Let's Encrypt Error on RT-AX88U Latest firmware

sanke1

Senior Member
The error I get is this
Code:
Dec 18 13:54:21 rc_service: httpd 4378:notify_rc restart_ddns_le
Dec 18 13:54:21 start_ddns: update WWW.ASUS.COM dyndns, wan_unit 0
Dec 18 13:54:21 ddns update: ez-ipupdate: starting...
Dec 18 13:54:21 ddns update: asus_private() interface =ppp0
Dec 18 13:54:21 ddns update: g_asus_ddns_mode == 2
Dec 18 13:54:21 ddns update: connected to nwsrv-ns1.asus.com (52.250.42.40) on port 443.
Dec 18 13:54:22 ddns update: Asus update entry:: return: HTTP/1.1 200 OK^M Date: Fri, 18 Dec 2020 08:24:22 GMT^M Server: Apache^M Content-Length: 0^M Connection: close^M Content-Type: text/html; charset=UTF-8^M ^M
Dec 18 13:54:22 ddns update: retval= 0, ddns_return_code (,200)
Dec 18 13:54:22 ddns update: asusddns_update: 0
Dec 18 13:54:22 ddns: ddns update ok
Dec 18 13:54:22 ddns update: exit_main
Dec 18 13:54:24 kernel: [Fri Dec 18 13:54:24 GMT 2020]
Dec 18 13:54:24 kernel: Registering account
Dec 18 13:54:27 kernel: [Fri Dec 18 13:54:27 GMT 2020]
Dec 18 13:54:27 kernel: Already registered
Dec 18 13:54:27 kernel: [Fri Dec 18 13:54:27 GMT 2020]
Dec 18 13:54:27 kernel: ACCOUNT_THUMBPRINT='9AcLHiJv7olWAwq8SvMxtAf-VkTNc02tt7QsaSIIEQk'
Dec 18 13:54:27 kernel: [Fri Dec 18 13:54:27 GMT 2020]
Dec 18 13:54:27 kernel: Creating domain key
Dec 18 13:54:30 kernel: [Fri Dec 18 13:54:30 GMT 2020]
Dec 18 13:54:30 kernel: The domain key is here: /jffs/.le/xxxxxx.asuscomm.com/xxxxxx.asuscomm.com.key
Dec 18 13:54:30 kernel: [Fri Dec 18 13:54:30 GMT 2020]
Dec 18 13:54:30 kernel: Single domain='xxxxxx.asuscomm.com'
Dec 18 13:54:30 kernel: [Fri Dec 18 13:54:30 GMT 2020]
Dec 18 13:54:30 kernel: Getting domain auth token for each domain
Dec 18 13:54:32 kernel: [Fri Dec 18 13:54:32 GMT 2020]
Dec 18 13:54:32 kernel: Getting webroot for domain='xxxxxx.asuscomm.com'
Dec 18 13:54:33 kernel: [Fri Dec 18 13:54:33 GMT 2020]
Dec 18 13:54:33 kernel: xxxxxx.asuscomm.com is already verified, skip dns-01.
Dec 18 13:54:33 kernel: [Fri Dec 18 13:54:33 GMT 2020]
Dec 18 13:54:33 kernel: Verify finished, start to sign.
Dec 18 13:54:33 kernel: [Fri Dec 18 13:54:33 GMT 2020]
Dec 18 13:54:33 kernel: Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/77959972/6806752565
Dec 18 13:54:35 kernel: [Fri Dec 18 13:54:35 GMT 2020]
Dec 18 13:54:35 kernel: Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/030c8ab79a8a2c38bb8deb4d06de0f05a356
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: Cert success.
Dec 18 13:54:37 kernel: cat: write error: Invalid argument
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: Your cert is in  /jffs/.le/xxxxxx.asuscomm.com/xxxxxx.asuscomm.com.cer
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: Your cert key is in  /jffs/.le/xxxxxx.asuscomm.com/xxxxxx.asuscomm.com.key
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: The intermediate CA cert is in  /jffs/.le/xxxxxx.asuscomm.com/ca.cer
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: And the full chain certs is there:  /jffs/.le/xxxxxx.asuscomm.com/fullchain.cer
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: Installing key to:/jffs/.le/xxxxxx.asuscomm.com/domain.key
Dec 18 13:54:37 kernel: [Fri Dec 18 13:54:37 GMT 2020]
Dec 18 13:54:37 kernel: Installing full chain to:/jffs/.le/xxxxxx.asuscomm.com/fullchain.pem
Dec 18 08:25:00 rc_service: service 16571:notify_rc restart_letsencrypt
Dec 18 13:55:02 kernel: [Fri Dec 18 13:55:02 GMT 2020]
Dec 18 13:55:02 kernel: Domains not changed.
Dec 18 13:55:02 kernel: [Fri Dec 18 13:55:02 GMT 2020]
Dec 18 13:55:02 kernel: Skip, Next renewal time is: Tue Feb 16 08:24:37 UTC 2021
Dec 18 13:55:02 kernel: [Fri Dec 18 13:55:02 GMT 2020]
Dec 18 13:55:02 kernel: Add '--force' to force to renew.

Any way to use force parameter via ssh?
 

RMerlin

Asuswrt-Merlin dev
Why? It just got renewed:

Dec 18 13:55:02 kernel: Skip, Next renewal time is: Tue Feb 16 08:24:37 UTC 2021

There is no need to force anything, the message is simply because it tried to renew it a second time, and told you there was no need to, it just got renewed for three months as expected (certs are valid 3 months, get renewed after 2 months).
 

sanke1

Senior Member
> Why? It just got renewed:
>
> There is no need to force anything, the message is simply because it tried to renew it a second time, and told you there was no need to, it just got renewed for three months as expected (certs are valid 3 months, get renewed after 2 months).

Yeah, but it was not showing the Let's Encrypt symbol next to my DDNS on the Router GUI main page. Now it has thrown an error about too many tries or something. So I need to wait a week for further troubleshooting.
 

Lemon

New Around Here
I have the exact same problem with my RT AC-86U with the latest firmware after the upgrade. I reprogrammed to the previous version but can't resolve it. The Let's Encrypt status is 'updating' and shows the same log. I have another AC-86U that has not renewed its cert, and everything looks good. Please help with how to resolve it. Thanks

The log events below repeat again and again.
Dec 19 01:59:00 rc_service: service 6605:notify_rc restart_letsencrypt
Dec 19 01:59:02 kernel: [Sat Dec 19 01:59:02 GMT 2020]
Dec 19 01:59:02 kernel: Domains not changed.
Dec 19 01:59:02 kernel: [Sat Dec 19 01:59:02 GMT 2020]
Dec 19 01:59:02 kernel: Skip, Next renewal time is: Tue Feb 16 14:46:35 UTC 2021
Dec 19 01:59:02 kernel: [Sat Dec 19 01:59:02 GMT 2020]
Dec 19 01:59:02 kernel: Add '--force' to force to renew.
 

RMerlin

Asuswrt-Merlin dev
> Yeah, but it was not showing the Let's Encrypt symbol next to my DDNS on the Router GUI main page. Now it has thrown an error about too many tries or something. So I need to wait a week for further troubleshooting.

Try just rebooting your router, I suspect the real problem is not the renewal, but the fact that the web server does not get restarted with the new certificate installed.
 

Lemon

New Around Here
> Try just rebooting your router, I suspect the real problem is not the renewal, but the fact that the web server does not get restarted with the new certificate installed.

I rebooted my router a few times but can't resolve it. I checked another forum that also reported this issue in early Dec. and has the same write error in the log. Is there any way to fix this error? Please advise. Thanks

Dec 18 13:54:37 kernel: Cert success.
Dec 18 13:54:37 kernel: cat: write error: Invalid argument
 

Morpheo

New Around Here
Same problem as sanke1.
I've upgraded my AC68U to 386.1 beta1 and after a factory reset the problem appeared.

Code:
Dec 19 04:20:01 rc_service: service 24871:notify_rc restart_letsencrypt
Dec 19 04:20:01 custom_script: Running /jffs/scripts/service-event (args: restart letsencrypt)
Dec 19 04:20:01 custom_script: Running /jffs/scripts/service-event-end (args: restart letsencrypt)
Dec 19 04:20:07 kernel: [Sat Dec 19 04:20:07 MEZ 2020] Domains not changed.
Dec 19 04:20:07 kernel: [Sat Dec 19 04:20:07 MEZ 2020] Skip, Next renewal time is: Wed Feb 17 03:16:37 UTC 2021
Dec 19 04:20:07 kernel: [Sat Dec 19 04:20:07 MEZ 2020] Add '--force' to force to renew.

I've tried to force the renew via SSH

Code:
acme.sh --renew -d xxx.ddns.net --force
[Sat Dec 19 03:53:53 MEZ 2020] Renew: 'xxx.ddns.net'
[Sat Dec 19 03:53:53 MEZ 2020] 'xxx.ddns.net' is not a issued domain, skip.


Tried to change the domain name, no different result.
Cert and key are generated and saved correctly.
 

sanke1

Senior Member
> Try just rebooting your router, I suspect the real problem is not the renewal, but the fact that the web server does not get restarted with the new certificate installed.

Rebooted 100s of times, did nvram erase, set it up as new. Still log shows at the end:
Code:
Dec 18 13:54:37 kernel: cat: write error: Invalid argument
Dec 18 13:55:02 kernel: Add '--force' to force to renew.

Since many have this error, it seems to be a firmware bug. @ASUSWRT_2020

Accessing my router or any device from outside throws the certificate warning.

> Same problem as sanke1.
> I've upgraded my AC68U to 386.1 beta1 and after a factory reset the problem appeared.
>
> Tried to change the domain name, no different result.
> Cert and key are generated and saved correctly.

Can you try downgrading to the previous official 384 release and see if you get the certificate installed correctly? I have to wait for a week before Let's Encrypt re-issues me a certificate. Back up your current cert.pem and key.pem from the sbin directory first. Use WinSCP for SSH GUI.
 

RMerlin

Asuswrt-Merlin dev
> Dec 18 13:54:37 kernel: cat: write error: Invalid argument

That is not an error message, just ignore that. It's just an artifact due to the way acme.sh copies the certs, that message has always been there.
 

RMerlin

Asuswrt-Merlin dev
> Dec 18 13:54:37 kernel: cat: write error: Invalid argument
> Dec 18 13:55:02 kernel: Add '--force' to force to renew.

Neither of these are real error messages and they don't mean anything. You have to check the certificate used by your browser to determine whether or not it worked, not try to analyze what you see in the log. This is the only way to REALLY determine whether it's working or not.
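
Editor's added example, not part of any post in this thread: one way to check the certificate the router actually serves, instead of reading the log, is to compare its fingerprint with the leaf certificate in a copy of `/jffs/.le/<domain>/fullchain.pem` (the path shown in the logs above). The function names, the script name and the command-line arguments (host, HTTPS port, path to the copied file) are assumptions made for this sketch.

```python
import hashlib
import re
import socket
import ssl
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def leaf_fingerprint(pem_text):
    """SHA-256 of the first certificate (the leaf) in a PEM bundle."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM input")
    der = ssl.PEM_cert_to_DER_cert(match.group(0))
    return hashlib.sha256(der).hexdigest()


def served_pem(host, port, timeout=10):
    """Fetch the certificate the web server presents, without validating it,
    so a self-signed fallback certificate is still returned for comparison."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def diagnose(served, issued):
    """Compare the served leaf with the leaf acme.sh wrote to fullchain.pem."""
    if leaf_fingerprint(served) == leaf_fingerprint(issued):
        return "match: the web server is serving the issued certificate"
    return "mismatch: the web server is serving a different certificate"


if __name__ == "__main__":
    # Hypothetical usage: check_cert.py HOST PORT FULLCHAIN_COPY
    if len(sys.argv) != 4:
        sys.exit("usage: check_cert.py HOST PORT FULLCHAIN_COPY")
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(path) as fh:
        print(diagnose(served_pem(host, port), fh.read()))
```

A mismatch while the log reports "Cert success" points at the case described earlier in the thread, where the certificate was issued but the web server is not using it.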
 

bubobih

Occasional Visitor
Same problem on AC86U.

What I tried:

factory reset
reflash firmware
on off on off many stuffs about ssl and ddns
changing ddns asuscomm domain. Nothing helps.

It always says

Dec 19 20:40:01 kernel: Domains not changed.
Dec 19 20:40:01 kernel: [Sat Dec 19 20:40:01 UTC 2020]
Dec 19 20:40:01 kernel: Skip, Next renewal time is: Wed Feb 17 19:29:33 UTC 2021
Dec 19 20:40:01 kernel: [Sat Dec 19 20:40:01 UTC 2020]
Dec 19 20:40:01 kernel: Add '--force' to force to renew.

Where to add force to solve this? I'm trying to make SSL for 10h, maybe more.
 

bubobih

Occasional Visitor
50736642923_77453b938e_o.png

He creates it but

50737489277_d1f14f9d75_o.png

and he keeps some old one

50737384476_83c72e9b1c_o.png

50737386026_3ae0d48e43_o.png
 

RMerlin

Asuswrt-Merlin dev

Morpheo

New Around Here
> Can you try downgrading to the previous official 384 release and see if you get the certificate installed correctly? I have to wait for a week before Let's Encrypt re-issues me a certificate. Back up your current cert.pem and key.pem from the sbin directory first. Use WinSCP for SSH GUI.

I tried to downgrade to 384.19. I couldn't back up the certificates because I couldn't find them in the /sbin folder with WinSCP.

After the downgrade I deleted the /jffs/.le/ folder and reactivated the LE certificate.

Code:
Dec 20 00:40:56 kernel: [Sun Dec 20 00:40:56 MEZ 2020] Standalone mode.
Dec 20 00:41:02 kernel: [Sun Dec 20 00:41:02 MEZ 2020] Create account key ok.
Dec 20 00:41:02 kernel: [Sun Dec 20 00:41:02 MEZ 2020] Registering account
Dec 20 00:41:06 kernel: [Sun Dec 20 00:41:06 MEZ 2020] Registered
Dec 20 00:41:06 kernel: [Sun Dec 20 00:41:06 MEZ 2020] ACCOUNT_THUMBPRINT='/*criptedkey*/'
Dec 20 00:41:07 kernel: [Sun Dec 20 00:41:07 MEZ 2020] Creating domain key
Dec 20 00:41:08 kernel: [Sun Dec 20 00:41:08 MEZ 2020] The domain key is here: /jffs/.le/xxxxx.ddns.net/xxxxx.ddns.net.key
Dec 20 00:41:08 kernel: [Sun Dec 20 00:41:08 MEZ 2020] Single domain='xxxxx.ddns.net'
Dec 20 00:41:09 kernel: [Sun Dec 20 00:41:09 MEZ 2020] Getting domain auth token for each domain
Dec 20 00:41:13 kernel: [Sun Dec 20 00:41:13 MEZ 2020] Getting webroot for domain='xxxx.ddns.net'
Dec 20 00:41:13 kernel: [Sun Dec 20 00:41:13 MEZ 2020] Verifying: xxxxx.ddns.net
Dec 20 00:41:14 kernel: [Sun Dec 20 00:41:14 MEZ 2020] Standalone mode server
Dec 20 00:41:21 kernel: [Sun Dec 20 00:41:21 MEZ 2020] Success
Dec 20 00:41:21 kernel: [Sun Dec 20 00:41:21 MEZ 2020] Verify finished, start to sign.
Dec 20 00:41:21 kernel: [Sun Dec 20 00:41:21 MEZ 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/106876094/ /*number*/
Dec 20 00:41:24 kernel: [Sun Dec 20 00:41:24 MEZ 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/ /*key*/
Dec 20 00:41:26 kernel: [Sun Dec 20 00:41:26 MEZ 2020] Cert success.
Dec 20 00:41:26 kernel: -----BEGIN CERTIFICATE-----
                        /*cutted the certificate*/
Dec 20 00:41:26 kernel: -----END CERTIFICATE-----
Dec 20 00:41:26 kernel: [Sun Dec 20 00:41:26 MEZ 2020] Your cert is in  /jffs/.le/xxxxx.ddns.net/xxxxx.ddns.net.cer
Dec 20 00:41:26 kernel: [Sun Dec 20 00:41:26 MEZ 2020] Your cert key is in  /jffs/.le/xxxxx.ddns.net/xxxxx.ddns.net.key
Dec 20 00:41:27 kernel: [Sun Dec 20 00:41:27 MEZ 2020] The intermediate CA cert is in  /jffs/.le/xxxxx.ddns.net/ca.cer
Dec 20 00:41:27 kernel: [Sun Dec 20 00:41:27 MEZ 2020] And the full chain certs is there:  /jffs/.le/xxxxx.ddns.net/fullchain.cer
Dec 20 00:41:28 kernel: [Sun Dec 20 00:41:28 MEZ 2020] Installing key to:/jffs/.le/xxxxx.ddns.net/domain.key
Dec 20 00:41:28 kernel: [Sun Dec 20 00:41:28 MEZ 2020] Installing full chain to:/jffs/.le/xxxxx.ddns.net/fullchain.pem

The folder that contains the keys and certificates was successfully recreated but the error remained.

ddnsLE.jpg


Now I'll try to fully reset the jffs partition and router to default and reconfigure ddns with 384.19, just to try it!

But at this point it seems to be a LetsEncrypt problem (similar to the problem that appeared some time ago when acme v1 was discontinued by LE and the certificates did not renew)...
 

sanke1

Senior Member
> Neither of these are real error messages and they don't mean anything. You have to check the certificate used by your browser to determine whether or not it worked, not try to analyze what you see in the log. This is the only way to REALLY determine whether it's working or not.

I know. When I try to access my router GUI from WAN via DDNS, it throws a certificate warning. Isn’t that enough to determine that something is borked?
 

bubobih

Occasional Visitor
> Let's Encrypt is indeed enabled. Dunno then why the router would end up using the regular certificate instead of the LE one.

I understand, but as I see, many others have the same problem. Maybe it's the fault of letsencrypt, but the new beta forced many of us to factory reboot the router, then problems started for many users. Where is the location of the regular certificate? Maybe I can copy the LE one and overwrite it.

Edit: digging into a log file I found this line. Can this be a problem?
BOLOvHl.png

Edit2: just to add that runner status is unknown
p2emRgl.png
 

RMerlin

Asuswrt-Merlin dev