Topic: Renewing letsencrypt certificate

[JRBATM20192021]

Hi,

I need to renew my lets encrypt certificate but I can't figure out what I need to do for that... I tried reinstalling it but that didn't work. What code do I need to use to update my lets encrypt certificate?

[sages]

RTFW https://wiki.koozali.org/Letsencrypt

[ReetP]

RTFW

Damn I nearly spat my coffee out

[ReetP]

Hi,

I need to renew my lets encrypt certificate but I can't figure out what I need to do for that... I tried reinstalling it but that didn't work. What code do I need to use to update my lets encrypt certificate?

Also, for SME technical questions use the correct forums -

Koozali SME Server v10
https://forums.contribs.org/index.php/board,34.0.html

Koozali SME Server v10 Contribs
https://forums.contribs.org/index.php/board,36.0.html

if you are still on v9 then don't bother asking....... upgrade.

[JRBATM20192021]

I RTFW I wouldn't have asked if what I tried worked

It didn't go I tried updating first I get this error

]# yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: centos.mirrors.hoobly.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: mirrors.xtom.com
4455 packages excluded due to repository priority protections
No packages marked for update

Then I tried Installing a new one which didn't work either.

I will use the correct forum in the future

FYI I am using SME 10

Thanks.

[sages]

So far you've asked how to update your letsencrypt certificate and stated that you don't know how. Then you stated that you tried to reinstall something, followed by a request for code.
Your later reply suggests that you have tried to update the letsencrypt contrib. Lastly you tried to 'install a new one'.
I'm guessing you are a little confused and frustrated.
Funnily enough, so are the people who may be able to help you.

What exactly have you done?
What logs have you looked at?
What messages have you seen when you tried whatever you have done?
if you are trying to update your letsencrypt certificate why have you tried to reinstall the contrib? has you problem changed from your original post? What is the actual problem you are trying to resolve?


We need some clues. Trying to second guess what you are doing and playing forty questions gets rather tiring very quickly.
I don't know what your profession is, and it doesn't matter, but try sticking ear muffs, blindfold and handcuff your hands behind you. Now imagine someone is requesting your professional assistance.
I've got a suspicion that you may feel rather confused and frustrated. QED

[Jean-Philippe Pialasse]

moved topic to contribs 10

[JRBATM20192021]

Okay I have tried to update my lets encrypt certificate via a terminal window this is the code I tried to use

Updating
Few reported issue when upgrading the contribs see Bugzilla:10286 and Bugzilla:10097
A full update can be done as follow :
yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
It is important to do the usual
signal-event post-upgrade;  signal-event reboot
otherwise
signal-event console-save
failure to do this might leave the contribution not working and your certificates not renewed.

After doing that I was left with this Screenshot (attached) of an error of nothing marked to update and all packages are under protection......

And then I used all of the code in the wiki which I used to install Let encrypt back in July to "install a new one" but it didn't work either....

The logs say nothing except that i have been getting emails from lets encrypt saying my certificate is going to expire and I need to renew it.

No the problem has not changed I tried installing a new one because updating it didn't work.

Since the certificate is now expired Is there a way to "delete it" and just install a fresh new one?

Also is 3 months standard? Or Can I do a Year?

Okay I think I explained everything if I need to explain more just say.....

Thank you

[sages]

Quick glance.

Tip: if you use putty you can copy and paste using the mouse. Left click and drag the cursor over the text to copy. The highlighted text is copied into the clipboard. Right click to paste back into putty or ctrl-v into windows. Easier than a screen shot.

It also appears that smeserver-letencrypt is already installed and the latest versions, hence nothing to update.
That aside I think you are confusing updating the contrib with updating the actual certificate.

