Let's Encrypt not renewing


(Jay Pfaffman) #1

I’ve got a site that’s gotten a couple of Let’s Encrypt warning emails. I ignored them, but now the expiry date is 9 days away. I did a ./launcher rebuild app, but https://dtqr.literatecomputing.com/ still has the cert that will expire March 30. (N.B. Chrome now requires you to use devel mode/security to see certs).

I don’t see anything obviously wrong in the logs, if I’m looking in the right place. Oh, @tgxworld, before you see the logs, look at this. Even more curious is that it looks like I got new keys:

root@ubuntu-1gb-nyc2-01:/var/discourse# ls -l shared/standalone/ssl/
total 20
-rw-r--r-- 1 root root  424 Jul 22  2016 dhparams.pem
-rw-r--r-- 1 root root 3822 Mar 21 13:21 dtqr.literatecomputing.com.cer
-rw-r--r-- 1 root root 3822 Mar 21 13:21 dtqr.literatecomputing.com.cer.bak
-rw-r--r-- 1 root root 3243 Mar 21 13:21 dtqr.literatecomputing.com.key
-rw-r--r-- 1 root root 3243 Mar 21 13:21 dtqr.literatecomputing.com.key.bak
limit_req_zone $binary_remote_addr zone=bot:10m rate=$reqs_per_minuter/m;
limit_req_status 429;
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:05.884713 #13]  INFO -- : Replacing (?-mix:location @discourse {) with location @discourse {
  limit_req zone=flood burst=$burst_per_second nodelay;
  limit_req zone=bot burst=$burst_per_minute nodelay; in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:05.886020 #13]  INFO -- : > mkdir -p /shared/ssl/
I, [2017-03-21T17:20:05.889188 #13]  INFO -- : 
I, [2017-03-21T17:20:05.890052 #13]  INFO -- : Replacing (?-mix:server.+{) with server {
  listen 80;
  rewrite ^ https://$$ENV_DISCOURSE_HOSTNAME$request_uri? permanent;
}
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:05.891253 #13]  INFO -- : Replacing (?m-ix:listen 80;\s+gzip on;) with listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key;

ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;

gzip on;

add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain

if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
   rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
} in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:05.892573 #13]  INFO -- : > if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
I, [2017-03-21T17:20:05.895244 #13]  INFO -- : 
I, [2017-03-21T17:20:05.895629 #13]  INFO -- : > /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
I, [2017-03-21T17:20:05.904239 #13]  INFO -- : 
I, [2017-03-21T17:20:05.905219 #13]  INFO -- : > cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard c4c5ecd03de497fd4c3079cbac9d3c56edaffc89
Cloning into 'acme.sh'...
I, [2017-03-21T17:20:07.153958 #13]  INFO -- : HEAD is now at c4c5ecd Merge pull request #525 from bittorf/master

I, [2017-03-21T17:20:07.154530 #13]  INFO -- : > touch /var/spool/cron/crontabs/root
I, [2017-03-21T17:20:07.162748 #13]  INFO -- : 
I, [2017-03-21T17:20:07.164135 #13]  INFO -- : > install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
I, [2017-03-21T17:20:07.171796 #13]  INFO -- : 
I, [2017-03-21T17:20:07.172913 #13]  INFO -- : > cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install
[Tue Mar 21 17:20:07 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Tue Mar 21 17:20:07 UTC 2017] We use nc for standalone server if you use standalone mode.
[Tue Mar 21 17:20:07 UTC 2017] If you don't use standalone mode, just ignore this warning.
I, [2017-03-21T17:20:07.480151 #13]  INFO -- : [Tue Mar 21 17:20:07 UTC 2017] Installing to /shared/letsencrypt
[Tue Mar 21 17:20:07 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Tue Mar 21 17:20:07 UTC 2017] Installing alias to '/root/.profile'
[Tue Mar 21 17:20:07 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Mar 21 17:20:07 UTC 2017] Installing cron job
[Tue Mar 21 17:20:07 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Mar 21 17:20:07 UTC 2017] OK

I, [2017-03-21T17:20:07.488406 #13]  INFO -- : File > /etc/nginx/letsencrypt.conf  chmod: 
I, [2017-03-21T17:20:07.499197 #13]  INFO -- : File > /etc/runit/1.d/letsencrypt  chmod: +x
I, [2017-03-21T17:20:07.501722 #13]  INFO -- : Replacing (?-mix:ssl_certificate.+) with ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
 in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:07.504942 #13]  INFO -- : Replacing (?-mix:#?ACCOUNT_EMAIL=.+) with ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
 in /shared/letsencrypt/account.conf
I, [2017-03-21T17:20:07.507121 #13]  INFO -- : Replacing (?-mix:ssl_certificate_key.+) with ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
I, [2017-03-21T17:20:07.508929 #13]  INFO -- : Replacing (?-mix:add_header.+) with add_header Strict-Transport-Security 'max-age=63072000'; in /etc/nginx/conf.d/discourse.conf
I, [2017-03-21T17:20:07.510770 #13]  INFO -- : > echo "Beginning of custom commands"
I, [2017-03-21T17:20:07.515541 #13]  INFO -- : Beginning of custom commands

I, [2017-03-21T17:20:07.517065 #13]  INFO -- : > rails r "SiteSetting.notification_email='noreply@literatecomputing.com'"
I, [2017-03-21T17:20:18.997956 #13]  INFO -- : 
I, [2017-03-21T17:20:19.000150 #13]  INFO -- : > echo "End of custom commands"
I, [2017-03-21T17:20:19.002577 #13]  INFO -- : End of custom commands

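A quick way to check the symptom described above (new key and .cer files on disk, but the site still serving the old certificate) is to compare the fingerprint of the on-disk cert with the one nginx actually serves, and to print the on-disk cert's remaining validity. This is an added diagnostic script, not part of the thread or of the Discourse/acme.sh code; it assumes openssl and GNU date are available, and the hostname and path in the usage comment are taken from the post.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): compare the certificate served on
# port 443 with the one acme.sh wrote to the shared ssl directory, and report
# how many days the on-disk certificate has left. Needs openssl and GNU date.

# Days until the PEM certificate in $1 expires (negative if already expired).
cert_days_left() {
  enddate=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  end_epoch=$(date -u -d "$enddate" +%s)
  now_epoch=$(date -u +%s)
  echo $(( (end_epoch - now_epoch) / 86400 ))
}

# SHA-256 fingerprint of the PEM certificate in $1, e.g. AB:CD:...
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate actually served for host $1 on port 443 and
# save it as PEM to file $2 (this one needs network access).
fetch_served_cert() {
  openssl s_client -servername "$1" -connect "$1:443" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$2"
}

# Exit status 0 if the two PEM files hold the same certificate, 1 otherwise.
same_cert() {
  [ "$(cert_fingerprint "$1")" = "$(cert_fingerprint "$2")" ]
}

# Typical use on the host from the thread (assumed paths):
#   HOSTNAME=dtqr.literatecomputing.com
#   DISK=/var/discourse/shared/standalone/ssl/$HOSTNAME.cer
#   fetch_served_cert "$HOSTNAME" /tmp/served.cer
#   same_cert "$DISK" /tmp/served.cer \
#     || echo "nginx still serves a different cert than $DISK; it may not have reloaded"
#   echo "on-disk cert expires in $(cert_days_left "$DISK") days"
```

If the fingerprints differ, the renewal itself worked and the problem is on the nginx side (the running container never reloaded its config or certificate); if they match but days left is small, the renewal did not produce a fresh certificate.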

(Alan Tan) #4

@pfaffman I don’t see anything that is wrong in the logs. Recently, I enabled logging for the acme.sh client so I’m going to close this first. Feel free to ping me if this happens again.


(Alan Tan) #5