LetsEncrypt Certificate is not renewed -> revokation seems to fail

**Levitas** · May 25th 2017

Hello there,

i had a certificate for my services (FTP, Mail etc). This certificate endet on 21.05.2017.
I tried to manually renew it. There weren't any errors, but the end-Date of the certificate showed up "21.05.".
The LetsEncrypt Log itself said "the renew configuration ist invalid" so i tried to remove the certificate (revoke) to create a new one.

The creation failed and the frontend shows "there are technical problems, we will try it later" but now im waiting about 30 minutes and there are no pending actions in the debugger interface (also no erros, yes debug = 1)

The LetsEncrypt Plugin Log:

Code

[Thu May 25 08:21:56 2017] [debug] Modules::Plugin::_call: Executing run() action on Plugin::LetsEncrypt[Thu May 25 08:21:56 2017] [debug] iMSCP::Service::__ANON__: Systemd init system has been detected[Thu May 25 08:21:56 2017] [debug] iMSCP::Execute::execute: /bin/systemctl --system is-active apache2.service[Thu May 25 08:21:56 2017] [debug] iMSCP::Provider::Service::Sysvinit::_exec: active[Thu May 25 08:21:56 2017] [debug] Plugin::LetsEncrypt::run: Executing `todelete' tasks for the `web01.srv.fluxter.net' SSL certificate[Thu May 25 08:21:56 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto revoke --quiet --agree-tos --email [email protected] --reason unspecified --cert-path /etc/letsencrypt/live/web01.srv.fluxter.net/cert.pem[Thu May 25 08:21:59 2017] [debug] Plugin::LetsEncrypt::_deleteLineages: Deleting any SSL certificate lineage matching the web01.srv.fluxter.net domain name[Thu May 25 08:21:59 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0005[Thu May 25 08:22:00 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0003[Thu May 25 08:22:02 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0002[Thu May 25 08:22:03 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0006[Thu May 25 08:22:05 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net[Thu May 25 08:22:06 2017] [debug] iMSCP::Execute::getExitCode: Command exited with value: 1[Thu May 25 08:22:06 2017] [error] Plugin::LetsEncrypt::run: pending

