I think it’s been years since I’ve seen a let’s encrypt certificate fail to renew, but I’ve had three sites in the past week or two that have stale certificates. A rebuild fixes it and I have heretofore failed to look for clues in the logs.
Next time I’ll do a bit more to diagnose the problem before fixing it for the site.
Thanks, Daniela! That does seem like it may be related, but I can’t tell what to do about it or how to know if a site should force getting a new certificate. I just checked a handful of sites and several have renewed in the past few days. I believe in all cases the certificate had expired (I double-checked only the one that I just fixed), so the more I think about it, the less I think this explains it, unless some of these sites had an old enough base image that it would fail to retrieve a new certificate because that base image had an out-of-date root certificate?
AH! That might explain it. Another docker-based Debian 9 site that I manage is getting errors using curl because its root image is bad.
Here’s the list of images from the site that I just upgraded (looks like time for a ./launcher cleanup!). So I guess it was 2.0.20210528-1735?
REPOSITORY TAG IMAGE ID CREATED SIZE
local_discourse/app latest dab985be22b0 17 minutes ago 2.84GB
discourse/base 2.0.20210528-1735 482386bf57af 4 months ago 2.36GB
<none> <none> 38be7702e0fc 5 months ago 2.75GB
discourse/base 2.0.20210415-1332 30e4746e631e 5 months ago 2.23GB
discourse/base 2.0.20201221-2020 c0704d4ce2b4 9 months ago 2.11GB
discourse/base 2.0.20201004-2310 b64c37d7ab06 12 months ago 2.4GB
discourse/base 2.0.20200429-2110 dc919e1dae2c 17 months ago 2.13GB
local_discourse/mail-receiver latest 711fb527de35 21 months ago 128MB
discourse/base 2.0.20191219-2109 4a99baef7044 21 months ago 2.23GB
discourse/mail-receiver release 06fe375fe2c8 22 months ago 128MB
discourse/base 2.0.20190901-2315 10f636afbeaf 2 years ago 2.29GB
discourse/base 2.0.20190625-0946 2b3a5b47565f 2 years ago 1.93GB
discourse/base 2.0.20190505-2322 ed87227f60d2 2 years ago 1.91GB
discourse/base 2.0.20190321-0122 7db99586b5b5 2 years ago 1.97GB
discourse/mail-receiver 1.1.2 44042627246b 4 years ago 142MB
Here’s the certificate info for the last certificate:
Issued On Saturday, June 26, 2021 at 7:31:09 PM
Expires On Friday, September 24, 2021 at 7:31:08 PM
It doesn’t seem to be all or many sites, though.
Right. It’s just the 3rd time it’s happened and each time I’ve made getting the site back online the priority. Next time I’ll try to make better notes.
See the calls to acme.sh in the logs, but the output goes to /dev/null.
Aha! It’s that error having to do with using ZeroSSL as the default CA. Now I remember that being a problem in the semi-recent past.
Here’s one that I haven’t rebuilt yet:
root@community:~# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
9b97fe9b5c22 local_discourse/web_only "/sbin/boot" 9 months ago Up 5 days 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp web_only
b3eae8a90cd7 local_discourse/mail-receiver "/sbin/boot" 9 months ago Up 5 days 0.0.0.0:25->25/tcp mail-receiver
5e90805e6d0d local_discourse/data "/sbin/boot" 9 months ago Up 5 days data
root@community:~# docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
local_discourse/web_only latest ffd890f053e7 9 months ago 2.39GB
local_discourse/mail-receiver latest 0d49c641ca25 9 months ago 128MB
<none> <none> e53ed7c5db0f 9 months ago 2.34GB
local_discourse/data latest 8c1539b06db4 9 months ago 2.15GB
discourse/base 2.0.20201221-2020 c0704d4ce2b4 9 months ago 2.11GB
discourse/base 2.0.20201208-1739 9da970f9c0bd 9 months ago 2.1GB
discourse/mail-receiver release 06fe375fe2c8 22 months ago 128MB
And when I run the acme command in the container, I get this:
root@community-web-only:/# "/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt"
[Mon 04 Oct 2021 02:01:39 PM UTC] ===Starting cron===
[Mon 04 Oct 2021 02:01:39 PM UTC] Already uptodate!
[Mon 04 Oct 2021 02:01:39 PM UTC] Upgrade success!
[Mon 04 Oct 2021 02:01:39 PM UTC] Auto upgraded to: 3.0.1
[Mon 04 Oct 2021 02:01:39 PM UTC] Renew: 'community.thedaily9.in'
[Mon 04 Oct 2021 02:01:41 PM UTC] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 04 Oct 2021 02:01:41 PM UTC] No EAB credentials found for ZeroSSL, let's get one
[Mon 04 Oct 2021 02:01:41 PM UTC] acme.sh is using ZeroSSL as default CA now.
[Mon 04 Oct 2021 02:01:41 PM UTC] Please update your account with an email address first.
[Mon 04 Oct 2021 02:01:41 PM UTC] acme.sh --register-account -m my@example.com
[Mon 04 Oct 2021 02:01:41 PM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Mon 04 Oct 2021 02:01:41 PM UTC] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Mon 04 Oct 2021 02:01:41 PM UTC] Error renew community.thedaily9.in.
[Mon 04 Oct 2021 02:01:41 PM UTC] Renew: 'community.thedaily9.in'
[Mon 04 Oct 2021 02:01:43 PM UTC] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 04 Oct 2021 02:01:43 PM UTC] No EAB credentials found for ZeroSSL, let's get one
[Mon 04 Oct 2021 02:01:43 PM UTC] acme.sh is using ZeroSSL as default CA now.
[Mon 04 Oct 2021 02:01:43 PM UTC] Please update your account with an email address first.
[Mon 04 Oct 2021 02:01:43 PM UTC] acme.sh --register-account -m my@example.com
[Mon 04 Oct 2021 02:01:43 PM UTC] See: https://github.com/acmesh-official/acme.sh/wiki/ZeroSSL.com-CA
[Mon 04 Oct 2021 02:01:43 PM UTC] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Mon 04 Oct 2021 02:01:43 PM UTC] Error renew community.thedaily9.in_ecc.
[Mon 04 Oct 2021 02:01:43 PM UTC] ===End cron===
root@community-web-only:/#
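The cron output above has to be read by hand because the launcher sends it to /dev/null. Below is an added triage script (not part of the thread, and not Discourse's or acme.sh's own code) that runs the same checks over captured `acme.sh --cron` output: which names hit `Error renew`, which CA directory the run talked to, whether acme.sh auto-upgraded to a 3.x release during the run, and whether it fell back to ZeroSSL without EAB credentials. The two sample logs are constructed, modelled on the output posted above and on a normal Let's Encrypt run; the function names are mine.

```shell
#!/bin/sh
# Triage helpers for acme.sh cron output. POSIX sh, no network needed.

# Constructed sample: a failing run, modelled on the container output above.
SAMPLE_FAIL=$(cat <<'EOF'
[Mon 04 Oct 2021 02:01:39 PM UTC] ===Starting cron===
[Mon 04 Oct 2021 02:01:39 PM UTC] Auto upgraded to: 3.0.1
[Mon 04 Oct 2021 02:01:39 PM UTC] Renew: 'community.thedaily9.in'
[Mon 04 Oct 2021 02:01:41 PM UTC] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 04 Oct 2021 02:01:41 PM UTC] No EAB credentials found for ZeroSSL, let's get one
[Mon 04 Oct 2021 02:01:41 PM UTC] acme.sh is using ZeroSSL as default CA now.
[Mon 04 Oct 2021 02:01:41 PM UTC] Error renew community.thedaily9.in.
[Mon 04 Oct 2021 02:01:41 PM UTC] Renew: 'community.thedaily9.in'
[Mon 04 Oct 2021 02:01:43 PM UTC] Using CA: https://acme.zerossl.com/v2/DV90
[Mon 04 Oct 2021 02:01:43 PM UTC] No EAB credentials found for ZeroSSL, let's get one
[Mon 04 Oct 2021 02:01:43 PM UTC] Error renew community.thedaily9.in_ecc.
[Mon 04 Oct 2021 02:01:43 PM UTC] ===End cron===
EOF
)

# Constructed sample: a healthy run against Let's Encrypt where nothing was due.
SAMPLE_OK=$(cat <<'EOF'
[Mon 04 Oct 2021 02:01:39 PM UTC] ===Starting cron===
[Mon 04 Oct 2021 02:01:39 PM UTC] Renew: 'community.thedaily9.in'
[Mon 04 Oct 2021 02:01:41 PM UTC] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 04 Oct 2021 02:01:41 PM UTC] Skip, Next renewal time is: Sat Nov 20 19:31:08 UTC 2021
[Mon 04 Oct 2021 02:01:43 PM UTC] ===End cron===
EOF
)

# Names that hit "Error renew <name>.", space separated, in log order.
failed_renewals() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Error renew \(.*\)\.$/\1/p' \
    | tr '\n' ' ' | sed 's/ *$//'
}

# Distinct ACME directory URLs the run used (one per line).
ca_used() {
  printf '%s\n' "$1" | sed -n 's/.*Using CA: \(.*\)$/\1/p' | sort -u
}

# True when the cron run self-upgraded to a 3.x release (3.0 made ZeroSSL the default CA).
upgraded_to_3() {
  printf '%s\n' "$1" | grep -q 'Auto upgraded to: 3\.'
}

# True when acme.sh tried ZeroSSL but had no EAB credentials registered.
zerossl_no_eab() {
  printf '%s\n' "$1" | grep -q 'No EAB credentials found for ZeroSSL'
}

# One-word verdict so the result can be checked from a script or a monitoring hook.
triage() {
  if zerossl_no_eab "$1"; then
    echo zerossl-no-eab
  elif [ -n "$(failed_renewals "$1")" ]; then
    echo renew-failed
  else
    echo ok
  fi
}

# Stand-alone usage: print the verdict and details for both samples.
for log in "$SAMPLE_FAIL" "$SAMPLE_OK"; do
  echo "verdict: $(triage "$log")"
  echo "ca: $(ca_used "$log")"
  echo "failed: $(failed_renewals "$log")"
done
```

To use it on a live container, capture the output of the same command shown above (`"/shared/letsencrypt"/acme.sh --cron --home "/shared/letsencrypt"`) into a variable or file and pass it to `triage`. A `zerossl-no-eab` verdict means the run never reached Let's Encrypt at all; acme.sh's own documentation offers two ways out: register an account with an email so ZeroSSL can issue EAB credentials (the `acme.sh --register-account -m ...` line in the log), or switch the default CA back with `acme.sh --set-default-ca --server letsencrypt`. The `Auto upgraded to: 3.0.1` line is worth flagging on its own, because a cron-time self-upgrade is how a container that renewed fine for months suddenly changes behaviour.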