
Forwarded to devs Let's Encrypt wildcard certificates cannot be renewed automatically

D3nnis3n

Regular Pleskian

TITLE

Let's Encrypt wildcard certificates cannot be renewed automatically

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE

Plesk Obsidian 18.0.28 Update Nr. 3, Ubuntu 18.04.4 LTS, AMD64

PROBLEM DESCRIPTION

When activating the auto-renewal of Let's Encrypt wildcard certificates (which should be possible as of Let's Encrypt Extension version 2.7.0), the renewal fails and the administrator is sent the following message for all wildcard domains via e-mail:

* 'Lets Encrypt xxx' [days to expire: xx]
[-] *.xxx
[-] xxx


Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/xxxxx/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 404
Detail: No order for ID xxxx

Both [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID and Unable to install a Let's Encrypt certificate in Plesk: urn:ietf:params:acme:error:malformed are NOT applicable / do NOT fix the issue.

We are using Plesk as the primary DNS controller, so it's not the known issue with third-party DNS servers either.
Let's Encrypt is configured to renew 90 days before expiry, with the renewal cronjobs for both SSL It! and Let's Encrypt set to be executed on the 1st of each month instead of every day.

This issue does not happen for non-wildcard certificates, they renew fine. The issue did not happen on Plesk Onyx either, wildcards renewed fine back then.

STEPS TO REPRODUCE

1. Set renew-before-expiration = 90 in [ext-letsencrypt] in panel.ini.
2. Reconfigure the auto-renew cronjobs to trigger on the first of each month.
3. Issue an auto-renewing wildcard certificate for a domain.
4. Wait until its renewal time.
5. See that it hasn't been renewed and get the message:
* 'Lets Encrypt xxx' [days to expire: xx]
[-] *.xxx
[-] xxx


Invalid response from https://acme-v02.api.letsencrypt.org/acme/order/xxxxx/xxxxxx.
Details:
Type: urn:ietf:params:acme:error:malformed
Status: 404
Detail: No order for ID xxxx

Steps 1 and 2 are optional, it's not working with the default configuration either, unfortunately.

ACTUAL RESULT

The wildcard certificate is not automatically renewed and needs to be renewed manually.

EXPECTED RESULT

The wildcard certificate is automatically renewed.

ANY ADDITIONAL INFORMATION
See here: Issue - Let's Encrypt Issues with Renewal


YOUR EXPECTATIONS FROM PLESK SERVICE TEAM

Confirm bug / Help sorting out (Fixing it)
@D3nnis3n

This is the first report of the "No order for ID" issue since we released the EXTLETSENC-765 fix.

Please contact our support (Plesk Help Center) or try to fix the issue yourself.

If you decide to fix the issue yourself you may try to renew one of these certificates manually via UI or use a workaround from [FIXED BUG] Unable to install a Let's Encrypt certificate: Order's status ("pending") is not acceptable for finalization or No order for ID

Code:
1 Connect to the Plesk server via SSH

2 Search for the JSON file which contains the Let's Encrypt order in the /usr/local/psa/var/modules/letsencrypt/orders folder (recursive, case-insensitive, list matching files only):

grep -Ril example.com /usr/local/psa/var/modules/letsencrypt/orders

/usr/local/psa/var/modules/letsencrypt/orders/c92788fed3b07d20e4ad823731285d30f0c88dcb.json

Note: replace example.com with the name of the affected domain.

3 Remove the JSON file retrieved with the previous command:

rm /usr/local/psa/var/modules/letsencrypt/orders/c92788fed3b07d20e4ad823731285d30f0c88dcb.json

4 Reissue the Let's Encrypt certificate
 
Hello cepesh84,
I've already done these steps (as mentioned in the OP) several times; the issue persisted through all renewals nonetheless. These workarounds / fixes are ineffective: removing the orders will lead to the renewal failing with the same error the next time it's supposed to be renewed automatically again. I'm unable to get it to renew automatically. Manual renewal is not a problem, but I don't want to do that. I want it to renew automatically. But no matter how often I apply these fixes, the next renewal will fail with the order error again.

I do not have access to the Help Center, as I didn't buy the license from Plesk and am not willing to pay for a bug report. My retailer recommended reporting it as a bug in these forums instead, which I did in the hope of an effective bugfix.

 
Hello @D3nnis3n,

I can't say anything for sure without access to a server, but we had a list of tickets about this issue and the workaround fixed them.
Do you have a problem with the renewal of all wildcard certificates on your server, or just some of them?

Let's try to investigate the issue without involving the support team. Choose one of the domains with the problem.

Open `psa` database in console
Code:
plesk db

SELECT name, id, guid FROM `domains` where name = '<name-of-domain-with-issue>';
Create a backup of the SSL It! database:
Code:
cp /usr/local/psa/var/modules/sslit/sslit.sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3.backup
Open the SSL It! database:
Code:
sqlite3 /usr/local/psa/var/modules/sslit/sslit.sqlite3
.headers on
select * from orders where domainGuid = '<guid-from-psa-database>';
How many orders with status = 0 do you have?

If there are a lot of such orders, please look at their attributes. Compare the 'registrationEmail' attribute of the last orders with status 0 and 1 for this domain. Do they differ from each other?

You may use this query to get attributes of the order:
Code:
select * from OrderAttribute where orderId = <order-id>;
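The checks above (count pending orders, compare registrationEmail across the newest status 0 and status 1 orders) as one script. This is an added example, not Plesk's or SSL It!'s own code; the column names `id`, `domainGuid`, `status`, `created` on `orders` and `orderId`, `name`, `value` on `OrderAttribute` are assumptions, and the sample data is constructed so it runs offline. Point `sqlite3.connect()` at the `.backup` copy made above to run it against a real server.

```python
"""Diagnose SSL It! orders for one domain (added example, assumed schema)."""
import sqlite3

# Assumed layout of the two tables queried in the thread.
SCHEMA = """
CREATE TABLE orders (id INTEGER PRIMARY KEY, domainGuid TEXT,
                     status INTEGER, created TEXT);
CREATE TABLE OrderAttribute (orderId INTEGER, name TEXT, value TEXT);
"""

# Constructed sample: one domain with a finished order (status 1) and two
# pending orders (status 0); the newest pending one uses a different e-mail.
SAMPLE = [
    ("orders", (1, "guid-example", 1, "2020-01-01")),
    ("orders", (2, "guid-example", 0, "2020-03-01")),
    ("orders", (3, "guid-example", 0, "2020-04-01")),
    ("OrderAttribute", (1, "registrationEmail", "admin@example.com")),
    ("OrderAttribute", (2, "registrationEmail", "admin@example.com")),
    ("OrderAttribute", (3, "registrationEmail", "other@example.com")),
]


def sample_db():
    """In-memory stand-in for sslit.sqlite3 filled with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    for table, row in SAMPLE:
        marks = ",".join("?" * len(row))
        con.execute(f"INSERT INTO {table} VALUES ({marks})", row)
    return con


def latest_order(con, guid, status):
    """(id, registrationEmail) of the newest order for guid with this status."""
    return con.execute(
        "SELECT o.id, a.value FROM orders o "
        "LEFT JOIN OrderAttribute a ON a.orderId = o.id "
        "AND a.name = 'registrationEmail' "
        "WHERE o.domainGuid = ? AND o.status = ? "
        "ORDER BY o.created DESC LIMIT 1", (guid, status)).fetchone()


def diagnose(con, guid):
    """Count pending orders and flag a registrationEmail mismatch."""
    pending = con.execute(
        "SELECT COUNT(*) FROM orders WHERE domainGuid = ? AND status = 0",
        (guid,)).fetchone()[0]
    last_pending, last_done = latest_order(con, guid, 0), latest_order(con, guid, 1)
    mismatch = bool(last_pending and last_done and last_pending[1] != last_done[1])
    return {"pending_orders": pending, "email_mismatch": mismatch}


if __name__ == "__main__":
    print(diagnose(sample_db(), "guid-example"))
```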
 
Sorry cepesh, I saw this post too late; I have since removed SSL It! completely in the hope renewal would work again today. Unfortunately it seems like it hasn't tried renewing the wildcards today at all, i.e. no error, no success. Only non-wildcards have been renewed. Earlier this worked just fine without SSL It!. I'll reinstall the plugin, but obviously we'll need to wait a bit for new order IDs and data.
 
Actually, they did renew, just an hour later, as it runs on UTC. Well, it works without SSL It!, so I'm throwing that plugin out.
 