Control Web Panel

WebPanel => CentOS 7 Problems => Topic started by: devloraa on March 20, 2024, 02:28:16 PM

Title: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on March 20, 2024, 02:28:16 PM
Lately, I have started to receive some logs by mail about acme.sh trying to renew certificate that no longer exists on the server.
Every domain or subdomain that I removed, that was previously on the server with Let's Encrypt certificates set to autorenew, will fall into that bug.
This is the log I receive, for every domain or subdomain falling into that situation.

[Wed Mar 20 00:17:12 EDT 2024] Invalid status, [domain_name]:Verify error detail:no valid A records found for  [domain_name]; no valid AAAA records found for  [domain_name]
[Wed Mar 20 00:17:12 EDT 2024] Please check log file for more details: /[complete_path_to]/acme.sh.log
[Wed Mar 20 00:17:13 EDT 2024] Error renew  [domain_name].ca_ecc.

Two things here
1-it's a bug and should be fixed.
2-What should I do to prevent acme.sh trying to renew these certs?

CWPpro version: 0.9.8.1177


Thank you
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: overseer on March 20, 2024, 08:11:17 PM
Is your DNS set up correctly? Can we get a sample domain to test against to see how external DNS looks from here?
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 02, 2024, 12:27:21 PM
Hello,
I don't manage DNS with CWP; they are all managed outside the server, and they point to the server.
I could give you a domain, but it won't exist anymore, that's the point.  Still need one?

Just to make sure I was clear enough :
- Domain was pointed to the server, the certificate was working.
- Delete the domain from the DNS, and remove the domain from CWP.
- Let's Encrypt tries, and fails (because the domain is not pointed to the domain anymore), to renew the cert.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 02, 2024, 01:21:52 PM
If you delete the domain name in CWP, you also delete the SSL certificate.

And if the domain name doesn't exist anymore or isn't pointed to the server, then Let's Encrypt won't create a new SSL certificate.


So to answer your question, YES, you NEED a domain name pointed to the CWP server to create and maintain an SSL certificate.

Even IF the domain name IS still pointed to the CWP server, and you Delete it from the CWP panel, you have to Recreate the SSL.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 03, 2024, 04:31:35 PM
Hello,
thank you for your answer but, respectfully, you do not understand the problem.
The domain does not exist anymore, I removed it. There is no domain pointing to the server, because this site no longer exists. It's down. Out. We won't ever use it again.

The problem: Let's Encrypt tries to renew a domain that does not exist. It's OK that it fails; the domain does not exist and does not point to the server.
What should happen (and what is not happening): Let's Encrypt should stop trying to renew any certificate of a domain that is removed from CWP.

Hopefully I have managed to explain the problem clearly now?
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 03, 2024, 05:19:07 PM
Delete the .bundle and .cert for the domain name.

Then restart the web browser.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 08, 2024, 01:22:31 PM
Hello,

Where would be located those files on the server?

Why would I need to restart the web browser for something that happens in a cron job on the server?  This makes me think I am still not understood.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: overseer on April 08, 2024, 01:51:03 PM
Code:
/etc/pki/tls/certs/
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 08, 2024, 05:26:27 PM
@overseer, I'm glad you got the path posted, it kept failing on me.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 09, 2024, 01:42:50 PM
The cert does not exist in the folder, thus I can't delete it, thus this does not fix the problem.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 09, 2024, 05:25:23 PM
That is where CWP stores all of the SSL certificates & information to and from Let's Encrypt.

So if it's not there, it's not a CWP issue.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: LPJon on April 10, 2024, 04:08:52 PM
So I have found an issue since the last few days as well. I believe it is related to this issue. This is NOT a DNS problem, that is incorrectly reported by acme.sh. The challenge file that is placed in /usr/local/apache/autossl_tmp/.well-known/acme-challenge is not the same as what Letsencrypt is looking for, resulting in a 404 error. That's why it's reporting a connection/DNS issue. I'm using Nginx->varnish->Apache setup. Not sure what happened but it looks like the file names are not being generated properly.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 18, 2024, 12:22:42 PM
Starburst,
acme.sh must check a list of the domains to renew. It is definitely not based on the files in the folder you mentioned, because the files are not there and acme.sh still tries to renew the cert for the domain.

This list of domains that acme.sh renews is managed by CWP; I have never touched any settings linked to acme.sh/Let's Encrypt outside of the interface provided by CWP. I have never called acme.sh directly from the command line either.

How does CWP tell acme.sh to generate a certificate (and to renew it)? That would be a good starting point for me to find and remove these domains from acme.sh config, and help others who'll end up in the same situation.

Edit:
Additionally, I see that the folders of the problematic old domains still exist in /root/.acme.sh/cwp_certs
So clearly there is something going on with CWP.
Rejecting the fact that this is not a cwp bug was not the right answer.

Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 18, 2024, 12:26:04 PM
LP Jon,
I don't think you are talking about the same problem that I have, because this is not a DNS problem I have.
Please provide more details if I misunderstood, or remove your comment so the thread stays clean.
Thank you
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 18, 2024, 09:17:58 PM
@devloraa

The location myself & @overseer gave you IS CORRECT FOR CWP Managed SSL Certificates.

See the screenshot below, as CWP gives you the path to all certificates it manages.

From the Admin panel, click on Webserver Settings (1) -> SSL Certificates (2) | List Installed will show the SSL Certificates CWP manages via Let's Encrypt & Also allows you to Delete, Edit, or Manually Renew | AutoSSL [FREE] (3) is where you can create new Let's Encrypt SSL Certificates via CWP.

NOTE THE BLUE BOX - And the Paths we mentioned are listed there as the CORRECT PATH.

(https://starburstservices.com/image-links/CWP/CWP-SSL-Cert-Location.jpg)


There is also a small FAQ at: https://forum.centos-webpanel.com/ssl/how-to-install-multiple-ssl-certificates-on-shared-ip/

If you are still having a problem, I would suggest you open a paid support ticket directly with CWP.

Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 19, 2024, 02:05:20 AM
One other place you can look is:

Code:
cd /root/.acme.sh/cwp_certs
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 22, 2024, 11:59:42 AM
Hello,
for the record, I have never doubted the certificates were located there.

My point is, acme.sh does not base its renewal to-do list on the files in this folder.

Thank you for trying, I'll post the fix when I find it.
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: devloraa on April 22, 2024, 12:36:12 PM
As I pointed out, the folder /root/.acme.sh/cwp_certs was the key here.

After reading the log file in /root/.acme.sh/acme.sh.log, it is clear to me (it would need confirmation from someone who really knows how CWP handles certs with acme.sh) that the parameter "home" in the cron task indicates to acme.sh where to start its renewal work.

Code:
/root/.acme.sh/acme.sh --cron --home /root/.acme.sh/cwp_certs > /dev/null
Every domain has its own folder in the cwp_certs folder. In each of these folders, there is a file ending with .conf (ex: www.mydomain.com.conf).
In these files, you'll find many variables, some of which are used by acme.sh to decide whether or not it will renew the domain.

Quick fix:
Go to the folder given as parameter 'home' to the cron task, and delete the folder of the domain.

This is not a bug fix.

CWP should have deleted these folders when we removed the domain from CWP panel.  This is the bug, and the provided "fix" does not repair the bug.
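A small audit script for the situation described in this post, added here as an example and not CWP's or acme.sh's own code. It walks the directory that CWP's cron task passes as --home, treats every subfolder holding a .conf as a renewal candidate, and prints the ones whose domain is missing from a list of active domains, without deleting anything. The active-domain list file is an assumption: one hostname per line, produced from whatever you treat as authoritative (the CWP domain list, for instance); the _ecc folder suffix is inferred from the ".ca_ecc" name in the log lines quoted at the top of the thread.

```shell
#!/bin/sh
# Audit acme.sh's --home directory for stale per-domain folders.
# Usage: sh audit-acme-home.sh /root/.acme.sh/cwp_certs /path/to/active-domains.txt
#
# ACME_HOME      directory given to `acme.sh --cron --home ...` in the cron task
# ACTIVE_LIST    assumed input: file with one active hostname per line
#
# Prints the names of folders acme.sh would still try to renew although the
# domain is no longer in ACTIVE_LIST. Nothing is removed; review the output,
# then remove the folders by hand as the post above describes.

stale_acme_dirs() {
    acme_home="$1"
    active_list="$2"
    for dir in "$acme_home"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # Only folders that contain a <domain>.conf are renewal candidates;
        # other entries (ca/, http.header, ...) are acme.sh housekeeping.
        ls "$dir"/*.conf >/dev/null 2>&1 || continue
        # acme.sh stores ECC certificates in <domain>_ecc; strip that suffix
        # (assumption based on the "[domain_name].ca_ecc" log line) to get
        # the bare hostname for the comparison.
        domain=${name%_ecc}
        # -F fixed string, -x whole line, -q quiet: exact hostname match only
        if ! grep -Fxq -- "$domain" "$active_list"; then
            printf '%s\n' "$name"
        fi
    done
}

# Run directly: print stale folders for the two paths given on the command line.
if [ "$#" -eq 2 ]; then
    stale_acme_dirs "$1" "$2"
fi
```

Each printed name is a folder under the --home directory; the thread's quick fix is to delete that folder, so the output is exactly the to-do list for that cleanup.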
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: Starburst on April 22, 2024, 04:43:45 PM
Which is the folder that I had told you to look in and delete the domain from on 2024-04-19

But am glad you got it fixed.
This seems to be a problem with how Let's Encrypt acme cron works, and not CWP.

Quote
One other place you can look is:

Code:
cd /root/.acme.sh/cwp_certs
Title: Re: Acme.sh, try to renew all domain or subdomain removed
Post by: chrisk on January 17, 2025, 02:09:01 AM
devloraa thank you for pushing on this and finding the real answer. I also found that folder but it wasn't clear if removing the folder would have the desired effect or not. In my situation I was installing a paid certificate and it kept getting over-written upon renewal of the R3 cert. Specifics: I had deleted the R3 cert via the CWP panel and then did an install of the paid cert. The delete does not remove the directory in the folder ( /root/.acme.sh/cwp_certs ) hence upon renewal it overwrites the paid cert.

Again thank you!