Now on my machine letsencrypt is configured as follows:
config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=xxxxxx@xxxx.xx.xx
    hookScript=disabled
    status=enabled
and
cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxx@xxxx.xx.xx
API="2"

PARAM_ACCEPT_TERMS="yes"

and
yum list installed | grep letsencrypt
smeserver-letsencrypt.noarch            0.5-17                    @smecontribs
yum list installed | grep dehydrated
dehydrated.noarch                       0.6.5-1.el7               @smeos

cat /home/e-smith/db/domains | grep letsencrypt
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|internet|letsencryptSSLcert|enabled
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|localhost|Removable|no|SystemPrimaryDomain|yes|letsencryptSSLcert|enabled
xxxxx.xxx.xx=domain|Content|xxxxx|Description|xxxx|Nameservers|internet|letsencryptSSLcert|enabled


So run the five highlighted commands above and show the response.

ps I believe the certificate validity duration is fixed. Changing it wouldn't resolve your underlying issue.

[sages]

And also
ls -a /home/e-smith/files/ibays/Primary/html | grep well-known

[JRBATM20192021]

Here what it said

config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=1
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=test
and

 cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
KEYSIZE="4096"
CONTACT_EMAIL=admin@domain1.com
API="1"

PARAM_ACCEPT_TERMS="yes"

and

 yum list installed | grep letsencrypt
smeserver-letsencrypt.noarch             0.5-17                   @smecontribs

and

yum list installed | grep dehydrated
dehydrated.noarch                        0.6.5-1.el7              @smeos

and

cat /home/e-smith/db/domains | grep letsencrypt
xxxx.com=domain|Content|Primary|Description|Primary domain|Nameservers|localhost|Removable|no|SystemPrimaryDomain|yes|letsencryptSSLcert|enabled

and

ls /home/e-smith/files/ibays/Primary/html/.well-known
ls: cannot access /home/e-smith/files/ibays/Primary/html/.well-known: No such file or directory

The one above is the only one that showed up wrong which I don't like because that means my problem is more complex then I want it to be..........

Also yes its installed... I did that in July has worked great and I have enjoyed it..... But Just ran out now which I don't like now....

Is there different code for updating??? I must be missing something.........

[sages]

Two things leap out
1/
https://wiki.koozali.org/Letsencrypt#Introduction
Big red box. Your configuration is for API=1, which is not supported.
The wiki has instructions for resolving this.
2/ your system does not have the folder "/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"

Without reading all of your previous posts, I suspect that somewhere in the past whilst 'fixing things' you have inadvertently removed this folder. It's kind of fundamental to how the renewal process works.

As there is a lot of other working installations out there I am leaning towards this missing folder being a created issue rather than a bug with the contrib.

Please run
cat /etc/httpd/conf/httpd.conf | grep well-known
 
So I can see if the folder is the only thing missing.
Then I'll try and give you some things to try and see if that resolves your issues.

[JRBATM20192021]

Okay here you go

 cat /etc/httpd/conf/httpd.conf | grep well-known
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
    Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/

Yes I probably screwed something up.... Since the certificate is expired I need to get it up again.

Any help is appreciated thanks....

[sages]

ok try this:

mkdir -p /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
then
chown apache:shared /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge
chmod 0775 /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge

then
follow the wiki
I'd suggest that you keep a record of what you type and the response. STOP at any error messages and reply back here with the commands and error messages. DO NOT CONTINUE IF AN ERROR IS REPORTED.

https://wiki.koozali.org/Letsencrypt#V2_API  scroll down to -> "For creating a new certificate or updating a V2 set to 2"
DO NOT ENABLE V1 API ONLY V2 API

Then follow the enable test mode and the test should now work. If not, stop and report back.
If the test works ok, then follow the wiki to enable production mode.

[JRBATM20192021]

Alright I started trying to install it again that's what you meant by follow the wiki right??

I started with these commands

# config show modSSL

By default it would show:

modSSL=service
   TCPPort=443
   access=public
   status=enabled

If this shows any values for crt, key, or CertificateChainFile, make a note of them. If you encounter an issue with the certificate files generated by Letsencrypt, you'll then be able to revert your changes. To make a 'backup' of your existing key and properties you can issue:

config show modSSL > "/root/db_configuration_modSSL_backup_$(date +%Y%m%d_%H%M%S)"

