CentOS 7.x Owncloud bitnami lego lets-encrypt certificate renewal issue
It is better to use /opt/owncloud-<version>/bncert-tool with the --perform_dns_validation 0 option to renew the certificate via the bncert tool. This adds an entry in crontab with the '0 0 * * *' schedule. Change it to something like 'A B * * 0', where A is between 0 and 59 (minutes) and B is between 0 and 6 (hours, at night).
A similar article: CentOS 8.x wordpress bitnami lets encrypt certificate renewal error
It was found that on one production server /etc/lego/renew-certificate.sh, with the following contents, stopped working:
#!/bin/bash
/opt/owncloud-10.0.10-2/ctlscript.sh stop
/usr/local/bin/lego --email="saurabh@example.com" --domains="<fqdn>" --path="/etc/lego" --http renew
/opt/owncloud-10.0.10-2/ctlscript.sh start
The command below was running without any output and exiting with status 0:
/usr/local/bin/lego --email="saurabh@example.com" --domains="<fqdn>" --path="/etc/lego" --http renew
The above script was created based on the reference below:
To resolve this, the following steps were used:
- /opt/owncloud-10.0.10-2/ctlscript.sh stop
- yum -y install python2-certbot-apache
- yum -y install httpd
- Created /etc/httpd/conf.d/<servername>.conf with:
    <VirtualHost *:80>
        DocumentRoot "/var/www/html"
        ServerName <server-fqdn>
        # Other directives here
    </VirtualHost>
- systemctl start httpd
- Used the following to create the required certificate in the /etc/letsencrypt/live folders:
    certbot --apache
- systemctl stop httpd
- In the above setup the following symbolic links were present:
    /etc/lego/certificates/<fqdn>.crt linked to /opt/owncloud-10.0.10-2/apache2/conf/server.crt
    /etc/lego/certificates/<fqdn>.key linked to /opt/owncloud-10.0.10-2/apache2/conf/server.key
- Thus updated /etc/lego/renew-certificate.sh to contain:
    #!/bin/bash
    /opt/owncloud-10.0.10-2/ctlscript.sh stop
    /usr/local/bin/lego --email="saurabh@example.com" --domains="<fqdn>" --path="/etc/lego" --http renew
    #The above is not working so using certbot instead
    systemctl start httpd
    certbot renew
    systemctl stop httpd
    cp /etc/letsencrypt/live/<fqdn>/fullchain.pem /etc/lego/certificates/<fqdn>.crt
    cp /etc/letsencrypt/live/<fqdn>/privkey.pem /etc/lego/certificates/<fqdn>.key
    /opt/owncloud-10.0.10-2/ctlscript.sh start
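As an added example (not the wiki's own script), a stricter version of the renew-certificate.sh above: it renews only when the certificate is close to expiry, brings the bitnami stack back up even if certbot fails, and copies the new files only when certbot actually produced a later-expiring certificate. The paths are the page's (with <fqdn> to be filled in); RENEW_DAYS, the helper function names, the --run flag and the use of GNU date are assumptions.

```shell
#!/bin/bash
# Added example, not the page's /etc/lego/renew-certificate.sh. Paths are the page's;
# RENEW_DAYS, the function names and the --run flag are assumptions.
STACK="/opt/owncloud-10.0.10-2/ctlscript.sh"
LIVE="/etc/letsencrypt/live/<fqdn>"          # replace <fqdn>
LEGO_CRT="/etc/lego/certificates/<fqdn>.crt"
LEGO_KEY="/etc/lego/certificates/<fqdn>.key"
RENEW_DAYS=30                                # renew when fewer days remain

# Succeeds if the certificate in $1 is missing or expires within $2 days.
cert_needs_renewal() {
    [ -r "$1" ] || return 0
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
        return 1   # still valid beyond the threshold
    fi
    return 0
}

# Prints notAfter of the certificate in $1 as seconds since the epoch (GNU date).
cert_not_after_epoch() {
    na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    date -d "$na" +%s
}

# Succeeds only if certificate $2 expires strictly later than certificate $1.
cert_is_newer() {
    [ "$(cert_not_after_epoch "$2")" -gt "$(cert_not_after_epoch "$1")" ]
}

renew_and_install() {
    cert_needs_renewal "$LEGO_CRT" "$RENEW_DAYS" || { echo "more than $RENEW_DAYS days left, nothing to do"; return 0; }
    "$STACK" stop
    trap '"$STACK" start' EXIT      # bring the bitnami stack back up no matter what
    systemctl start httpd
    certbot renew --non-interactive; rc=$?
    systemctl stop httpd
    [ "$rc" -eq 0 ] || { echo "certbot renew failed (rc=$rc); keeping current certificate" >&2; return "$rc"; }
    # Copy only when certbot produced a later-expiring certificate. cp (as on the page)
    # follows the symbolic links listed above; install(1) would replace them with files.
    if ! cert_is_newer "$LEGO_CRT" "$LIVE/fullchain.pem"; then
        echo "no newer certificate in $LIVE; leaving $LEGO_CRT untouched" >&2
        return 1
    fi
    cp "$LIVE/fullchain.pem" "$LEGO_CRT" && cp "$LIVE/privkey.pem" "$LEGO_KEY"
}

# Run from cron as: /etc/lego/renew-certificate.sh --run
case "${1:-}" in --run) renew_and_install ;; esac
```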
bncert-tool renewal issue
The bncert-tool that comes with bitnami wordpress-5.6.0 stopped working with errors similar to:
2021/05/18 17:15:22 [INFO] [sbarjatiya.com] acme: Trying renewal with 480 hours remaining
2021/05/18 17:15:22 [INFO] [sbarjatiya.com, www.sbarjatiya.com] acme: Obtaining bundled SAN certificate
2021/05/18 17:15:24 [INFO] [sbarjatiya.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692289
2021/05/18 17:15:24 [INFO] [www.sbarjatiya.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692290
2021/05/18 17:15:24 [INFO] [sbarjatiya.com] acme: Could not find solver for: tls-alpn-01
2021/05/18 17:15:24 [INFO] [sbarjatiya.com] acme: use http-01 solver
2021/05/18 17:15:24 [INFO] [www.sbarjatiya.com] acme: Could not find solver for: tls-alpn-01
2021/05/18 17:15:24 [INFO] [www.sbarjatiya.com] acme: use http-01 solver
2021/05/18 17:15:24 [INFO] [sbarjatiya.com] acme: Trying to solve HTTP-01
2021/05/18 17:15:29 [INFO] [www.sbarjatiya.com] acme: Trying to solve HTTP-01
2021/05/18 17:15:36 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692289
2021/05/18 17:15:37 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692289
2021/05/18 17:15:37 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692290
2021/05/18 17:15:37 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/13228692290
2021/05/18 17:15:37 error: one or more domains had a problem:
[sbarjatiya.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://sbarjatiya.com/ [13.234.253.51]: "<!DOCTYPE html>\n<html class=\"html\" lang=\"en-US\">\n<head>\n\t<meta charset=\"UTF-8\">\n\t<link rel=\"profile\" href=\"https://gmpg.org/xfn/", url:
[www.sbarjatiya.com] acme: error: 403 :: urn:ietf:params:acme:error:unauthorized :: Invalid response from https://sbarjatiya.com/ [13.234.253.51]: "<!DOCTYPE html>\n<html class=\"html\" lang=\"en-US\">\n<head>\n\t<meta charset=\"UTF-8\">\n\t<link rel=\"profile\" href=\"https://gmpg.org/xfn/", url:
Running bncert-tool with --perform_dns_validation 0 required entering many details, and later, since the email ID did not match the one used for earlier certificate generations, the process failed with an error such as:
2021/05/18 17:19:03 Saved key to /opt/wordpress-5.6-0/letsencrypt/accounts/acme-v02.api.letsencrypt.org/saurabh@gb b.co.in/keys/saurabh@sbarjatiya.com.key
2021/05/18 17:19:04 Account saurabh@sbarjatiya.com is not registered. Use 'run' to register a new account.
child process exited abnormally
Even if you configure the correct email ID that was used to generate the certificate, it fails with the error:
Warning: Certificates may not renew automatically, due to a web server configuration issue. For more information see: https://docs.bitnami.com/general/how-to/understand-bncert/#certificates-not-renewed-automatically
Press [Enter] to continue:
----------------------------------------------------------------------------
Some errors occurred
The configuration was applied, but some of the changes could not be applied. Find the details below.
Installing a lets-encrypt SSL certificate with certbot is tricky and time consuming, as we need to stop the bitnami stack, install the regular httpd and mod_ssl, configure virtual hosts and then request the certificates. Even after that, the certificate format in /etc/letsencrypt/live/<domain>/ is quite different from the existing certificates in /opt/wordpress-5.6-0/letsencrypt/certificates.
Finally, the only thing that worked is:
/opt/wordpress-5.6-0/ctlscript.sh stop
cd /opt/wordpress-5.6-0/letsencrypt/
./lego --path /opt/wordpress-5.6-0/letsencrypt/ -d sbarjatiya.com -d www.sbarjatiya.com -m saurabh@sbarjatiya.com --http run
/opt/wordpress-5.6-0/ctlscript.sh start