CyberHosting

Recent Lets Encrypt Changes

Hello

Lets Encrypt made some changes, due to which you need to upgrade your acme client if you are having issues getting SSLs. (This only applies to old installations, as new installations get latest code). Execute following command:

wget -O - https://get.acme.sh | sh

Regards

Comments

  • When i certbot renew on the command line it gives me following error:

    certbot renew
    Traceback (most recent call last):
    File "/usr/bin/certbot", line 9, in
    load_entry_point('certbot==0.37.2', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 378, in load_entry_point
    return get_distribution(dist).load_entry_point(group, name)
    File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2566, in load_entry_point
    return ep.load()
    File "/usr/lib/python2.7/site-packages/pkg_resources.py", line 2260, in load
    entry = __import__(self.module_name, globals(),globals(), ['__name__'])
    File "/usr/lib/python2.7/site-packages/certbot/main.py", line 17, in
    from certbot import account
    File "/usr/lib/python2.7/site-packages/certbot/account.py", line 17, in
    from acme import messages
    File "/usr/lib/python2.7/site-packages/acme/messages.py", line 11, in
    from acme import challenges
    File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 12, in
    import requests
    File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 97, in
    from . import utils
    File "/usr/lib/python2.7/site-packages/requests/utils.py", line 28, in
    from .compat import (
    ImportError: cannot import name integer_types
  • Hello

    Lets Encrypt made some changes, due to which you need to upgrade your acme client if you are having issues getting SSLs. (This only applies to old installations, as new installations get latest code). Execute following command:

    wget -O - https://get.acme.sh | sh

    Regards

    Thanks!
  • edited September 26
    That's not the problem, CyberPanel. I am still getting errors after updating. It used to be that whenever redirect rules/.htaccess files were active, Let's Encrypt could automatically renew certificates around those redirects. The issue is we have to completely clear out each of those .htaccess files individually, then renew manually, and then restore those .htaccess files.

    EDIT: All the domains appear to renew without issue after renewing. It must be a permissions issue that requires an initial renewal after upgrading depending on the age of the certificate.
  • edited September 27

    Hello

    Lets Encrypt made some changes, due to which you need to upgrade your acme client if you are having issues getting SSLs. (This only applies to old installations, as new installations get latest code). Execute following command:

    wget -O - https://get.acme.sh | sh

    Regards

    After update having this:

    Cannot issue SSL. Error message: [Fri Sep 27 09:10:20 UTC 2019] dev1.exista.dev:Verify error:Invalid response from https://dev1.exista.dev/.well-known/acme-challenge/j0zzRjwK15N13l_M2Qtzd8udOIoTJP3xNwO9ceRlv3c [159.69.144.185]: [Fri Sep 27 09:10:20 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:10:20 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Fri Sep 27 09:10:33 UTC 2019] dev1.exista.dev:Verify error:Invalid response from https://dev1.exista.dev/.well-known/acme-challenge/5gZ7VZxjt0-WuTcp-L8SMRXZcg8MFCi353iTiQrBy80 [159.69.144.185]: [Fri Sep 27 09:10:33 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:10:33 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

    and this:

    Cannot issue SSL. Error message: [Fri Sep 27 09:13:18 UTC 2019] Create new order error. Le_OrderFinalize not found. { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 } [Fri Sep 27 09:13:18 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:13:18 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Fri Sep 27 09:13:22 UTC 2019] Create new order error. Le_OrderFinalize not found. { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 } [Fri Sep 27 09:13:22 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:13:22 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

    CyberPanel is latest (clean installed two weeks ago)
  • edited September 27
    AKr0nizz said:

    Hello

    Lets Encrypt made some changes, due to which you need to upgrade your acme client if you are having issues getting SSLs. (This only applies to old installations, as new installations get latest code). Execute following command:

    wget -O - https://get.acme.sh | sh

    Regards

    After update having this:

    Cannot issue SSL. Error message: [Fri Sep 27 09:10:20 UTC 2019] dev1.exista.dev:Verify error:Invalid response from https://dev1.exista.dev/.well-known/acme-challenge/j0zzRjwK15N13l_M2Qtzd8udOIoTJP3xNwO9ceRlv3c [159.69.144.185]: [Fri Sep 27 09:10:20 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:10:20 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Fri Sep 27 09:10:33 UTC 2019] dev1.exista.dev:Verify error:Invalid response from https://dev1.exista.dev/.well-known/acme-challenge/5gZ7VZxjt0-WuTcp-L8SMRXZcg8MFCi353iTiQrBy80 [159.69.144.185]: [Fri Sep 27 09:10:33 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:10:33 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

    and this:

    Cannot issue SSL. Error message: [Fri Sep 27 09:13:18 UTC 2019] Create new order error. Le_OrderFinalize not found. { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 } [Fri Sep 27 09:13:18 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:13:18 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Fri Sep 27 09:13:22 UTC 2019] Create new order error. Le_OrderFinalize not found. { "type": "urn:ietf:params:acme:error:rateLimited", "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/", "status": 429 } [Fri Sep 27 09:13:22 UTC 2019] Please add '--debug' or '--log' to check more details. [Fri Sep 27 09:13:22 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

    CyberPanel is latest (clean installed two weeks ago)
    This issue is that when you update acme.sh, it loses the proper permissions it needs to temporarily disable the .htaccess/URL redirects of your website, which it uses in the certification process in order to verify that your domain is tied to your server. I had this problem with any of my sites that had the .htaccess enabled, be it proxies or WordPress sites. So as a workaround, you have to temporarily (1) copy to a safe place your .htaccess file contents, (2) temporarily clear your .htaccess file, (3) then run the SSL renewal in CyberPanel, and (4) finally restore your .htaccess file. After you complete this process, whenever it needs to renew again anytime in the future, it should renew automatically without you having to clear your .htaccess file.
  • I am experiencing issues deploying new sites with SSL Certificates. ( or deploying them without SSL and trying to get it after the fact).

    I believe it does have something to do with permissions, however I don't have the chance to update or move the .htaccess as it's a new site. Even if I deploy the site without SSL, then try to get one after , there is no .htaccess to move


  • Same issues, upgrading didn't work, can't make new sites because they always go 403, 404 and have errors/issues

    This only started happening recently
  • I just installed cyberpanel and the same is happening with me
  • Just putting this out there......YMMV

    On my homelab with CyberPanel I was getting SSL renewal failure on a baremetal Centos 7.x system

    1). I did update the system / CP to 1.9 / acme.sh script with no success.

    2). I just found the below and switched to --use-wget and everything renewed.

    https://github.com/Neilpang/acme.sh/pull/2499
  • @Redmound How did you add --use-wget? Are you manually requesting the certs from command line?

    I've tried adding it and still getting a 403 forbidden when letsencrypt trys to hit Cyberpanel.
  • If anyone is having the same issue with Centos;
    Editing line 4286 of acme.sh ( newest version)

    Old: if ! _exec "chown -R \"$webroot_owner\" \"$_currentRoot/.well-known\""; then
    New: if ! _exec "chmod -R 755 \"$_currentRoot/.well-known\""; then
  • edited October 3
    My production server is too new for any of the certs to expire.....my development server is older and the certs started expiring and not renewing.

    I did one manually with the entry from cron.....it would show the CA server to be busy and never completed. It was leaving all kinds of orphaned Txt files.

    I tried one domain manually with the --use-wget and it went straight through with curl (default) it hung in a loop.

    I added the --use-wget to the cron entry and today the rest of the domains updated.

    The issue I had was with letsencrypt changing to http/2 and centos (curl) not working. Acme.sh has been updated, but I don't think it has solved all the issues with centos.
  • So what needs to be done here in order to update my code properly? OP posted a method, was told by the community that it didn't work, and the OP has now ignored the community for 2 weeks. . .

    What's going on @CyberPanel
Sign In or Register to comment.
CyberPanel Discord

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!