Author Topic: Problem with renewing SSL certs  (Read 404 times)


Problem with renewing SSL certs
« on: May 08, 2025, 03:38:04 PM »
Hi, I have tried to renew my expired certs (webmail, cpanel, etc.). In the web interface the renewal apparently succeeds, but when I reload the web page the notice that it is "expired" is still there. When I check the .cert files in /etc/pki/tls/certs, they are indeed expired. Something is preventing the .cert or bundle files from being rewritten.
How can I resolve this problem, please? Regards.

Re: Problem with renewing SSL certs
« Reply #1 on: May 09, 2025, 01:38:16 AM »
Possibly a bug in CWP.
This happened to me when migrating domains from another server.
Once the domain was renewed manually, the renewal process became automatic again.

Try creating a script, named e.g. 'renew-cert.sh', to renew manually:
Code:
#!/bin/bash

# Usage: ./renew-cert.sh domain.com
DOM=${1}
/root/.acme.sh/acme.sh --home /root/.acme.sh/cwp_certs --renew --ecc -d ${DOM} --force

Change permissions:
Code:
# chmod 700 renew-cert.sh
And run the script (replacing "domain.com" with your domain):
Code:
# ./renew-cert.sh domain.com
Regards,
Netino
« Last Edit: May 09, 2025, 02:27:07 AM by Netino »
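Before and after a manual renewal it helps to look at what is actually on disk rather than trusting the panel's status. The script below is an added example, not from this thread or from CWP: it reports expiry, the SAN list, and whether the certificate and private key still belong together, using the /etc/pki/tls paths mentioned above (adjust CERT_DIR and KEY_DIR if yours differ). It only needs the openssl command line.

```shell
#!/bin/bash
# Added example (not from the thread): inspect the certificate files CWP keeps in
# /etc/pki/tls before and after a manual renewal, so you can tell whether the
# renewal actually rewrote them. Requires the openssl CLI. Paths follow the thread;
# adjust CERT_DIR / KEY_DIR if your install differs.
CERT_DIR=/etc/pki/tls/certs
KEY_DIR=/etc/pki/tls/private

# Exit 0 if the certificate in FILE expires within DAYS days. openssl -checkend
# returns 0 when the cert stays valid for the whole window, so the result is inverted.
cert_expires_within() {
  file=$1; days=$2
  if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Print the DNS names in the certificate's Subject Alternative Name, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' \
    | grep -o 'DNS:[^, ]*' \
    | sed 's/^DNS://'
}

# Exit 0 if the public key inside the certificate matches the private key file.
# A renewal that rewrote one file but not the other leaves a pair the web server
# will refuse to load.
cert_matches_key() {
  a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Human-readable report for one domain, using CWP's file layout from the thread.
report() {
  dom=$1
  cert="$CERT_DIR/$dom.cert"; key="$KEY_DIR/$dom.key"; bundle="$CERT_DIR/$dom.bundle"
  for f in "$cert" "$key" "$bundle"; do
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
  done
  echo "cert:    $cert ($(openssl x509 -in "$cert" -noout -enddate))"
  if cert_expires_within "$cert" 0; then
    echo "status:  EXPIRED (the renewal did not rewrite this file)"
  elif cert_expires_within "$cert" 30; then
    echo "status:  expires within 30 days"
  else
    echo "status:  ok"
  fi
  echo "sans:    $(cert_sans "$cert" | tr '\n' ' ')"
  if cert_matches_key "$cert" "$key"; then echo "key:     matches"; else echo "key:     MISMATCH"; fi
}

# Usage: ./check-cert.sh domain.com
if [ $# -gt 0 ]; then report "$1"; fi
```

Run it once before the renewal and once after: if the notAfter date and the file's modification time do not move, the renewal never reached the file, and the web server is still loading the old pair.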

Re: Problem with renewing SSL certs
« Reply #2 on: May 12, 2025, 06:17:36 PM »
I tried the script; it was going well but in the end I got the following error:

cxxxxxxxxxxx.cxx: Invalid status. Verification error details: 157.90.211.236: Fetching http://cxxnxxxx.com/.well-known/acme-challenge/rxt3tCYUqpgL_DtbRhDA7ik31_RQrp_bt1cvzc1jXyk: Timeout during connect (likely firewall problem)
[Mon May 12 13:12:40 -05 2025] Please check log file for more details: /root/.acme.sh/cwp_certs/acme.sh.log
[root@ ~]#

And indeed, I migrated this domain from another server. Your help please. Thanks.

Re: Problem with renewing SSL certs
« Reply #3 on: May 13, 2025, 12:24:41 AM »
Is your firewall allowing inbound and outbound port 80? Is iptables configured similarly to this:
Code:
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
You could temporarily disable the CSF firewall (csf -x) and test a renewal, either from the CWP web GUI or via Netino's script. This would tell you whether it is a firewall problem, which it appears to be.
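The HTTP-01 check in the error above is done from outside: the CA fetches http://DOMAIN/.well-known/acme-challenge/TOKEN, so the domain's A record must point at this server, port 80 must be open, and the web server must serve the token from the webroot. The diagnostic script below is an added example, not from the thread: it pulls the validator IP and URL out of an acme.sh error line, checks whether the domain resolves to this host, and fetches a throwaway token through the local port-80 vhost with curl --resolve so the Apache side can be tested separately from DNS and the firewall. The webroot path is the CWP one used later in the thread; the function names and the sample values are mine.

```shell
#!/bin/bash
# Added example (not from the thread): pre-flight checks for an HTTP-01 renewal.
# Let's Encrypt fetches http://DOMAIN/.well-known/acme-challenge/TOKEN from the
# outside, so three things must hold: the A record points at this server, port 80
# is reachable, and the web server serves the token from the webroot. The webroot
# path is CWP's; the IPs and the log line in the test are constructed.

WEBROOT=/usr/local/apache/autossl_tmp

# Pull the validator IP and the fetched URL out of an acme.sh "Invalid status" line
# so the operator can see which address did the fetching and what it asked for.
parse_acme_error() {
  line=$1
  ip=$(printf '%s\n' "$line" | grep -o 'details: [0-9.]*' | sed 's/details: //')
  url=$(printf '%s\n' "$line" | grep -o 'http://[^ ]*' | sed 's/:$//')
  echo "validator=$ip url=$url"
}

# Exit 0 if any A record of the domain (space-separated list) is one of this
# server's addresses (space-separated list). If not, HTTP-01 cannot complete here
# and DNS-01 is the way out.
domain_points_here() {
  for a in $1; do
    for l in $2; do [ "$a" = "$l" ] && return 0; done
  done
  return 1
}

# Live check (needs network and a running web server): resolve the domain, compare
# with local addresses, then drop a token in the webroot and fetch it through the
# local vhost with curl --resolve, which exercises Apache without going through DNS.
http01_preflight() {
  dom=$1
  records=$(getent ahostsv4 "$dom" | awk '{print $1}' | sort -u | tr '\n' ' ')
  locals=$(hostname -I)
  if domain_points_here "$records" "$locals"; then
    echo "dns:   $dom -> $records (this server)"
  else
    echo "dns:   $dom -> $records (NOT this server; HTTP-01 cannot work here, use DNS-01)"
  fi
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  mkdir -p "$WEBROOT/.well-known/acme-challenge"
  echo "$token" > "$WEBROOT/.well-known/acme-challenge/$token"
  got=$(curl -s -m 5 --resolve "$dom:80:127.0.0.1" "http://$dom/.well-known/acme-challenge/$token")
  rm -f "$WEBROOT/.well-known/acme-challenge/$token"
  if [ "$got" = "$token" ]; then
    echo "vhost: serves tokens from $WEBROOT"
  else
    echo "vhost: token NOT served; check the :80 vhost and its alias for $WEBROOT"
  fi
}

# Usage: ./http01-preflight.sh domain.com
if [ $# -gt 0 ]; then http01_preflight "$1"; fi
```

If the dns line says the domain does not point here, no firewall change will help: the CA will keep fetching the token from the other server, which is exactly the situation described two replies down.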

Re: Problem with renewing SSL certs
« Reply #4 on: May 13, 2025, 02:36:58 PM »
Ah, but the website is on another server that I don't administer. How can I change the verification mode?

Re: Problem with renewing SSL certs
« Reply #5 on: May 14, 2025, 02:20:06 AM »
> Ah, but the website is on another server that I don't administer. How can I change the verification mode?

You simply can't get certificates via Let's Encrypt in Apache mode if you can't save tokens in a specific area of the web server.
But with another app (certbot) in DNS mode, you could.
Do you manage the DNS server for these sites?


Re: Problem with renewing SSL certs
« Reply #6 on: May 14, 2025, 04:58:45 PM »
Hi, of course, I manage the DNS zone of the domain. Then how should I proceed?

Re: Problem with renewing SSL certs
« Reply #7 on: May 14, 2025, 06:42:56 PM »
Use certbot (an ACME client) and run it with a configuration like this (obtaining an API key from your DNS provider; Cloudflare, in this example):
/etc/letsencrypt/renewal/yourdomain.com.conf
Code:
# renew_before_expiry = 30 days
version = 1.8.0
archive_dir = /etc/letsencrypt/archive/yourdomain.com
cert = /etc/letsencrypt/live/yourdomain.com/cert.pem
privkey = /etc/letsencrypt/live/yourdomain.com/privkey.pem
chain = /etc/letsencrypt/live/yourdomain.com/chain.pem
fullchain = /etc/letsencrypt/live/yourdomain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = YOURAPIKEYHERE
authenticator = dns-cloudflare
dns_cloudflare_propagation_seconds = 60
dns_cloudflare_credentials = /some/path/conf/yourdomain.com.key
server = https://acme-v02.api.letsencrypt.org/directory
Then you just call certbot renew from cron and it will renew your SSL cert 30 days before expiry.
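As an added complement to the renewal config above (not part of the reply, of CWP, or of certbot's own code): with the certbot-dns-cloudflare plugin the API token is read from the file named by dns_cloudflare_credentials, and certbot warns when that file is readable by other users. The script writes that file with owner-only permissions, checks it, and assembles the certbot certonly command for a first issuance, which is what creates the /etc/letsencrypt/renewal entry in the first place. The credentials path and the token value are placeholders.

```shell
#!/bin/bash
# Added example (not from the thread): DNS-01 issuance with certbot-dns-cloudflare.
# The API token lives in the credentials file referenced by dns_cloudflare_credentials,
# not in the renewal conf; certbot warns if that file is readable by other users.
# CREDS and the token passed to write_dns_credentials are placeholders.

CREDS=/root/.secrets/certbot/cloudflare.ini   # placeholder path

# Write the credentials file with owner-only permissions from the start
# (umask in a subshell so the rest of the script is unaffected).
write_dns_credentials() {
  file=$1; token=$2
  mkdir -p "$(dirname "$file")"
  ( umask 077; printf 'dns_cloudflare_api_token = %s\n' "$token" > "$file" )
  chmod 600 "$file"
}

# Exit 0 only if the credentials file exists, is mode 600 and contains a token line.
check_dns_credentials() {
  file=$1
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  mode=$(stat -c '%a' "$file")
  [ "$mode" = "600" ] || { echo "unsafe mode $mode on $file (want 600)"; return 1; }
  grep -qE '^dns_cloudflare_api_token *= *.+' "$file" \
    || { echo "no dns_cloudflare_api_token in $file"; return 1; }
  return 0
}

# Build the certonly command for the domain plus any subdomains. Appending --dry-run
# talks to the staging CA and issues nothing, so DNS propagation and the token can be
# tested before touching production.
issue_cmd() {
  dom=$1; shift
  cmd="certbot certonly --dns-cloudflare --dns-cloudflare-credentials $CREDS --dns-cloudflare-propagation-seconds 60 -d $dom"
  for sub in "$@"; do cmd="$cmd -d $sub.$dom"; done
  echo "$cmd"
}

# Usage: ./dns01-issue.sh yourdomain.com mail webmail
if [ $# -gt 0 ]; then
  check_dns_credentials "$CREDS" || exit 1
  echo "dry run first: $(issue_cmd "$@") --dry-run"
fi
```

Once the dry run passes and the real certonly has run, certbot writes /etc/letsencrypt/renewal/yourdomain.com.conf itself, with the plugin and credentials path filled in, and certbot renew from cron takes over.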

Re: Problem with renewing SSL certs
« Reply #8 on: May 14, 2025, 08:59:52 PM »
Hi, thanks for your reply. What if the folder letsencrypt/renewal/ does not exist in /etc?

Re: Problem with renewing SSL certs
« Reply #9 on: May 14, 2025, 09:49:28 PM »
Read and follow certbot's documentation: https://certbot.eff.org/instructions?ws=apache&os=snap
You should run certbot from the CLI manually once to set it up, then edit the config to switch to DNS mode.
Code:
sudo certbot --apache
My example was specifically for Cloudflare, so you may have to adapt it to your situation.

Re: Problem with renewing SSL certs
« Reply #10 on: May 19, 2025, 04:27:42 PM »
Hi, thanks for your reply. Now, when I run the command you suggested, I get:

 sudo certbot --apache
/opt/certbot/lib64/python3.6/site-packages/OpenSSL/_util.py:6: CryptographyDeprecationWarning: Python 3.6 is no longer supported by the Python core team. Therefore, support for it is deprecated in cryptography. The next release of cryptography will remove support for Python 3.6.
  from cryptography.hazmat.bindings.openssl.binding import Binding
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Python 3.6 support will be dropped in the next release of Certbot - please upgrade your Python version.
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache executable httpd',)
[root@mail ~]#

I have AlmaLinux 8. Please help. Regards.

Re: Problem with renewing SSL certs
« Reply #11 on: May 20, 2025, 02:37:33 AM »
Try to repair and create a new configuration by running the following script (still working with acme.sh):
Code:
#!/bin/bash

DOM=${1}
WEBS=""
systemctl -q is-active nginx && WEBS="${WEBS} nginx"
systemctl -q is-active httpd && WEBS="${WEBS} httpd"

/root/.acme.sh/acme.sh --cert-home /root/.acme.sh/cwp_certs --webroot /usr/local/apache/autossl_tmp --issue -d ${DOM} mail webmail ftp cpanel --ecc \
  --cert-file /etc/pki/tls/certs/${DOM}.cert \
  --key-file  /etc/pki/tls/private/${DOM}.key \
  --fullchain-file /etc/pki/tls/certs/${DOM}.bundle \
  --reloadcmd "systemctl restart ${WEBS}"

Run it with:
Code:
# chmod 700 script.sh
# ./script.sh your-domain.com

After that, try to renew with CWP (because CWP may still claim the domain does not have a cert).

Re: Problem with renewing SSL certs
« Reply #12 on: May 20, 2025, 02:49:45 PM »
Hi friend, I get the following when running the script:

ot@mail ~]# ./script.sh xxx.com
[Tue May 20 09:48:46 -05 2025] Unknown parameter: mail

Re: Problem with renewing SSL certs
« Reply #13 on: May 20, 2025, 09:15:24 PM »
What SANs do you need for your domain? Netino's script has the basic four used by CWP: mail, webmail, ftp, cpanel (in addition to the common www CNAME, which is included with the main domain). Do you not use the "mail" SAN? Personally, I use the other three, but not cpanel.
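acme.sh takes one -d per name, so a SAN list has to be expanded into repeated -d arguments; a bare word following -d is what acme.sh reports as an unknown parameter, as in the output two replies up. The script below is an added example, not Netino's script or CWP's code: it builds the --issue command for the main domain, www and a chosen list of subdomains (defaulting to the four CWP uses), with the file paths, webroot and reload logic taken from the script in Reply #11, and prints the command so it can be reviewed before it is run.

```shell
#!/bin/bash
# Added example (not from the thread): build the acme.sh --issue command with one
# -d per name, which is how acme.sh takes SANs. Paths, webroot and the reload
# selection follow the CWP script earlier in the thread; the default SAN list is
# CWP's four and can be trimmed on the command line.

ACME=/root/.acme.sh/acme.sh
CERT_HOME=/root/.acme.sh/cwp_certs
WEBROOT=/usr/local/apache/autossl_tmp
CERT_DIR=/etc/pki/tls/certs
KEY_DIR=/etc/pki/tls/private
DEFAULT_SANS="mail webmail ftp cpanel"

# Print "-d dom -d www.dom -d sub.dom ..." for the domain and the given subdomains.
domain_args() {
  dom=$1; shift
  args="-d $dom -d www.$dom"
  for sub in "$@"; do args="$args -d $sub.$dom"; done
  echo "$args"
}

# Pick the reload command from whichever web server is active; "true" if neither
# is running, so acme.sh does not fail on an empty restart.
reload_cmd() {
  webs=""
  systemctl -q is-active nginx 2>/dev/null && webs="$webs nginx"
  systemctl -q is-active httpd 2>/dev/null && webs="$webs httpd"
  if [ -n "$webs" ]; then echo "systemctl restart$webs"; else echo "true"; fi
}

# Assemble the full command as a string: issue_cmd DOMAIN "RELOAD CMD" [SUB ...]
# With no SUBs the CWP default list is used.
issue_cmd() {
  dom=$1; reload=$2; shift 2
  sans=${*:-$DEFAULT_SANS}
  printf '%s %s %s %s\n' \
    "$ACME --cert-home $CERT_HOME --webroot $WEBROOT --issue --ecc $(domain_args "$dom" $sans)" \
    "--cert-file $CERT_DIR/$dom.cert --key-file $KEY_DIR/$dom.key" \
    "--fullchain-file $CERT_DIR/$dom.bundle" \
    "--reloadcmd \"$reload\""
}

# Usage: ./issue-cwp.sh your-domain.com [mail webmail ftp cpanel]
# Prints the command; review it, then run it (or pipe the output to sh).
if [ $# -gt 0 ]; then
  dom=$1; shift
  issue_cmd "$dom" "$(reload_cmd)" "$@"
fi
```

Every name passed with -d must resolve to this server for the HTTP-01 webroot check to pass, so drop any subdomain whose A record points elsewhere rather than letting one failed SAN fail the whole order.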

Re: Problem with renewing SSL certs
« Reply #14 on: May 21, 2025, 05:24:09 PM »
Hi, I use all the subdomains: mail, www, cpanel...