Force automated certificate renewal

[Migdiradmin]

Today i get a message via directamin saying this, Error during automated certificate renewal

Setting up certificate for a hostname: server.mydomain.com
2022/03/26 00:10:24 [INFO] [server.mydomain.com] acme: Obtaining SAN certificate
2022/03/26 00:10:24 [INFO] [server.mydomain.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/sdasaas4130
2022/03/26 00:10:24 [INFO] [server.mydomain.com] acme: Could not find solver for: tls-alpn-01
2022/03/26 00:10:24 [INFO] [server.mydomain.com] acme: use http-01 solver
2022/03/26 00:10:24 [INFO] [server.mydomain.com] acme: Trying to solve HTTP-01
2022/03/26 00:10:38 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/234550
2022/03/26 00:10:38 Could not obtain certificates:
    error: one or more domains had a problem:
[server.mydomain.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://server.mydomain.com/.well-known/acme-challenge/sadfassdd--mWbnm1sadasd-9Fo: Timeout during connect (likely firewall problem)
Certificate generation failed.

I know what caused that because the http port blocked in that moment but how can i force manually again the automated certificate renewal for the name machine (server.domain.com)?
Or the automated certificate renewal gone try next day?

 

[Migdiradmin]

Or the automated certificate renewal gone try next day?
Yes, and fixed the problem.

Thanks for all support.

 

[Richard G]

Thanks for all support.

I'm sure somebody would have given support, but personally I wasn't sure either if renewal for the hostname also would try the next day so I didn't answer. Maybe more people didn't know for sure. Also the manual command to renew is stated in the docs and can be found all over the forums.

Thank you for posting your solution!

 

[Migdiradmin]

I'm sure somebody would have given support, but personally I wasn't sure either if renewal for the hostname also would try the next day so I didn't answer. Maybe more people didn't know for sure. Also the manual command to renew is stated in the docs and can be found all over the forums.

Thank you for posting your solution!

But can you share what is the manual command to renew the server.mydomain.com?

In the User / Account Manager / SSL Certificates i can see the option to renew my domain.com and subdomains but i dont find the server.mydomain.com i think this is different to the name of the vps machine.

mydomain.com - Expires in 23 december
server.mydomain.com - Expires in 29 October

And the 2 have same domain.

 

[Richard G]

But can you share what is the manual command to renew the server.mydomain.com?

As said, it's in the docs. Also if you start the letsencrypt.sh script without entry's, it shows you the commandline option.

In your situation, first check if server.domain.com is present as DNS entry.
Check /var/named and see if there is a server.mydomain.com.db in there.

If not, create the server.mydomain.com as domain via the DNS manager.

Renewing the hostname if the certificate is still valid can be done like this:
/usr/local/directadmin/scripts/letsencrypt.sh renew server.mydomain.com

if it's already past the renewal date I would suggest creating a new hostname certificate:
/usr/local/directadmin/scripts/letsencrypt.sh request_single server.mydomain.com 4096

And the 2 have same domain.

Yes that's no problem. I have that the same way.

Be sure your DA and Letsencrypt.sh is the latest version.

 

[Migdiradmin]

Updated

cd /usr/local/directadmin/custombuild
./build update
./build letsencrypt

Forced

/usr/local/directadmin/scripts/letsencrypt.sh renew server.mydomain.com

Returned

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
The server validated our request
 acme: Validations succeeded; requesting certificates
 [server.domain.com] Server responded with a certificate for the preferred certificate chains "ISRG Root X1".
Certificate for server.domain.com has been created successfully!
DirectAdmin certificate has been setup.
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

But after check https://www.digicert.com/ shows

TLS Certificate expires soon

The primary TLS Certificate expires on October 30, 2022 (5 days remaining)
Certificate Name matches server.domain.com
Subject    server.domain.com
Valid from 02/Aug/2022 to 30/Oct/2022
Issuer    R3
    --------------------------------
Subject    R3
Valid from 04/Sep/2020 to 15/Sep/2025
Issuer    ISRG Root X1

Says is 5 days remaining.

 

[Richard G]

Says is 5 days remaining.

Maybe that's the old certificate.

You can better check at https://crt.sh and then put in your hostname.
There you also see older and newer certificates. Check the "Not after" dates for your hostname certificates. There should now be certificates which are again around 90 days valid.

 

[Migdiradmin]

Yes you are right that the certificate in the https://crt.sh already show new date, but in the browser and tools online shows the old.

The server is returning the old why?
Or i have to wait?

 

[Migdiradmin]

After reboot the server now everything ok and shows the new certificate date.

Thanks for all

 

[Richard G]

Other online tools might check the crt.sh too, their results could be cached.
But good to see that it's working after the reboot now.

You're welcome.

 

[Migdiradmin]

Today i have to manually force the renew again.

How can i do this auto?

Regards

 

[Richard G]

It should be done automatically, if it's again not done automatically it is some DA issue, best is to report that in a ticket.