lua-resty-auto-ssl

Unable to reissue certificate. How can we solve this?

Open danielbentov opened this issue 8 years ago • 6 comments

2017/04/19 15:26:40 [error] 5547#0: *1155021 [lua] lets_encrypt.lua:32: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=c2d5f64508a4c2edee0c4faf1c19f3f81908264232eb56b23d9602cd4bfaef36 HOOK_SERVER_PORT=8999 /usr/local/share/lua/5.1/resty/auto-ssl/vendor/dehydrated --cron --no-lock --domain www.imagecon.com --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/share/lua/5.1/resty/auto-ssl/shell/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config
Processing www.imagecon.com
 + Checking domain name(s) of existing cert...
err: # !! WARNING !! Extra configuration directory /etc/resty-auto-ssl/letsencrypt/conf.d exists, but no configuration found in it.
unable to load certificate
140039407040152:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: TRUSTED CERTIFICATE , context: ssl_certificate_by_lua*, client: 10.169.165.199, server: 0.0.0.0:443
2017/04/19 15:26:40 [error] 5547#0: *1155021 [lua] ssl_certificate.lua:88: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 10.169.165.199, server: 0.0.0.0:443
2017/04/19 15:26:40 [error] 5547#0: *1155021 [lua] ssl_certificate.lua:247: auto-ssl: could not get certificate for www.imagecon.com - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 10.169.165.199, server: 0.0.0.0:443

danielbentov Apr 19 '17 15:04

What version of lua-resty-auto-ssl are you running? And have you manually created or modified any of the files inside /etc/resty-auto-ssl/letsencrypt/? It looks like the dehydrated Let's Encrypt client is failing during an openssl command to read a certificate file. It looks like people have run into this when the files have Windows line breaks or the cert is in the wrong format. I'm not sure why dehydrated would be doing this under normal operations.

If you think the files might be corrupted, you could try moving aside the current dehydrated directory (sudo mv /etc/resty-auto-ssl/letsencrypt /etc/resty-auto-ssl/letsencrypt.bak) and then fully restart nginx (a fresh directory should get re-created), and then see if a fresh issuance will work.

GUI Apr 19 '17 16:04
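
A way to check the two conditions named in the reply above (Windows line breaks, wrong format) plus the empty-file case before moving the directory aside. This is an added example, not part of the thread or of lua-resty-auto-ssl; the function names are hypothetical, and it assumes dehydrated's default layout of `certs/<domain>/cert.pem` under the base directory.

```shell
#!/bin/sh
# Added example: classify files that dehydrated hands to openssl as a
# certificate. The certs/<domain>/cert.pem layout is an assumption.

# pem_status FILE -> prints one of: missing | empty | no-start-line | crlf | ok
pem_status() {
    f=$1
    cr=$(printf '\r')
    # A dangling cert.pem symlink also counts as missing.
    [ -e "$f" ] || { echo missing; return 0; }
    [ -s "$f" ] || { echo empty; return 0; }
    # openssl wants a BEGIN line ("no start line" in the log means none was
    # found); allow a trailing CR so CRLF files are reported as crlf below.
    if ! LC_ALL=C grep -Eq "^-----BEGIN (TRUSTED )?CERTIFICATE-----${cr}?\$" "$f"; then
        echo no-start-line   # DER, truncated, or some other non-PEM content
        return 0
    fi
    if LC_ALL=C grep -q "$cr" "$f"; then
        echo crlf
        return 0
    fi
    echo ok
}

# scan_cert_dir BASEDIR -> prints "<status> <path>" for every suspect file,
# returns non-zero if any were found.
scan_cert_dir() {
    bad=0
    for f in "$1"/certs/*/cert.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
        s=$(pem_status "$f")
        if [ "$s" != ok ]; then
            echo "$s $f"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Usage: sh check_pem.sh /etc/resty-auto-ssl/letsencrypt
if [ $# -gt 0 ]; then
    scan_cert_dir "$1"
fi
```
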

Thanks a lot for the quick response @GUI. Much appreciated! Your solution worked but I also needed to remove all those KEYS from Redis. We are using lua-resty-auto-ssl 0.10.5-1. As for your questions: we didn't modify those files manually. Maybe something else is causing it to fail. Let me know if you need more details.

danielbentov Apr 19 '17 17:04

Have had the same issue several times – cleaning Redis helps. Looks like when I had directory certificate storage, it worked successfully (but I am not sure), but after switching to Redis it definitely did not work.

gugu Oct 08 '17 15:10

This issue still comes up when Redis is used. Any permanent solution to this?

adityapatadia Oct 03 '20 06:10

Sorry, my bad, it was due to us hitting the certificate issue limit.

adityapatadia Oct 03 '20 06:10

Any update on this issue? I am also getting it in the production environment. Thanks in advance.

pra-cloud Jun 17 '23 09:06