
Question Let's Encrypt - How to do renewal manually

onycro

Basic Pleskian
Hey there,

I have multiple domains using Plesk Onyx with Let's Encrypt.
One certificate of domain A seems to be auto-renewed.
Another certificate of domain B seems to expire within a year and seems to be "static".
Both certificates are managed/created by the extension.

How would I turn the certificate on domain B into an auto-renew certificate?
I couldn't find any setting/button for that.

Regards
onycro
 
All Let's Encrypt certificates auto-renew in time before they expire. Certificates that have not been issued by the Let's Encrypt certificate authority will not auto-renew.
 
Sorry, but that's not true. I've seen a lot of certificates which had not been renewed due to unclear failures.
 
If a certificate does not auto-renew, an error message is mailed to the address that was entered into the correspondence address field upon certificate creation. The message explains why a renewal fails. Auto-renewal is attempted daily if it fails on one day, so there should be plenty of time to act before a cert really expires.
 
Hi Peter, thanks for getting back to me. I really appreciate this!

In my case certificates used for securing mail and plesk itself are not automatically renewed.
When I run:

/opt/psa/admin/bin/php -dauto_prepend_file=sdk.php '/opt/psa/admin/plib/modules/letsencrypt/scripts/renew.php'

I get the following message:

[2017-11-30 18:35:43] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/WjNO76ZDMdXl1YdFRGnKycKoomTuGLtdjMyZWLdnOhU.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://example-redacted.com/.well-known/acme-challenge/Vc23bBGn_UIoV1jcexQn-yo-F-dZ7rLUYaZh6QVTUrc: Timeout


[2017-11-30 18:35:45] ERR [extension/letsencrypt] Failed to renew certificate of domain 'example2-redacted.com': Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/LF81fxpVyPotij2lhdM79VDFAPH4Y-cH4AN6NpyM3rk.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example2-redacted.com/.well-known/acme-challenge/gzSv16-sagqvkXJL44AH3kaME3Xf6rWZfGLQOqfZvDc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"


So you can see clearly that 2 domains are failing. But the system contains a lot more domains, and currently both certificates securing the panel and plesk are outdated and not extended. And they are not mentioned in the error message.
 
In order for the certificate to renew, the domain must be accessible from the Internet. According to your error messages, this is not the case. Either the domain web space directory is inactive, missing or misconfigured, or the DNS entry for that domain is pointing to a different host. In that case it is impossible to create or renew a Let's Encrypt certificate. When you manage to make the domains accessible from the Internet (so that in theory the /.well-known/acme-challenge/... file can be read), renewal will succeed.
 
I know that, of course. Both domains mentioned in the error message are failing because they are either not routed to the server or the customer has deployed an htaccess file with a RewriteRule which causes this issue. So it's OK that they fail, and they are meant to fail as long as the customer does not fix these issues or remove the certificate.

But - those are NOT the domains which are not being extended. For the domains which are not being extended there's no error message shown.
Do you know what I mean?
 
By the way: the first domain which is mentioned in the error message is deactivated. So it's clear why Let's Encrypt renew fails. But that has nothing to do with the other certificates I'm talking about.
 
Alright. I think I can reproduce the issue.

Certificates added to the server pool by using the "Lets Encrypt" button from within the interface where you can assign certificates for mail and the panel are not being renewed automatically.
 
There are certain limitations with using the same certificates for securing domains and Plesk itself at the same time, see Domain certificate cannot be renewed: One of the certificates you are going to delete is used for securing Plesk for instance. It is recommended to use separate certificates for Plesk and for all the domains even if Plesk certificate is supposed to use the same DN as one of your domains.
However, since you found a certain way to reproduce the issue, I would ask you to provide more info about your environment (Plesk version, OS, extension version) and the precise steps to get the wrong behavior.
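
An added example, not part of the original thread and not Plesk's own code: it parses renew.php error output in the format quoted above and cross-checks it against a certificate inventory, so that certificates close to expiry that produced no error entry (the silent case described in the thread) stand out. The inventory dict, the 30-day window, the hint texts and all domain names are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format renew.php printed in the thread (placeholder domains/tokens).
SAMPLE_LOG = """\
[2017-11-30 18:35:43] ERR [extension/letsencrypt] Failed to renew certificate of domain 'a.example': Invalid response from https://acme.invalid/authz/TOKEN1.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://a.example/.well-known/acme-challenge/TOKEN1: Timeout

[2017-11-30 18:35:45] ERR [extension/letsencrypt] Failed to renew certificate of domain 'b.example': Invalid response from https://acme.invalid/authz/TOKEN2.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://b.example/.well-known/acme-challenge/TOKEN2: 404 Not Found
"""

# Constructed inventory: certificate name -> notAfter (assumed to be collected separately).
SAMPLE_CERTS = {
    "a.example": datetime(2017, 12, 5),
    "b.example": datetime(2018, 1, 20),
    "panel-and-mail.example": datetime(2017, 11, 28),  # expired, never appears in the log
    "c.example": datetime(2018, 2, 15),
}

HINTS = {  # assumed mapping of ACME error type to the causes discussed in the thread
    "connection": "validator could not reach the host (DNS elsewhere, domain deactivated)",
    "unauthorized": "challenge file not served (rewrite rule, wrong document root)",
}

ENTRY = re.compile(
    r"^\[(?P<ts>[\d\- :]+)\] ERR \[extension/letsencrypt\] Failed to renew certificate "
    r"of domain '(?P<domain>[^']+)':.*?^Type: urn:acme:error:(?P<type>\w+)\s*"
    r"^Status: (?P<status>\d+)", re.M | re.S)

def parse_failures(log):
    """Return {domain: (acme_error_type, http_status, hint)} for every logged failure."""
    return {m["domain"]: (m["type"], int(m["status"]), HINTS.get(m["type"], "see Detail line"))
            for m in ENTRY.finditer(log)}

def silent_non_renewals(certs, failures, now, window_days=30):
    """Certificates inside the (assumed) renewal window with no error entry at all."""
    limit = now + timedelta(days=window_days)
    return sorted(n for n, not_after in certs.items() if not_after <= limit and n not in failures)

if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print(fails)
    print("silent:", silent_non_renewals(SAMPLE_CERTS, fails, datetime(2017, 11, 30)))
```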
 