[SOLVED] Can't renew cert on a self-hosted lemmy instance D:
[SOLVED] Can't renew cert on a self-hosted lemmy instance D:
EDIT: Thanks everyone for your time and responses. To break as little as possible attempting to fix this I've opted to go with ZeroSSL's DNS process to acquire a new cert. I wish I could use this process for all of my certs as it was very quick and easy. Now I just have to figure out the error message lemmy is throwing about not being able to run scripts.
Thank you all for your time sincerely. I understand a lot more than I did last night.
Original Post
As the title says I'm unable to renew a cert on a self-hosted lemmy instance. A friend of mine just passed away and he had his hands all up in this and had it working like magic. I'm not an idiot and have done a ton of the legwork to get our server running and working - but lemmy specifically required a bit of fadanglin' to get working correctly. Unfortunately he's not here to ask for help, so I'm turning to you guys. I haven't had a problem with any of my other software such as nextcloud or pixelfed but for some reason lemmy just refuses to cooperate. I'm using acme.sh to renew the cert because that's what my buddy was using when he had set this all up. I'm running apache2 on a bare metal ubuntu server.
Here's my httpd-ssl.conf:
Here's some recent output from my acme.sh/acme.log:
Here's the terminal read out and what I'm attempting to execute:
If you can make any suggestions at all on what I might be missing or what may be configured incorrectly I'd greatly appreciate a nudge in the right direction as I'm ripping my hair out.
Thank you kindly for your time.
Not sure if this is anything or not.
You pasted the httpd-ssl.conf file.
The script output is referencing httpd.conf
I think it’s sending the challenge request via port 80 and that might be where you’re looking in the wrong place.
Thanks I'm gonna check this out first thing. I thought that was weird but I'm not sure what in httpd.conf could be interfering with the process. I will give the file a better read through and see what I can come up with - it's a good starting point.
Hi, just a guess. But
The retryafter=86400 value is too large (> 600), will not retry anymore.
Seems to me like the call to your server in the verification step is failing.
Do you have port 80 blocked or stopping the call in another way ?
The only thing I can think of that might be interfering is HSTS? I'm not sure how acme is accessed when a browser can only access a site with ssl. Perhaps HSTS is interfering with the cert process somehow?
The process makes file to read via http (not https), it’s just a nonce ( some random characters). Once their server reads that file, using the domain (and not the ip) and compares with what is expected, this shows you own the domain , and they give you a new ssl cert, modifying your server’s https configuration file (usually). And deletes the file it made .
Would concur, that was the only thing I could find.
I'm really surprised noone mentioned Caddy which handles all the SSL business for you. Not to mention an easier config :)
Caddy is awesome! I originally went for nginx proxy manager to manage my certs as it has a GUI. However, despite being text based, Caddy is so even easier to configure...
email [email protected] } jellyfin.mydomain.net { reverse_proxy 192.168.0.1:8096 }``` That's all there is to it. Caddy does the heavy lifting.I don't think you even need to configure the email.
If I recall correctly emails are optional for Let's Encrypt but Caddy are partnered with ZeroSSL who do require emails so you're encouraged to provide one.
How hard would it be to switch in your experience... I'd love something this simple. Nervous to tear stuff down though.
You've just reminded me to fix cert renewal on my instance. I'm using let's encrypt & their certbot with nginx and it is great.
Recently my nginx config got too complex, so nginx plugin stopped working correctly, because it wasn't able to inject the config for ACME challenge correctly anymore. The solution was to manually configure
location /.well-known/acme-challangeto read from a local directory and configure certbot to use a local webroot directory instead of fiddling with nginx config.This is out of my skillset but I'm sure there's documentation online I can check out to give it a shot. We use this server for our (very) small business so I'm trying not to jack anything up worse than it is but it seems like something I could potentially tackle. Thank you.
Just popping in this morning to thank everyone for their suggestions overnight. I have some stuff to look at now when I get to the office this morning. Can't respond to every comment at the moment but I will. Just wanted to say thanks.
Are you using cloudflare to proxy the server? If so, just download a 10-year certificate and don’t worry about renewing short term ones.
Unfortunately no, though that sounds very nice.
You can just try zeroSSL. Either add a DNS record they give you or host the file they give you, it's much simpler
This sounds like a good backup plan and I'll probably definitely have to resort to trying it - thank you for the suggestion.
Are you using cloud flare?
I am not.
What's in the acme.log file in the last line there?
Are you referring to the 'does not contain DNS'? Or the 'apache,/' because both are a bit confusing to me honestly
'cat /root/.acme.sh/acme.log'
Why use Apache over Nginx?
My friend chose it, he was old school. I don't personally have a preference between the two but we use this server for our small business so I haven't really wanted to risk messing everything up to switch when it's (mostly) currently functional.