LetsEncrypt Cert Stopped Updating?


AppleBag

Regular Contributor
Currently using Merlin 384.16 Alpha 2 on ASUS RT-AC68U, and my LE cert won't update anymore and says it's expired whenever I try to login to my router.

Does anyone know how to solve this?

Here's an interesting snippet from the log:

Code:
[Sun Mar 15 13:10:08 DST 2020] Standalone mode.
Mar 15 13:10:10 kernel: [Sun Mar 15 13:10:10 DST 2020] Registering account
Mar 15 13:10:13 kernel: [Sun Mar 15 13:10:13 DST 2020] Already registered
Mar 15 13:10:14 kernel: [Sun Mar 15 13:10:14 DST 2020] ACCOUNT_THUMBPRINT='redacted'
Mar 15 13:10:14 kernel: [Sun Mar 15 13:10:14 DST 2020] Single domain=' my.domain.rocks'
Mar 15 13:10:15 kernel: [Sun Mar 15 13:10:14 DST 2020] Getting domain auth token for each domain
Mar 15 13:10:18 kernel: [Sun Mar 15 13:10:18 DST 2020] Getting webroot for domain=' my.domain.rocks'
Mar 15 13:10:19 kernel: [Sun Mar 15 13:10:19 DST 2020] Verifying:  my.domain.rocks
Mar 15 13:10:19 kernel: [Sun Mar 15 13:10:19 DST 2020] Standalone mode server
Mar 15 13:10:26 kernel: [Sun Mar 15 13:10:26 DST 2020]  my.domain.rocks:Verify error:Fetching http:// my.domain.rocks/.well-known/acme-challenge/redacted: Connection refused
Mar 15 13:10:26 kernel: [Sun Mar 15 13:10:26 DST 2020] Please add '--debug' or '--log' to check more details.
Mar 15 13:10:26 kernel: [Sun Mar 15 13:10:26 DST 2020] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

And here's a full log with debug mode on:

https://sebsauvage.net/paste/?24e74660a26a3443#JqydYkfLxfGW67cQQ5l8DPwqwHGM/sB+xoTO98yyTeg=
 

RMerlin

Asuswrt-Merlin dev
Mar 15 13:10:26 kernel: [Sun Mar 15 13:10:26 DST 2020] my.domain.rocks:Verify error:Fetching http:// my.domain.rocks/.well-known/acme-challenge/redacted: Connection refused

The Let's Encrypt servers were unable to connect back with you to validate your server.
 

AppleBag

Regular Contributor
The Let's Encrypt servers were unable to connect back with you to validate your server.

I don't have any idea how to go about resolving this? I haven't made any new changes in the router as far as I can remember, that would've somehow affected this?

The router sends out the request, and then what could possibly be blocking it from getting the response? It's all router level (i.e. any firewall on any computer behind the router shouldn't block anything) and I have the actual firewall in the router disabled.
 

AppleBag

Regular Contributor
FYI, this could be your issue.


A bug has been identified in the certificate issuance framework. ~3 Million certificates are scheduled for revocation on tomorrow, March 4 2020. Manual renewal will be required for impacted certificates that are not scheduled to automatically renew prior to revocation.

https://letsencrypt.org/caaproblem/
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591


ty, I used the tool they recommend on that page, and it looks like I'm ok:

The certificate currently available on my.domain.rocks is OK. It is not one of the certificates affected by the Let's Encrypt CAA rechecking problem. Its serial number is <redacted>
 

RMerlin

Asuswrt-Merlin dev
The router sends out the request, and then what could possibly be blocking it from getting the response?

Could be a firewall in front of your router (if for instance you are double NATed). Could also be a bug in the closed source portion of your specific model (I can only properly test LE with a custom domain name with the RT-AX88U).

If you run any firewall extension like Skynet then try disabling it.

Also while acme.sh sends "Pending" entries in your logfile, make sure socat is running and listening to queries. With "ps w", it should look like this:

Code:
socat TCP-LISTEN:46998,crlf,reuseaddr,fork SYSTEM:sleep 1; echo 'HTTP/1.0 200 OK'; echo 'Content-Length\:
 

Markster

Senior Member
I don't have any idea how to go about resolving this? I haven't made any new changes in the router as far as I can remember, that would've somehow affected this?

The router sends out the request, and then what could possibly be blocking it from getting the response? It's all router level (i.e. any firewall on any computer behind the router shouldn't block anything) and I have the actual firewall in the router disabled.

I had the same issue. My router is double-NAT'ed, so what I tried is forwarding port 80 on my cable modem. Restarted the Asus router and it started to work. If you are behind a cable modem try that. The Let's Encrypt acme.sh script that performs updating needs port 80.
 

AppleBag

Regular Contributor
@RMerlin, @Markster Thank you for the responses guys, and apologies if I sound dense on this topic, it's not a strong area of mine. :)

I've had the same modem for maybe a decade; much longer than my router, and the router cert issue just popped up where it used to work fine. So I'm guessing there's no double-nat coming from the modem? That's the only thing physically in front of the router. The connection comes in the house through the wall, directly into the modem, then a cable directly from it into my router.

My router firewall is set to disabled.

Here are my settings:

upload_2020-3-18_13-55-3.png


The only "weird" thing I can think of is in my LAN DHCP settings I have the 2 IP's point to 2 different Pi-holes for DNS resolution. 1 goes to a PC w/PH, and one to a backup Rpi w/PH. Neither of those PH's have their DHCP enabled. And I have those 2 machines added to the DNS Filter like this:

upload_2020-3-18_13-57-57.png


This does cause the issue here, where on page load it shows the correct Internet status, but then switches this to "disconnected", but everything still works:

upload_2020-3-18_13-59-9.png



Is there anything at all in the router settings that would block answering the cloudflare DDNS response? Or even in the ddns-start file?

Another strange thing; I also have an NGINX container on one machine, that pulls in a cert for the same domain, and it's fine, so it seems to just be the router.
 


Kamikaze01

Regular Contributor
Hello there :)

I have a problem with my Let's encrypt certificate...
It expired on 2020/03/20 and did not renew automatically.

This is, what it looks like at the moment:
20200323_224855.jpg
Everything till 2020/03/20 works like a charm.


As the router did not renew my certificate, I changed the settings to use NO certificate, saved, and changed back to the Let's Encrypt certificate.
I thought this would renew it...

This is what it looks like after this:
20200323_225043.jpg
This did not work :(
And after changing the menu, I have to relogin into my router.
And then everything looks like in screenshot one (old expired certificate).


So what can I do?
How to manually renew the certificate?

I am on AC68U with 384.15

Maybe someone can help me :)

Thank u !!
 

RMerlin

Asuswrt-Merlin dev
Check your system log, acme.sh will report what went wrong.
 

AurelM

Occasional Visitor
Connect to your router via ssh, delete your /jffs/.le folder and execute service restart_letsencrypt command. Allow a minute for the task to complete.

Connect to your router via ssh, delete your /jffs/.le/[domain_name]/domain.key file (where [domain_name] is the name you set as your ddns host name) and execute service restart_letsencrypt command. Allow a minute for the task to complete.

Looks like the same problem described in this thread: Lets Encrypt not updating, or?

EDIT: Changed deleting the entire .le folder to deleting only one file.
 
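The two pieces of advice in this thread (RMerlin's "make sure socat is running and listening" check, and AurelM's "move domain.key aside, then `service restart_letsencrypt`" reset) put into one small script, plus a grep over the acme.sh log lines quoted earlier that tells "Connection refused" apart from other verify failures. This is an added example, not code from the thread or from Asuswrt-Merlin itself. It assumes the `/jffs/.le/<ddns host>/domain.key` layout and the `service restart_letsencrypt` command named in the posts; the `LE_DIR` and `RESTART_CMD` overrides and the `/tmp/syslog.log` path are my assumptions, and the key file is renamed rather than deleted so the old key can be restored.

```shell
#!/bin/sh
# Added example, not code from the thread or from Asuswrt-Merlin.
# Assumed layout (from the posts): /jffs/.le/<ddns host>/domain.key
# Assumed command (from the posts): service restart_letsencrypt
# LE_DIR / RESTART_CMD overrides exist so the functions can be exercised off-router.

LE_DIR="${LE_DIR:-/jffs/.le}"
RESTART_CMD="${RESTART_CMD:-service restart_letsencrypt}"

# Read an acme.sh log excerpt on stdin and print a one-word verdict.
# "Connection refused" on the .well-known/acme-challenge fetch means Let's
# Encrypt reached the public IP but nothing answered on port 80: the socat
# listener is down, or port 80 is blocked / not forwarded (double NAT).
acme_verdict() {
    log="$(cat)"
    if printf '%s\n' "$log" | grep -q 'Verify error:.*Connection refused'; then
        echo "port80-unreachable"
    elif printf '%s\n' "$log" | grep -q 'Verify error:'; then
        echo "verify-failed"
    else
        echo "no-verify-error"
    fi
}

# RMerlin's check: while acme.sh is waiting on the challenge, "ps w" must show
# a socat TCP-LISTEN process. Returns 0 when one is present.
listener_running() {
    ps w 2>/dev/null | grep -v grep | grep -q 'socat TCP-LISTEN'
}

# AurelM's procedure, with a timestamped backup instead of a bare rm.
# Returns 1 (and restarts nothing) when no key file exists for the domain.
le_force_renew() {
    domain="$1"
    key="$LE_DIR/$domain/domain.key"
    if [ ! -f "$key" ]; then
        echo "no key file at $key" >&2
        return 1
    fi
    mv "$key" "$key.bak.$(date +%s)"
    $RESTART_CMD
}

# Usage on the router over SSH (PuTTY), with the script saved as le_renew.sh:
#   sh le_renew.sh my.domain.rocks           # reset the key and re-run issuance
#   sleep 60; sh le_renew.sh --verdict < /tmp/syslog.log   # assumed log path
case "${1:-}" in
    "") ;;                                   # no args: only define the functions
    --verdict) acme_verdict ;;
    *) le_force_renew "$1" ;;
esac
```

If the verdict is `port80-unreachable` and `listener_running` succeeds while acme.sh is still in its "Pending" phase, the router side is fine and the block is upstream of it (modem/double NAT or an ISP blocking inbound 80), which is what Markster's port-80 forward fixed.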

Kamikaze01

Regular Contributor
Connect to your router via ssh, delete your /jffs/.le folder and execute service restart_letsencrypt command. Allow a minute for the task to complete.

Looks like the same problem described in this thread: Lets Encrypt not updating, or?
Thank so much :)
This solved my problem - i have a new certificate valid for 3 Month till 2020/06/22 ...

Thank u a thousand times for your help !!! :)
 

OOo

Regular Contributor
Not a regular user of SSH but now being forced to fix my Let'sEncrypt issue.
Can someone tell me the actual commands to get to the folder, then delete folder, then execute the service...as laid out in the solution for the Let'sEncrypt issue.
I am using Putty SSH

Just don't want more issues.

TIA
 