The LetsEncrypt Log

Code

2017-05-25 06:22:06,572:DEBUG:certbot.main:certbot version: 0.14.1
2017-05-25 06:22:06,573:DEBUG:certbot.main:Arguments: ['--cert-name', 'web01.srv.fluxter.net']
2017-05-25 06:22:06,573:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-05-25 06:22:06,614:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7fcc3a795650> and installer <certbot.cli._Default object at 0x7fcc3a795650>
2017-05-25 06:22:06,614:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x7fcc3a76f050>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x7fcc3a76f410>, apache=<certbot.cli._Default object at 0x7fcc3a795950>, apache_challenge_location=<certbot.cli._Default object at 0x7fcc3a79c590>, apache_ctl=<certbot.cli._Default object at 0x7fcc3a79c990>, apache_dismod=<certbot.cli._Default object at 0x7fcc3a795f90>, apache_enmod=<certbot.cli._Default object at 0x7fcc3a795e90>, apache_handle_modules=<certbot.cli._Default object at 0x7fcc3a79c710>, apache_handle_sites=<certbot.cli._Default object at 0x7fcc3a79c890>, apache_init_script=<certbot.cli._Default object at 0x7fcc3a79cad0>, apache_le_vhost_ext=<certbot.cli._Default object at 0x7fcc3a79c110>, apache_logs_root=<certbot.cli._Default object at 0x7fcc3a79c450>, apache_server_root=<certbot.cli._Default object at 0x7fcc3a79c250>, apache_vhost_root=<certbot.cli._Default object at 0x7fcc3a79c350>, authenticator=<certbot.cli._Default object at 0x7fcc3a795650>, break_my_certs=<certbot.cli._Default object at 0x7fcc3a78f2d0>, cert_path=<certbot.cli._Default object at 0x7fcc3a791e10>, certname='web01.srv.fluxter.net', chain_path=<certbot.cli._Default object at 0x7fcc3a795150>, checkpoints=<certbot.cli._Default object at 0x7fcc3a791910>, config_dir=<certbot.cli._Default object at 0x7fcc3a795250>, config_file=None, configurator=<certbot.cli._Default object at 0x7fcc3a795650>, csr=<certbot.cli._Default object at 0x7fcc3a7916d0>, debug=<certbot.cli._Default object at 0x7fcc3a76fd90>, debug_challenges=<certbot.cli._Default object at 0x7fcc3a76fe90>, dialog=None, domains=<certbot.cli._Default object at 0x7fcc3a7d9610>, dry_run=<certbot.cli._Default object at 0x7fcc3a7d5ed0>, duplicate=<certbot.cli._Default object at 0x7fcc3a76f790>, eff_email=<certbot.cli._Default object at 0x7fcc3a7d58d0>, email=<certbot.cli._Default object at 0x7fcc3a7d5a50>, expand=<certbot.cli._Default object at 0x7fcc3a7d5410>, force_interactive=<certbot.cli._Default object at 0x7fcc3a7d9310>, fullchain_path=<certbot.cli._Default object at 0x7fcc3a795050>, func=<function delete at 0x7fcc3a9c1488>, hsts=<certbot.cli._Default object at 0x7fcc3a78f7d0>, http01_port=<certbot.cli._Default object at 0x7fcc3a78f1d0>, ifaces=<certbot.cli._Default object at 0x7fcc3a791c10>, init=<certbot.cli._Default object at 0x7fcc3a791a10>, installer=<certbot.cli._Default object at 0x7fcc3a795650>, key_path=<certbot.cli._Default object at 0x7fcc3a791f10>, logs_dir=<certbot.cli._Default object at 0x7fcc3a795450>, manual=<certbot.cli._Default object at 0x7fcc3a795c50>, manual_auth_hook=<certbot.cli._Default object at 0x7fcc3a795e50>, manual_cleanup_hook=<certbot.cli._Default object at 0x7fcc3a79cd10>, manual_public_ip_logging_ok=<certbot.cli._Default object at 0x7fcc3a79ce10>, must_staple=<certbot.cli._Default object at 0x7fcc3a78f4d0>, nginx=<certbot.cli._Default object at 0x7fcc3a795a50>, nginx_ctl=<certbot.cli._Default object at 0x7fcc3a795ad0>, nginx_server_root=<certbot.cli._Default object at 0x7fcc3a795cd0>, no_bootstrap=<certbot.cli._Default object at 0x7fcc3a76fa90>, no_self_upgrade=<certbot.cli._Default object at 0x7fcc3a76f990>, no_verify_ssl=<certbot.cli._Default object at 0x7fcc3a76ff90>, noninteractive_mode=<certbot.cli._Default object at 0x7fcc3a7d9210>, num=<certbot.cli._Default object at 0x7fcc3a791510>, os_packages_only=<certbot.cli._Default object at 0x7fcc3a76f890>, post_hook=<certbot.cli._Default object at 0x7fcc3a791110>, pre_hook=<certbot.cli._Default object at 0x7fcc3a78ffd0>, pref_challs=<certbot.cli._Default object at 0x7fcc3a78fed0>, prepare=<certbot.cli._Default object at 0x7fcc3a791b10>, quiet=<certbot.cli._Default object at 0x7fcc3a76fb90>, reason=<certbot.cli._Default object at 0x7fcc3a791810>, redirect=<certbot.cli._Default object at 0x7fcc3a78f5d0>, register_unsafely_without_email=<certbot.cli._Default object at 0x7fcc3a7d5d50>, reinstall=<certbot.cli._Default object at 0x7fcc3a7d51d0>, renew_by_default=<certbot.cli._Default object at 0x7fcc3a7dda50>, renew_hook=<certbot.cli._Default object at 0x7fcc3a791210>, renew_with_new_domains=<certbot.cli._Default object at 0x7fcc3a76f490>, rsa_key_size=<certbot.cli._Default object at 0x7fcc3a78f3d0>, server=<certbot.cli._Default object at 0x7fcc3a795550>, staging=<certbot.cli._Default object at 0x7fcc3a76fc90>, standalone=<certbot.cli._Default object at 0x7fcc3a795b50>, standalone_supported_challenges=<certbot.cli._Default object at 0x7fcc3a7958d0>, staple=<certbot.cli._Default object at 0x7fcc3a78fbd0>, strict_permissions=<certbot.cli._Default object at 0x7fcc3a78fdd0>, text_mode=<certbot.cli._Default object at 0x7fcc3a7d9390>, tls_sni_01_port=<certbot.cli._Default object at 0x7fcc3a78f0d0>, tos=<certbot.cli._Default object at 0x7fcc3a76f190>, uir=<certbot.cli._Default object at 0x7fcc3a78f9d0>, update_registration=<certbot.cli._Default object at 0x7fcc3a7d5bd0>, user_agent=<certbot.cli._Default object at 0x7fcc3a791610>, validate_hooks=<certbot.cli._Default object at 0x7fcc3a791310>, verb='delete', verbose_count=<certbot.cli._Default object at 0x7fcc3a7d9510>, webroot=<certbot.cli._Default object at 0x7fcc3a795d50>, webroot_map=<certbot.cli._Default object at 0x7fcc3a7954d0>, webroot_path=<certbot.cli._Default object at 0x7fcc3a795e10>, work_dir=<certbot.cli._Default object at 0x7fcc3a795350>)
2017-05-25 06:22:06,623:DEBUG:certbot.log:Root logging level set at 20
2017-05-25 06:22:06,623:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-05-25 06:22:06,624:DEBUG:certbot.storage:Removed /etc/letsencrypt/renewal/web01.srv.fluxter.net.conf
2017-05-25 06:22:06,624:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 548, in delete
cert_manager.delete(config)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 89, in delete
storage.delete_files(config, certname)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 280, in delete_files
os.remove(link)
TypeError: coercing to Unicode: need string or buffer, NoneType found

