    The renewal of certificates does not take place

    • T
      tomasenskede
      last edited by

      e44346cc-8766-4982-a661-5531882f58e7-image.png

      The expiration date is approaching, and the certificate hasn't been renewed. When does pfSense trigger these renewals? Is there a log for this?

      • GertjanG
        Gertjan @tomasenskede
        last edited by Gertjan

        @tomasenskede said in The renewal of certificates does not take place:

        The expiration date is approaching, and the certificate hasn't been renewed. When does pfSense trigger these renewals? Is there a log for this?

        There is.
        That is, do you want it to renew?
        Check the checks:

        b533fad7-3ca4-4f5b-a57a-74ab22b4dcd1-image.png

        Then check your cron settings (install the pfSense cron package if you haven't done so):
        You'll find :

        95cda1b8-9289-4dbf-956f-a36f56bf23df-image.png

        And now you know for sure it logs, have a look at the logs:
        At 03h16, as the cron has been set up at "03h16", I've found:

        edabb650-88b4-420a-b7dc-338489bf4392-image.png

        edit : Your renewal also happens at 03h16 ... 😊 I really thought this was a random moment.

        edit 2 :

        96efaa15-c6e0-4341-9554-76d95d36fe10-image.png

        Is that a dot or a comma?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • T
          tomasenskede @Gertjan
          last edited by

          @Gertjan

          96642987-6abf-4b20-b42a-9d0640880ed3-image.png

          90464f59-0fd7-4bb7-8330-b022d9df03d9-image.png

          The last entry in the log is from the last time I had to update manually:

          d217f6d7-1c4a-42e0-9d49-1026669d34ae-image.png

          • T
            tomasenskede @Gertjan
            last edited by

            @Gertjan

            /usr/local/etc/rc.d/haproxy,sh restart

            It's a comma.

            • GertjanG
              Gertjan @tomasenskede
              last edited by

              @tomasenskede

              A file name that contains a comma.
              Never seen that before.

              Cut and paste is failing?

              The "examples" use a dot:

              521982ea-54df-4ed5-91bb-78d20db60e39-image.png


              • T
                tomasenskede @Gertjan
                last edited by

                @Gertjan Thanks, it's corrected now. But still, the cert isn't renewed... Can this be the error?

                • GertjanG
                  Gertjan @tomasenskede
                  last edited by

                  @tomasenskede

                  When you activate a manual renewal, by hitting :

                  6ef7ba68-dcd2-42a0-a5e2-fc683a499b52-image.png

                  does it work?
                  If it didn't, at the end a log file is mentioned that contains all the "why it didn't work" messages.
                  The acme log file ^^

                  Btw: don't hit that button too often!! You are not allowed to renew the cert several times (5 or so per week). Do it more often and you will be punished (renewal will fail).


                  • T
                    tomasenskede @Gertjan
                    last edited by

                    @Gertjan
                    327dbefb-6974-4cef-b149-0474919e6e5b-image.png

                    Services / Acme / Certificates

                    Renewing certificate
                    ...
                    [Sat Aug 17 11:47:27 CEST 2024] Cert success.
                    update cert![Sat Aug 17 11:47:29 CEST 2024] Reload success

                    14e53171-5a35-4f3e-b26c-f120bf215d76-image.png

                    Success! So... why isn't this done automatically? What's the issue?

                    • GertjanG
                      Gertjan @tomasenskede
                      last edited by Gertjan

                      @tomasenskede said in The renewal of certificates does not take place:

                      What's the issue?

                      I'll put my bet on: you are - or were - the issue 😊

                      This :

                      7c0860f2-37f0-41dc-b671-013da833db4f-image.png

                      to be read from bottom to top.
                      The auto renewal cron job starts.
                      It decides that it is time, as it compares the certificate end date minus the (90 days - your "Certificate renewal after", which is set to 60).
                      If the remaining period is less than (90-60) = 30, then it is

                      "It's time to renew"

                      The issue was here

                      df16ece8-7a2a-484a-b822-77dee40a45bd-image.png

                      I presume that, since you set up two scripts to be executed upon end of renewal, and one of them, the one with a comma in the file name (that's a good old syntax error), everything failed. You probably did get the new certificate, but it wasn't written into the system as there was an error.

                      To be sure all is well now, you don't have to wait for 60 days.
                      The minimal LE grace period is 7 days or so, so set your "Certificate renewal after" to 10 days or so.
                      Now, wait for ten days, and then see what happens.
                      By 'see' I mean : inspect the main acme.sh log file, the /tmp/acme/[your-acme-account-name]/acme_issuecert.log
                      I'm pretty sure this time you'll find your renewed cert under System > Certificates > Certificates and as you restart the webgui, you can inspect the certificate right away in your browser, and see the start and end date. The certificate serial number also changed.

                      We'll meet up here over 10 days? 😊


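The renewal arithmetic Gertjan describes above (90-day lifetime, "Certificate renewal after" 60, renew once fewer than 30 days remain), together with a pre-flight check on the post-renewal action commands that catches the comma typo from this thread, as an added example. This is not pfSense or acme.sh code; the 90-day lifetime, the sample dates and the injectable file-existence check are assumptions made here.

```python
"""Added example (not pfSense or acme.sh code): the renewal decision as
described in the thread, plus a lint for the post-renewal action commands."""
from datetime import datetime, timedelta
import os
import shlex

LE_LIFETIME_DAYS = 90  # Let's Encrypt certificate lifetime assumed in the thread


def renewal_due(not_after, now, renew_after_days=60, lifetime_days=LE_LIFETIME_DAYS):
    """Return (due, days_left, threshold) for ISO 8601 strings or datetimes.

    "Certificate renewal after" (60 in the thread) counts from issuance, so the
    cron job renews once fewer than lifetime - renew_after (= 30) days remain.
    """
    if isinstance(not_after, str):
        not_after, now = datetime.fromisoformat(not_after), datetime.fromisoformat(now)
    threshold = lifetime_days - renew_after_days
    days_left = (not_after - now) / timedelta(days=1)
    return days_left < threshold, days_left, threshold


def check_action_commands(commands, is_file=os.path.isfile):
    """Lint the shell commands configured to run after a renewal.

    The thread blames a comma typed instead of a dot ('haproxy,sh') for the
    automatic renewal failing, so that typo gets its own message. is_file is
    injectable so the check can run on a machine that is not the firewall.
    """
    problems = []
    for cmd in commands:
        parts = shlex.split(cmd)
        path = parts[0] if parts else ""
        if not path.startswith("/"):
            problems.append((cmd, "script path is not absolute"))
        elif "," in os.path.basename(path):
            problems.append((cmd, "comma in script name (mistyped dot?)"))
        elif not is_file(path):
            problems.append((cmd, "script does not exist"))
    return problems


if __name__ == "__main__":
    # Constructed sample: cert expires 2024-09-29; cron fires at 03:16 as in the thread.
    for day in ("2024-08-15", "2024-08-31"):
        due, left, thr = renewal_due("2024-09-29T00:00", f"{day}T03:16")
        print(f"{day}: {left:.1f} days left, threshold {thr}: {'renew' if due else 'wait'}")
    cmds = ["/usr/local/etc/rc.d/haproxy,sh restart", "/etc/rc.restart_webgui"]
    for cmd, why in check_action_commands(cmds, is_file=lambda p: p.endswith("webgui")):
        print(f"{cmd!r}: {why}")
```

Lowering renew_after_days to 10, as suggested in the post, raises the threshold to 80 days so the next cron run renews immediately.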
                      • T
                        tomasenskede @Gertjan
                        last edited by

                        Aug 17 11:47:29 php 23097 Acme, Running /usr/local/etc/rc.d/haproxy.sh restart
                        Aug 17 11:47:29 php 23097 Acme, Running /etc/rc.restart_webgui
                        Aug 17 11:47:27 php 23097 /usr/local/pkg/acme/acme_command.sh: Beginning configuration backup to https://acb.netgate.com/save
                        Aug 17 11:47:27 check_reload_status 439 Syncing firewall
                        Aug 17 11:47:27 php 23097 /usr/local/pkg/acme/acme_command.sh: Configuration Change: (system): Services: Acme: Storing signed certificate: domain.xyz
                        Aug 17 11:47:27 php 23097 Acme, storing new certificate: domain.xyz
                        Aug 17 11:47:21 php-fpm 58099 Acme, renewing certificate: domain.xyz
                        Aug 17 11:47:08 php-fpm 82902 /acme/acme_certificates_edit.php: Successful login for user 'admin' from: 192.168.1.53 (Local Database)

                        • GertjanG
                          Gertjan @tomasenskede
                          last edited by

                          @tomasenskede

                          Looks fine to me.


                          • T
                            tomasenskede @Gertjan
                            last edited by

                            @Gertjan said in The renewal of certificates does not take place:

                            @tomasenskede

                            Looks fine to me.

                            So, why didn't the auto update run? Will it run next time?

                            • GertjanG
                              Gertjan @tomasenskede
                              last edited by

                              @tomasenskede said in The renewal of certificates does not take place:

                              So, why didn't the auto update run

                              It did:

                              f55ea3b5-5e4b-478f-aed9-8a88b7fd89c8-image.png

                              or was it you, at 03h16 AM (middle of the night for me), clicking on 'run'?


                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.