Billing SSL cert won't auto renew


#1

Just went through our first hopeful auto renew for the SSL cert for the billing portal. It failed to auto renew and access to the billing portal stopped right after a billing cycle. Awesome.

In the log file, I see a few of these:

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/billing.auwireless.net/fullchain.pem (failure)
Processing /etc/letsencrypt/renewal/billing.auwireless.net.conf

If I run the “/usr/bin/letsencrypt renew” command manually, it updated just fine, but it does not instill much confidence that in 3 months, it will auto renew again.

My crontab is:

# m h  dom mon dow   command
 
0 3 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
# end of file

That should renew 3am every Monday… What am I missing??
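
As an added example that is not part of the original thread: a POSIX shell check that scans the renewal log for the failure lines quoted in the post above, so a failed cron renewal is noticed before the certificate expires. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): detect failed renewals in the cron job's log.

# Print every certificate path the log lists as "(failure)", once each.
failed_renewals() {
    awk '
        /could not be renewed:/ { listing = 1; next }      # header of the failure list
        listing && /\(failure\)[ \t]*$/ {
            sub(/^[ \t]+/, "")                             # the path may be indented
            sub(/[ \t]*\(failure\)[ \t]*$/, "")
            if (!seen[$0]++) print
            next
        }
        { listing = 0 }                                    # any other line ends the list
    ' "$1"
}

# Return 1 and report on stderr when the log contains failed renewals.
check_renewal_log() {
    failed=$(failed_renewals "$1")
    [ -z "$failed" ] && return 0
    printf 'Certificate renewal FAILED for:\n%s\n' "$failed" >&2
    return 1
}

# Constructed sample log, modelled on the lines quoted in the first post.
write_sample_log() {
    cat > "$1" <<'EOF'
Processing /etc/letsencrypt/renewal/billing.auwireless.net.conf
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/billing.auwireless.net/fullchain.pem (failure)
Processing /etc/letsencrypt/renewal/billing.auwireless.net.conf
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/billing.auwireless.net/fullchain.pem (failure)
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
if check_renewal_log "$sample"; then echo "no failed renewals"; fi
rm -f "$sample"
```

Because the crontab appends with `>>`, the log keeps old failures; rotate or truncate it after a successful renewal, or the check will keep reporting them.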


#2

Check out the docs for the Let’s Encrypt renewal on GitHub. It requires a change to be made to the Apache configuration to work automatically.


#3

Finding specifically what you mean on GitHub is not working for me. I get either 1,000’s of repositories or none that match.

However, Digital Ocean has a step by step on this:

Should I substitute that article for the “Installing a custom SSL certificate” steps in the Wiki?


#4

https://github.com/sonarsoftware/customer_portal, specifically, https://github.com/SonarSoftware/customer_portal/wiki/Installing-a-custom-SSL-certificate

Check out the part about editing the Apache configuration file under the ‘Let’s Encrypt’ section.


#5

I definitely followed this when I set it up 90 days ago. I verified my apache.conf file has our portal address listed.

If I run the CRON command manually (/usr/bin/letsencrypt renew), it worked. I also know CRON is running the script since the log file shows that happening. But, it did not auto renew via CRON despite passing 3am on Monday on the day the certificate expired… Later that day, I renewed it manually. If the “/usr/bin/letsencrypt renew” works manually, that would tell me my apache.conf file is correct, right?


#6

Not in my experience. If you send the details in to support, they can have a look for you.