acme.sh
Certificate Expired, but it shows renewed and gets skipped
I noticed one of my certificates has timestamps indicating that it was renewed, but the certificate is actually expired. Here are the details.
When acme.sh runs to see if there are any renewals, it skips this certificate
[Fri Apr 12 13:56:01 UTC 2019] Renew: '*.api-cicd.eng.dc.company.com'
[Fri Apr 12 13:56:01 UTC 2019] Skip, Next renewal time is: Wed May 1 00:34:53 UTC 2019
[Fri Apr 12 13:56:01 UTC 2019] Add '--force' to force to renew.
[Fri Apr 12 13:56:01 UTC 2019] Skipped *.api-cicd.eng.dc.company.com
Next I make sure that I'm using the latest version and that the dates on the files look right
/ # "/root/.acme.sh"/acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.1
/ # cd /acme.sh/'*.api-cicd.eng.dc.company.com'
/acme.sh/*.api-cicd.eng.dc.company.com # ls -la
total 44
-rw-r--r-- 1 root root 1992 Mar 2 00:34 '*.api-cicd.eng.dc.company.com.cer'
-rw-r--r-- 1 root root 1673 Apr 12 14:06 '*.api-cicd.eng.dc.company.com.conf'
-rw-r--r-- 1 root root 1058 Mar 2 00:34 '*.api-cicd.eng.dc.company.com.csr'
-rw-r--r-- 1 root root 240 Mar 2 00:34 '*.api-cicd.eng.dc.company.com.csr.conf'
-rw-r--r-- 1 root root 1679 Oct 26 16:55 '*.api-cicd.eng.dc.company.com.key'
drwxr-xr-x 2 root root 4096 Oct 26 16:57 .
drwxr-xr-x 99 1000 1000 12288 Apr 8 17:06 ..
-rw-r--r-- 1 root root 1648 Mar 2 00:34 ca.cer
-rw-r--r-- 1 root root 3640 Mar 2 00:34 fullchain.cer
The March 2 timestamp on the files suggests that it was renewed and supports the next renewal date of May 1. However, when I use openssl to check the existing certificate, it is expired.
/acme.sh/*.api-cicd.eng.dc.company.com # openssl x509 -in '*.api-cicd.eng.dc.company.com.cer' -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
04:c0:03:fa:b7:77:05:ea:bf:a9:36:3a:96:6c:70:20:0d:81
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Dec 31 23:56:44 2018 GMT
Not After : Mar 31 23:56:44 2019 GMT
Subject: CN=*.api-cicd.eng.dc.company.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
A3:6A:4D:B7:CD:65:16:6B:CC:38:F0:B4:E4:7E:01:C5:72:16:65:2B
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.api-cicd.eng.dc.company.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : Jan 1 00:56:44.199 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:45:02:20:4B:07:DE:01:39:0A:CE:39:20:2E:D2:0A:
40:65:63:B8:97:74:B8:9E:D0:5D:6A:91:7D:1A:87:1F:
24:98:17:4A:02:21:00:9C:34:B3:B9:3C:1A:36:50:3A:
72:E1:CF:EF:AA:97:2B:97:56:BF:26:F0:76:F4:1E:5B:
60:B2:02:70:11:C2:09
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Jan 1 00:56:44.191 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:BF:AD:71:B1:4A:D7:01:77:98:C1:21:
36:51:A2:63:46:79:5B:27:42:B3:46:1E:EE:24:A6:68:
FC:02:39:8F:3C:02:21:00:A5:7B:61:C0:58:70:16:C7:
B7:99:34:02:98:0F:E1:70:D6:3F:6E:F7:F9:27:03:DF:
99:BF:63:64:4A:C2:8F:74
Signature Algorithm: sha256WithRSAEncryption
Steps to reproduce
I just let it run
I did try changing Le_NextRenewTimeStr, but it didn't have any impact (didn't renew the certificate).
Debug log
[Fri Apr 12 14:35:13 UTC 2019] di='/acme.sh/*.api-cicd.eng.dc.company.com/'
[Fri Apr 12 14:35:13 UTC 2019] d='*.api-cicd.eng.dc.company.com'
[Fri Apr 12 14:35:13 UTC 2019] Using config home:/acme.sh
[Fri Apr 12 14:35:13 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Apr 12 14:35:13 UTC 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Apr 12 14:35:13 UTC 2019] DOMAIN_PATH='/acme.sh/*.api-cicd.eng.dc.company.com'
[Fri Apr 12 14:35:13 UTC 2019] Renew: '*.api-cicd.eng.dc.company.com'
[Fri Apr 12 14:35:13 UTC 2019] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Fri Apr 12 14:35:13 UTC 2019] Using config home:/acme.sh
[Fri Apr 12 14:35:13 UTC 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Apr 12 14:35:13 UTC 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Apr 12 14:35:13 UTC 2019] Skip, Next renewal time is: Wed May 1 00:34:53 UTC 2019
[Fri Apr 12 14:35:13 UTC 2019] Add '--force' to force to renew.
[Fri Apr 12 14:35:13 UTC 2019] Return code: 2
[Fri Apr 12 14:35:13 UTC 2019] Skipped *.api-cicd.eng.dc.company.com
Show me the *.api-cicd.eng.dc.company.com.csr.conf file
Here it is
/acme.sh/*.api-cicd.eng.dc.company.com # cat '*.api-cicd.eng.dc.company.com.conf'
Le_Domain='*.api-cicd.eng.dc.company.com'
Le_Alt='no'
Le_Webroot='dns_nsone'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme-v02.api.letsencrypt.org/directory'
Le_Keylength=''
Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/35871151/337406242'
Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/04c003fab77705eabfa9363a966c70200d81'
Le_CertCreateTime='1551486893'
Le_CertCreateTimeStr='Sat Mar 2 00:34:53 UTC 2019'
Le_NextRenewTimeStr='Wed May 1 00:34:53 UTC 2019'
Le_NextRenewTime='1556584493'
Le_DeployHook='kubernetes,'
DEPLOY_K8S_PORT='7443'
DEPLOY_K8S_URL='api.eng.dc.company.com'
DEPLOY_K8S_NAMESPACE='api-cicd'
DEPLOY_K8S_SA_TOKEN='REDACTED'
Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/35871151/337406242'
Please try:
acme.sh --renew -d '*.api-cicd.eng.dc.company.com' --debug 2 --force
What is the deploy hook kubernetes?
I created a kubernetes deployment hook. You can see it here https://github.com/dwatrous/letsencrypt-kubernetes. I wasn't sure how reusable it was, so I haven't committed it back to your project yet, but I plan to work on that at some point.
I seem to be having the same issue today. I run the neilpang/acme.sh docker image. acme.sh shows my domain has been renewed, but the certificate files aren't updated. My docker host is ContainerOS and uses a host mount --mount type=bind,src=/ssd/dev/ssl/out,dst=/acme.sh. I have renewed the walr.io domain today until I now get:
Error creating new order :: too many certificates already issued for exact set of domains: *.walr.io,walr.io: see https://letsencrypt.org/docs/rate-limits/
I had the same problem on another domain earlier, but somehow it got fixed. It seems like maybe:
[Fri Apr 12 19:28:55 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/036e115036185a7463ad19107714e2931856
Is downloading old version of the certificate and not the one just created? Or, the new downloaded file is not replacing the old one?
Anyway, just thought I'd add to this report just in case it helps to resolve this issue.
/acme.sh/walr.io # acme.sh -r -d walr.io --force
[Fri Apr 12 19:28:52 UTC 2019] Renew: 'walr.io'
[Fri Apr 12 19:28:52 UTC 2019] Multi domain='DNS:walr.io,DNS:*.walr.io'
[Fri Apr 12 19:28:52 UTC 2019] Getting domain auth token for each domain
[Fri Apr 12 19:28:53 UTC 2019] Getting webroot for domain='walr.io'
[Fri Apr 12 19:28:53 UTC 2019] Getting webroot for domain='*.walr.io'
[Fri Apr 12 19:28:53 UTC 2019] walr.io is already verified, skip dns-01.
[Fri Apr 12 19:28:53 UTC 2019] *.walr.io is already verified, skip dns-01.
[Fri Apr 12 19:28:53 UTC 2019] Verify finished, start to sign.
[Fri Apr 12 19:28:53 UTC 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/31721654/396589340
[Fri Apr 12 19:28:55 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/036e115036185a7463ad19107714e2931856
[Fri Apr 12 19:28:55 UTC 2019] Cert success.
[Fri Apr 12 19:28:55 UTC 2019] Your cert is in /acme.sh/walr.io/walr.io.cer
[Fri Apr 12 19:28:55 UTC 2019] Your cert key is in /acme.sh/walr.io/walr.io.key
[Fri Apr 12 19:28:55 UTC 2019] The intermediate CA cert is in /acme.sh/walr.io/ca.cer
[Fri Apr 12 19:28:55 UTC 2019] And the full chain certs is there: /acme.sh/walr.io/fullchain.cer
/acme.sh/walr.io # ls
ca.cer fullchain.cer.old walr.io.conf walr.io.csr.conf
fullchain.cer walr.io.cer walr.io.csr walr.io.key
/acme.sh/walr.io #
/acme.sh/walr.io #
/acme.sh/walr.io # openssl x509 -in /acme.sh/walr.io/fullchain.cer -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:6e:11:50:36:18:5a:74:63:ad:19:10:77:14:e2:93:18:56
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Validity
Not Before: Dec 19 22:50:49 2018 GMT
Not After : Mar 19 22:50:49 2019 GMT
Subject: CN = walr.io
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
87:07:FE:A8:1C:F7:7D:20:DE:7C:A8:D0:01:5E:35:20:D1:E0:86:FC
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.walr.io, DNS:walr.io
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 74:7E:DA:83:31:AD:33:10:91:21:9C:CE:25:4F:42:70:
C2:BF:FD:5E:42:20:08:C6:37:35:79:E6:10:7B:CC:56
Timestamp : Dec 19 23:50:49.815 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:EE:FB:27:26:F8:59:5B:9D:D5:CA:75:
B7:2B:4A:9F:12:7A:8E:8D:98:57:87:09:DD:46:CA:17:
C3:39:A9:5B:CC:02:21:00:A5:A3:BD:9B:A7:81:EF:2B:
F0:50:2F:9E:E3:ED:03:34:3C:27:0B:48:55:41:21:7C:
91:5F:EB:36:77:91:3E:2F
Signed Certificate Timestamp:
Version : v1 (0x0)
Log ID : 29:3C:51:96:54:C8:39:65:BA:AA:50:FC:58:07:D4:B7:
6F:BF:58:7A:29:72:DC:A4:C3:0C:F4:E5:45:47:F4:78
Timestamp : Dec 19 23:50:49.924 2018 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:0F:C8:82:EB:22:AD:53:5B:30:D8:95:9C:
87:2D:21:C7:B0:E0:97:70:B8:25:4A:E1:51:18:BF:3E:
0A:B7:D0:DC:02:20:41:AC:48:1E:06:75:A0:C4:ED:30:
34:16:68:B8:38:01:6D:88:D2:61:ED:F3:8F:04:E9:FE:
F5:8B:D2:EE:D7:CB
Signature Algorithm: sha256WithRSAEncryption
I tried renewing another domain whose cert has expired, and I am getting the same problem. The renew appears to work and it downloads the cert from:
https://acme-v02.api.letsencrypt.org/acme/cert/03fc9035e78be6f37b29ec9a29b47dd80c34
When I download this file using curl manually, it is still the old expired certificate and not the new one.
So, maybe LE's API server is downloading stale cert file? Or, acme.sh isn't using the new cert URL (if it changes when a cert is renewed)?
@ktwalrus Your issue appears to be related to the Let's Encrypt quotas. If you always generate and renew from the same host, it doesn't count against your quota of new domains. My issue was different. In my case the files had the right timestamp and the conf file was updated as if the update was successful, but the content of the certificate file wasn't updated.
@dwatrous - My issue is the same as yours. The quota issue just happened because I was renewing so many times thinking the problem would fix itself.
But, as you can see above, the content of the certificate file at Let's Encrypt is not being updated.
I had 5 domains that expired last month and I just noticed they were expired today. When I ran acme.sh today to renew them, I ran into the problem that acme.sh appears to have succeeded but the cert files weren't updated (still the old certs).
One of the domains I renewed today failed many times but one time it was finally successful. So, I think Let's Encrypt file server is caching the old file (at least in some servers) and not invalidating the cache when the cert is renewed.
It seems to me that there is a bug in Let's Encrypt API servers or their storage servers.
I found the bug in acme.sh!!!
The certificate URL is not the same as the URL Let's Encrypt is returning. Rather, the certificate URL is the old one in the .conf file.
Here is the debug output (only the $response and the Le_LinkCert):
[Fri Apr 12 21:58:05 UTC 2019] response='{"status":"valid","expires":"2019-04-19T21:58:03Z","identifiers":[{"type":"dns","value":"*.walr.us"},{"type":"dns","value":"walr.us"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz/m2jSP0VrkmTHL-B-EaJl9uujgh3bJVxPgpkjMhyRbuE","https://acme-v02.api.letsencrypt.org/acme/authz/ypWs7z3GrGh-qgtrJc0YA95b2Uepe3y4ejoMI1E43qY"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/31721654/396735524","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/0367c9777943544cdb1445fdad8f27f32457"}'
[Fri Apr 12 21:58:05 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03962532218a0674224f86c34fb301f189b3
So, the problem was acme.sh didn't enter the loop to parse the response since $Le_LinkCert was already set from the .conf file.
When I unset Le_LinkCert to force the response to be parsed, everything worked and the new updated certificate was downloaded.
unset Le_LinkCert # bug workaround
_link_cert_retry=0
_MAX_CERT_RETRY=5
while [ -z "$Le_LinkCert" ] && [ "$_link_cert_retry" -lt "$_MAX_CERT_RETRY" ]; do
Maybe the .conf file shouldn't have Le_LinkCert in it? Or, my workaround might be the correct fix?
Edit: I think Le_LinkOrder might also need to be unset to force the response being parsed?
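The failure described in the comment above, as an added example that is not part of the original comment and is not acme.sh code: it contrasts "saved value wins" with "parse the order response every time", and scans a `--debug 2` log for renewals where the downloaded URL differs from the one the CA returned. All function names are hypothetical; the URLs and the abridged log lines are taken from the debug output quoted in the comment.

```shell
#!/bin/sh
# Added example, not acme.sh code. Function names are hypothetical.

# Values from the debug output quoted in the thread (response abridged).
SAVED_LINK='https://acme-v02.api.letsencrypt.org/acme/cert/03962532218a0674224f86c34fb301f189b3'
ORDER_RESPONSE='{"status":"valid","finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/31721654/396735524","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/0367c9777943544cdb1445fdad8f27f32457"}'

# extract_cert_url RESPONSE
# Prints the "certificate" field of an order response, or nothing if absent.
extract_cert_url() {
  printf '%s' "$1" | tr -d '\r\n' |
    sed -n 's/.*"certificate"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# pick_cert_url_cached SAVED RESPONSE
# The behaviour reported in the thread: a Le_LinkCert loaded from the .conf
# is non-empty, so the response from the new order is never parsed.
pick_cert_url_cached() {
  link=$1
  if [ -z "$link" ]; then
    link=$(extract_cert_url "$2")
  fi
  printf '%s\n' "$link"
}

# pick_cert_url_fresh SAVED RESPONSE
# The response of the current order is authoritative; the saved value is only
# used to report a difference. Returns 1 when the order has no certificate
# yet, so the caller can poll again instead of falling back to the old URL.
pick_cert_url_fresh() {
  link=$(extract_cert_url "$2")
  [ -n "$link" ] || return 1
  [ -z "$1" ] || [ "$1" = "$link" ] || echo "note: saved Le_LinkCert differs from this order" >&2
  printf '%s\n' "$link"
}

# sample_log: two debug lines abridged from the thread.
sample_log() {
  cat <<'EOF'
[Fri Apr 12 21:58:05 UTC 2019] response='{"status":"valid","finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/31721654/396735524","certificate":"https://acme-v02.api.letsencrypt.org/acme/cert/0367c9777943544cdb1445fdad8f27f32457"}'
[Fri Apr 12 21:58:05 UTC 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03962532218a0674224f86c34fb301f189b3
EOF
}

# find_stale_downloads < debug.log
# Pairs each order response carrying a certificate URL with the following
# "Download cert" line and reports pairs that disagree. Exit status 1 if any.
find_stale_downloads() {
  awk '
    /response=.*"certificate":"/ {
      s = $0; sub(/.*"certificate":"/, "", s); sub(/".*/, "", s); issued = s
    }
    /Download cert, Le_LinkCert: / {
      s = $0; sub(/.*Le_LinkCert: /, "", s); sub(/[ \t\r]*$/, "", s)
      if (issued != "" && s != issued) {
        print "MISMATCH issued=" issued " downloaded=" s
        bad = 1
      }
      issued = ""
    }
    END { exit bad + 0 }
  '
}

if [ "${1:-}" = "--demo" ]; then
  echo "cached: $(pick_cert_url_cached "$SAVED_LINK" "$ORDER_RESPONSE")"
  echo "fresh:  $(pick_cert_url_fresh "$SAVED_LINK" "$ORDER_RESPONSE" 2>/dev/null)"
  sample_log | find_stale_downloads
fi
```
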
@dwatrous I read your kubernetes.sh. The cert was renewed successfully, but I didn't find any command to restart/reload the services that use the cert. I'm not sure if it's necessary for kubernetes. Here is an example: https://github.com/Neilpang/acme.sh/blob/master/deploy/haproxy.sh#L50
Let me know.
@ktwalrus please upgrade to use the latest code, I think this issue was fixed already.
Thanks.
@Neilpang I am using neilpang/acme.sh, but I hadn't re-pulled it recently. After doing a "docker pull", the code does seem to have removed the "-z" test of "$Le_LinkCert" so this should fix my issue. Can't test since I've hit LE quota for issuing new certificates today in testing/debugging this issue.
But, looking at the code, it still looks like there might still be an issue with $Le_LinkOrder test:
if [ -z "$Le_LinkOrder" ]; then
Le_LinkOrder="$(echo "$responseHeaders" | grep -i '^Location.*$' | _tail_n
fi
@Neilpang The certificate looks like it updated, but you can see in the openssl output I posted originally, that the certificate is expired. The kubernetes script works perfectly, and isn't supposed to restart anything. It is simply supposed to create a secret based on the certificate. Consumers of that secret then decide what to do. I have been using it with the nginx ingress controller for more than a year and it has always worked great.
This case is unique in that acme.sh thinks it upgraded the certificate, but it didn't write the upgraded certificate to disk, or it got a bad certificate back, like @ktwalrus thinks.
Same issue for me today.
Three wildcard certificates on two different servers got renewed by cron job this morning using dns verification.
acme.log doesn't show any errors, everything worked as expected. Certificate and key file modification dates seem to be set correctly to 5:37 this morning.
But inspecting the expiration dates of all certificates including any existing copies in same directory using openssl x509 command, gave notAfter=May 30 09:19:30 2019 GMT again, as it does with each old certificate in backup directory.
Everything seems to work as expected, no errors anywhere, but renewal leads to same old certificate.
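An added check (not from the thread and not part of acme.sh) for the symptom reported here and in the original post: file timestamps and the .conf say "renewed", acme.sh skips the domain until Le_NextRenewTime, but the certificate on disk expires before that. It assumes the layout shown in the original post (a `<domain>.conf` holding Le_Domain and Le_NextRenewTime next to `<domain>.cer`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not acme.sh code. Function names are hypothetical.
# Assumed layout (as in the original post): HOME/<domain>/<domain>.conf and
# HOME/<domain>/<domain>.cer, where <domain> may start with a literal '*'.

# conf_value FILE KEY
# Prints the value of a KEY='value' line from an acme.sh domain .conf.
conf_value() {
  sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# cert_valid_in CERT SECONDS
# Succeeds if the certificate will still be valid SECONDS from now.
cert_valid_in() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# audit_home HOME
# Prints one line per domain:
#   OK      certificate outlives the next scheduled renewal
#   DUE     next renewal time has passed; the next run will renew
#   STALE   renewal is being skipped but the certificate expires first
#   NOCERT  .conf present, certificate file missing
#   UNKNOWN .conf has no numeric Le_NextRenewTime
# Returns 1 if any STALE or NOCERT entry was found, 2 if openssl is missing.
audit_home() {
  home=$1
  found=0
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
  now=$(date +%s)
  for conf in "$home"/*/*.conf; do
    [ -f "$conf" ] || continue
    case "$conf" in *.csr.conf) continue ;; esac   # CSR config, not domain state
    domain=$(conf_value "$conf" Le_Domain)
    next=$(conf_value "$conf" Le_NextRenewTime)
    cert="${conf%.conf}.cer"
    case "$next" in
      ''|*[!0-9]*) echo "UNKNOWN $domain"; continue ;;
    esac
    if [ ! -f "$cert" ]; then
      echo "NOCERT $domain"; found=1
    elif [ "$next" -le "$now" ]; then
      echo "DUE $domain"
    elif cert_valid_in "$cert" "$((next - now))"; then
      echo "OK $domain"
    else
      # The case in this thread: acme.sh prints "Skip, Next renewal time is"
      # while the certificate on disk expires before that time.
      echo "STALE $domain"; found=1
    fi
  done
  return "$found"
}

if [ "$#" -gt 0 ]; then
  audit_home "$1"
fi
```

Run it against the acme.sh home (for example `/acme.sh` in the Docker image) after the cron job; a STALE line means the domain needs a forced renewal rather than waiting for the scheduled one.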
@bluenenschloss show me the log with --debug 2, and the cert.
This is the corresponding part of the log of one server:
[Sat May 18 05:37:02 CEST 2019] Using config home:/root/.acme.sh
[Sat May 18 05:37:02 CEST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] ===Starting cron===
[Sat May 18 05:37:02 CEST 2019] Using config home:/root/.acme.sh
[Sat May 18 05:37:02 CEST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] _stopRenewOnError
[Sat May 18 05:37:02 CEST 2019] di='/root/.acme.sh/*.company.de/'
[Sat May 18 05:37:02 CEST 2019] d='*.company.de'
[Sat May 18 05:37:02 CEST 2019] Using config home:/root/.acme.sh
[Sat May 18 05:37:02 CEST 2019] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] DOMAIN_PATH='/root/.acme.sh/*.company.de'
[Sat May 18 05:37:02 CEST 2019] Renew: '*.company.de'
[Sat May 18 05:37:02 CEST 2019] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] Using config home:/root/.acme.sh
[Sat May 18 05:37:02 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] _main_domain='*.company.de'
[Sat May 18 05:37:02 CEST 2019] _alt_domains='no'
[Sat May 18 05:37:02 CEST 2019] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sat May 18 05:37:02 CEST 2019] _init api for server: https://acme-v02.api.letsencrypt.org/directory
[Sat May 18 05:37:02 CEST 2019] GET
[Sat May 18 05:37:02 CEST 2019] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat May 18 05:37:02 CEST 2019] timeout=
[Sat May 18 05:37:02 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:03 CEST 2019] ret='0'
[Sat May 18 05:37:03 CEST 2019] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sat May 18 05:37:03 CEST 2019] ACME_NEW_AUTHZ
[Sat May 18 05:37:03 CEST 2019] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat May 18 05:37:03 CEST 2019] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat May 18 05:37:03 CEST 2019] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sat May 18 05:37:03 CEST 2019] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Sat May 18 05:37:03 CEST 2019] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat May 18 05:37:03 CEST 2019] ACME_VERSION='2'
[Sat May 18 05:37:03 CEST 2019] Le_NextRenewTime='1557829171'
[Sat May 18 05:37:03 CEST 2019] _on_before_issue
[Sat May 18 05:37:03 CEST 2019] _chk_main_domain='*.company.de'
[Sat May 18 05:37:03 CEST 2019] _chk_alt_domains
[Sat May 18 05:37:03 CEST 2019] Le_LocalAddress
[Sat May 18 05:37:03 CEST 2019] d='*.company.de'
[Sat May 18 05:37:03 CEST 2019] Check for domain='*.company.de'
[Sat May 18 05:37:03 CEST 2019] _currentRoot='dns_inwx'
[Sat May 18 05:37:03 CEST 2019] d
[Sat May 18 05:37:03 CEST 2019] _saved_account_key_hash is not changed, skip register account.
[Sat May 18 05:37:03 CEST 2019] Read key length:
[Sat May 18 05:37:03 CEST 2019] _createcsr
[Sat May 18 05:37:03 CEST 2019] Single domain='*.company.de'
[Sat May 18 05:37:03 CEST 2019] Getting domain auth token for each domain
[Sat May 18 05:37:03 CEST 2019] d
[Sat May 18 05:37:03 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat May 18 05:37:03 CEST 2019] payload='{"identifiers": [{"type":"dns","value":"*.company.de"}]}'
[Sat May 18 05:37:03 CEST 2019] RSA key
[Sat May 18 05:37:03 CEST 2019] HEAD
[Sat May 18 05:37:03 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat May 18 05:37:03 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:03 CEST 2019] _ret='0'
[Sat May 18 05:37:03 CEST 2019] POST
[Sat May 18 05:37:03 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat May 18 05:37:03 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:04 CEST 2019] _ret='0'
[Sat May 18 05:37:04 CEST 2019] code='201'
[Sat May 18 05:37:04 CEST 2019] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/52444607/457125037'
[Sat May 18 05:37:04 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/authz/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0'
[Sat May 18 05:37:04 CEST 2019] payload
[Sat May 18 05:37:04 CEST 2019] POST
[Sat May 18 05:37:04 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0'
[Sat May 18 05:37:04 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:04 CEST 2019] _ret='0'
[Sat May 18 05:37:04 CEST 2019] code='200'
[Sat May 18 05:37:04 CEST 2019] d='*.company.de'
[Sat May 18 05:37:04 CEST 2019] Getting webroot for domain='*.company.de'
[Sat May 18 05:37:04 CEST 2019] _w='dns_inwx'
[Sat May 18 05:37:04 CEST 2019] _currentRoot='dns_inwx'
[Sat May 18 05:37:04 CEST 2019] entry='"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749","token":"WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4"'
[Sat May 18 05:37:04 CEST 2019] token='WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4'
[Sat May 18 05:37:04 CEST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:04 CEST 2019] keyauthorization='WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4.5yTiR7E9_QC3lkCKKrZEc3GetSeXMcj2TtcjYVguKzQ'
[Sat May 18 05:37:04 CEST 2019] dvlist='*.company.de#WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4.5yTiR7E9_QC3lkCKKrZEc3GetSeXMcj2TtcjYVguKzQ#https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749#dns-01#dns_inwx'
[Sat May 18 05:37:04 CEST 2019] d
[Sat May 18 05:37:04 CEST 2019] vlist='*.company.de#WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4.5yTiR7E9_QC3lkCKKrZEc3GetSeXMcj2TtcjYVguKzQ#https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749#dns-01#dns_inwx,'
[Sat May 18 05:37:04 CEST 2019] d='*.company.de'
[Sat May 18 05:37:04 CEST 2019] _d_alias
[Sat May 18 05:37:04 CEST 2019] txtdomain='_acme-challenge.company.de'
[Sat May 18 05:37:04 CEST 2019] txt='MDSv2KSksmA_WDhMS2kbMaWhAxVP0lU7_DSuavUZM00'
[Sat May 18 05:37:04 CEST 2019] d_api='/root/.acme.sh/dnsapi/dns_inwx.sh'
[Sat May 18 05:37:04 CEST 2019] Found domain api file: /root/.acme.sh/dnsapi/dns_inwx.sh
[Sat May 18 05:37:04 CEST 2019] First detect the root zone
[Sat May 18 05:37:04 CEST 2019] get root
[Sat May 18 05:37:04 CEST 2019] POST
[Sat May 18 05:37:04 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:04 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:05 CEST 2019] _ret='0'
[Sat May 18 05:37:05 CEST 2019] POST
[Sat May 18 05:37:05 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:05 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:05 CEST 2019] _ret='0'
[Sat May 18 05:37:05 CEST 2019] h='company.de'
[Sat May 18 05:37:05 CEST 2019] _sub_domain='_acme-challenge'
[Sat May 18 05:37:05 CEST 2019] _domain='company.de'
[Sat May 18 05:37:05 CEST 2019] Adding record
[Sat May 18 05:37:05 CEST 2019] POST
[Sat May 18 05:37:05 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:05 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:08 CEST 2019] _ret='0'
[Sat May 18 05:37:08 CEST 2019] Let's check each dns records now. Sleep 20 seconds first.
[Sat May 18 05:37:28 CEST 2019] d='company.de'
[Sat May 18 05:37:28 CEST 2019] txtdomain='_acme-challenge.company.de'
[Sat May 18 05:37:28 CEST 2019] aliasDomain='_acme-challenge.company.de'
[Sat May 18 05:37:28 CEST 2019] txt='MDSv2KSksmA_WDhMS2kbMaWhAxVP0lU7_DSuavUZM00'
[Sat May 18 05:37:28 CEST 2019] d_api='/root/.acme.sh/dnsapi/dns_inwx.sh'
[Sat May 18 05:37:28 CEST 2019] Checking company.de for _acme-challenge.company.de
[Sat May 18 05:37:28 CEST 2019] _c_txtdomain='_acme-challenge.company.de'
[Sat May 18 05:37:28 CEST 2019] _c_aliasdomain='_acme-challenge.company.de'
[Sat May 18 05:37:28 CEST 2019] _c_txt='MDSv2KSksmA_WDhMS2kbMaWhAxVP0lU7_DSuavUZM00'
[Sat May 18 05:37:28 CEST 2019] GET
[Sat May 18 05:37:28 CEST 2019] url='https://cloudflare-dns.com/dns-query?name=_acme-challenge.company.de&type=TXT'
[Sat May 18 05:37:28 CEST 2019] timeout=
[Sat May 18 05:37:28 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:28 CEST 2019] ret='0'
[Sat May 18 05:37:28 CEST 2019] Domain company.de '_acme-challenge.company.de' success.
[Sat May 18 05:37:28 CEST 2019] All success, let's return
[Sat May 18 05:37:28 CEST 2019] ok, let's start to verify
[Sat May 18 05:37:28 CEST 2019] Verifying: *.company.de
[Sat May 18 05:37:28 CEST 2019] d='*.company.de'
[Sat May 18 05:37:28 CEST 2019] keyauthorization='WCArExSjwd0ESsyX0GBkAObLdcZl1_SGT-V266-mwb4.5yTiR7E9_QC3lkCKKrZEc3GetSeXMcj2TtcjYVguKzQ'
[Sat May 18 05:37:28 CEST 2019] uri='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:28 CEST 2019] _currentRoot='dns_inwx'
[Sat May 18 05:37:28 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:28 CEST 2019] payload='{}'
[Sat May 18 05:37:28 CEST 2019] POST
[Sat May 18 05:37:28 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:28 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:29 CEST 2019] _ret='0'
[Sat May 18 05:37:29 CEST 2019] code='200'
[Sat May 18 05:37:29 CEST 2019] trigger validation code: 200
[Sat May 18 05:37:29 CEST 2019] sleep 2 secs to verify
[Sat May 18 05:37:31 CEST 2019] checking
[Sat May 18 05:37:31 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:31 CEST 2019] payload
[Sat May 18 05:37:31 CEST 2019] POST
[Sat May 18 05:37:31 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/challenge/GJbMQop0OTE6rTwd1dyxR3Shv3W-gd1PeE8_4Ej5sw0/15990307749'
[Sat May 18 05:37:31 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:31 CEST 2019] _ret='0'
[Sat May 18 05:37:31 CEST 2019] code='200'
[Sat May 18 05:37:31 CEST 2019] Success
[Sat May 18 05:37:31 CEST 2019] pid
[Sat May 18 05:37:31 CEST 2019] Skip for removelevel:
[Sat May 18 05:37:31 CEST 2019] pid
[Sat May 18 05:37:31 CEST 2019] No need to restore nginx, skip.
[Sat May 18 05:37:31 CEST 2019] _clearupdns
[Sat May 18 05:37:31 CEST 2019] dns_entries='company.de,_acme-challenge.company.de,,dns_inwx,MDSv2KSksmA_WDhMS2kbMaWhAxVP0lU7_DSuavUZM00,/root/.acme.sh/dnsapi/dns_inwx.sh
'
[Sat May 18 05:37:31 CEST 2019] Removing DNS records.
[Sat May 18 05:37:31 CEST 2019] d='company.de'
[Sat May 18 05:37:31 CEST 2019] txtdomain='_acme-challenge.company.de'
[Sat May 18 05:37:31 CEST 2019] aliasDomain='_acme-challenge.company.de'
[Sat May 18 05:37:31 CEST 2019] txt='MDSv2KSksmA_WDhMS2kbMaWhAxVP0lU7_DSuavUZM00'
[Sat May 18 05:37:31 CEST 2019] d_api='/root/.acme.sh/dnsapi/dns_inwx.sh'
[Sat May 18 05:37:31 CEST 2019] First detect the root zone
[Sat May 18 05:37:31 CEST 2019] get root
[Sat May 18 05:37:31 CEST 2019] POST
[Sat May 18 05:37:31 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:31 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:32 CEST 2019] _ret='0'
[Sat May 18 05:37:32 CEST 2019] POST
[Sat May 18 05:37:32 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:32 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:32 CEST 2019] _ret='0'
[Sat May 18 05:37:32 CEST 2019] h='company.de'
[Sat May 18 05:37:32 CEST 2019] _sub_domain='_acme-challenge'
[Sat May 18 05:37:32 CEST 2019] _domain='company.de'
[Sat May 18 05:37:32 CEST 2019] Getting txt records
[Sat May 18 05:37:32 CEST 2019] POST
[Sat May 18 05:37:32 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:32 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:32 CEST 2019] _ret='0'
[Sat May 18 05:37:32 CEST 2019] Deleting record
[Sat May 18 05:37:32 CEST 2019] POST
[Sat May 18 05:37:32 CEST 2019] _post_url='https://api.domrobot.com/xmlrpc/'
[Sat May 18 05:37:32 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:33 CEST 2019] _ret='0'
[Sat May 18 05:37:33 CEST 2019] Verify finished, start to sign.
[Sat May 18 05:37:33 CEST 2019] i='2'
[Sat May 18 05:37:33 CEST 2019] j='16'
[Sat May 18 05:37:33 CEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/52444607/457125037
[Sat May 18 05:37:33 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/finalize/52444607/457125037'
[Sat May 18 05:37:33 CEST 2019] payload='{"csr": "MIICnzCCAYcCAQAwHTEbMBkGA1UEAwwSKi5zeXN0ZW0tZmFicmlrLmRlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAoksmuYZzUYqDjW2swPGYTRifRRI2iN3fYRBKUcVS69kAYOs8okCu6a_1d2lOWbpt-32QC-VIjqF1u5TmbQCJJ3f8cG1NXSu_UParl25GPfNWwx4p8YqwEPbddIrMkRQPRPMvyY3MJPCtd50Tw5CTXqGXF71OukQPBzjDR3x8y0pgYucuPUjVrGxndNLqFt3d_1G1vzgHvrY5Lbx_QKhWQI3VuH8KHMvdcY6REJErkYsqLQ9MMwLw5oXjv04k9CqVeJImk4Kq-mrdL6I0OCkSNdXqIQbRTQ9XsACbglcHC6XEf41iBDL-N2qTgwDihKiNYC6HI-MRdFlAcMIM81VZzwIDAQABoD0wOwYJKoZIhvcNAQkOMS4wLDALBgNVHQ8EBAMCBeAwHQYDVR0RBBYwFIISKi5zeXN0ZW0tZmFicmlrLmRlMA0GCSqGSIb3DQEBCwUAA4IBAQBdHNVztfBX6QoOTFEX8Irj_6LUFJANTUEvfh9knMpMMvqEuIJqBZ2BJdZI1z1oIEPxPmWF5y-34ieT48b_PRsFpFjNs9dIPNgl22-XziHTE11BhQnLolg5PX2PGLA5t2wqfPd6g1snRMPlj7p3vDZqHasejfyOAtthXpWHYx1uBAZb_z8b4uf15z1uFA7DGT4Q_3o3IrPm4hLsqEwbGC2eyAZIifyTQmLjWrUtxLdQsvK5EtSJC1X6hxdQ5JL33rXDlvhsZic2uscYRQCy2HbHyL02TDGjeZSKO3KgkJciaxDFZ-fEHu_xK4DO_MaLXsH1uYKGIfFthotA2_h2HnOR"}'
[Sat May 18 05:37:33 CEST 2019] POST
[Sat May 18 05:37:33 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/finalize/52444607/457125037'
[Sat May 18 05:37:33 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:35 CEST 2019] _ret='0'
[Sat May 18 05:37:35 CEST 2019] code='200'
[Sat May 18 05:37:35 CEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/03ab993ebc2972e26fc56995b160182b93f8
[Sat May 18 05:37:35 CEST 2019] url='https://acme-v02.api.letsencrypt.org/acme/cert/03ab993ebc2972e26fc56995b160182b93f8'
[Sat May 18 05:37:35 CEST 2019] payload
[Sat May 18 05:37:35 CEST 2019] POST
[Sat May 18 05:37:35 CEST 2019] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/03ab993ebc2972e26fc56995b160182b93f8'
[Sat May 18 05:37:35 CEST 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Sat May 18 05:37:35 CEST 2019] _ret='0'
[Sat May 18 05:37:35 CEST 2019] code='200'
[Sat May 18 05:37:35 CEST 2019] Found cert chain
[Sat May 18 05:37:35 CEST 2019] _end_n='31'
[Sat May 18 05:37:35 CEST 2019] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03ab993ebc2972e26fc56995b160182b93f8'
[Sat May 18 05:37:36 CEST 2019] Cert success.
[Sat May 18 05:37:36 CEST 2019] Your cert is in /root/.acme.sh/*.company.de/*.company.de.cer
[Sat May 18 05:37:36 CEST 2019] Your cert key is in /root/.acme.sh/*.company.de/*.company.de.key
[Sat May 18 05:37:36 CEST 2019] v2 chain.
[Sat May 18 05:37:36 CEST 2019] The intermediate CA cert is in /root/.acme.sh/*.company.de/ca.cer
[Sat May 18 05:37:36 CEST 2019] And the full chain certs is there: /root/.acme.sh/*.company.de/fullchain.cer
[Sat May 18 05:37:36 CEST 2019] Installing key to:/etc/ssl/private/wildcard-company-de.key
[Sat May 18 05:37:36 CEST 2019] Installing full chain to:/etc/ssl/certs/wildcard-company-de.pem
[Sat May 18 05:37:36 CEST 2019] Run reload cmd: service apache2 force-reload
[Sat May 18 05:37:36 CEST 2019] Reload success
[Sat May 18 05:37:36 CEST 2019] _on_issue_success
[Sat May 18 05:37:36 CEST 2019] _deployApi='/root/.acme.sh/deploy/ssh.sh'
[Sat May 18 05:37:36 CEST 2019] _cdomain='*.company.de'
[Sat May 18 05:37:36 CEST 2019] _ckey='/root/.acme.sh/*.company.de/*.company.de.key'
[Sat May 18 05:37:36 CEST 2019] _ccert='/root/.acme.sh/*.company.de/*.company.de.cer'
[Sat May 18 05:37:36 CEST 2019] _cca='/root/.acme.sh/*.company.de/ca.cer'
[Sat May 18 05:37:36 CEST 2019] _cfullchain='/root/.acme.sh/*.company.de/fullchain.cer'
[Sat May 18 05:37:36 CEST 2019] Deploy certificates to remote server [email protected]
[Sat May 18 05:37:36 CEST 2019] will copy private key to remote file /etc/ssl/private/wildcard-company-de.key
[Sat May 18 05:37:36 CEST 2019] will copy fullchain to remote file /etc/ssl/certs/wildcard-company-de.pem
[Sat May 18 05:37:36 CEST 2019] Will execute remote command /usr/sbin/service apache2 force-reload
[Sat May 18 05:37:36 CEST 2019] Backup of old certificate files will be placed in remote directory ~/.acme_ssh_deploy/*.company.de-backup-2019-05-18-03:37:36
[Sat May 18 05:37:36 CEST 2019] Backup directories erased after 180 days.
[Sat May 18 05:37:36 CEST 2019] Remote commands to execute: ='[hidden](please add '--output-insecure' to see this value)'
[Sat May 18 05:37:36 CEST 2019] Submitting sequence of commands to remote server by ssh
[Sat May 18 05:37:37 CEST 2019] Success
[Sat May 18 05:37:37 CEST 2019] Return code: 0
[Sat May 18 05:37:37 CEST 2019] ===End cron===
This is the complete information taken from the .acme.sh directory's fullchain.cer:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:ab:99:3e:bc:29:72:e2:6f:c5:69:95:b1:60:18:2b:93:f8
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Mar 1 09:19:30 2019 GMT
Not After : May 30 09:19:30 2019 GMT
Subject: CN=*.company.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
14:E2:34:53:D8:1F:37:64:0D:0D:92:C5:1A:01:C6:2F:1A:B5:0F:67
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:*.company.de
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 63:F2:DB:CD:E8:3B:CC:2C:CF:0B:72:84:27:57:6B:33:
A4:8D:61:77:8F:BD:75:A6:38:B1:C7:68:54:4B:D8:8D
Timestamp : Mar 1 10:19:30.142 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:46:02:21:00:8B:F3:15:58:AD:E5:69:4E:E0:04:1B:
47:01:3E:8A:06:04:8F:AB:AB:3F:92:E6:EA:C8:92:FB:
C5:B6:70:7B:F3:02:21:00:A9:37:34:68:54:38:C8:20:
54:CB:26:6D:2D:05:DD:10:E2:4E:1E:98:ED:F6:0C:C7:
A5:47:6E:09:A9:9E:F4:5A
Signed Certificate Timestamp:
Version : v1(0)
Log ID : E2:69:4B:AE:26:E8:E9:40:09:E8:86:1B:B6:3B:83:D4:
3E:E7:FE:74:88:FB:A4:8F:28:93:01:9D:DD:F1:DB:FE
Timestamp : Mar 1 10:19:30.568 2019 GMT
Extensions: none
Signature : ecdsa-with-SHA256
30:44:02:20:0B:3C:CD:64:3F:6C:1A:B9:EA:4B:F5:C1:
E9:E4:CE:12:3D:60:5A:05:30:76:1A:AE:33:54:25:06:
F2:85:53:C0:02:20:27:9C:6E:8F:40:3E:11:A5:7C:B8:
7F:8E:F1:EC:DA:E5:5D:6B:70:25:A7:9E:44:53:CB:7B:
94:0F:AC:BF:F1:29
Signature Algorithm: sha256WithRSAEncryption
As you can see, the file modification dates prove that these files have actually been modified:
.acme.sh/*.company.de/:
total 40
drwxr-xr-x 3 root root 4096 Mar 1 11:11 .
drwx------ 7 root root 4096 May 18 09:18 ..
drwxr-xr-x 2 root root 4096 Mar 1 11:19 backup
-rw-r--r-- 1 root root 1648 May 18 05:37 ca.cer
-rw-r--r-- 1 root root 3567 May 18 05:37 fullchain.cer
-rw-r--r-- 1 root root 1919 May 18 05:37 *.company.de.cer
-rw-r--r-- 1 root root 1206 May 18 05:37 *.company.de.conf
-rw-r--r-- 1 root root 985 May 18 05:37 *.company.de.csr
-rw-r--r-- 1 root root 213 May 18 05:37 *.company.de.csr.conf
-rw-r--r-- 1 root root 1675 Mar 1 10:01 *.company.de.key
.acme.sh/*.company.de/backup:
total 16
drwxr-xr-x 2 root root 4096 Mar 1 11:19 .
drwxr-xr-x 3 root root 4096 Mar 1 11:11 ..
-rw-r--r-- 1 root root 3559 Mar 1 11:19 fullchain.bak
-rw------- 1 root root 1675 Mar 1 11:19 key.bak
And not to forget:
acme.sh --version
https://github.com/Neilpang/acme.sh
v2.8.1
@bluenenschloss
please upgrade to the latest code:
acme.sh --upgrade
acme.sh --cron --debug 2
Upgraded to the latest version first. Now observing the same behavior as dwatrous did. acme.sh skips renewal of the certificate, because it is not expired - but it is.
root@host:~# acme.sh --cron --debug 2
[Sun May 19 06:53:41 CEST 2019] Lets find script dir.
[Sun May 19 06:53:41 CEST 2019] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sun May 19 06:53:41 CEST 2019] _script='/root/.acme.sh/acme.sh'
[Sun May 19 06:53:41 CEST 2019] _script_home='/root/.acme.sh'
[Sun May 19 06:53:41 CEST 2019] Using config home:/root/.acme.sh
[Sun May 19 06:53:41 CEST 2019] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/Neilpang/acme.sh
v2.8.2
[Sun May 19 06:53:41 CEST 2019] Using config home:/root/.acme.sh
[Sun May 19 06:53:41 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun May 19 06:53:41 CEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun May 19 06:53:41 CEST 2019] ===Starting cron===
[Sun May 19 06:53:41 CEST 2019] Using config home:/root/.acme.sh
[Sun May 19 06:53:41 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun May 19 06:53:41 CEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun May 19 06:53:41 CEST 2019] _stopRenewOnError
[Sun May 19 06:53:41 CEST 2019] di='/root/.acme.sh/*.company.de/'
[Sun May 19 06:53:41 CEST 2019] d='*.company.de'
[Sun May 19 06:53:41 CEST 2019] Using config home:/root/.acme.sh
[Sun May 19 06:53:41 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun May 19 06:53:41 CEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun May 19 06:53:41 CEST 2019] DOMAIN_PATH='/root/.acme.sh/*.company.de'
[Sun May 19 06:53:41 CEST 2019] Renew: '*.company.de'
[Sun May 19 06:53:41 CEST 2019] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Sun May 19 06:53:41 CEST 2019] Using config home:/root/.acme.sh
[Sun May 19 06:53:41 CEST 2019] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun May 19 06:53:41 CEST 2019] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sun May 19 06:53:41 CEST 2019] Skip, Next renewal time is: Thu Aug 1 03:37:36 UTC 2019
[Sun May 19 06:53:41 CEST 2019] Add '--force' to force to renew.
[Sun May 19 06:53:41 CEST 2019] Return code: 2
[Sun May 19 06:53:41 CEST 2019] Skipped *.company.de
[Sun May 19 06:53:41 CEST 2019] The NOTIFY_HOOK is empty, just return.
[Sun May 19 06:53:41 CEST 2019] ===End cron===
But: adding --force seems to work with version 2.8.2.
Since all certificates have been renewed now, no further testing is possible until they are near expiry next time.
Thanks for your response so far.
It checks cert file create date and registers it in config. But what if cert is manually copied or left from another install? And it continues to rely on date from config, not from date in certificate which imho is strange. And letsencrypt may issue cert with older start date, while config will get current date, and will have next renew time after actual cert expiration time.
@rolep
But what if cert is manually copied or l
Don't copy it manually.
Is this still an issue that people are having? Is it possible to get the certs to renew with having to manually run --force after it silently failed to "really" renew them?
I haven't seen this error for a while, so it may not be a problem right now.
Same for me - no such problem since v2.8.2. Last automatic renewal in August worked w/o any problems.
I host my own ACME provider, certificates are set to expire after 24 hours, and acme.sh seems to fixate on 60 days ($DEFAULT_RENEW value if not overridden), regardless of the expiry date on the certificate. I cannot specify 0 or 1 days, as with 0 it will default to 60, and 1 is too late, nor can I specify decimal points (e.g. for 12 hours) because the math logic can't handle decimal points. It needs to read the certificate expiry and calculate renewal cutoff from that instead, not some predefined value.
Version 2.8.6.
@p3lim
please use --force parameter to renew the cert anytime you like.
I host my own ACME provider, certificates are set to expire after 24 hours, and acme.sh seems to fixate on 60 days ($DEFAULT_RENEW value if not overridden), regardless of the expiry date on the certificate. [...] It needs to read the certificate expiry and calculate renewal cutoff from that instead, not some predefined value.
I have the same problem as @p3lim, except that my validity length is greater than 24 hours but less than 60 days.
@Neilpang if we use --force then it will renew every single time the cron job executes, which is not desirable.
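The mismatch described by rolep and p3lim above (a stored next-renewal time that lies beyond the certificate's own Not After) can be checked from outside acme.sh. The script below is an added example, not acme.sh code and not part of any comment in this thread. It assumes GNU `date`, that the domain `.conf` stores the schedule as epoch seconds in `Le_NextRenewTime`, and an illustrative policy of renewing once a third of the validity period remains.

```shell
#!/bin/sh
# Added example: compare acme.sh's stored schedule with the certificate itself.

# renew_decision NOW NOT_BEFORE NOT_AFTER NEXT_RENEW   (all in epoch seconds)
# Prints one of:
#   expired         the certificate is already past notAfter
#   stale-schedule  the stored next-renewal time is at or after notAfter,
#                   so the scheduler would skip until after expiry
#   renew           inside the window derived from the certificate's lifetime
#   ok              nothing to do yet
renew_decision() {
  now=$1; not_before=$2; not_after=$3; next_renew=$4
  remaining=$((not_after - now))
  # Assumed policy: renew when one third of the validity period is left.
  window=$(( (not_after - not_before) / 3 ))
  if [ "$remaining" -le 0 ]; then
    echo expired
  elif [ "$next_renew" -ge "$not_after" ]; then
    echo stale-schedule
  elif [ "$remaining" -le "$window" ]; then
    echo renew
  else
    echo ok
  fi
}

# cert_epoch FILE -startdate|-enddate : validity bound as epoch seconds.
# Relies on GNU date to parse openssl's "May 30 09:19:30 2019 GMT" format.
cert_epoch() {
  date -u -d "$(openssl x509 -in "$1" -noout "$2" | cut -d= -f2)" +%s
}

# check_cert CERT CONF : read the real files and print the decision.
# Example:
#   check_cert '/root/.acme.sh/*.company.de/*.company.de.cer' \
#              '/root/.acme.sh/*.company.de/*.company.de.conf'
check_cert() {
  nb=$(cert_epoch "$1" -startdate)
  na=$(cert_epoch "$1" -enddate)
  # Assumed conf format: Le_NextRenewTime='<epoch>'; a missing key counts as 0.
  nr=$(grep '^Le_NextRenewTime=' "$2" | tr -cd '0-9')
  renew_decision "$(date -u +%s)" "$nb" "$na" "${nr:-0}"
}
```

Run from cron, any result other than `ok` is worth an alert; `stale-schedule` is the state shown in the May 19 log above, where the next renewal time (Aug 1) is later than the certificate's Not After (May 30).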