Problem with SSL auto renew not working in clon

aaP_master0

Websites with less than 30 days left until SSL certificate expiration do not auto renew with cron jobs. However, manual renewing works fine on individual websites.
What should I check?

aaPanel_Kern

Hello, are you using manual DNS verification?
If it is http verification, please renew it manually first, we will fix it later.

aaP_master0

aaPanel_Kern I installed ssl in file format.

Vladmin-Server

Hello, I was going to write about the same problem. I have this issue for a lot of time several months maybe and always renew manually from the Let's Encrypt tab . The server panel version is 7.0.6 havent updated yet to latest version because the server is running old Centos 7 kernel and im not sure what's gonna break.
Anyway here are the logs I see
Error from acme file starts with
/www/server/panel/class/acme_v2.py:722: SyntaxWarning: invalid escape sequence '\.' 'if ($request_uri ~ "^/\.well-known/acme-challenge/{}.*"){{\n' /www/server/panel/class/acme_v2.py:931: SyntaxWarning: invalid escape sequence '\s' return public.get_msg_gettext("Issuance failed, the root domain name of domain name %s exceeds the maximum weekly issuance limit!" % re.findall("hours:\s+(.+?),", error))

Even with the error renewals for some domains work ... and for othersdont which is odd. Example one that is not working
|-Renewing certificate number of 9，domain: ['domain.com'].. |-Creating order.. |-Getting verification information.. |-Verify the dir：/www/wwwroot/domain.com/.well-known/acme-challenge |-Verification type: http-01 |-Verifying domain name.. |-1 Query verification results.. |-Verification succeeded! |-Sending CSR.. |-Downloading certificate.. |-Renewed successfully!!
It says successfull but it's not . I masked the website name with domain.com on purpose.
Is there another script or utility like cerbot that can be installed and used for certificate autorenewal via cron or another script ?
I havent changed the base cron
/www/server/panel/pyenv/bin/python -u /www/server/panel/class/acme_v2.py --renew=1
Need some info on how the panel acme_v2.py script renew's the certificate and apply an alternative

aaPanel_Kern

Hello, thank you for your feedback, we will test and optimize it

aaP_demo1

aaPanel_Kern

By the way, Does aapanel also provides chain.pem and cert.pem certificate from let's encrypt for SSL site? As far as I can get only fullchain.pem and privkey.pem.

Vladmin-Server

Hey again. By the way you should consider reworking the code . I uses old formatting that is not cool for python3.12
example

New code: Line 722 acme_v2.py
for token, acme_key in self._nginx_cache_file_auth[auth_to]: tmp_data.append( f'if ($request_uri ~ "^/.well-known/acme-challenge/{token}.*")' f' return 200 {acme_key}')#.format(token, acme_key))

Old code:
for token, acme_key in self._nginx_cache_file_auth[auth_to]: tmp_data.append(( 'if ($request_uri ~ "^/\.well-known/acme-challenge/{}.*"){{\n' ' return 200 "{}";\n' '}}\n' ).format(token, acme_key))

Same file line 929 to line 931
Consider using raw strings instead of nothing
New code:
elif error.find("domains in the last 168 hours") != -1 and error.find("Error creating new order") != -1: 929 return public.get_msg_gettext("Issuance failed, the root domain name of domain name %s exceeds the maximum weekly issuanc e limit!" % re.findall(r"hours:\s+(.+?),", error))

Old code "hours:\s+(.+?),", error)) WIthout the r""

Errors that I posted before gone away but still it does not detect ssl that has 23 days until expiration and doesnt renew it

Vladmin-Server

aaP_demo1 Hey. I checked mine on aapanel and another nginx proxy I have . Actually let's encrypt works with cert.pem and chain.pem which is the same as fullchain.pem. Fullchain.pem contains both codes from cert.pem and chain.pem. The privkey.pem is what decodes them etc. In this case the only difference is that you dont have 2 separate files for cert.pem and chain.pem as they are combined in fullchain.pem.

aaP_demo1

Vladmin-Server

Yeah, I know that but I deployed elasticsearch with kibana services. I have to get chain.pem to specify ca-certificate on the service config files.

If you can share on how I can separate the fullchain.pem into chain.pem and cert.pem. I will be much appreciated.

Vladmin-Server

aaP_demo1 They are just codes. Just open the files and copy first part
from -----BEGIN CERTIFICATE-----
to -----END CERTIFICATE----- Into a cert.pem file and

Then copy the second part into anmother chain,pem file . That should work . Try researching for that and surely something will come up

aaP_demo1

Vladmin-Server
Thank you for the info.

aaP_demo1

Vladmin-Server
at /www/server/panel/vhost/letsencrypt/domain.tld/Description.txt there are some files that contains SSL Certificate materials

Document description:
privkey.pem     Certificate private key
fullchain.pem   PEM format certificate with certificate chain (nginx/apache)
root_cert.csr   Root certificate
cert.csr        Domain name certificate
fullchain.pfx   Certificate format for IIS

I can see the files that I need now