Author Topic: Acme.sh, try to renew all domain or subdomain removed  (Read 2404 times)

0 Members and 1 Guest are viewing this topic.

Offline
*
Acme.sh, try to renew all domain or subdomain removed
« on: March 20, 2024, 02:28:16 PM »
Lately, I have started to receive some logs by mail about acme.sh trying to renew certificate that no longer exists on the server.
Every domain, or subdomain that I removed, that previously was previously on the server with Let's Encrypt certificates to autorenew, will fall into that bug.
This is the log I receive, for every domain or subdomain falling into that situation.

[Wed Mar 20 00:17:12 EDT 2024] Invalid status, [domain_name]:Verify error detail:no valid A records found for  [domain_name]; no valid AAAA records found for  [domain_name]
[Wed Mar 20 00:17:12 EDT 2024] Please check log file for more details: /[complete_path_to]/acme.sh.log
[Wed Mar 20 00:17:13 EDT 2024] Error renew  [domain_name].ca_ecc.

Two things here
1-it's a bug and should be fixed.
2-What should I do to prevent acme.sh trying to renew these certs?

CWPpro version: 0.9.8.1177 |


Thank you

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #1 on: March 20, 2024, 08:11:17 PM »
Is your DNS set up correctly? Can we get a sample domain to test against to see how external DNS looks from here?

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #2 on: April 02, 2024, 12:27:21 PM »
Hello,
I don't manage DNS with CWP, they are all manage outside the server, and they point to the server.
I could give you a domain, but it won't exist anymore, that's the point.  Still need one?

Just to make sure I was clear enough :
- Domain was pointed to the server, the certificate was working.
- Delete the domain from the DNS, and remove the domain from CWP. 
- Let's Encrypt try, and fail (because the domain is not pointed to the domain anymore) to renew the cert.

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #3 on: April 02, 2024, 01:21:52 PM »
If you delete the domain name in CWP, you also delete the SSL certificate.

And if the domain name doesn't exit anymore or isn't pointed to the server, then Let's Encrypt won't create a new SSL certificate.


So to answer your question, YES, you NEED a domain name pointed to the CWP server to create and maintain a SSL certificate.

Even IF the domain name IS still pointed to the CWP server, and you Delete it from the CWP panel, you have to Recreate the SSL.

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #4 on: April 03, 2024, 04:31:35 PM »
Hello,
thank you for your answer but, respectfully, you do not understand the problem.
The domain does not exist anymore, I removed it. There is no domain pointing to the server, because there are no more of this site. It’s down. Out. We won’t ever use it again.

The problem : Let's encrypt try to renew a domain that does not exist.  It's OK it fails, the domain do not exist and do not point to the server. 
What should happen (and what is not happening) : Let's encrypt stop trying renewing any certificate of a domain that is removed from cwp.

Hopefully I have manage to explain the problem clearerly now?
« Last Edit: April 03, 2024, 04:35:34 PM by devloraa »

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #5 on: April 03, 2024, 05:19:07 PM »
Delete the .bundle and .cert for the domain name.

Then restart the web browser.

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #6 on: April 08, 2024, 01:22:31 PM »
Hello,

Where would be located those files on the server?

Why would I need to restart the web browser for something that happens in a cron job on the server?  This makes me think I am still not understood.

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #7 on: April 08, 2024, 01:51:03 PM »
Code: [Select]
/ etc /pki/tls/certs/

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #8 on: April 08, 2024, 05:26:27 PM »
@overseer, I'm glad you got the path posted, it kept failing on me.

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #9 on: April 09, 2024, 01:42:50 PM »
The cert does not exists in the folder, thus I can't delete them, thus this does not fix the problem.

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #10 on: April 09, 2024, 05:25:23 PM »
That is where CWP stores all of the SSL certificates & information to and from Let's Encrypt.

So if it's not there, it's not a CWP issue.

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #11 on: April 10, 2024, 04:08:52 PM »
So I have found an issue since the last few days as well. I believe it is related to this issue. This is NOT a DNS problem, that is incorrectly reported by acme.sh. The challenge file that is placed in
Code: [Select]
/usr/local/apache/autossl_tmp/.well-known/acme-challenge is not the same as what Letsencrypt is looking for resulting in a 404 error. That's why it's reporting a connection/DNS issue. I'm using Nginx->varnish->Apache setup. Not sure what happened but it looks like the file names are not being generated properly.
If they wanted it fixed...then you wouldn't have to fight so hard for them to fix it. Money is made on problems.....problems that you pay them to fix....but they created themselves. Why should you pay CWP to fix their own software? Is that their business model?

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #12 on: April 18, 2024, 12:22:42 PM »
Starburst,
acme.sh must check a list of the domain to renew. It is definitely not based on the file in the folder you mentioned, because the files are not there and acme.sh still try to renew the cert for the domain.

This list of domains that acme.sh renew is managed by CWP, I have never touched any settings linked to acme.sh/let's encrypt outside of the interface provided by CWP.  I have never called acme.sh directly from the command line neither.

How does CWP tell acme.sh to generate a certificate (and to renew it)? That would be a good starting point for me to find and remove these domains from acme.sh config, and help others who'll end up in the same situation.

Edit:
Additionnaly, I see that folders of the probelamatic old domain still exsits in /root/.acme.sh/cwp_certs
So cleeearly there is something going on with cwp.
Rejecting the fact that this is not a cwp bug was not the right answer.

« Last Edit: April 18, 2024, 12:34:55 PM by devloraa »

Offline
*
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #13 on: April 18, 2024, 12:26:04 PM »
LP Jon,
I don't think you are talking about the same problem that I have, because this is not a DNS problem I have.
Please provide more details if I misunderstood or remove your comment so the thread stay clean.
Thank you

Offline
*****
Re: Acme.sh, try to renew all domain or subdomain removed
« Reply #14 on: April 18, 2024, 09:17:58 PM »
@devloraa

The location myself & @overseer gave you IS CORRECT FOR CWP Managed SSL Certificates.

See the screenshot below, as CWP gives you the path to all certificates it manages.

From the Admin panel, click on Webserver Settings (1) -> SSL Certificates (2) | List Installed will show the SSL Certificates CWP manages via Let's Encrypt & Also allows you to Delete, Edit, or Manually Renew | AutoSSL [FREE] (3) is where you can create new Let's Encrypt SSL Certificates via CWP.

NOTE THE BLUE BOX - And the Paths we mentioned are listed there as the CORRECT PATH.




There is also a small FAQ at: https://forum.centos-webpanel.com/ssl/how-to-install-multiple-ssl-certificates-on-shared-ip/

If you are still having a problem, I would suggest you open a paid support ticket directly with CWP.