Then I ran this one

John Crisp has prepared a contrib that installs the dehydrated script, creates the appropriate configuration files, and integrates with the SME templates system. This is the simplest way to install dehydrated on your SME Server.
Installation

yum install smeserver-letsencrypt --enablerepo=smecontribs

and got this

[root@www ~]# yum install smeserver-letsencrypt --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: mirror.fileplanet.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: centos-distro.1gservers.com
4455 packages excluded due to repository priority protections
Package smeserver-letsencrypt-0.5-17.noarch already installed and latest version
Nothing to do

In case re installing was not what you meant I tried the update code

yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs

and I got this

[root@www ~]# yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
Loaded plugins: fastestmirror, post-transaction-actions, priorities, smeserver
Loading mirror speeds from cached hostfile
 * base: mirror.fileplanet.com
 * smeaddons: ftp.nluug.nl
 * smecontribs: ftp.nluug.nl
 * smeextras: ftp.nluug.nl
 * smeos: ftp.nluug.nl
 * smeupdates: ftp.nluug.nl
 * updates: mirror.chpc.utah.edu
4455 packages excluded due to repository priority protections
No packages marked for update
[root@www ~]#

Not sure what I'm doing wrong.

[ReetP]

The fundamental issue is a lack of understanding of what you are trying to achieve.

Renewing certificates != upgrading rpms

Classic http://xyproblem.info/

So you hadn't kept up with progress (if you want to administer a server you need to keep abreast of changes... This was discussed here before long ago) and your certs failed to update, so rather than understand the issue which was change to API 2 and re-generate your certs with 'dehydrated -c -x' (you should really enable test mode first to check) which would take about 2 minutes, you decided to remove the whole thing.

No, cert date periods are not decided by us so we can't change that. Again, go read why.  (If you really want longer periods you'll probably need to buy a certificate).

But a cronjob has taken the pain of renewal away and has been renewing them automagically since you first installed. So it is a non issue.

It just couldn't any more due to the API change.

Next time read thoroughly before attempting a solution, and if you are not sure then ask before trying.

[sages]

I think we are having a major communications failure here 
Read all of what I have posted in the last post.
I even gave you a link to where to start following the wiki.
ok, I didn't explicitely state not to follow the entire wiki.

got to here:

follow the wiki from here
https://wiki.koozali.org/Letsencrypt#V2_API  scroll down to -> "For creating a new certificate or updating a V2 set to 2"
DO NOT ENABLE V1 API ONLY V2 API

Then follow the enable test mode and the test should now work. If not, stop and report back.
If the test works ok, then continue to follow the wiki to enable production mode.

DO NOT TRY AND REINSTALL THE CONTRIB

[JRBATM20192021]

Yeah its me...... I'm exhausted been a long day.

It worked here is what it said

 config setprop letsencrypt API 2
[root@www ~]# signal-event console-save
[root@www ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=test
[root@www ~]# letsencrypt=service
[root@www ~]#    ACCEPT_TERMS=yes
[root@www ~]#    API=2
[root@www ~]#    configure=none
[root@www ~]#    email=####@#####.###
[root@www ~]#    hookScript=disabled
[root@www ~]#    status=enabled
[root@www ~]# config setprop letsencrypt status test
[root@www ~]# signal-event console-save
[root@www ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing xxxx.com with alternative names: mail.xxxx.com www.xxxx.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 14 01:57:52 2021 GMT (Less than 30 days). Renewing!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 3 authorizations URLs from the CA
 + Handling authorization for xxxx.com
 + Handling authorization for mail.xxxx.com
 + Handling authorization for www.xxxx.com
 + 3 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for xxxx.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.xxxx.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.xxxx.com authorization...
 + Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

Is there something else I need to do because it still says it's expired in a browser?

Thanks

[TerryF]

all good..been there effed that

That warm all over glow when you push the button and the bastard does what it is supposed to do..

have fun, life is to short

[JRBATM20192021]

hahaha  Yes its nice I was ready to trash the server and start over....

I agree life is too short.. I'm trying!

[JRBATM20192021]

Before you remind I'm an Idiot again. I got it.... Thanks for Helping me sorry being a pain in the rear......

[ReetP]

Because it still says it's expired in a browser

Have you read the test of the wiki where it says:

"Enable Production Mode"

Because from your comment above you are still in test mode.