Display More

Is there any way to solve this issue, are there more information available?

i-MSCP: v1.4.3
LetsEncrypt: 3.1.0

**Nuxwin** · May 25th 2017

@Levitas

There is a bug in current version. Cron tasks are not registered on i-MSCP reconfiguration/upgrade. Please could you provide the content of your current /etc/cron.d/imscp configuration file?

Quote from Levitas

I tried to manually renew it. There weren't any errors, but the end-Date of the certificate showed up "21.05.".
The LetsEncrypt Log itself said "the renew configuration ist invalid" so i tried to remove the certificate (revoke) to create a new one.

And now this is a mess because you acted before asking us... You shouldn't renew SSL certificates manually. Executing certbot outside of the plugin context can lead to such problems. The error from your letsencrypt.log file means that one file is missing, hence the failure.

Worse:

[Thu May 25 08:21:59 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0005
[Thu May 25 08:22:00 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0003
[Thu May 25 08:22:02 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0002
[Thu May 25 08:22:03 2017] [debug] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto delete --cert-name web01.srv.fluxter.net-0006

Those lines mean that there was different lineages for the same SSL certificate. This shouldn't occurs normally with our plugin because we are acting always on the same lineage. You should really avoid to run certbot manually...

Thank you.

**Levitas** · May 25th 2017

I meant the manual renew in the panel. There is a button for that

// Edit
For this domain I created the certificate before the imscp provided service ssl in the letsencrypt plugin etc.
Probably this could be a problem?

