Gentoo Forums
[SOLVED] apache2 server certificate renewal fails
jankom (Guru; joined 30 Aug 2021; posts: 329; location: USA)
Posted: Wed Jan 03, 2024 4:56 pm    Post subject: [SOLVED] apache2 server certificate renewal fails

After a few days of trying to renew my certificate I had to turn to this forum for help.
Background: I have a virtual server hosting my https web site. For some reason in October '23 I had to reinstall the whole thing. Everything worked, including acme.sh and having the proper certificate. It came up for renewal end of December, but it failed. In the past I had a similar problem, and this forum helped me to solve it. https://forums.gentoo.org/viewtopic-t-1163742-highlight-apache.html
This did not help, my virtual server does listen to port 80.
I tried to reinstall acme.sh and everything else I could think of, including a web search, but I'm stuck. Here is the relevant excerpt from the log file:
Code:
link: <https://acme.zerossl.com/v2/DV90>;rel="index"
retry-after: 86400
strict-transport-security: max-age=15724800; includeSubDomains

'
[Wed Jan  3 16:03:00 UTC 2024] code='200'
[Wed Jan  3 16:03:00 UTC 2024] original='{"identifier":{"type":"dns","value":"jgklinux.jankom.net"},"status":"invalid","expires":"2024-01-26T02:11:26Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/qc4NNHSMmD8yxpwZ6o2XRQ","status":"invalid","error":{},"token":"WzEJHLf3Sab7LTf-soe2wK_jEeTvEwkYfV0l8l5gPF4"}]}'
and
Code:
[Wed Jan  3 16:03:00 UTC 2024] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/qc4NNHSMmD8yxpwZ6o2XRQ","status":"invalid","error":{'
[Wed Jan  3 16:03:01 UTC 2024] token
[Wed Jan  3 16:03:01 UTC 2024] Error, can not get domain token "type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/qc4NNHSMmD8yxpwZ6o2XRQ","status":"invalid","error":{
[
The /home/acme/ directory is empty.

jankom


Last edited by jankom on Thu Jan 04, 2024 9:21 pm; edited 1 time in total
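The authorization object quoted in the log above is plain JSON wrapped onto one long line, and pulling the challenge status out of it is easier by machine than by eye. The following is an added Python example, not code from this thread or from acme.sh: it scans acme.sh debug output for `original='{...}'` lines and summarises each challenge. The sample log is constructed here from the excerpt in this post (same domain, challenge URL and token); the JSON layout follows RFC 8555, while the regular expression on the acme.sh log line format is an assumption based on the lines quoted above.

```python
import json
import re
from datetime import datetime

# Constructed sample of acme.sh --debug output, modelled on the lines quoted in the
# opening post (same domain, challenge URL and token as on the page).
SAMPLE_LOG = """\
[Wed Jan  3 16:03:00 UTC 2024] code='200'
[Wed Jan  3 16:03:00 UTC 2024] original='{"identifier":{"type":"dns","value":"jgklinux.jankom.net"},"status":"invalid","expires":"2024-01-26T02:11:26Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/qc4NNHSMmD8yxpwZ6o2XRQ","status":"invalid","error":{},"token":"WzEJHLf3Sab7LTf-soe2wK_jEeTvEwkYfV0l8l5gPF4"}]}'
[Wed Jan  3 16:03:01 UTC 2024] Error, can not get domain token "type":"http-01"
"""

# Assumed log shape: "[timestamp] original='<json>'" (matches the lines quoted in the thread).
ORIGINAL_RE = re.compile(r"\] original='(\{.*\})'\s*$")


def extract_authorizations(log_text):
    """Return every ACME authorization object that acme.sh logged as original='{...}'."""
    found = []
    for line in log_text.splitlines():
        match = ORIGINAL_RE.search(line)
        if not match:
            continue
        try:
            obj = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # other original='...' payloads (orders, directory) are skipped
        if "identifier" in obj and "challenges" in obj:
            found.append(obj)
    return found


def summarize(authz):
    """One row per challenge: status, CA-reported error (if any) and whether a new order is needed."""
    ident = authz["identifier"]["value"]
    expires = None
    if "expires" in authz:
        # "Z" suffix is not accepted by fromisoformat before Python 3.11
        expires = datetime.fromisoformat(authz["expires"].replace("Z", "+00:00"))
    rows = []
    for ch in authz.get("challenges", []):
        err = ch.get("error") or {}  # ZeroSSL returned "error":{} here, i.e. no reason at all
        rows.append({
            "domain": ident,
            "type": ch.get("type"),
            "status": ch.get("status"),
            "error_type": err.get("type"),
            "error_detail": err.get("detail"),
            "token": ch.get("token"),
            "expires": expires,
            # RFC 8555 section 7.1.6: "invalid" is a terminal authorization state, so the
            # client has to create a fresh order (a new --issue) once the validation path is fixed.
            "needs_new_order": authz.get("status") == "invalid",
        })
    return rows


if __name__ == "__main__":
    for authz in extract_authorizations(SAMPLE_LOG):
        for row in summarize(authz):
            print(row)
```

Run against a real `~/.acme.sh/acme.sh.log` (or `--debug 2` output) to see at a glance whether the CA reported a validation error or, as here, simply marked the challenge invalid without detail.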
alamahant (Advocate; joined 23 Mar 2019; posts: 3882)
Posted: Wed Jan 03, 2024 7:56 pm

What was the exact invocation of acme.sh you used?
Also please add
Code:
/etc/apache2/vhosts.d/00_default_vhost.conf------->>>>>
ServerAlias jgklinux.jankom.net
Also make sure you have
Code:
APACHE2_OPTS="-D DEFAULT_VHOST -D INFO -D SSL -D SSL_DEFAULT_VHOST -D LANGUAGE"
in
/etc/conf.d/apache2
Then restart apache, make sure port 80 is open in your router and forwarded to the server IP, and your domain is resolved to your IP,
and rerun your acme.sh script.
_________________
:)
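The checks suggested here (port 80 open and forwarded, DNS pointing at the server, the vhost answering for the name) all reduce to one question: does a plain-HTTP GET of `/.well-known/acme-challenge/<token>` return the key authorization the CA expects? The following added Python example, not code from this thread or from acme.sh, shows the http-01 mechanics end to end on localhost: it computes the key authorization (token plus the RFC 7638 thumbprint of the account key), publishes it in a webroot-style directory, and fetches it back the way a CA validator would, including the failure case where the server answers but serves the wrong content. The account JWK is a constructed placeholder, the token is the one from the log excerpt above, and the webroot layout is an assumption; the `--apache` mode used in this thread has acme.sh reconfigure Apache during issuance instead of writing a file into a document root.

```python
import base64
import hashlib
import json
import os
import tempfile
import threading
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed account key in JWK form: placeholder modulus, NOT a real key.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "placeholder-modulus-for-demo"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, lexicographic order, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the body expected at /.well-known/acme-challenge/<token>."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def publish_challenge(webroot: str, token: str, keyauth: str) -> str:
    """Write the challenge file the way a webroot-mode client would; returns the path."""
    chal_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(keyauth)
    return path


def precheck_http01(base_url: str, token: str, jwk: dict, timeout: float = 5.0) -> dict:
    """Fetch the challenge URL over plain HTTP, direct (no proxy), and compare the body."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    expected = key_authorization(token, jwk)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read().decode("ascii", errors="replace").strip()
    except Exception as exc:  # DNS failure, closed port, HTTP error, timeout
        return {"url": url, "ok": False, "reason": f"fetch failed: {exc}"}
    if status != 200:
        return {"url": url, "ok": False, "reason": f"HTTP {status}"}
    if body != expected:
        return {"url": url, "ok": False, "reason": "body does not match key authorization"}
    return {"url": url, "ok": True, "reason": "challenge reachable and correct"}


def serve_webroot(webroot: str):
    """Throwaway HTTP server on 127.0.0.1 (random port) serving the given directory."""
    handler = partial(SimpleHTTPRequestHandler, directory=webroot)
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def local_demo() -> tuple:
    """Publish a token on a local server, pre-check it, then break it; returns (good, bad)."""
    token = "WzEJHLf3Sab7LTf-soe2wK_jEeTvEwkYfV0l8l5gPF4"  # token from the log excerpt in this thread
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    srv, port = serve_webroot(webroot)
    base = f"http://127.0.0.1:{port}"
    try:
        publish_challenge(webroot, token, key_authorization(token, SAMPLE_ACCOUNT_JWK))
        good = precheck_http01(base, token, SAMPLE_ACCOUNT_JWK)
        # A vhost that answers but serves something else (e.g. a default page) looks like this:
        publish_challenge(webroot, token, "wrong-content")
        bad = precheck_http01(base, token, SAMPLE_ACCOUNT_JWK)
    finally:
        srv.shutdown()
        srv.server_close()
    return good, bad


if __name__ == "__main__":
    print(local_demo())
```

Against a real host, place a test file yourself under `/.well-known/acme-challenge/` and call `precheck_http01("http://jgklinux.jankom.net", token, your_account_jwk)` from a machine outside your network; a "fetch failed" result points at DNS, port forwarding or the vhost, while a body mismatch points at the wrong vhost or document root answering for the name.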
jankom (Guru; joined 30 Aug 2021; posts: 329; location: USA)
Posted: Wed Jan 03, 2024 10:24 pm

@alamahant - thanks
Quote:
What was the exact invocation of acme.sh you used?
Code:
./acme.sh --issue --domain jgklinux.jankom.net --apache
I added the ServerAlias statement, all others were correct - but still the same error.
Will revisit this in a day.

jankom
jankom (Guru; joined 30 Aug 2021; posts: 329; location: USA)
Posted: Thu Jan 04, 2024 5:26 pm

Additional details:
Quote:
make sure port 80 is open in your router and forwarded to the server ip, and your domain is resolved to your ip

I can do
Code:
curl http://jgklinux.jankom.net
from any computer connected to the Internet. curl https://jgklinux.jankom.net fails because of a certificate problem.

In my attempts to debug and fix this certificate renewal issue I did revoke the certificate for the jgklinux.jankom.net domain. This is why I wanted to start from scratch, reinstalled acme.sh, and "issue" the certificate. If I use the command --renew, acme will recognize that there is no certificate for this domain.

I found a token-like file in my home directory, dated December 27. Was it mistakenly put there instead of /home/acme/? This was before I reinstalled acme.sh, etc. The cron job runs every day, and the renewal date was December 27 and the renewal failed leading to this issue.

Frustrating, please help
alamahant (Advocate; joined 23 Mar 2019; posts: 3882)
Posted: Thu Jan 04, 2024 7:43 pm

Have you considered certbot instead?
As of late acme changed the default CA to zerossl.
Try
Code:
acme.sh --set-default-ca --server letsencrypt
then rerun your script to issue the certs.
Please see
https://github.com/acmesh-official/acme.sh/wiki/Change-default-CA-to-ZeroSSL
_________________
:)
jankom (Guru; joined 30 Aug 2021; posts: 329; location: USA)
Posted: Thu Jan 04, 2024 9:20 pm    Post subject: Solved

Bingo!

Yes, thanks.

I did see something to that extent, but could not really appreciate it or understand entirely.

Peace,

jankom
P.S. Will mark it as solved.