[JRBATM20192021]

I did I'm sorry It works now I saved this discussion so I don't have to ask again in January being the administrator for this server is one of the many things I do. I knew it was expiring didn't have time to deal with it till now......

I'm Sorry for bothering you guys......

[sages]

You don't have to renew it next year, it checks automatically once a week and if less than 30 days are left to expiry it auto renews it.
YOU DON'T HAVE TO TOUCH ANYTHING.
LEAVE YOUR HANDS IN YOUR POCKETS. 

Admin or whoever the email is configured to in the config

config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=test

should get an email every week (friday I think) saying it has either checked the certificate is still valid or that it has renewed it for you.

If the email configured above isn't your email address (or the server admin's email address) change it so that it is. correct. If you don't know how then please ask how to change it.

[JRBATM20192021]

Oh okay good to know. Thank you for the help I appreciate it!!! Sorry for being slow at getting what you were telling me.

[sages]

Did you configure the email address and did you get an auto email this morning (depending upon your timezone) reporting that an update to your letsencrypt certificate was attempted?
If not sort out the email address and see what happens next friday. Not much point having an automated process that you don't avail yourself of a status update. Better to sort it now than wait for a surprise in 3 months time.

[JRBATM20192021]

Yeah good point.. I forgot about it sadly... To much going on here in my neck of the woods....... No it appears I did not get an email saying an attempt was made to upgrade lets encrypt. I have it programmed for admin@domain1.com its where I got the message that it was expiring.

Do I just run this code to check to make sure its programmed correctly??

config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=test

Thanks

[JRBATM20192021]

Nevermind!!! it came! Yaaa!

# INFO: Using main config file /etc/dehydrated/config
Processing xxxx.com with alternative names: mail.xxxx.com www.xxxx.com
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Jan 12 07:28:37 2022 GMT (Longer than 30 days). Skipping renew!

[TerryF]

just needs patience

[JRBATM20192021]

Yes Good Point!

[ReetP]

If it all works then follow the wiki to set status from test to enabled and generate the real certificates.

[Jean-Philippe Pialasse]

still as said by Reetp as all is working now you need to switch from test to production.

Code: [Select]

status=test
means you are still in test mode.

follow wiki to go from test to enabled

[JRBATM20192021]

Alright Will do Thanks.

[JRBATM20192021]

Thanks for pointing out the test thing so that I would look into it.
I had copied that from sages up above from Oct 14 to ask if that was the code I needed to use to check before I realized I had gotten an email saying that it checked if the certificate was expired and if it needed to be updated.....
So all is well!
This is what mine says from my server so I assume I am good to go!!

[root@www ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=admin@domain1.com
    hookScript=disabled
    keysize=NUMBER
    signal-event=console-save
    status=enabled

[TerryF]

Did you follow the wiki to enable production mode? No errors?

If yes and the output was as expected sit back and wait

[ReetP]

[root@www ~]# config show letsencrypt
letsencrypt=service

    signal-event=console-save

I don't think this is in the documentation (a reason to read really carefully)

At some stage you have messed up commands. You probably did this:

Code: [Select]

config setprop letsencrypt signal-event console-save
It won't do any damage but better to remove it like this:

Code: [Select]

config delprop letsencrypt signal-event
Make sure it has gone:

Code: [Select]

config show letsencrypt
Then just update to make sure:

Code: [Select]

signal-event console-save
Once you set it from 'test' to 'enabled' you did run dehydrated again - as per the wiki - to force it to generate 'real' certificates instead of 'test' ones?

[JRBATM20192021]

Okay I don't know why I missed this back last month oops but oh well!! Okay I did what you said. Shouldn't hurt anything right? I have been getting the email every week about Checking for renewal but then skipping because its not Jan 12th yet. So i think it is working correctly...

Also yes I ran the dehydrated again so it generated the real certificates so all good there!

Thanks

[TerryF]

Also yes I ran the dehydrated again so it generated the real certificates so all good there!
Thanks

Warning Will Robinson, check forum for other threads re dehydrated update and what that can do..do take note..