The cron.d imscp file

Code

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Traffic accounting
0,30 * * * * root perl nice -n 10 ionice -c2 -n5 /var/www/imscp/engine/traffic/imscp-srv-traff > /var/log/imscp/imscp-srv-traff.log 2>&1
0,30 * * * * root perl nice -n 10 ionice -c2 -n5 /var/www/imscp/engine/traffic/imscp-vrl-traff > /var/log/imscp/imscp-vrl-traff.log 2>&1
# Quota accounting
@daily root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/quota/imscp-dsk-quota > /var/log/imscp/imscp-dsk-quota.log 2>&1
# Disable expired accounts
@daily root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/tools/imscp-disable-accounts >/dev/null 2>&1
# Backup i-MSCP configuration files and database
@daily root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/backup/imscp-backup-imscp > /var/log/imscp/imscp-backup-imscp-mngr.log 2>&1
# Remove configuration backups older than 7 days
@weekly root find /etc/imscp/*/backup -type f -mtime +7 -regextype sed -regex '.*/.*[0-9]\{10\}$' -exec rm -- {} +
# Remove i-MSCP backups older than 7 days
@weekly root find /var/www/imscp/backups -type f -mtime +7 -exec rm -- {} +
# Remove backend Logs older than 7 days
@weekly root find /var/log/imscp -type f -mtime +7 -exec rm -- {} +
# Backup customers' data depending of the domain properties
40 23 * * * root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/backup/imscp-backup-all > /var/log/imscp/imscp-backup-all-mngr.log 2>&1
# imscp [Package::AntiRootkits::Rkhunter] entry BEGIN
@weekly root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/PerlLib/Package/AntiRootkits/Rkhunter/Cron.pl > /dev/null 2>&1
# imscp [Package::AntiRootkits::Rkhunter] entry ENDING
# imscp [Package::AntiRootkits::Chkrootkit] entry BEGIN
@weekly root nice -n 10 ionice -c2 -n5 bash chkrootkit -e > /var/log/chkrootkit.log 2>&1
# imscp [Package::AntiRootkits::Chkrootkit] entry ENDING
# imscp [Package::Webstats::Awstats] entry BEGIN
15 3-21/6 * * * root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/PerlLib/Package/Webstats/Awstats/Scripts/awstats_updateall.pl now -awstatsprog=/usr/lib/cgi-bin/awstats.pl > /dev/null 2>&1
# imscp [Package::Webstats::Awstats] entry ENDING
# imscp [Plugin::SpamAssassin::DiscoverRazor] entry BEGIN
@weekly root nice -n 15 ionice -c2 -n5 perl /var/www/imscp/gui/plugins/SpamAssassin/cronjobs/cronjob_discover_razor.pl >/dev/null 2>&1
# imscp [Plugin::SpamAssassin::DiscoverRazor] entry ENDING
# imscp [Plugin::SpamAssassin::BayesSaLearn] entry BEGIN
0 */12 * * * root nice -n 15 ionice -c2 -n5 perl /var/www/imscp/gui/plugins/SpamAssassin/cronjobs/cronjob_bayes_sa-learn.pl >/dev/null 2>&1
# imscp [Plugin::SpamAssassin::BayesSaLearn] entry ENDING
# imscp [Plugin::RoundcubePlugins::pop3fetcher] entry BEGIN
*/15 * * * * root nice -n 15 ionice -c2 -n5 perl /var/www/imscp/gui/plugins/RoundcubePlugins/cronjob/cronjob_pop3fetcher.pl >/dev/null 2>&1
# imscp [Plugin::RoundcubePlugins::pop3fetcher] entry ENDING

Display More

**Nuxwin** · May 25th 2017

@Levitas

Ok. So the cron task are missing. I'll release a new LetsEncrypt plugin version in next hour.

For your current problem please try the folllowing:

Shell-Script

# rm -Rf /etc/letsencrypt/{archive,live}/web01.srv.fluxter.net# rm -f /etc/letsencrypt/renewal/web01.srv.fluxter.net.conf

Then, once done:

Shell-Script

# mysql
> use imscp;
> DELETE FROM letsencrypt WHERE domain_name = 'web01.srv.fluxter.net';
> \q

Once done, try to re-enable Let's Encrypt.

**Levitas** · May 25th 2017

Now i've reached the limit. In the last 2 hours there were only 2 certificates.
Probably a loop...?

Thank you for your support. Now i have to wait

**Nuxwin** · May 25th 2017

Quote from Levitas

Now i've reached the limit. In the last 2 hours there were only 2 certificates.
Probably a loop...?

No, there is no loop but the limit is based on the root domain name which here is fluxter.net. This means that if in the last week you have made ssl issuances for that domain or subdomains of that domain, the limit can have been reached.

Now, there is many limits. You don't say us what is the limit that has been reached.

**Nuxwin** · May 25th 2017

Quote from Levitas

# Traffic accounting
0,30 * * * * root perl nice -n 10 ionice -c2 -n5 /var/www/imscp/engine/traffic/imscp-srv-traff > /var/log/imscp/imscp-srv-traff.log 2>&1
0,30 * * * * root perl nice -n 10 ionice -c2 -n5 /var/www/imscp/engine/traffic/imscp-vrl-traff > /var/log/imscp/imscp-vrl-traff.log 2>&1

You should also fix the bugs there, awaiting for next i-MSCP version.

Should be:

Code

# Traffic accounting
0,30 * * * * root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/traffic/imscp-srv-traff > /var/log/imscp/imscp-srv-traff.log 2>&1
0,30 * * * * root nice -n 10 ionice -c2 -n5 perl /var/www/imscp/engine/traffic/imscp-vrl-traff > /var/log/imscp/imscp-vrl-traff.log 2>&1

**Levitas** · May 25th 2017

Im not sure about how many certificates there were on that base domain, but thats not your fault^^
I did the changes to the cron file.

Thanks again!

LetsEncrypt Certificate is not renewed -> revokation seems to fail

Share

Daily visitors