Problems to auto renew SSL certificates (Let's Encrypt)

Nanno

The renewal job is set at Cron and was working fine, but now it does not works anymore and at the log is this:

|-A total of 1 certificates need to be renewed
|-Renew the visa certificate and start checking the environment
|-Renewing certificate number of 1?domain: ['mywebsite.me', 'www.mywebsite.me']..
|-Creating order..
|-Getting verification information..
|-Verify the dir?/www/wwwroot/mywebsite.me//.well-known/acme-challenge
|-Verification type: http-01
|-Verifying domain name..
|-1 Query verification results..
|-Verification failed
error_result: 2606:4700:3033::6815:bae: Invalid response from http://www.mywebsite.me/.well-known/acme-challenge/fDJNzr4_mbqBp3QV6JKBfxSMQCIQT8vmAKr2HhwcnI0: 404
|-Verification failed, domain name resolution error or verification URL cannot be accessed! 
----------------------------------------------------------------------------
?[2024-04-13 00:10:17] Successful
----------------------------------------------------------------------------

The problem seems to be that mywebsite.me is a Flask+Python website, and requests to /.well-known/acme-challenge/ are directed to the Flask app static folder, rather than /www/wwwroot/mywebsite.me//.well-known/acme-challenge

The requests to http://www.mywebsite.me/.well-known/acme-challenge/fDJNzr4_mbqBp3QV6JKBfxSMQCIQT8vmAKr2HhwcnI0 are logged at the Flask app as an Error 404

Nanno

Two more information...

I am running aaPanel version 6.8.36 at Ubuntu 20.04.

Cron has this setting:

aaPanel_Kern

Hello, it prompts 404 Unable to access verification, please check whether to use reverse proxy, CDN, redirection, URL rewirte?

Nanno

aaPanel_Kern

Yes, it is an Error 404.
The automatic certificate renewal was working properly and I did not changed my system in last 6 months, except update the aaPanel and I created the /.well-known/ at /home/mywebsiteme/mywme/static/.well-known/ directory, but already removed the /.well-known/

The Error 404 is because the Let's Encrypt authentication file is created here:
/www/wwwroot/mywebsite.me/.well-known/acme-challenge

But the verification link:
http://www.mywebsite.me/.well-known/acme-challenge/CWfrdST7Y6352LcVO0vvoy25487yXlS0VLa35248rEM
points to here:
/home/mywebsiteme/mywme/static/.well-known/acme-challenge

I am searching at days what is generating the Error 404, but I have little experience.
My system is a Flask+Python + Gunicorn + Nginx website.

At the aaPanel Website -> mywebsite.me -> Config I have this:

server
{
    listen 80;
	listen 443 ssl http2;
    server_name mywebsite.me www.mywebsite.me;
    index index.php index.html index.htm default.php default.htm default.html;
    root /www/wwwroot/mywebsite.me;

    #SSL-START SSL related configuration, do NOT delete or modify the next line of commented-out 404 rules
    #error_page 404/404.html;
    ssl_certificate    /www/server/panel/vhost/cert/mywebsite.me/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/mywebsite.me/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497  https://$host$request_uri;

    #SSL-END

    #ERROR-PAGE-START  Error page configuration, allowed to be commented, deleted or modified
    #error_page 404 /404.html;
    #error_page 502 /502.html;
    #ERROR-PAGE-END

    #PHP-INFO-START  PHP reference configuration, allowed to be commented, deleted or modified
    #Clear cache

    location ~ /purge(/.*) {
        proxy_cache_purge cache_one $host$1$is_args$args;
        #access_log  /www/wwwlogs/mywebsite.me_purge_cache.log;
    }
	#Referenced reverse proxy rule, if commented, the configured reverse proxy will be invalid
	include /www/server/panel/vhost/nginx/proxy/mywebsite.me/*.conf;

	include enable-php-00.conf;
    #PHP-INFO-END

    #REWRITE-START URL rewrite rule reference, any modification will invalidate the rewrite rules set by the panel
    include /www/server/panel/vhost/rewrite/mywebsite.me.conf;
    #REWRITE-END

    # Forbidden files or directories
    location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
    {
        return 404;
    }

    # Directory verification related settings for one-click application for SSL certificate
    location ~ \.well-known{
        allow all;
    }

    access_log  /www/wwwlogs/mywebsite.me.log;
    error_log  /www/wwwlogs/mywebsite.me.error.log;
}

And at /www/server/panel/vhost/rewrite/mywebsite.me.conf this is the content:

#One-click application for SSL certificate verification directory related settings
    location ~ \.well-known{
        allow all;
    }

And at /www/server/panel/vhost/nginx/proxy/mywebsite.me/*.conf there is one single .conf file with this content:

#PROXY-START/

location ^~ /
{
    proxy_pass http://127.0.0.1:5010;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header REMOTE-HOST $remote_addr;

    #Persistent connection related configuration

    add_header X-Cache $upstream_cache_status;
    #Set Nginx Cache

    set $static_fileU3K9VTe4 0;
    if ( $uri ~* "\.(gif|png|jpg|css|js|woff|woff2)$" )
    {
        set $static_fileU3K9VTe4 1;
        expires 1m;
    }
    if ( $static_fileU3K9VTe4 = 0 )
    {
        add_header Cache-Control no-cache;
    }
}
#PROXY-END/

The certificate renewal works only if done manually at the aaPanel Website -> mywebsite.me -> SSL -> Renewal SSL

Any idea on where the problem with the automatic renewal is?

aaPanel_Kern

Hello, it is recommended that you use DNS verification

Nanno

aaPanel_Kern
I could workaround by creating an "alias" at Nginx config file at Website -> [website domain] -> Config
With that it is capable to reach the validation file for SSL renewal.

.
I had to wait for about 50 days to see if the automatic certificate renewal is fully working, but it is not.

There is another problem that seems to be a bug at the renewal mechanism.
The certificate will expire in 28 days, but according to the Cron job there is no certificate withing the 30 days of expiration to perform the renewal.

Seems the Cron job looks for the certificate expiration somewhere else, instead the certificate itself.
Is that because two months ago I had to manually renew the certificate one time using the "Renewal SSL" button?
Any idea how to fix to have the automatic renewal working properly again?

aaPanel_Kern

Hello, I suggest you try turning off SSL and save it again. Is it okay?

Nanno

aaPanel_Kern

I tried, turned off and on the SSL, but the problems stands.

aaPanel_Kern

Hi, can you give us your aapanel information? The server makes a snapshot backup first, if possible, please send it to kern@aapanel.com.
It is recommended to fill in the following
Post link:
SSH IP address, account password and port:
aapanel login link address and account password:
Detailed problem description:

No post link will not be able to know which user's information is, and the problem will not be processed

Nanno

aaP_matyas_simek

I have the same issue, did you find the solution?

aaPanel_Kern

Hello, is it possible to solve the problem by trying to close and reapply?

aaP_matyas_simek

aboubacart

I have the same problem but when I deactivate then reapply it works

FredNativ

Same problem; No SSL renw through cron.
|-No SSL certificate found within 30 days!

|-All tasks have been processed!

★[2024-10-09 02:08:02] Successful

aaPanel_Kern

No post link will not be able to know which user's information is, and the problem will not be processed

FredNativ

KristianP

Same problem.

aaPanel_Kern

No post link will not be able to know which user's information is, and the problem will not be processed

KristianP