Synology certificate renewal not deploying automatically
I've followed the Synology NAS Guide in the Wiki to deploy a certificate and configured the cron job. Today, the certificate I initially created had expired in DSM. The cron job successfully creates a new certificate (when I ran it the cert was newer than the DSM one), but the certificate is not deployed to DSM automatically, so the first DSM cert created by acme expired.
Should the cron task deploy the certificate, or have I misunderstood how it all ties together? I also tried it with --force from SSH to ensure it was creating a certificate, which it did, but it also didn't deploy it, I had to manually run deploy again (and set it as the default, but that might be my fault for not setting the same name as last time).
Please upgrade to the latest code and try again first. Maybe it's already fixed.
acme.sh --upgrade
If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.
Should have mentioned I also ran acme.sh --upgrade. I didn't think the debug log would be useful in this case, but here it is (domain replaced with my.domain):
[Fri Feb 2 10:16:50 GMT 2024] Lets find script dir.
[Fri Feb 2 10:16:50 GMT 2024] _SCRIPT_='/usr/local/share/acme.sh/acme.sh'
[Fri Feb 2 10:16:50 GMT 2024] _script='/usr/local/share/acme.sh/acme.sh'
[Fri Feb 2 10:16:50 GMT 2024] _script_home='/usr/local/share/acme.sh'
[Fri Feb 2 10:16:50 GMT 2024] Using config home:/usr/local/share/acme.sh
[Fri Feb 2 10:16:50 GMT 2024] LE_WORKING_DIR='/usr/local/share/acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Fri Feb 2 10:16:50 GMT 2024] Running cmd: cron
[Fri Feb 2 10:16:50 GMT 2024] Using config home:/usr/local/share/acme.sh
[Fri Feb 2 10:16:50 GMT 2024] default_acme_server
[Fri Feb 2 10:16:50 GMT 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] ===Starting cron===
[Fri Feb 2 10:16:50 GMT 2024] Using config home:/usr/local/share/acme.sh
[Fri Feb 2 10:16:50 GMT 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] _stopRenewOnError
[Fri Feb 2 10:16:50 GMT 2024] _server
[Fri Feb 2 10:16:50 GMT 2024] _set_level='2'
[Fri Feb 2 10:16:50 GMT 2024] di='/usr/local/share/acme.sh/my.domain_ecc/'
[Fri Feb 2 10:16:50 GMT 2024] d='my.domain_ecc'
[Fri Feb 2 10:16:50 GMT 2024] _renewServer
[Fri Feb 2 10:16:50 GMT 2024] Using config home:/usr/local/share/acme.sh
[Fri Feb 2 10:16:50 GMT 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_PATH='v2/DV90'
[Fri Feb 2 10:16:50 GMT 2024] DOMAIN_PATH='/usr/local/share/acme.sh/my.domain_ecc'
[Fri Feb 2 10:16:50 GMT 2024] Renew: 'my.domain'
[Fri Feb 2 10:16:50 GMT 2024] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Fri Feb 2 10:16:50 GMT 2024] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri Feb 2 10:16:50 GMT 2024] initpath again.
[Fri Feb 2 10:16:50 GMT 2024] Using config home:/usr/local/share/acme.sh
[Fri Feb 2 10:16:50 GMT 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Fri Feb 2 10:16:50 GMT 2024] _ACME_SERVER_PATH='directory'
[Fri Feb 2 10:16:50 GMT 2024] Skip, Next renewal time is: 2024-04-01T09:40:51Z
[Fri Feb 2 10:16:50 GMT 2024] Add '--force' to force to renew.
[Fri Feb 2 10:16:50 GMT 2024] Return code: 2
[Fri Feb 2 10:16:50 GMT 2024] Skipped my.domain_ecc
[Fri Feb 2 10:16:50 GMT 2024] _error_level='3'
[Fri Feb 2 10:16:50 GMT 2024] _set_level='2'
[Fri Feb 2 10:16:50 GMT 2024] ===End cron===
show:
acme.sh --info -d my.domain
Sure thing @Neilpang, here's the output:
DOMAIN_CONF=/root/.acme.sh/my.domain/my.domain.conf
cat: /root/.acme.sh/my.domain/my.domain.conf: No such file or directory
There is a my.domain_ecc folder that has a my.domain.conf file within it and certs and the like.
I had a similar issue that led to my certificate not being deployed:
- On Jan 27th the script generated a new certificate but could not deploy it (my certmanager account may have broken somehow, I had to disable/re-enable 2FA today for it to work again)
- Until the old cert's expiration date the script did nothing (the undeployed cert is not due for renewal)
- After fixing the account login I noticed the deploy's debug logs were saying
[Wed Feb 21 08:53:15 PM CET 2024] Restarting HTTP services failed
- Tried the curl and saw I have 2 LE certificates, the new one not being the default and no service is using it
- Updated from DSM and the deploy script now properly restarts DSM
The double cert is probably my fault, I can't find where the old environment was sourced from so I had to create a new configuration.
Anyway, I think the deployment state should be tracked alongside the cert expiration date. This way it can retry before the old cert expires.
acme.sh --info -d my.domain --ecc
DOMAIN_CONF=/root/.acme.sh/my.domain_ecc/my.domain.conf
cat: /root/.acme.sh/my.domain_ecc/my.domain.conf: No such file or directory
Note that /root/.acme.sh/ doesn't appear to exist. I'm running the script from /usr/local/share/acme.sh/, which is where the _ecc folder sits.
Deployment of the certificates failed again, despite the certificate being updated. Because of this, I re-followed the guide (which has been simplified since I originally set this up) and deployment of the certificate succeeded using the temporary admin account. I then ran the cron job with --force and the cron job successfully deployed too, which wasn't happening previously, so I can only assume something in the old config wasn't correct.
Side note, turns out the above --info commands were failing because I needed to add --home . to tell them to look in the script directory I was running from and not the default folder.
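The failure described in this thread (a certificate renewed on disk while DSM keeps serving the old one until it expires) can be caught by comparing the two certificates directly. The script below is an added example, not part of acme.sh or of any post above; the function names are hypothetical, and it assumes base64 and sha256sum are available, plus openssl for the live fetch.

```shell
#!/bin/sh
# Added example: detect "renewed but not deployed" by comparing the certificate
# in the acme.sh home with the one the service actually presents.

# SHA-256 over the DER bytes of the FIRST certificate in a PEM file
# (so a full chain file and a leaf-only file compare equal).
pem_first_cert_fp() {
  body=$(awk '/-----BEGIN CERTIFICATE-----/ {c=1; next}
              /-----END CERTIFICATE-----/   {exit}
              c {gsub(/[ \t\r]/, ""); print}' "$1" 2>/dev/null) || return 1
  [ -n "$body" ] || return 1          # missing file or no certificate block
  printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Prints deployed / stale / unreadable; returns 0 / 1 / 2 for alerting.
deploy_state() {
  disk_fp=$(pem_first_cert_fp "$1") || { echo "unreadable"; return 2; }
  live_fp=$(pem_first_cert_fp "$2") || { echo "unreadable"; return 2; }
  if [ "$disk_fp" = "$live_fp" ]; then echo "deployed"; return 0; fi
  echo "stale"; return 1
}

# Fetch the leaf certificate a TLS service presents (needs openssl and network).
fetch_served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Usage: <script> <certificate file from the my.domain_ecc folder> <host> <port>
if [ "$#" -eq 3 ]; then
  tmp=$(mktemp) || exit 2
  fetch_served_cert "$2" "$3" > "$tmp"
  deploy_state "$1" "$tmp"; rc=$?
  rm -f "$tmp"
  exit "$rc"
fi
```

Run it from a scheduled task after the acme.sh cron entry; a non-zero exit means the renewed certificate has not reached the service and the deploy step needs to be re-run.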