NethServer Version: 7.9 with 3 vhosts/domains
- Threat shield disabled
- IPS disabled
- Firewall: no blocking of port 80
There are a lot of postings here, but I can’t find any idea why my expired LE certificates (mydomain2.de and mydomain3.de) are not automatically renewed. The cert of mydomain1.de (the main domain) has not expired yet.
I don’t get any error messages by mail.
# sh /etc/cron.daily/nethserver-check-uploaded-certificates
…tells me only that the 2 certs are expired.
# sh nethserver-letsencrypt-certs
produces log entries like these:
# cat /var/log/letsencrypt/letsencrypt.log
2021-04-20 08:24:52,262:DEBUG:certbot._internal.main:certbot version: 1.11.0
2021-04-20 08:24:52,262:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2021-04-20 08:24:52,262:DEBUG:certbot._internal.main:Arguments: ['--text', '--non-interactive', '--agree-tos', '--email', 'admin@externalmail.com', '--preferred-challenges', 'http', '--webroot', '--webroot-path', '/var/www/html/', '-d', 'mydomain1.de', '-d', 'collabora.mydomain1.de', '-d', 'imap.mydomain1.de', '-d', 'mail.mydomain1.de', '-d', 'nextcloud.mydomain1.de', '-d', 'smtp.mydomain1.de', '-d', 'wp.mydomain1.de', '-d', 'www.mydomain1.de', '-d', 'webtop.mydomain1.de', '-d', 'ns-srv01.mydomain1.de', '-d', 'status.mydomain1.de', '--quiet']
2021-04-20 08:24:52,262:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-04-20 08:24:52,279:DEBUG:certbot._internal.log:Root logging level set at 30
2021-04-20 08:24:52,279:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-04-20 08:24:52,280:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2021-04-20 08:24:52,281:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f4d2e673a90>
Prep: True
2021-04-20 08:24:52,283:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f4d2e673a90> and installer None
2021-04-20 08:24:52,283:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-04-20 08:24:52,308:DEBUG:certbot._internal.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/98774805', new_authzr_uri=None, terms_of_service=None), 4507e00e979072793c396c2a3ee407aa, Meta(creation_host=u'ns-srv01.mydomain1.de', register_to_eff=None, creation_dt=datetime.datetime(2020, 10, 8, 22, 54, 4, tzinfo=)))>
2021-04-20 08:24:52,318:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-04-20 08:24:52,329:INFO:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
2021-04-20 08:24:52,874:DEBUG:urllib3.connectionpool:"GET /directory HTTP/1.1" 200 658
2021-04-20 08:24:52,874:DEBUG:acme.client:Received response:
HTTP 200
content-length: 658
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
cache-control: public, max-age=0, no-cache
date: Tue, 20 Apr 2021 06:24:52 GMT
x-frame-options: DENY
content-type: application/json
{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "vHIlDm_eqbU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2021-04-20 08:24:52,899:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer <certbot._internal.cli.cli_utils._Default object at 0x7f4d2ddd3410>
2021-04-20 08:24:52,915:DEBUG:certbot.ocsp:Querying OCSP for /etc/letsencrypt/archive/mydomain1.de/cert6.pem
2021-04-20 08:24:52,916:DEBUG:certbot.ocsp:openssl ocsp -no_nonce -issuer /etc/letsencrypt/archive/mydomain1.de/chain6.pem -cert /etc/letsencrypt/archive/mydomain1.de/cert6.pem -CAfile /etc/letsencrypt/archive/mydomain1.de/chain6.pem -verify_other /etc/letsencrypt/archive/mydomain1.de/chain6.pem -trust_other -timeout 10 -header Host r3.o.lencr.org -url http://r3.o.lencr.org
2021-04-20 08:24:52,948:INFO:certbot._internal.renewal:Cert not yet due for renewal
2021-04-20 08:24:52,949:INFO:certbot._internal.main:Keeping the existing certificate
2021-04-20 08:24:52,949:DEBUG:certbot.display.util:Notifying user: Certificate not yet due for renewal; no action taken.
That means this script checks only mydomain1.de (not expired) and not my expired mydomain2.de and mydomain3.de.
How can I start the autorenewal script correctly for all of my domains/vhosts?
Sincerely, Marko
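
The observation in the post can be checked mechanically from the log: the following is an added example, not part of the original post and not NethServer code, that reads the `Arguments:` line certbot writes for each run and reports which expected hostnames were never passed with `-d`. The function names are hypothetical, the sample log lines are constructed in the same format as the log above, and the list of expected hostnames is assumed to be supplied by the administrator.

```python
import ast
import re

# Constructed sample in certbot's debug-log format (straight quotes, as in the real file).
SAMPLE_LOG = """\
2021-04-20 08:24:52,262:DEBUG:certbot._internal.main:Arguments: ['--text', '--non-interactive', '--webroot', '--webroot-path', '/var/www/html/', '-d', 'mydomain1.de', '-d', 'www.mydomain1.de', '-d', 'mail.mydomain1.de', '--quiet']
2021-04-20 08:24:52,948:INFO:certbot._internal.renewal:Cert not yet due for renewal
"""

ARGS_LINE = re.compile(
    r"^(?P<ts>.+?):DEBUG:certbot\._internal\.main:Arguments: (?P<argv>\[.*\])\s*$",
    re.MULTILINE,
)
DOMAIN_FLAGS = ("-d", "--domain", "--domains")


def requested_domains(argv):
    """Names certbot was asked to cover: '-d x', '--domains x,y' and '--domains=x'."""
    names, i = [], 0
    while i < len(argv):
        arg, value = argv[i], None
        if arg in DOMAIN_FLAGS and i + 1 < len(argv):
            value, i = argv[i + 1], i + 1
        elif arg.startswith(("--domain=", "--domains=")):
            value = arg.split("=", 1)[1]
        if value:
            names += [n.strip().lower().rstrip(".") for n in value.split(",") if n.strip()]
        i += 1
    return names


def certbot_runs(log_text):
    """Return [(timestamp, [domains])] for every certbot invocation found in the log."""
    runs = []
    for m in ARGS_LINE.finditer(log_text):
        try:
            argv = ast.literal_eval(m.group("argv"))  # the list is logged as a Python repr
        except (ValueError, SyntaxError):
            continue  # truncated or hand-edited line: skip it rather than guess
        runs.append((m.group("ts"), requested_domains(argv)))
    return runs


def uncovered(expected, log_text):
    """Expected hostnames that the most recent certbot run did not request."""
    runs = certbot_runs(log_text)
    latest = set(runs[-1][1]) if runs else set()
    return [h for h in expected if h.lower().rstrip(".") not in latest]


if __name__ == "__main__":
    print(uncovered(["mydomain1.de", "mydomain2.de", "mydomain3.de"], SAMPLE_LOG))
```

To use it on a real system, pass the contents of /var/log/letsencrypt/letsencrypt.log as `log_text`; any hostname it returns was not in the certificate request at all, which is a different problem from a failed HTTP challenge.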