Thanks for all the help!
The DNS settings were the issue. The ‘www’ A record went missing after the wildcard was removed. I restored the record and was able to renew the certificate.
Sweet, glad it’s all sorted!
I just had the same issue where my cert expired without renewing
$ cat /etc/cron.d/letsencrypt-certificate-renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py
I don’t know which error logs to look into to show you anything there.
I ran this and the cert is fine now, but hope that this does not happen in 90 days again.
ansible-playbook server.yml -e env=production -K --tags letsencrypt
It is now valid until 12/20:
Valid From: Wed, 21 Sep 2016 03:30:00 GMT
Valid Until: Tue, 20 Dec 2016 03:30:00 GMT
Issuer: Let’s Encrypt Authority X3
SCTs: 0 SCTs
Mine just randomly expired as well. In my case restarting nginx fixed it right up.
I can confirm that the new end date for certificates did not go through until nginx was restarted.
Before that I checked the end date of the certificate with
openssl x509 -enddate -noout -in site.com.cert
and it was further ahead than what the browser was showing.
In the cron file for the letsencrypt-renewal the nginx service is supposed to reload so I am curious as to why it didn’t seem to work (because it obviously had renewed the certificates so the cron should be working).
Had the same issue with a site not renewing the certificate. Could not find errors. Did manage to renew manually. But when I searched for any cron jobs stored I could not find any either. Should there not be any added by Trellis for this?
Please ensure your cron job (normally at /etc/cron.d/letsencrypt-certificate-renewal) has the full path to service in its reload command (original PR). That was apparently my issue too—renewal was just fine but nginx never reloaded after renewal.
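A check for the failure mode described in the two posts above (the file on disk has a later end date than what the browser shows, because nginx never reloaded), added here as an example and not code from Trellis or from anyone in this thread. It assumes `openssl` is on PATH; the certificate path and host name are placeholders passed on the command line.

```python
"""Compare the certificate file on disk with the one the live server presents.

Added example, not part of the original thread. Assumes `openssl` is on PATH;
cert path and host name are placeholders supplied as command-line arguments.
"""
import socket
import ssl
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Let's Encrypt clients conventionally renew once fewer than 30 days remain.
RENEW_WINDOW = timedelta(days=30)


def parse_cert_time(value):
    """Parse an X.509 time as openssl prints it, e.g. 'Dec 20 03:30:00 2016 GMT',
    into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def on_disk_not_after(cert_path):
    """notAfter of the certificate file (same as `openssl x509 -enddate -noout -in`)."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path], text=True)
    return parse_cert_time(out.strip().split("=", 1)[1])  # drop the 'notAfter=' prefix


def served_not_after(host, port=443):
    """notAfter of the certificate the live server presents. Verification is off on
    purpose: an already-expired cert is exactly what we want to be able to observe."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    out = subprocess.check_output(
        ["openssl", "x509", "-inform", "DER", "-enddate", "-noout"], input=der)
    return parse_cert_time(out.decode().strip().split("=", 1)[1])


def classify(disk, served, now):
    """Explain how the file on disk relates to what clients actually see."""
    if disk > served:
        return "reload-needed"    # renewed on disk, nginx still serving the old cert
    if served < now:
        return "expired"          # nothing newer on disk either: renewal itself failed
    if disk - now < RENEW_WINDOW:
        return "renewal-overdue"  # the cron job should have renewed by now
    return "ok"


if __name__ == "__main__":
    cert_path, host = sys.argv[1], sys.argv[2]  # placeholders, e.g. /etc/nginx/ssl/letsencrypt/site.com.cert site.com
    disk, served = on_disk_not_after(cert_path), served_not_after(host)
    print(f"file: {disk:%Y-%m-%d}  served: {served:%Y-%m-%d}  -> "
          f"{classify(disk, served, datetime.now(timezone.utc))}")
```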
I just fixed 5 deployments that had this bug. Thank god for organization search on GitHub.
Thank you sir!
I still have the problem.
One of my certificates expires tomorrow, Mar/02, but my site already has the privacy error.
I have tried every single solution posted in here, but still no results.
Certificate file /etc/nginx/ssl/letsencrypt/xxxxx.cert already exists
Generating certificate for xxxxx.xxxx
Error while generating certificate for xxxxx.xxxx
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying orei.org...
Traceback (most recent call last):
File "/usr/local/letsencrypt/acme_tiny.py", line 198, in <module>
main(sys.argv[1:])
File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
File "/usr/local/letsencrypt/acme_tiny.py", line 123, in get_crt
wellknown_path, wellknown_url))
ValueError: Wrote file to /srv/www/letsencrypt/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM, but couldn't download http://xxxxx.xxxx/.well-known/acme-challenge/LIAgjwgNlBXLrmnfNys_a8i1sFIsNLj_ac2rHZ374BM
Any clue?
How recent is your Trellis version?
It might be fastest to back up your database and uploads and try reprovisioning your server with a fresh copy of Trellis (and all your configs, of course).
Here’s a quick overview of how I update Trellis. There are better ways but this is fast:
Copy the following out of your Trellis directory:
.vault_pass
ansible.cfg
/group_vars
/deploy-hooks
/hosts
/nginx-includes
Delete everything in your Trellis directory
Clone Trellis from source into your Trellis directory
Copy back in and overwrite the following:
.vault_pass
ansible.cfg
/group_vars/development
/group_vars/staging
/group_vars/production
/group_vars/all/mail.yml
/group_vars/all/vault.yml
/deploy-hooks
/hosts
Then back up your database and uploads again!!! Then rebuild and reprovision your server.
It was not me that made the installation and I have never used Trellis before…
One of my problems is that ansible-playbook server.yml -e env=production -K --tags letsencrypt does not run because it does not find the server.yml. Where do I run this command?
About the version, how do I get this information?
And there’s no way to install a fresh copy of Trellis right now.
Thanks!
Hello everyone, I got an issue.
My SSL renewal crashed yesterday.
I was able to do it manually today with this command, which works perfectly: ansible-playbook server.yml -e env=production -K --tags letsencrypt
However, I’m still interested in the automatic renewal!
I found out in the log that the process might have failed because of this -> ocsp.int-x3.letsencrypt.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
When I tried to access the folder (as root and web users) /var/lib/letsencrypt, the response was ‘Permission denied’.
Can someone help me with this? Please ask me if you need more details.
Thanks a lot,
@MWDelaney is this still a valid option to update Trellis?
I saw that it is an old post (2017), but if it is still a valid option I will try this way because it sounds straightforward to me.
Thanks
I am also wondering if this is still valid. I have some projects from the last 6 months to a year where the LE SSL is not being auto-renewed.
I would also like to know if the way @MWDelaney guides on Trellis updating is still valid. I’d be happy to simply replace my current Trellis files with new ones, I just want to confirm which files are to be kept and restored.
If you haven’t customized any other files within Trellis (which ideally you shouldn’t) then yes that process is basically correct and the easiest way.
I stumbled upon this issue today. A client notified me that the certificate was about to expire, so I went to investigate.
It seems like I’ve already applied the fix, but the cron job failed to run:
cat /etc/cron.d/letsencrypt-certificate-renewal
#Ansible: letsencrypt certificate renewal
30 4 1,11,21 * * root cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
cd /var/lib/letsencrypt && ./renew-certs.py && /usr/sbin/service nginx reload
Certificate file /etc/nginx/ssl/letsencrypt/domain.tld-933ed6e-bundled.cert already exists
Generating certificate for domain.tld
Created certificate for domain.tld
Is it possible that the cron job simply is not running? How can I debug?
Make sure you’ve reprovisioned the server since updating Trellis. That should fix the cron job, too.