NethServer Version: 8
Certificates
Hello Ladies and Gentlemen, I try to find the solution to renew an existing certificate. NS7 has a button for that, in NS8 I did not find a possibility for this, can someone lend me a hand?
Yes, I had a certificate but it ended 1 day ago and now it is no longer possible to receive emails on mobile devices.
Usually the certs should renew automatically as it was in NS7.
There was a bug when certificates for NS8 apps were obtained on the TLS certificates page in NS8. The apps have their own certificate and it doesn't need to be obtained manually.
Please check in following thread if your system is affected and how to remove the wrong certs and make renewal work again:
I remember that the automatic renewal also in NS7 never worked on my side. Is there a possibility to start the renewal manually? And I think the other thread is not for my problem. I have only one FQDN and it is the correct one. There is also no possibility to delete it, because if I want to then make a renewal it comes up with an error about an existing cert. Would it work if I delete the cert and also the entry in configs/_default_cert.yml and then renew it?
If certificate renewal never worked then you may need to check if the right port is open on your firewall and forwarded correctly to the NS8.
With a recent traefik install the needed port is 443, on older installations it's port 80, see Release notes - NS8 documentation
Please check which challenge is used for letsencrypt:
api-cli run module/traefik1/get-acme-server
If the challenge is HTTP-01 then it's port 80, if it's TLS-ALPN-01 then it's port 443.
To change it for example to TLS-ALPN-01:
api-cli run module/traefik1/set-acme-server --data '{"challenge":"TLS-ALPN-01","url":"https://acme-v02.api.letsencrypt.org/directory"}'
It's worth a try.
"https://acme-v02.api.letsencrypt.org/directory", "email": "", "challenge": "HTTP-01"}
is the result. The 443 is also open to the NS8 from the firewall etc. because I use it also for SOGo etc. and this worked with a certificate. But back to my first question: because I have a country filter on my firewall, where can I do the renewal manually? I would like to check it. Maybe this is blocking.
I'm sure it's blocking as letsencrypt has servers in different countries AFAIK. This would also explain why it never worked.
It should be enough to check the logs if the renewal works using following command:
journalctl --grep acmeCA
So there is no possibility to start the renewal of the cert manually?
-bash: https://acme-v02.api.letsencrypt.org/directory,: No such file or directory
Jul 05 14:14:21 ns8 traefik[2589]: 2025-07-05T12:14:21Z INF Testing certificate renew… acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=acmeServer.>
Jul 05 14:14:32 ns8 traefik[2589]: 2025-07-05T12:14:32Z INF Renewing certificate from LE : {Main:domain.spdns.de SANs:} acmeCA=https://acme-v02.api.letsencrypt.org>
Jul 05 14:14:32 ns8 crowdsec1[2991]: time="2025-07-05T12:14:32Z" level=error msg="UnmarshalJSON : invalid character '-' after top-level value" line="2025-07-05T12:14:3>
Jul 05 14:14:49 ns8 traefik[2589]: 2025-07-05T12:14:49Z ERR Error renewing certificate from LE: {domain.spdns.de } error="error: one or more domains had a problem:>
Jul 05 14:14:49 ns8 crowdsec1[2991]: time="2025-07-05T12:14:49Z" level=error msg="UnmarshalJSON : invalid character '-' after top-level value" line="2025-07-05T12:14:4>
How often does the system try to renew? Every day, every hour, every minute?
I couldn't find the renewal time interval.
The problem is that there's a rate limit when trying to obtain certificates and if you hit the limit, certificate renewal won't work for an amount of time. That's why it's not recommended to force a renewal by restarting traefik, see How to Force-Trigger Let's Encrypt Certificate generation without restarting Traefik - Traefik v2 - Traefik Labs Community Forum and TLS certificate error with mail host aliases - #17 by davidep
I agree, but from what I see the system did not reach the ACME server, so it should be okay to do it that way, or? If I reboot the NS8 it should try the renewal of the cert?
I found that on one of my servers the renewals are done 2 times a day.
Yes, rebooting the system or restarting traefik forces a renewal but as already explained, use it with caution.
I rebooted the NS8 but no success. The firewall is open, no country blocking is on, but still no success.
What does "no success" mean?
No renewal entries in logs or renewal isn't working?
What makes you think that? Certainly nothing you've posted indicates this is the case.
Rather than the journalctl command, I'd try searching the system logs in the /cluster-admin pages, but I don't know if it will yield much (or any) more information.
Error handling and reporting have always been weak points for Nethserver, and it seems that NS8 is even worse in this regard than NS7 was.
From the error message above. I saw now that also with this version port 80 is necessary?
From what error message where? Again, nothing you've posted gives any indication that your system is having trouble reaching the Let's Encrypt server. A quick test on that would be to run curl https://acme-v02.api.letsencrypt.org/directory at the shell and see what happens.
If that returns output, you can reach the server just fine, meaning the problem is likely on your end. https://letsdebug.net can help sorting out some common errors.
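To turn the three checks recommended in this thread (reading the challenge type from the get-acme-server output to know which inbound port matters, the curl test against the ACME directory, and reading the journalctl --grep acmeCA output for the last renewal attempt) into one repeatable triage step, here is an added Python example. It is not NethServer or Traefik code. The hostname ns8, the domain mail.example.test, the journal lines and the error text are constructed samples modelled on the output posted above, the acme_directory_reachable() function performs a real network request when called, and the HTTP-01/TLS-ALPN-01 to port mapping is taken from the answers in this thread.

```python
"""Triage helper for Let's Encrypt renewals on NS8's Traefik module.

Added example, not NethServer code. It combines the three checks from the
thread: which inbound port the configured ACME challenge needs, whether the
ACME directory URL answers (the `curl` test), and what the
`journalctl --grep acmeCA` output says about the last renewal attempt.
"""
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional

# Challenge type -> TCP port Let's Encrypt must reach (as stated in the thread).
CHALLENGE_PORT = {"HTTP-01": 80, "TLS-ALPN-01": 443}


def required_port(acme_server_json: str) -> int:
    """Parse the JSON printed by `api-cli run module/traefik1/get-acme-server`
    and return the port the firewall must forward to the NS8 host."""
    challenge = json.loads(acme_server_json).get("challenge", "")
    if challenge not in CHALLENGE_PORT:
        raise ValueError(f"unknown ACME challenge {challenge!r}")
    return CHALLENGE_PORT[challenge]


def acme_directory_reachable(url: str, timeout: float = 10.0) -> bool:
    """Equivalent of `curl <directory url>`: True when the ACME directory answers
    with JSON that advertises a newOrder endpoint. This makes a network call."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "newOrder" in json.load(resp)
    except (OSError, ValueError):
        return False


# One journald line as traefik writes it: syslog stamp, host, unit[pid], ISO time, level, message.
JOURNAL_RE = re.compile(
    r"^\w{3} \d\d \d\d:\d\d:\d\d \S+ (?P<unit>[\w-]+)\[\d+\]: "
    r"(?P<iso>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<level>INF|WRN|ERR|DBG) (?P<msg>.*)$"
)
RENEW_RE = re.compile(r"Renewing certificate from LE : \{Main:(?P<domain>\S+) SANs:")
FAIL_RE = re.compile(r'Error renewing certificate from LE: \{(?P<domain>\S+) \} error="(?P<error>[^"]*)"')


@dataclass
class RenewalAttempt:
    domain: str
    started_at: str
    failed_at: Optional[str] = None
    error: Optional[str] = None

    @property
    def failed(self) -> bool:
        return self.failed_at is not None


def parse_renewals(journal_text: str) -> list[RenewalAttempt]:
    """Walk `journalctl --grep acmeCA` output and pair each 'Renewing' line with
    the 'Error renewing' line for the same domain, if one follows.
    Lines from other units (e.g. crowdsec's own log-parser complaints) are skipped."""
    attempts: list[RenewalAttempt] = []
    for line in journal_text.splitlines():
        m = JOURNAL_RE.match(line)
        if not m or m["unit"] != "traefik":
            continue
        if r := RENEW_RE.search(m["msg"]):
            attempts.append(RenewalAttempt(domain=r["domain"], started_at=m["iso"]))
        elif f := FAIL_RE.search(m["msg"]):
            # Attach the error to the most recent still-open attempt for that domain.
            for a in reversed(attempts):
                if a.domain == f["domain"] and not a.failed:
                    a.failed_at, a.error = m["iso"], f["error"]
                    break
    return attempts


def last_failure(journal_text: str) -> Optional[RenewalAttempt]:
    """The most recent failed attempt, or None if no failure was logged."""
    failed = [a for a in parse_renewals(journal_text) if a.failed]
    return failed[-1] if failed else None


# Constructed sample input modelled on the thread (host, domain and error text are placeholders).
SAMPLE_ACME_SERVER = '{"url": "https://acme-v02.api.letsencrypt.org/directory", "email": "", "challenge": "HTTP-01"}'
SAMPLE_JOURNAL = """\
Jul 05 14:14:21 ns8 traefik[2589]: 2025-07-05T12:14:21Z INF Testing certificate renewal acmeCA=https://acme-v02.api.letsencrypt.org/directory
Jul 05 14:14:32 ns8 traefik[2589]: 2025-07-05T12:14:32Z INF Renewing certificate from LE : {Main:mail.example.test SANs:} acmeCA=https://acme-v02.api.letsencrypt.org/directory
Jul 05 14:14:32 ns8 crowdsec1[2991]: time="2025-07-05T12:14:32Z" level=error msg="UnmarshalJSON : invalid character '-' after top-level value" line="2025-07-05T12:14:32Z INF Renewing certificate"
Jul 05 14:14:49 ns8 traefik[2589]: 2025-07-05T12:14:49Z ERR Error renewing certificate from LE: {mail.example.test } error="error: one or more domains had a problem: [mail.example.test] constructed sample: connection refused" acmeCA=https://acme-v02.api.letsencrypt.org/directory
"""

if __name__ == "__main__":
    port = required_port(SAMPLE_ACME_SERVER)
    print(f"configured challenge needs inbound TCP port {port} forwarded to the NS8 host")
    for a in parse_renewals(SAMPLE_JOURNAL):
        status = f"FAILED at {a.failed_at}: {a.error}" if a.failed else "no error logged"
        print(f"{a.started_at} {a.domain}: {status}")
```

On a real host, feed the actual output of `api-cli run module/traefik1/get-acme-server` to required_port() and the actual output of `journalctl --grep acmeCA --no-pager` to parse_renewals(); a failed attempt whose error mentions the domain, together with acme_directory_reachable() returning True, points at the inbound side (firewall, port forward, country filter) rather than at outbound reachability of Let's Encrypt.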