Hi there,
I've looked through numerous discussions on the issue of SSL (LetsEncrypt) not renewing. Here are the various solutions discussed in other posts which I attempted:

- Try to manually update SSL with `wo site update domain.com -le`. That gave this output: `SSL is already configured for given site`
- Removing old SSL install, and installing again, with `wo site update domain.com -le=clean` and then `wo site update domain.com -le`. That resulted in:

```
Setting back default certificate for WordOps backend
Testing Nginx configuration [OK]
Reloading Nginx [OK]
Successfully Disabled SSl for Site http://domain.com
couragemyluv@cml-03:~$ wo site update domain.com -le
Certificate type : domain
domain.com point to the IP 172.xx.xxx.131 but your server IP is 20.xxx.xxx.10.
Use the flag --force to bypass this check.
You have to set the proper DNS record for your domain
Aborting SSL certificate issuance
```
I realised the IP issue was due to Cloudflare being in proxy mode. So I tried adding the `CF_Key` and `CF_Email` to the `/etc/letsencrypt/config/account.conf` (which was empty). I then tried `sudo -E wo site update domain.com -le --dns=dns_cf`. That resulted in:

```
Certificate type : domain
You already have an existing certificate for the domain requested.
(ref: /etc/letsencrypt/renewal/domain.com_ecc/domain.com.conf)
Please select an option from below?
1: Reinstall existing certificate
2: Issue a new certificate to replace the current one (limit ~5 per 7 days)
Type the appropriate number [1-2] or any other key to cancel: 2
Issuing new SSL cert with acme.sh
Testing Nginx configuration [OK]
Reloading Nginx [OK]
Congratulations! Successfully Configured SSL on https://domain.com
Your cert already EXPIRED ! .PLEASE renew soon .
```
That last line didn't make much sense, since I apparently just updated the SSL and yet it's telling me it's already expired and to "Please renew soon".
- I tried restarting the stack, in case the cert was renewed but the Nginx hadn't loaded the new one. That didn't help.
- I saw a forum post referring to using `acme.sh`. But that alias didn't exist, so I added it with the command `alias acme.sh='/etc/letsencrypt/acme.sh --config-home '\''/etc/letsencrypt/config'\'''`

At which point I tried the suggested `acme.sh --register-account -m myemail@gmail.com --server zerossl` and `sudo wo site update domain.com -le` but was again told `SSL is already configured for given site`. I again used `sudo wo site update domain.com -le=clean` and the output was:

```
Removing Acme configuration
Testing Nginx configuration [OK]
Reloading Nginx [OK]
Successfully Disabled SSl for Site http://domain.com
```
I tried `sudo wo site update domain.com -le` again. Output was:

```
Certificate type : domain
Validation mode : Webroot challenge
Issuing SSL cert with acme.sh [OK]
Certificate not found. Deployment canceled
```

I tried variations of that last command with `-le --force` and `-le --dns=dns_cf` and finally `-le --dns=dns`, which gave this output:

```
Certificate type : domain
Validation mode : DNS mode with dns
Issuing SSL cert with acme.sh [KO]
Please make sure your properly set your DNS API credentials for acme.sh
If you are using sudo, use "sudo -E wo"
```

So I tried `sudo -E wo site update domain.com -le --dns=dns`, which gave similar output.
I looked in `/var/log/wo/wordops.log` and noticed that on a number of occasions (during all of the above) a new SSL cert was in fact issued successfully. And I also saw that LE was now rejecting my requests because there's been more than 5 in such and such a period.

When I check the SSL cert on the server, it is in fact renewed, in that it has an expiry 90 days away.

After all of the above, after a complete server reboot, it appears the SSL has been issued, but I am now getting a "403 Forbidden - nginx" error. I see the SSL being loaded is from Cloudflare (sni.cloudflare.com), which from what I recall is the way it should be. However, when I run `wo site info domain.com` it indicates `SSL is disabled`. So I am guessing I've somehow managed to get a new SSL cert issued, but I've disabled SSL in the site config. I suspect that may be the cause of the 403 error, but I am only guessing.

So I tried to again renew it via the `sudo -E wo site update domain.com -le --dns=dns` command, and the following is the output I see in the log:
```
2022-02-10 02:26:56,878 (INFO) wo : Initializing WordOps Database
2022-02-10 02:26:56,885 (DEBUG) wo.core.logging : 'Namespace' object has no attribute 'web'
2022-02-10 02:26:56,885 (DEBUG) wo.core.logging : DNS validation enabled
2022-02-10 02:26:56,885 (DEBUG) wo.core.logging : DNS API : dns
2022-02-10 02:26:56,885 (INFO) wo : Certificate type : domain
2022-02-10 02:26:56,885 (DEBUG) wo.core.logging : Running command: /etc/letsencrypt/acme.sh --config-home '/etc/letsencrypt/config' --list --listraw
2022-02-10 02:26:56,984 (DEBUG) wo.core.logging : Command Output: Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew
domain.com|"ec-384"|www.domain.com|LetsEncrypt.org|Thu Feb 10 01:21:16 UTC 2022|Mon Apr 11 01:21:16 UTC 2022
,
Command Error:
2022-02-10 02:26:56,984 (DEBUG) wo.core.logging : Writing content in /var/lib/wo/cert.csv
2022-02-10 02:26:56,984 (DEBUG) wo.core.logging : Changing permission of /var/lib/wo/cert.csv, Perm:384
2022-02-10 02:26:56,985 (INFO) wo : Validation mode : DNS mode with dns
2022-02-10 02:26:56,985 (INFO) wo : Issuing SSL cert with acme.sh
2022-02-10 02:26:56,985 (DEBUG) wo.core.logging : Running command: /etc/letsencrypt/acme.sh --config-home '/etc/letsencrypt/config' --issue -d 'domain.com' -d 'www.domain.com' --dns dns -k "ec-384" -f
2022-02-10 02:26:57,078 (DEBUG) wo.core.logging : Command Output: ,
Command Error: [Thu Feb 10 02:26:57 UTC 2022] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode
2022-02-10 02:26:57,078 (INFO) wo : Issuing SSL cert with acme.sh
2022-02-10 02:26:57,078 (ERROR) wo : Please make sure your properly set your DNS API credentials for acme.sh
If you are using sudo, use "sudo -E wo"
```
At this point I have no idea what else to do.
QUESTION 1
Can anyone shed some light on why SSL didn't auto renew (perhaps hard to say), and why I ran into so many problems when trying to manually renew it (taking the above steps into account)?
ISSUE 2 and QUESTION 2
Cloudflare was set to use STRICT SSL for the past year. Worked fine. I've now changed it to FULL SSL, as I saw comments suggesting to do that whilst I was looking into solutions for the 403 error. It hasn't helped.
I have since updated WO to v3.14.0. I've run `wo maintenance`. I also ran `wo stack upgrade` (after updating to WO 3.14.0).
Any suggestions on how to now resolve the Nginx error?
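As an added example (not part of the original post, and not WordOps or acme.sh code): a small offline triage script for the state described above. It parses the `acme.sh --list --listraw` table quoted from the WordOps log, flags certificates whose scheduled renewal date has already passed (the first thing to check when auto-renewal is suspected of having stopped), reproduces the A-record-versus-server-IP pre-check WordOps runs before a webroot challenge (the check a Cloudflare-proxied record fails, which is why the DNS challenge path was needed), and compares the fingerprint of the certificate a host actually presents with a PEM file on disk, so "renewed on disk but nginx still serving the old one" can be told apart from "never renewed". The sample table is constructed from the log line above; the origin IP and PEM path in the usage block are assumed placeholders.

```python
"""Offline triage of acme.sh / WordOps certificate state (added example)."""
from __future__ import annotations

import base64
import hashlib
import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the listraw table quoted from /var/log/wo/wordops.log above.
SAMPLE_LISTRAW = """Main_Domain|KeyLength|SAN_Domains|CA|Created|Renew
domain.com|"ec-384"|www.domain.com|LetsEncrypt.org|Thu Feb 10 01:21:16 UTC 2022|Mon Apr 11 01:21:16 UTC 2022
"""

LISTRAW_HEADER = ["Main_Domain", "KeyLength", "SAN_Domains", "CA", "Created", "Renew"]


@dataclass
class CertRecord:
    main_domain: str
    key_length: str
    san_domains: list[str]
    ca: str
    created: datetime
    renew: datetime


def _parse_acme_date(text: str) -> datetime:
    """acme.sh prints dates like 'Thu Feb 10 01:21:16 UTC 2022', always in UTC."""
    parts = text.split()
    if len(parts) != 6 or parts[4] != "UTC":
        raise ValueError(f"unexpected acme.sh date: {text!r}")
    naive = datetime.strptime(" ".join(parts[:4] + parts[5:]), "%a %b %d %H:%M:%S %Y")
    return naive.replace(tzinfo=timezone.utc)


def parse_listraw(text: str) -> list[CertRecord]:
    """Parse the pipe-separated table printed by `acme.sh --list --listraw`."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].split("|") != LISTRAW_HEADER:
        raise ValueError("unexpected listraw header")
    records = []
    for line in lines[1:]:
        main, key_len, sans, ca, created, renew = line.split("|")
        records.append(CertRecord(
            main_domain=main,
            key_length=key_len.strip('"'),                        # acme.sh quotes it
            san_domains=[] if sans == "no" else sans.split(","),  # "no" means no SANs
            ca=ca,
            created=_parse_acme_date(created),
            renew=_parse_acme_date(renew),
        ))
    return records


def renewal_status(rec: CertRecord, now: datetime) -> str:
    """'overdue' once the scheduled Renew time has passed, else 'scheduled'.
    An overdue record whose Created date never moves forward means the acme.sh
    cron job is not running, or every run since then has failed."""
    return "overdue" if now >= rec.renew else "scheduled"


def triage(listraw: str, now: datetime) -> dict[str, str]:
    """Map each main domain in a listraw table to its renewal status."""
    return {r.main_domain: renewal_status(r, now) for r in parse_listraw(listraw)}


def dns_points_at_server(resolved_ips: list[str], server_ip: str) -> bool:
    """The pre-check WordOps runs before a webroot challenge. A record proxied
    through Cloudflare resolves to Cloudflare edge addresses, so this is False
    and only a DNS challenge with working API credentials can succeed."""
    return server_ip in resolved_ips


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint (hex) of the first certificate in a PEM string."""
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1]
    body = body.split("-----END CERTIFICATE-----", 1)[0]
    return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()


def served_fingerprint(host: str, connect_to: str | None = None, port: int = 443) -> str:
    """SHA-256 fingerprint of the leaf certificate presented for SNI=host.
    Pass connect_to=<origin IP> to reach the origin directly instead of the
    Cloudflare edge. Verification is disabled on purpose: the goal is to see
    whatever is served (expired or not) and compare it with the file on disk."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_to or host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for rec in parse_listraw(SAMPLE_LISTRAW):
        print(f"{rec.main_domain}: {rec.key_length}, SANs={rec.san_domains}, "
              f"created {rec.created:%Y-%m-%d}, renew {rec.renew:%Y-%m-%d} "
              f"-> {renewal_status(rec, now)}")
    # Assumed placeholders; run on the server to compare served vs on-disk cert:
    # with open("PATH_TO_FULLCHAIN_PEM") as f:
    #     print(served_fingerprint("domain.com", connect_to="ORIGIN_IP") == pem_fingerprint(f.read()))
```

Feed it the real table with `acme.sh --config-home /etc/letsencrypt/config --list --listraw | python3 triage.py` style piping, or paste the table in place of the sample. If the served fingerprint (taken against the origin IP, not through Cloudflare) differs from the on-disk one, the renewal worked and nginx simply has not reloaded the new file; if the two match but the record is overdue, the renewal itself never ran.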