usr/local/psa/var/modules/letsencrypt/logs/letsencrypt.log Last update is from march 2017!
- /var/log/plesk/panel.log
The last two months only messages like

ERR [panel] [Action Log] Failed login attempt with login 'admin' from IP 46.183.*.*
ERR [1] PHP Warning: Error while sending QUERY packet. PID=3281; File: /usr/local/psa/admin/externals/Zend/Db/Statement/Pdo.php, Line: 228

And I can access all (sub-)domains with
http://cdn.example.com/.well-known/acme-challenge/
and
https://cdn.example.com/.well-known/acme-challenge/

In topic Let’s Encrypt Secured Plesk Not Renewing IgorG said:

# crontab -l | grep letsen
3 16 * * * /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

My output is empty.

Tools / Schudele Tasks have the entry
/usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php' for update hourly at 14min.
Is this not a very important task, so its should report by errors? Actual its set "Do not notify".

I have run it per "Run Now"-button and result was "successfully completed in 74 seconds.". AND expired domains have now a valid certificate.
I have received a mail with

Let's Encrypt certificates for ,,,, have been issued/renewed

and a bunch list of domains

What is here the problem with this scheduled task? Why its not working automatically?

OS ‪CentOS Linux 7.5.1804 (Core)‬
Product Plesk Onyx Version 17.5.3 Update #54, last updated on July 24, 2018 03:23 AM

 

[Monty]

Did you check if the cron service is running?
What's the output of systemctl status crond.service
Check your cron log file at /var/log/cron if the let's encrypt cronjob is executed every day

 

[Azurel]

I get this results

# systemctl status crond.service
● crond.service - Command Scheduler
Loaded: loaded (/usr/lib/systemd/system/crond.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2018-08-07 22:14:55 CEST; 1 weeks 0 days ago
Main PID: 585 (crond)
CGroup: /system.slice/crond.service
└─585 /usr/sbin/crond -n

Aug 15 09:45:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 10:00:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 10:15:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 10:30:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 10:45:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 11:00:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 11:15:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 11:30:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 11:45:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)
Aug 15 12:00:01 mail crond[585]: (/opt/plesk/php/7.2/bin/php) ERROR (getpwnam() failed)

This error have nothing todo with letsencrypt. I found that this is a matomo cron without user

0,15,30,45 * * * * /opt/plesk/php/7.2/bin/php /var/www/vhosts/example.com/analytics.example.com/matomo/console core:archive --url=https://analytics.example.com > /home/analytics/piwik-archive.log
I changed it to
0,15,30,45 * * * * root /opt/plesk/php/7.2/bin/php -q /var/www/vhosts/example.com/analytics.example.com/matomo/console core:archive --url=https://analytics.example.com > /home/analytics/piwik-archive.log
Now log is fine
Aug 15 12:30:01 mail CROND[12078]: (root) CMD (/opt/plesk/php/7.2/bin/php -q /var/www/vhosts/example.com/analytics.example.com/matomo/console core:archive --url=https://analytics.example.com > /home/analytics/piwik-archive.log)

Why not listed letsencrypt in cron-file?

 

[Monty]

In topic Let’s Encrypt Secured Plesk Not Renewing IgorG said:

My output is empty.

I missed this part. Your output of crontab -l should show an entry for the Let's Encrypt job. My output is:

# crontab -l | grep letsencrypt
36      *       *       *       *       /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php'

If you don't see this then you're probably missing the cronjob. Either install it manually or re-install the Let's Encrypt extension.

 

[Azurel]

How I can install it manually? I wonder how this crontab can get missing. And why is here a scheduled task, when there is a crontab?

 

[Monty]

You may have deleted them by accident when you were logged in on the server in the shell.

The list of scheduled tasks in the Plesk interface is retrieved from the Plesk database and not from the "crontab" output. So if you change the cronjobs manually on the server you need to hit the "Refresh" button in the Plesk interface (in the Scheduled Task menu) to reflect the changes.

To add the cronjob manually, do "crontab -e" and enter the line I pasted above. Or re-install the Let's Encrypt extension.

 

[Azurel]

Thanks for helping! Ah f*ck, I see I have accident override (a month ago) the crontab with crontab <file>. And centos/plesk make no backups from this files. That very bad.I'm so stupid.

Can anybody give me the needed content from file /var/spool/cron/root for
OS ‪CentOS Linux 7.5.1804 (Core)‬, Product Plesk Onyx Version 17.5.3 Update #54

or is this only this single line?
3 16 * * * /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

 

[Monty]

This is what I have. Please note: I'm using the Wordpress Toolkit and Let's Encrypt extensions. You may need some more cronjobs if you have some other extensions.

MAILTO=""
36      *       *       *       *       /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php'
0       0       *       *       *       /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/wp-toolkit/scripts/instances-auto-update.php'
49      *       *       *       *       /usr/local/psa/admin/bin/php -dauto_prepend_file=sdk.php '/usr/local/psa/admin/plib/modules/wp-toolkit/scripts/maintenance.php'

 

[Azurel]

I only use letsencrypt and nodejs. Thanks for your big help!