lego
Lego certificate renewal failing due to webroot flag
Hi Team,
We have just upgraded to Lego version 3.5.0, but when we try to renew Lego certificates using the command below, it fails.

Command:

```sh
/usr/local/bin/lego -a --email='${email}' --tls --domains='${domain}' --path='${cert_path}' --webroot='${challenge_directory}' --key-type rsa4096 renew
```

Error:

```
2020/03/14 01:42:01 No key found for account [email protected]. Generating a curve P384 EC key.
2020/03/14 01:42:01 Saved key to /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/[email protected]/keys/[email protected]
2020/03/14 01:42:01 [INFO][thrifty-pa.cq.thermeon.io] acme: Trying renewal with 1478 hours remaining
2020/03/14 01:42:01 asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @2
2020/04/14 01:42:01 [INFO][thrifty-pa.cq.thermeon.io] acme: Trying renewal with 734 hours remaining
2020/04/14 01:42:02 asn1: structure error: tags don't match (16 vs {class:0 tag:13 length:45 isCompound:true}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 timeType:0 set:false omitEmpty:false} certificate @2
```

**Incorrect Usage. flag provided but not defined: -webroot**
When I tried to test the renewal on our test server without the webroot flag, it works:

```sh
root@test-us:/etc/letsencrypt# /usr/local/bin/lego -a --email='[email protected]' --tls --domains='test-us.cq.thermeon.io' --path='/etc/letsencrypt' --key-type rsa4096 renew
2020/05/22 01:39:56 [test-us.cq.thermeon.io] The certificate expires in 82 days, the number of days defined to perform the renewal is 30: no renewal.
```

Kindly confirm whether I can remove the webroot flag without any issues.
Thanks in advance for your help as always
Hello,

From which version did you update?

Because `--webroot` is `--http.webroot` since v2.0.0.
Thanks ldez for your prompt response as always.
We were on v0.3.1 earlier and moved to v3.5.0 recently. I will implement your suggestion to see if the problem gets resolved
Hi @ldez,

Kindly find the cronjob command that I updated as per your suggestion:

```
# Renewal cronjob
command => "/usr/local/bin/lego -a --email='${email}' --tls --domains='${domain}' --path='${cert_path}' --http.webroot='${challenge_directory}' --key-type rsa4096 renew >> /var/log/letsencrypt.log 2>&1",
```

When the cronjob ran, I got the below error in letsencrypt.log:

```
2020/05/14 01:42:02 flag provided but not defined: -webroot
2020/05/27 08:34:28 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -304 hours remaining
2020/05/27 08:34:28 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4840919476
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] acme: use tls-alpn-01 solver
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve TLS-ALPN-01
2020/05/27 08:34:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4840919476
2020/05/27 08:34:29 acme: Error -> One or more domains had a problem:
[thrifty-pa.cq.thermeon.io] [thrifty-pa.cq.thermeon.io] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -304 hours remaining
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841211768
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: use tls-alpn-01 solver
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve TLS-ALPN-01
2020/05/27 08:54:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841211768
2020/05/27 08:54:32 acme: Error -> One or more domains had a problem:
[thrifty-pa.cq.thermeon.io] [thrifty-pa.cq.thermeon.io] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
```
The command that worked is below:

```sh
root@carsplus:/var/log# /usr/local/bin/lego -a --email='[email protected]' --http --domains='thrifty-pa.cq.thermeon.io' --path='/etc/letsencrypt' --http.webroot='/var/www/letsencrypt' --key-type rsa4096 renew
2020/05/27 09:01:39 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -305 hours remaining
2020/05/27 09:01:39 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841320121
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: Could not find solver for: tls-alpn-01
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: use http-01 solver
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve HTTP-01
2020/05/27 09:01:46 [INFO] [thrifty-pa.cq.thermeon.io] The server validated our request
2020/05/27 09:01:46 [INFO] [thrifty-pa.cq.thermeon.io] acme: Validations succeeded; requesting certificates
2020/05/27 09:01:54 [INFO] [thrifty-pa.cq.thermeon.io] Server responded with a certificate.
root@carsplus:/var/log# ls -al /etc/letsencrypt/certificates/
total 24
drwx------ 2 root root 4096 Feb 14 16:54 .
drwx------ 4 root root 4096 Feb 14 15:10 ..
-rw------- 1 root root 3933 May 27 09:01 thrifty-pa.cq.thermeon.io.crt
-rw------- 1 root root 1648 May 27 09:01 thrifty-pa.cq.thermeon.io.issuer.crt
-rw------- 1 root root  246 May 27 09:01 thrifty-pa.cq.thermeon.io.json
-rw------- 1 root root 3243 May 27 09:01 thrifty-pa.cq.thermeon.io.key
```

We had to use the `--http` option rather than `--tls` as in the previous cronjob.

Our Nginx web server uses the certificate. Can you kindly suggest whether moving from tls to http will be safe for us from a security perspective, or whether there are any other problems we could encounter in the future?
Thanks, Suvankar
Also, is there any way to use HTTPS rather than HTTP for cert renewals, from a security perspective?
Thanks in advance for your help
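The renewal wrapper below is an added example, not lego's own code and not from this thread. It ties together the two points the thread turns on: on lego v2 and later the webroot flag is spelled `--http.webroot`, and `tls-alpn-01` requires lego itself to bind port 443, which fails with `bind: address already in use` whenever nginx already owns that port, so a host that runs nginx normally uses `http-01` served from the webroot on port 80. The plaintext fetch in `http-01` is only the CA retrieving a one-time token from `http://<domain>/.well-known/acme-challenge/<token>`; the account, order and certificate exchanges with `acme-v02.api.letsencrypt.org` are over HTTPS in either mode. The `LEGO`, `EMAIL`, `DOMAIN`, `CERT_PATH`, `WEBROOT` and `RENEW_DAYS` defaults, the function names and the nginx `location` line in the comments are assumptions, and the `ss` listing in the comment is constructed.

```shell
#!/bin/sh
# Added example (not lego's code, not from the thread): cron wrapper for
# lego >= v2. All values below are hypothetical; override from the environment.
set -eu
umask 022

LEGO="${LEGO:-/usr/local/bin/lego}"
EMAIL="${EMAIL:-admin@example.com}"
DOMAIN="${DOMAIN:-www.example.com}"
CERT_PATH="${CERT_PATH:-/etc/letsencrypt}"
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
RENEW_DAYS="${RENEW_DAYS:-30}"

# Pick the challenge solver from a listing of listening TCP sockets, e.g. the
# output of `ss -Hltn` (constructed sample line):
#   LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
# tls-alpn-01 needs lego to bind :443 itself; if a web server already holds it
# lego fails with "bind: address already in use", so fall back to http-01,
# which only needs the web server to serve the webroot on :80.
choose_solver() {
    if printf '%s\n' "$1" | grep -Eq ':443([[:space:]]|$)'; then
        echo http
    else
        echo tls
    fi
}

# Build the lego argument line for a solver with the v2+ flag names: the
# pre-v2 --webroot is now --http.webroot and is otherwise rejected with
# "flag provided but not defined: -webroot". Global flags go before `renew`,
# the renew-specific --days after it.
build_cmd() {
    common="$LEGO -a --email=$EMAIL --domains=$DOMAIN --path=$CERT_PATH --key-type rsa4096"
    case "$1" in
        http) printf '%s' "$common --http --http.webroot=$WEBROOT renew --days $RENEW_DAYS" ;;
        tls)  printf '%s' "$common --tls renew --days $RENEW_DAYS" ;;
        *)    echo "unknown solver: $1" >&2; return 1 ;;
    esac
}

# Pre-flight check of the webroot: lego drops the token under
# .well-known/acme-challenge and the CA fetches it over plain HTTP on :80, so
# the directory must be traversable and the token readable by the (non-root)
# nginx worker. Matching nginx snippet (assumption, not checked here):
#   location ^~ /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
webroot_ready() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir"
    token="preflight-$$"
    printf 'ok' > "$dir/$token"
    dir_x=$(ls -ld "$dir" | cut -c10)       # "other" execute bit of the dir
    file_r=$(ls -l "$dir/$token" | cut -c8) # "other" read bit of the token
    rm -f "$dir/$token"
    [ "$dir_x" = "x" ] && [ "$file_r" = "r" ]
}

# lego writes certificates/<domain>.key as 0600 (as in the ls output in the
# thread); fail loudly if anything has loosened group/other permissions.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

renew() {
    listening=$(ss -Hltn 2>/dev/null || netstat -ltn 2>/dev/null || true)
    solver=$(choose_solver "$listening")
    if [ "$solver" = http ]; then
        webroot_ready "$WEBROOT" || { echo "webroot $WEBROOT is not servable" >&2; return 1; }
    fi
    cmd=$(build_cmd "$solver")
    echo "$(date '+%F %T') renewing $DOMAIN with the $solver solver"
    # shellcheck disable=SC2086  # word splitting of the argument line is intended
    $cmd
    key_is_private "$CERT_PATH/certificates/$DOMAIN.key"
}

# Only act when invoked as `renew.sh run`, so the functions can be sourced or
# tested without touching the ACME endpoint.
if [ "${1:-}" = run ]; then
    renew
fi
```

Run it from cron as `renew.sh run >> /var/log/letsencrypt.log 2>&1`; because the solver is chosen from the live socket table, the same script works on a host where nothing listens on 443 (it then keeps `--tls`) and on the nginx host from the thread (it switches to `--http --http.webroot=...`).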