Topic: Problem with renewing SSL certs


« on: May 08, 2025, 03:38:04 PM »
Hi, I have tried to renew my expired certs (webmail, cpanel, etc.). In the web interface the renewal apparently succeeds, but when I reload the webpage, the notice that says "expired" is still there. When I check the .cert files in /etc/pki/tls/certs, they are indeed expired. Something is preventing the .cert or bundle files from being rewritten.
How can I resolve this problem, please? Regards.

« Reply #1 on: May 09, 2025, 01:38:16 AM »
Possibly a bug from CWP.
This happened to me migrating domains from another server.
Once the domain was renewed manually, the renewal process became automatic again.

Try to create a script, named like 'renew-cert.sh', to renew manually:
Code:
#!/bin/bash
# Force a renewal of the ECC certificate for the domain passed as the first argument.

DOM="${1:?usage: $0 domain.com}"
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew --ecc -d "${DOM}" --force

Change permissions:
Code:
# chmod 700 renew-cert.sh

And run the script (replacing "domain.com" with your domain):
Code:
# ./renew-cert.sh domain.com

Regards,
Netino
« Last Edit: May 09, 2025, 02:27:07 AM by Netino »

« Reply #2 on: May 12, 2025, 06:17:36 PM »
I tried the script; it was going well, but in the end I got the following error:

cxxxxxxxxxxx.cxx: Invalid status. Verification error details: 157.90.211.236: Fetching http://cxxnxxxx.com/.well-known/acme-challenge/rxt3tCYUqpgL_DtbRhDA7ik31_RQrp_bt1cvzc1jXyk: Timeout during connect (likely firewall problem)
[Mon May 12 13:12:40 -05 2025] Please check log file for more details: /root/.acme.sh/cwp_certs/acme.sh.log
[root@ ~]#

And indeed, I have migrated this domain from another server. Your help please. Thanks.

« Reply #3 on: May 13, 2025, 12:24:41 AM »
Is your firewall allowing in & outbound port 80? Is iptables configured similarly to this:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

You could temporarily disable the CSF firewall (csf -x) and test a renewal, either from the CWP web GUI or via Netino's script. This would tell you if it is a firewall problem, which it would appear to be.

« Reply #4 on: May 13, 2025, 02:36:58 PM »
Ah, but the website is on another server that I don't administer. How can I change the verification mode?

« Reply #5 on: May 14, 2025, 02:20:06 AM »
Ah, but the website is on another server that I don't administer. How can I change the verification mode?

You simply can't get certificates via LetsEncrypt in apache mode if you can't save tokens in a specific area of the web server.
But with another app (certbot) in DNS mode, you could.
Do you manage the DNS server of these sites?


« Reply #6 on: May 14, 2025, 04:58:45 PM »
Hi, of course, I manage the DNS zone of the domain... Then, how can I proceed?

« Reply #7 on: May 14, 2025, 06:42:56 PM »
Use certbot (an ACME client) and run with a configuration like this (obtaining an API key from your DNS provider -- Cloudflare, in this example):
/etc/letsencrypt/renewal/yourdomain.com.conf
Code:
# renew_before_expiry = 30 days
version = 1.8.0
archive_dir = /etc/letsencrypt/archive/yourdomain.com
cert = /etc/letsencrypt/live/yourdomain.com/cert.pem
privkey = /etc/letsencrypt/live/yourdomain.com/privkey.pem
chain = /etc/letsencrypt/live/yourdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = YOURAPIKEYHERE
authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = /some/path/conf/yourdomain.com.key
server = https://acme-v02.api.letsencrypt.org/directory
Then you just call certbot renew in cron and it will renew your SSL cert 30 days before expiry.
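
An added example, not part of the reply above or of certbot itself: a shell check that a renewal config like this one uses a DNS authenticator and that the API credentials file it points to is not accessible to group or other users. The sample config and token are constructed, and `conf_get` and `audit_renewal_conf` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the thread: audit a certbot renewal config for DNS-01 use.

# conf_get FILE KEY_REGEX: print the value of the first uncommented "key = value" line.
conf_get() {
    sed -n "/^[[:space:]]*$2[[:space:]]*=/{s/^[^=]*=[[:space:]]*//;s/[[:space:]]*\$//;p;}" "$1" | head -n 1
}

# audit_renewal_conf FILE: print findings; return 0 if clean, 1 otherwise.
audit_renewal_conf() {
    rc=0
    auth=$(conf_get "$1" authenticator)
    case $auth in
        dns-*) ;;
        *) echo "FINDING: authenticator '$auth' is not a DNS plugin"; rc=1 ;;
    esac
    cred=$(conf_get "$1" 'dns_[a-z0-9_]*_credentials')
    if [ -z "$cred" ]; then
        echo "FINDING: no dns_*_credentials path set"; rc=1
    elif [ ! -f "$cred" ]; then
        echo "FINDING: credentials file $cred does not exist"; rc=1
    else
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$cred" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FINDING: $cred is accessible to group/other; chmod 600 it"; rc=1
        fi
    fi
    return $rc
}

# Constructed sample mirroring the thread's config, written to a temp directory.
demo=$(mktemp -d)
printf 'dns_cloudflare_api_token = CONSTRUCTED-PLACEHOLDER\n' > "$demo/yourdomain.com.key"
chmod 644 "$demo/yourdomain.com.key"
cat > "$demo/yourdomain.com.conf" <<EOF
# renew_before_expiry = 30 days
[renewalparams]
authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = $demo/yourdomain.com.key
EOF

audit_renewal_conf "$demo/yourdomain.com.conf" || echo "=> fix the findings above"
chmod 600 "$demo/yourdomain.com.key"
audit_renewal_conf "$demo/yourdomain.com.conf" && echo "=> config OK"
```
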

« Reply #8 on: May 14, 2025, 08:59:52 PM »
Hi, thanks for your reply... What if the folders letsencrypt/renewal/ do not exist in /etc?

« Reply #9 on: May 14, 2025, 09:49:28 PM »
Read and follow certbot's documentation: https://certbot.eff.org/instructions?ws=apache&os=snap
You should run certbot from the CLI manually once to set it up, then edit the config to switch to DNS mode.
Code:
sudo certbot --apache

My example was specifically for Cloudflare, so you may have to adapt it to your situation.