
Question Let's Encrypt - How to do renewal manually

Discussion in 'Plesk Extensions' started by onycro, Jul 13, 2017.

  1. onycro

    onycro Basic Pleskian

    Hey there,

    I have multiple domains using Plesk Onyx with Let's Encrypt.
    One certificate of domain A seems to be auto-renewed.
    Another certificate of domain B seems to expire within a year and seems to be "static".
    Both certificates are managed/created by the extension.

    How would I turn the certificate on domain B into an auto-renew certificate?
    I couldn't find any setting/button for that.

    Regards
    onycro
     
  2. Peter Debik

    Peter Debik Golden Pleskian Plesk Guru

    All Let's Encrypt certificates auto-renew in time before they expire. Certificates that have not been issued by the Let's Encrypt certificate authority will not auto-renew.
     
  3. Yves Vogl

    Yves Vogl Basic Pleskian

    Sorry, but that's not true. I've seen a lot of certificates which had not been renewed due to unclear failures.
     
  4. Peter Debik

    Peter Debik Golden Pleskian Plesk Guru

    If a certificate does not auto-renew, an error message is mailed to the address that was entered into the correspondence address field upon certificate creation. The message explains why a renewal fails. Auto-renewal is attempted daily if it fails on one day, so there should be plenty of time to act before a cert really expires.
     
  5. Yves Vogl

    Yves Vogl Basic Pleskian

    Hi Peter, thanks for getting back to me. I really appreciate this!

    In my case, certificates used for securing mail and Plesk itself are not automatically renewed.
    When I run:

    /opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

    I get the following message:

    [2017-11-30 18:35:43] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/WjNO76ZDMdXl1YdFRGnKycKoomTuGLtdjMyZWLdnOhU.
    Details:
    Type: urn:acme:error:connection
    Status: 400
    Detail: Fetching http://example-redacted.com/.well-known/acme-challenge/Vc23bBGn_UIoV1jcexQn-yo-F-dZ7rLUYaZh6QVTUrc: Timeout


    [2017-11-30 18:35:45] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example2-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/LF81fxpVyPotij2lhdM79VDFAPH4Y-cH4AN6NpyM3rk.
    Details:
    Type: urn:acme:error:unauthorized
    Status: 403
    Detail: Invalid response from http://example2-redacted.com/.well-known/acme-challenge/gzSv16-sagqvkXJL44AH3kaME3Xf6rWZfGLQOqfZvDc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p"


    So you can see clearly that 2 domains are failing. But the system contains a lot more domains, and currently both certificates securing the panel and Plesk are outdated. And not extended. And they are not mentioned in the error message.
     
  6. Peter Debik

    Peter Debik Golden Pleskian Plesk Guru

    In order for the certificate to renew, the domain must be accessible from the Internet. According to your error messages, this is not the case. Either the domain web space directory is inactive, missing or misconfigured, or the DNS entry for that domain is pointing to a different host. In that case it is impossible to create or renew a Let's Encrypt certificate. When you manage to make the domains accessible from the Internet (so that in theory the /.well-known/acme-challenge/... file can be read), renewal will succeed.
     
  7. Yves Vogl

    Yves Vogl Basic Pleskian

    I know that, of course. Both domains mentioned in the error message are failing because they are either not routed to the server or the customer has deployed an htaccess file with a RewriteRule which causes this issue. So it's OK that they fail and they are meant to fail as long as the customer does not fix these issues or remove the certificate.

    But - those are NOT the domains which are not being extended. For the domains which are not being extended there's no error message shown.
    Do you know what I mean?
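
The cross-check described in posts 5 and 7 above (certificates close to expiry that never show up in the renewal errors), as an added example that is not part of the original thread or of Plesk's code: it parses renew.php output in the format quoted in post 5 and compares it with a certificate inventory. The log text, host names, expiry dates and the 30-day window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the renew.php output format quoted in the thread;
# <id> and <token> stand in for the real ACME identifiers.
RENEW_LOG = """\
[2017-11-30 18:35:43] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/<id>.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://example-redacted.com/.well-known/acme-challenge/<token>: Timeout
[2017-11-30 18:35:45] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example2-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/<id>.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example2-redacted.com/.well-known/acme-challenge/<token>
"""

# Constructed inventory: name -> (what the certificate secures, notAfter).
# Real notAfter values can be read with `openssl x509 -noout -enddate`.
INVENTORY = {
    "example-redacted.com": ("domain", datetime(2017, 12, 5)),
    "panel.example.test": ("Plesk panel", datetime(2017, 11, 28)),
    "mail.example.test": ("mail", datetime(2017, 12, 2)),
    "shop.example.test": ("domain", datetime(2018, 2, 20)),
}

HEADER = re.compile(r"^\[[\d\- :]+\] ERR \[extension/letsencrypt\] "
                    r"Failed to renew certificate of domain '([^']+)'")
FIELD = re.compile(r"^(Type|Status): (.+)$")

def parse_failures(log_text):
    """Map each failed domain to its ACME error type and HTTP status."""
    failures, current = {}, None
    for line in map(str.strip, log_text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = failures.setdefault(m[1], {})
            continue
        f = FIELD.match(line)
        if f and current is not None:
            current[f[1].lower()] = f[2]
    return failures

def silent_non_renewals(inventory, failures, now, window_days=30):
    """Certificates inside the renewal window that logged no error."""
    deadline = now + timedelta(days=window_days)
    return sorted((name, usage) for name, (usage, end) in inventory.items()
                  if end <= deadline and name not in failures)
```
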
     
  8. Yves Vogl

    Yves Vogl Basic Pleskian

    By the way: the first domain which is mentioned in the error message is deactivated. So it's clear why Let's Encrypt renew fails. But that has nothing to do with the other certificates I'm talking about.
     
    Last edited: Nov 30, 2017
  9. Yves Vogl

    Yves Vogl Basic Pleskian

    Alright. I think I can reproduce the issue.

    Certificates added to the server pool by using the "Lets Encrypt" button from within the interface where you can assign certificates for mail and the panel are not being renewed automatically.
     
  10. Greg Voronov

    Greg Voronov New Pleskian Staff Member

    There are certain limitations with using the same certificates for securing domains and Plesk itself at the same time; see, for instance, "Domain certificate cannot be renewed: One of the certificates you are going to delete is used for securing Plesk". It is recommended to use separate certificates for Plesk and for all the domains even if the Plesk certificate is supposed to use the same DN as one of your domains.
    However, since you found a certain way to reproduce the issue, I would ask you to provide more info about your environment (Plesk version, OS, extension version) and precise steps to get the wrong behavior.
     