Netgate Discussion Forum

    The renewal of certificates does not take place

    General pfSense Questions
    13 Posts 2 Posters 769 Views
    • T
      tomasenskede @Gertjan
      last edited by

      @Gertjan

      96642987-6abf-4b20-b42a-9d0640880ed3-image.png

      90464f59-0fd7-4bb7-8330-b022d9df03d9-image.png

      Last entry in the log is from the last time I had to update manually:

      d217f6d7-1c4a-42e0-9d49-1026669d34ae-image.png

      • T
        tomasenskede @Gertjan
        last edited by

        @Gertjan

        /usr/local/etc/rc.d/haproxy,sh restart

        It's a comma

        • GertjanG
          Gertjan @tomasenskede
          last edited by

          @tomasenskede

          A file name that contains a comma.
          Never seen that before.

          Cut and paste is failing ?

          The "examples" use a dot :

          521982ea-54df-4ed5-91bb-78d20db60e39-image.png

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • T
            tomasenskede @Gertjan
            last edited by

            @Gertjan thanks, it's corrected now. But still, the cert isn't renewed... can this be the error?

            • GertjanG
              Gertjan @tomasenskede
              last edited by

              @tomasenskede

              When you activate a manual renewal, by hitting :

              6ef7ba68-dcd2-42a0-a5e2-fc683a499b52-image.png

              does it work ?
              If it didn't, at the end a log file is mentioned, that contains all the "why it didn't work" messages.
              The acme log file ^^

              Btw : don't hit that button too often !! You are not allowed to renew the cert several times (5 or so per week). Do it more often and you will be punished (renewal will fail).

              • T
                tomasenskede @Gertjan
                last edited by

                @Gertjan
                327dbefb-6974-4cef-b149-0474919e6e5b-image.png

                Services / Acme / Certificates

                Renewing certificate
                ...
                [Sat Aug 17 11:47:27 CEST 2024] Cert success.
                update cert![Sat Aug 17 11:47:29 CEST 2024] Reload success

                14e53171-5a35-4f3e-b26c-f120bf215d76-image.png

                Success! So... why isn't this done automatically? What's the issue?

                • GertjanG
                  Gertjan @tomasenskede
                  last edited by Gertjan

                  @tomasenskede said in The renewal of certificates does not take place:

                  What's the issue?

                  I'll put my bet on : you are - or were - the issue 😊

                  This :

                  7c0860f2-37f0-41dc-b671-013da833db4f-image.png

                  to be read from bottom to top.
                  The auto renewal cron job starts.
                  It decides that it is time, as it compares the certificate end date minus the ( 90 days - your "Certificate renewal after", which is set to '60' ).
                  If the period lasting is less than (90-60) = 30, then it is

                  It's time to renew ""

                  The issue was here

                  df16ece8-7a2a-484a-b822-77dee40a45bd-image.png

                  I presume that, since you set up two scripts to be executed upon end of renewal, and one of them, the one with a comma in the file name ( that's a good old syntax error ), everything failed. You probably did get the new certificate, but it wasn't written into the system as there was an error.

                  To be sure all is well now, you don't have to wait for 60 days.
                  The minimal LE grace period is 7 days or so, so set your "Certificate renewal after" to 10 days or so.
                  Now, wait for ten days, and then see what happens.
                  By 'see' I mean : inspect the main acme.sh log file, the /tmp/acme/[your-acme-account-name]/acme_issuecert.log
                  I'm pretty sure this time you'll find your renewed cert under System > Certificates > Certificates and as you restart the webgui, you can inspect the certificate right away in your browser, and see the start and end date. The certificate serial number also changed.

                  We'll meet up here over 10 days ? 😊

                  T 1 Reply Last reply Reply Quote 0
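
The failure diagnosed above, a post-renewal "Shell Command" action whose script path had a comma where the dot belongs, can be caught before the next cron run by checking each action's program path. This is an added example, not part of the thread or of the pfSense ACME package; `check_action`, `check_actions` and `ACTION_ROOT` are hypothetical names, and the scratch tree built in `demo` is constructed.

```sh
#!/bin/sh
# Added example: pre-flight check for ACME "Shell Command" actions.
# ACTION_ROOT is a hypothetical prefix for testing against a scratch tree;
# leave it empty on the firewall itself.
ACTION_ROOT="${ACTION_ROOT:-}"

# check_action "<command line>": verdict on stdout, status 0 only if the
# program (first word of the command) is an existing executable file.
check_action() {
    cmd=$1
    set -f; set -- $cmd; set +f          # split into words without globbing
    prog=${1:-}
    case $prog in
        "") echo "FAIL: empty command"; return 1 ;;
        /*) ;;
        *)  echo "FAIL: $prog is not an absolute path"; return 1 ;;
    esac
    hint=""
    case $prog in
        *[!A-Za-z0-9._/-]*) hint=" (unusual character in path, typo?)" ;;
    esac
    [ -f "$ACTION_ROOT$prog" ] || { echo "FAIL: $prog does not exist$hint"; return 1; }
    [ -x "$ACTION_ROOT$prog" ] || { echo "FAIL: $prog is not executable"; return 1; }
    echo "OK:   $prog"
}

# check_actions: one command per line on stdin; status 0 only if all pass.
check_actions() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        check_action "$line" || bad=$((bad + 1))
    done
    [ "$bad" -eq 0 ]
}

# Demo on a constructed scratch tree holding the two scripts from the thread.
demo() {
    ACTION_ROOT=$(mktemp -d)
    mkdir -p "$ACTION_ROOT/usr/local/etc/rc.d" "$ACTION_ROOT/etc"
    for f in usr/local/etc/rc.d/haproxy.sh etc/rc.restart_webgui; do
        : > "$ACTION_ROOT/$f"; chmod +x "$ACTION_ROOT/$f"
    done
    printf '%s\n' "/usr/local/etc/rc.d/haproxy,sh restart" \
        "/etc/rc.restart_webgui" | check_actions || echo "fix the list first"
    rm -rf "$ACTION_ROOT"; ACTION_ROOT=""
}
demo
```
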
                  • T
                    tomasenskede @Gertjan
                    last edited by

                    Aug 17 11:47:29 php 23097 Acme, Running /usr/local/etc/rc.d/haproxy.sh restart
                    Aug 17 11:47:29 php 23097 Acme, Running /etc/rc.restart_webgui
                    Aug 17 11:47:27 php 23097 /usr/local/pkg/acme/acme_command.sh: Beginning configuration backup to https://acb.netgate.com/save
                    Aug 17 11:47:27 check_reload_status 439 Syncing firewall
                    Aug 17 11:47:27 php 23097 /usr/local/pkg/acme/acme_command.sh: Configuration Change: (system): Services: Acme: Storing signed certificate: domain.xyz
                    Aug 17 11:47:27 php 23097 Acme, storing new certificate: domain.xyz
                    Aug 17 11:47:21 php-fpm 58099 Acme, renewing certificate: domain.xyz
                    Aug 17 11:47:08 php-fpm 82902 /acme/acme_certificates_edit.php: Successful login for user 'admin' from: 192.168.1.53 (Local Database)

                    • GertjanG
                      Gertjan @tomasenskede
                      last edited by

                      @tomasenskede

                      Looks fine to me.

                      • T
                        tomasenskede @Gertjan
                        last edited by

                        @Gertjan said in The renewal of certificates does not take place:

                        @tomasenskede

                        Looks fine to me.

                        So, why didn't the auto update run? Will it run next time?

                        • GertjanG
                          Gertjan @tomasenskede
                          last edited by

                          @tomasenskede said in The renewal of certificates does not take place:

                          So, why didn't the auto update run

                          It did :

                          f55ea3b5-5e4b-478f-aed9-8a88b7fd89c8-image.png

                          or was it you, at 03h16 AM (middle of the night for me), clicking on 'run' ?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.