Let's encrypt renewal stuck

  • Hi,


    I use i-MSCP 1.3.14 with LetsEncrypt plugin v 3.0.0 on Debian Jessie.
    Some of my domains do not renew the certificates properly. I've two domains where the status field says:

    Code
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Renewing an existing certificate
    An unexpected error occurred:
    The server experienced an internal error :: Failed to get registration by key
    Please see the logfiles in /var/log/letsencrypt for more details.


    The status seems to be like this for several weeks now, as I received warning emails from letsencrypt that the certificates will expire soon.


    I've also upgraded to the newest plugin version, but the problem persists.
    I've several other domains on this server where everything seems to work just fine.


    When I run the letsencrypt cronjobs manually, nothing happens with the stuck domains:

    Code
    # /usr/bin/perl /var/www/imscp/gui/plugins/LetsEncrypt/cronjobs/pending.pl -d -n
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Bootstrapper::boot: Booting backend....
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Bootstrapper::lock: Acquire exclusive lock on /tmp/imscp.lock
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Config::_init: Tying /etc/imscp/imscp.conf file in readonly mode
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::EventManager::_init: Loading /etc/imscp/listeners.d/10_apache2_dualstack.pl listener file
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Service::__ANON__: Systemd init system has been detected
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Execute::execute: /bin/systemctl --system is-active apache2.service
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Provider::Service::Sysvinit::_exec: active
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Execute::execute: /bin/systemctl --system is-active mysql.service
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::Provider::Service::Sysvinit::_exec: active
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Plugin tasks...
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Plugin (enabled) tasks for: LetsEncrypt (ID 1)
    [Sun Apr 2 08:34:41 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Plugin (enabled) tasks for: OpenDKIM (ID 2)
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::NetworkInterfaces tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::NetworkInterfaces
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::SSLcertificate tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::SSLcertificate
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::User tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::User
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Domain tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Domain
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Subdomain tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Subdomain
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Alias tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Alias
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::SubAlias tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::SubAlias
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::CustomDNS tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::CustomDNS
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::CustomDNS tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::CustomDNS
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::FtpUser tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::FtpUser
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Mail tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Mail
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Htpasswd tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Htpasswd
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Htgroup tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Htgroup
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Htaccess tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Htaccess
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::SubAlias tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::SubAlias
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Alias tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Alias
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Subdomain tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Subdomain
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::Domain tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::Domain
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: Processing Modules::User tasks...
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::DbTasksProcessor::_process: No task to process for Modules::User
    [Sun Apr 2 08:34:42 2017] [debug] iMSCP::Bootstrapper::unlock: Releasing exclusive lock on /tmp/imscp.lock



    How can I force the renewal of the certificates?


    Thanks!
    Luke

  • @lukeit


    The issue


    The server experienced an internal error :: Failed to get registration by key
    Please see the logfiles in /var/log/letsencrypt for more details.

    looks like a boulder issue (Let's Encrypt side). But in any case, you should provide us with logs from /var/log/letsencrypt/letsencrypt.log.


    See also: https://community.letsencrypt.…gistration-by-key/25808/6


    Edit: If you can't figure it out alone, give us access to your server.


  • The last entry in /var/log/letsencrypt/letsencrypt.log was over a week old. So I ran the certbot manually:


    Code
    /usr/local/sbin/certbot-auto certonly --agree-tos --email [email protected] --webroot --webroot-path /var/www/imscp/gui/plugins/LetsEncrypt/acme --preferred-challenges http --allow-subset-of-names --force-renewal --cert-name customdomain1.ch --domains customdomain1.ch,www.customdomain1.ch
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for customdomain1.ch
    http-01 challenge for www.customdomain1.ch
    Using the webroot path /var/www/imscp/gui/plugins/LetsEncrypt/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0118_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0118_csr-certbot.pem
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/customdomain1.ch/fullchain.pem.
      Your cert will expire on 2017-07-01. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot-auto
      again. To non-interactively renew *all* of your certificates, run
      "certbot-auto renew"
    - If you like Certbot, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le

    So it works, the new certificate is now in /etc/letsencrypt/live:


    Code
    openssl x509 -in /etc/letsencrypt/live/customdomain1.ch/cert.pem -noout -text | grep -e "Not \(Before\|After\)"
    Not Before: Apr 2 07:28:00 2017 GMT
    Not After : Jul 1 07:28:00 2017 GMT


    As far as I know, it now needs to be in /var/www/imscp/gui/data/certs/customdomain1.ch.pem together with the key right?


    How do I proceed?


    Thanks!
    Luke
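
Added example, not part of the thread and not i-MSCP or plugin code: a shell check for the situation in the post above, where certbot has renewed the certificate under /etc/letsencrypt/live but the panel's copy may still be the old one. The function names, status strings and 30-day default are assumptions; both file paths are passed as arguments, and the deployed file may hold the key and certificate together.

```shell
#!/bin/sh
# Added example: compare the certificate certbot renewed with the copy the
# control panel holds, and flag a certificate that is close to expiry.
# Names and status strings are illustrative, not taken from i-MSCP.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
# Prints nothing if the file is missing or contains no certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_status LIVE_CERT DEPLOYED_PEM [WARN_DAYS]
# Prints one of: in-sync, stale-deployed, expiring, unreadable
cert_status() {
    live=$1 deployed=$2 warn_days=${3:-30}
    live_fp=$(cert_fingerprint "$live")
    dep_fp=$(cert_fingerprint "$deployed")

    # Either file could not be parsed as a certificate.
    if [ -z "$live_fp" ] || [ -z "$dep_fp" ]; then
        echo unreadable
        return 2
    fi

    # Renewal succeeded on disk but the panel still has a different cert.
    if [ "$live_fp" != "$dep_fp" ]; then
        echo stale-deployed
        return 1
    fi

    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$live" -noout \
            -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        echo expiring
        return 1
    fi

    echo in-sync
}

# Stand-alone use: script.sh LIVE_CERT DEPLOYED_PEM [WARN_DAYS]
if [ "$#" -ge 2 ]; then
    cert_status "$@"
fi
```

A "stale-deployed" result means the renewal reached /etc/letsencrypt/live but not the file the panel holds, which is the state this post asks about.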

  • As far as I know, it now needs to be in /var/www/imscp/gui/data/certs/customdomain1.ch.pem together with the key right?


    How do I proceed?


    Now, about your question: First, I need to know the status of the SSL certificate as it appears in the control panel interface.


    And please, use bbcode in your posts.


  • The status of the SSL certificate in the control panel is still the same:


    Code
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Renewing an existing certificate
    An unexpected error occurred:
    The server experienced an internal error :: Failed to get registration by key
    Please see the logfiles in /var/log/letsencrypt for more details.


    As you can see in my first post, I already tried the -n / --now option.


    Thanks again!
    Lukas

  • The status of the SSL certificate in the control panel is still the same:

    So, connect to pma and remove the entry from the letsencrypt table (in the imscp database) for the domain. Once done, re-enable letsencrypt for the domain.


  • @lukeit


    You're welcome ;)


    Thread closed.
