Open suvsap opened 4 years ago
Hello,
from which version did you update?
Because --webroot is --http.webroot since v2.0.0.
Thanks ldez for your prompt response as always.
We were on v0.3.1 earlier and moved to v3.5.0 recently. I will implement your suggestion to see if the problem gets resolved
Hi @ldez ,
Kindly find the cronjob command that I updated as per your suggestion:
# Renewal cronjob
command => "/usr/local/bin/lego -a --email='${email}' --tls --domains='${domain}' --path='${cert_path}' --http.webroot='${challenge_directory}' --key-type rsa4096 renew >> /var/log/letsencrypt.log 2>&1",
When the cronjob ran, I got the below error in letsencrypt.log:
2020/05/14 01:42:02 flag provided but not defined: -webroot
2020/05/27 08:34:28 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -304 hours remaining
2020/05/27 08:34:28 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4840919476
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] acme: use tls-alpn-01 solver
2020/05/27 08:34:29 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve TLS-ALPN-01
2020/05/27 08:34:29 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4840919476
2020/05/27 08:34:29 acme: Error -> One or more domains had a problem:
[thrifty-pa.cq.thermeon.io] [thrifty-pa.cq.thermeon.io] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -304 hours remaining
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841211768
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: use tls-alpn-01 solver
2020/05/27 08:54:32 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve TLS-ALPN-01
2020/05/27 08:54:32 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841211768
2020/05/27 08:54:32 acme: Error -> One or more domains had a problem:
[thrifty-pa.cq.thermeon.io] [thrifty-pa.cq.thermeon.io] acme: error presenting token: could not start HTTPS server for challenge -> listen tcp :443: bind: address already in use
The command that worked is as below:
root@carsplus:/var/log# /usr/local/bin/lego -a --email='admin@thermeon.com' --http --domains='thrifty-pa.cq.thermeon.io' --path='/etc/letsencrypt' --http.webroot='/var/www/letsencrypt' --key-type rsa4096 renew
2020/05/27 09:01:39 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying renewal with -305 hours remaining
2020/05/27 09:01:39 [INFO] [thrifty-pa.cq.thermeon.io] acme: Obtaining bundled SAN certificate
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/4841320121
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: Could not find solver for: tls-alpn-01
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: use http-01 solver
2020/05/27 09:01:40 [INFO] [thrifty-pa.cq.thermeon.io] acme: Trying to solve HTTP-01
2020/05/27 09:01:46 [INFO] [thrifty-pa.cq.thermeon.io] The server validated our request
2020/05/27 09:01:46 [INFO] [thrifty-pa.cq.thermeon.io] acme: Validations succeeded; requesting certificates
2020/05/27 09:01:54 [INFO] [thrifty-pa.cq.thermeon.io] Server responded with a certificate.
root@carsplus:/var/log# ls -al /etc/letsencrypt/certificates/
total 24
drwx------ 2 root root 4096 Feb 14 16:54 .
drwx------ 4 root root 4096 Feb 14 15:10 ..
-rw------- 1 root root 3933 May 27 09:01 thrifty-pa.cq.thermeon.io.crt
-rw------- 1 root root 1648 May 27 09:01 thrifty-pa.cq.thermeon.io.issuer.crt
-rw------- 1 root root 246 May 27 09:01 thrifty-pa.cq.thermeon.io.json
-rw------- 1 root root 3243 May 27 09:01 thrifty-pa.cq.thermeon.io.key
We had to use the --http option rather than --tls as in the previous cronjob.
Our Nginx web server uses the certificate. Can you kindly suggest whether moving from tls to http will be safe for us from a security perspective, or whether there are any other problems we could encounter in future?
Thanks, Suvankar
Also, is there any way to use HTTPS rather than HTTP for cert renewals, from a security perspective?
Thanks in advance for your help
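A pre-flight script for the http-01/webroot renewal shown above, added here as an example; it is not code from the thread or from lego itself. It assumes the same variables as the Puppet template (email, domain, cert_path, challenge_directory), that nginx serves /.well-known/acme-challenge/ out of the webroot over plain HTTP on port 80, and that curl is installed; fetch_url is a hypothetical wrapper so the transport can be swapped out for offline testing. It builds the post-v2.0.0 command line with --http.webroot, refuses a command that still carries the removed --webroot flag (the "flag provided but not defined" cron error), and plants a throw-away token in the challenge directory and reads it back through the public URL, which is what the CA does during validation. The built-in TLS-ALPN-01 solver in the log failed because lego itself must listen on :443 and nginx already holds that port; the webroot solver never binds a port, which is why the --http command worked.

```shell
#!/bin/sh
# Added example: pre-flight for lego http-01 renewals behind nginx.
# Not part of the original issue thread and not lego's own code.

# Build the lego (>= v2.0.0) renewal command. Variables mirror the Puppet
# template from the thread; --webroot was renamed --http.webroot in v2.0.0.
lego_renew_cmd() {
  email=$1; domain=$2; cert_path=$3; webroot=$4
  printf '%s' "/usr/local/bin/lego -a --email='$email' --http --domains='$domain' --path='$cert_path' --http.webroot='$webroot' --key-type rsa4096 renew"
}

# Reject a command line that still uses the pre-2.0 --webroot flag, so the
# cron job never logs "flag provided but not defined: -webroot" again.
# Returns 0 when the command is clean, 1 when the removed flag is present.
check_flags() {
  case " $1 " in
    *" --webroot="*|*" --webroot "*) return 1 ;;
  esac
  return 0
}

# Transport used by the self-check. Hypothetical wrapper: in production it is
# curl over plain HTTP, which is the channel the CA uses for http-01.
fetch_url() {
  curl -fsS "$1"
}

# Plant a random token at the path lego will use for its key authorization,
# fetch it back through the public URL and compare. Succeeds only when nginx
# really serves $webroot/.well-known/acme-challenge/ at $base_url.
acme_webroot_selfcheck() {
  webroot=$1; base_url=$2
  dir="$webroot/.well-known/acme-challenge"
  mkdir -p "$dir"
  token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
  printf 'selfcheck-%s' "$token" > "$dir/$token"
  got=$(fetch_url "$base_url/.well-known/acme-challenge/$token" 2>/dev/null || true)
  rm -f "$dir/$token"
  [ "$got" = "selfcheck-$token" ]
}

# Typical use from the renewal cron job (values are placeholders):
#   cmd=$(lego_renew_cmd "$email" "$domain" "$cert_path" "$challenge_directory")
#   check_flags "$cmd" || { echo "stale --webroot flag in renewal command" >&2; exit 1; }
#   acme_webroot_selfcheck "$challenge_directory" "http://$domain" || { echo "webroot not reachable" >&2; exit 1; }
#   eval "$cmd" >> /var/log/letsencrypt.log 2>&1
```

Run the self-check from the same host and cron environment as the renewal; it catches the two failure modes in this thread (a stale flag and a challenge directory nginx does not actually expose) before lego talks to the CA. The http-01 challenge is specified to be fetched over plain HTTP on port 80, and the token lego writes there is a public key authorization rather than a secret, so serving it over HTTP is the expected behaviour, not a weakening.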
Hi Team,
We have just upgraded to Lego version 3.5.0, but when we try to renew Lego certificates using the below command it fails.
Command:-
/usr/local/bin/lego -a --email='${email}' --tls --domains='${domain}' --path='${cert_path}' --webroot='${challenge_directory}' --key-type rsa4096 renew
Error:-
When I tried to test the renewal on our test server without the webroot flag, it worked.
Kindly confirm whether I can remove the webroot flag without any issues.
Thanks in advance for your help as always