cyberpanel
Expired SSL certificates are not triggering renewal
Environment: Cyberpanel v2.0 build 3, on Ubuntu 18.04 DigitalOcean. OLS installation
The Issue
A client reported to me that her site was not accessible. It was due to the SSL certificate expiring on Jan 15th (four days ago).
Looking in /home/cyberpanel/error-logs.txt, I can see the "Running SSL Renew Utility" output. It appears to be skipping certificates that are expired. At least it did in the case of this client's site. I've yet to check on the many other sites.
For example:
[01.16.2021_02-00-04] Checking SSL for DOMAIN.se.
[01.16.2021_02-00-04] SSL exists for DOMAIN.se. Checking if SSL will expire in 15 days..
[01.16.2021_02-00-04] SSL exists for DOMAIN.se and is not ready to renew, skipping..
Yet the certificate expired on January 15th.
This is obviously a major problem. But as there's no data in the log showing a failed renewal, I am not sure where to start troubleshooting the cause.
I've searched the log back to Nov 15th, and there was never an instance of this SSL certificate being detected as requiring renewal. No renewal attempts have been made. No errors have been logged related to the renewal of this domain's SSL.
A potentially related issue?
Something else worth pointing out ... I manually renewed the SSL for this domain with the SSL Manager ("Issue SSL").
The log output was as follows:
[01.18.2021_20-36-09] /root/.acme.sh/acme.sh --issue -d DOMAIN.se -d www.DOMAIN.se --cert-file /etc/letsencrypt/live/DOMAIN.se/cert.pem --key-file /etc/letsencrypt/live/DOMAIN.se/privkey.pem --fullchain-file /etc/letsencrypt/live/DOMAIN.se/fullchain.pem -w /home/DOMAIN.se/public_html --force
[01.18.2021_20-36-17] Successfully obtained SSL for: DOMAIN.se and: www.DOMAIN.se
[01.18.2021_20-36-17] {'[email protected]': (550, b'5.1.1 <[email protected]>: Recipient address rejected: User unknown in virtual mailbox table')}
You'll see the last line is using a '[email protected]' email address for something. I am not sure what this is for, but such an address does not exist.
Is this error of any consequence? I note that it didn't prevent the manual renewal from being successful.
I think the SSL is renewed but the web server did not restart (thus reading the old certificate file).
So what's the solution to this? Does the automated renewal process not restart LSWS?
Also, I am not 100% sure this is the case, what you've suggested. I'm pretty sure I copied the certificate and decoded it online, and confirmed it was expired. I did that as part of my troubleshooting the issue.
I did that again after manually renewing it, to confirm it was renewed. I see another user has given a +1 to my message about this issue here: https://forums.cyberpanel.net/discussion/comment/11867#Comment_11867
I'll ask him/her to check if it's renewed or not.
+1 Hi, I'm facing the same error on some domain ...
If you've not yet resolved this, would you check if the certificate on the server is actually still an expired one? I'd like to determine if it's just that LSWS needs restarting or that the cert is expired. You can check the certificate by decoding the crt file here.
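One way to answer that question from the server itself (is the file on disk expired, or is the web server still serving an older copy?), as an added example that is not part of any post in this thread and is not CyberPanel code. The 15-day window and the `/etc/letsencrypt/live/<domain>/cert.pem` layout come from the log lines above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not CyberPanel code). Function names are hypothetical.
# WINDOW_DAYS=15 mirrors the "will expire in 15 days" log line above.
WINDOW_DAYS="${WINDOW_DAYS:-15}"

# Classify one PEM certificate: UNREADABLE, EXPIRED, DUE (inside window) or OK.
cert_state() {
    cert="$1"
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo UNREADABLE
        return 0
    fi
    # -checkend N exits 0 only if the cert is still valid N seconds from now.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo EXPIRED
    elif ! openssl x509 -in "$cert" -noout \
            -checkend $((WINDOW_DAYS * 86400)) >/dev/null; then
        echo DUE
    else
        echo OK
    fi
}

# Print "STATE<TAB>domain<TAB>notAfter" for every <live_dir>/<domain>/cert.pem.
audit_live_dir() {
    live_dir="${1:-/etc/letsencrypt/live}"
    for cert in "$live_dir"/*/cert.pem; do
        [ -f "$cert" ] || continue
        domain=$(basename "$(dirname "$cert")")
        end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
        printf '%s\t%s\t%s\n' "$(cert_state "$cert")" "$domain" "${end:-?}"
    done
}

# Succeeds when the certificate served on port 443 is the one on disk.
# A mismatch with an OK file on disk points at a web server that has not
# reloaded; a match with an EXPIRED file points at the renewal job itself.
# $1 = domain, $2 = certificate path. Needs network access to the site.
served_matches_disk() {
    disk=$(openssl x509 -in "$2" -noout -fingerprint -sha256 | cut -d= -f2)
    live=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null \
            2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null |
            cut -d= -f2)
    [ -n "$live" ] && [ "$disk" = "$live" ]
}
```

Running `audit_live_dir` from cron and alerting on any EXPIRED or DUE line gives a check that does not depend on the renewal utility's own log verdict.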
@usmannasir Any comments on above questions? Thank you.
I have this issue, but with a subdomain. It keeps the old SSL and does not renew, even after manually doing that. I restarted all services manually and restarted the server. I also deleted the subdomain and restarted the server, then created the subdomain again. Not working. Also posted on Discord and Facebook.
This is an ongoing issue. Is there any chance some support on this will be forthcoming? @usmannasir
I now have multiple expired SSL certificates being skipped when they should be renewed.
acme.sh --renew
Thanks for trying to be helpful. Yet I already know how to manually renew certificates. The issue is that it's meant to be automated, and it's not viable for me to manually check on and renew the 30+ certificates on this Cyberpanel installation.
Hey, I recently faced this issue on multiple servers. It seems like something got changed on acme.sh's end. I found it when I was debugging what went wrong after clicking Issue SSL multiple times and still getting a self-signed certificate.
acme.sh now uses ZeroSSL as its CA upstream, so now you need to first manually run acme.sh and register the account one time, and after that the Cyberpanel automation runs as usual.
I ran the following command once, and after that ZeroSSL certificates started issuing.
/root/.acme.sh/acme.sh --register-account -m your-email
I have experienced the same problem around 50 times on different servers. Even after the cert is expired, the acme tool says in the log that SSL exists and it skips renewal. It works fine only after manually running Issue SSL, and manual Issue SSL doesn't generate any error.
Ran into the same issue. There are a couple of issues here. But the best way to troubleshoot this is to enable the acme.sh log. Edit /root/.acme.sh/account.conf and enable logging.
LOG_FILE="/root/.acme.sh/acme.sh.log"
LOG_LEVEL=1
Run the renewal, and then check /root/.acme.sh/acme.sh.log and you might find that you're blocked from too many failed authorizations or you'll get the real error.
It looks like Cyberpanel is passing www.domain.com to the acme.sh command by default, even on subdomains, which doesn't work when Cloudflare is also being used, as Cloudflare only provides third-level SSL domains, not fourth.
You can generate and install the Cloudflare Client SSL and install it in Cyberpanel.
Instead, Cyberpanel should detect if www or provide options for generating SSL on third-level domains.