• Please be aware: Kaspersky Anti-Virus has been deprecated
    With the upgrade to Plesk Obsidian 18.0.64, "Kaspersky Anti-Virus for Servers" will be automatically removed from the servers it is installed on. We recommend that you migrate to Sophos Anti-Virus for Servers.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Forwarded to devs Let's Encrypt wildcard cartificates cannot be renewed automatically

D

D3nnis3n

Regular Pleskian
User name: D3nnis3n

TITLE

Let's Encrypt wildcard cartificates cannot be renewed automatically

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.28 Update Nr. 3, Ubuntu 18.04.4 LTS, AMD64

PROBLEM DESCRIPTION

When activating the auto-renewal of Let's Encrypt Wildcard Certificates (which should be possible as of Let's Encrypt Extension Version 2.7.0) the renewal is failing and the administrators gets sent the following message for all wildcard domains via e-mail:

* 'Lets Encrypt xxx' [days to expire: xx]
[-] *.xxx
[-] xxx


Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/xxxxx/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 404
Detail: No order for ID xxxx
Click to expand...

Both [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID and Unable to install a Let´s Encrypt certificate in Plesk: urn:ietf:params:acme:error:malformed are NOT applicable / do NOT fix the issue.

We are using Plesk as Primary DNS controller, so it's not either the known issue when using a third-party DNS server.
Let's Encrypt is configured to renew 90 days before expiring, with the cronjobs for renewal of both SSLit! and Let's Encrypt set to be executed every 1st Month instead of every day.

This issue does not happen for non-wildcard certificates, they renew fine. The issue did not happen on Plesk Onyx either, wildcards renewed fine back then.

STEPS TO REPRODUCE

1. Set renew-before-expiration = 90 in [ext-letsencrypt] in panel.ini.
2. Reconfigure the autorenew cronjobs to trigger every first of month.
3. Issue a autorenewing wildcard certificate for a domain.
4. Wait until it's renewal time.
5. See it hasn't been renewed and get the message:
* 'Lets Encrypt xxx' [days to expire: xx]
[-] *.xxx
[-] xxx


Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/xxxxx/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 404
Detail: No order for ID xxxx
Click to expand...

Steps 1 and 2 are optional, it's not working with the default configuration either, unfortunately.

ACTUAL RESULT

The wildcard certificate is not automatically renewed and needs to be renewed manually.

EXPECTED RESULT

The wildcard certificate is automatically renewed.

ANY ADDITIONAL INFORMATION
See here: Issue - Let's Encrypt Issues with Renewal


YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug / Help sorting out (Fixing it)
 
Last edited:
@D3nnis3n

It is a first report about "No order for ID" issue since we've released EXTLETSENC-765 fix.

Please contact with our support Plesk Help Center or try to fix the issue yourself.

If you decide to fix the issue yourself you may try to renew one of these certificates manually via UI or use a workaround from [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID

Code: 
1 Connect to the Plesk server via SSH

2 Search for the JSON file which contains the Let's Encrypt order in the /usr/local/psa/var/modules/letsencrypt/orders folder:

egrep -Ril example.com /usr/local/psa/var/modules/letsencrypt/orders

/usr/local/psa/var/modules/letsencrypt/orders/c92788fed3b07d20e4ad823731285d30f0c88dcb.json

Note: replace the example.com with the name of the affected domain.

3 Remove the JSON file retrieved with the previous command:

rm /usr/local/psa/var/modules/letsencrypt/orders/c92788fed3b07d20e4ad823731285d30f0c88dcb.json

4 Reissue the Let's Encrypt certificate
 
Hello cepesh84,
i've already done these steps (as mentioned in the OP) several times, the issue persisted through any renewals nontheless. These workarounds / fixes are ineffective, removing the orders will lead to the renewal failing with the same error the next time it's supposed to be renewed automatically again. I'm unable to get it to automatically renew. Manual renewal is not a problem, but i don't want to do that. I want it to renew automatically. But no matter how often i apply these fixes, the next renewal will fail with the order error again.

I do not have access to the Help Center, as i didn't buy the license from plesk and am not willing to pay for a bug report. My retailer recommended to report it as bug in these forums instead - which i did in the hope for an effective bugfix.

Both [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID and Unable to install a Let´s Encrypt certificate in Plesk: urn:ietf:params:acme:error:malformed are NOT applicable / do NOT fix the issue.
Click to expand...
 
Hello @D3nnis3n,

I can't say anything for sure without access to a server, but we had a list of the tickets about this issue and workaround was fixing it.
Do you a problem with renewal of all wildcard certificates on your server or just some of them?

Let's try to investigate issue without involving a support team. You should choose a one of domains with the problem.

Open `psa` database in console
Code: 
plesk db

SELECT name, id, guid FROM `domains` where name = '<name-of-domain-with-issue>';
Create a backup of sslit database:
Code: 
cp /usr/local/psa/var/modules/sslit/sslit.sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3.backup
open sslit db:
Code: 
sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3
.headers on
select * from orders where domainGuid = '<guid-from-psa-database>';
How much orders with status = 0 do you have?

if there are a lot of such orders, please look to their attributes. You should compare 'registrationEmail' attribute of last orders with status 0 & 1 for this domain. Do they differ from each other?

You may use this query to get attributes of the order:
Code: 
select * from OrderAttribute where orderId = <order-id>;
 
Sorry cepesh, i saw this post too late - i have since removed SSLit completely in the hope renewal would work again today. Unfortunately it seems like it hasnt tried renewing the wildcards today at all, e.g. no error no success. Only non-wildcards have been renewed. Earlier this worked just fine without SSLit. I'll reinstall the plugin, but obviously we'll need to wait a bit for new order ids and data.
 
Actually, they did renew, just an hour later as it does UTC. Well, it works without SSLit, so i'm throwing that plugin out.
 
You must log in or register to reply here.

Similar threads

Hangover2
Forwarded to devs SSL It! breaks renewal and usage of Let's Encrypt wildcard certificates when subdomains are involved
2 3
Replies
48
Views
10K
gsk
gsk
D
Issue Automatic renewal via SSLit doesn't work for wildcard certificates
Replies
3
Views
1K
D3nnis3n
D
D
Question Renewing Let's encrypt automatically
Replies
3
Views
495
Kaspar
K
Bitpalast
Resolved SSL create and renew errors on random domains / possibly a Let's Encrypt issue, but maybe only in combination with Plesk
Replies
11
Views
1K
Change Maker
C
K
Question Renewing Let's Encrypt with external DNS servers
Replies
5
Views
1K
klowet
K
Back
Top