
Errors in Renewing Let's Encrypt SSL Certificate on EasyEngine Site

When you try to renew a Let's Encrypt SSL certificate for a WordPress website hosted via EasyEngine, you sometimes run into errors (huh, like any other software). I host a bunch of WordPress websites installed via EasyEngine, and I have bumped into some errors while renewing the Let's Encrypt SSL certificates (that come bundled with EasyEngine). This is just a list of the errors I faced and how I solved them:

Error #1: Challenge Authorization failed.

Usually, the docs recommend that you run the ee site ssl-renew somewebsite.com command, and then the command does its voodoo. It prompts you to set up a couple of TXT records on your DNS for verification purposes. Once you have set up the TXT records, it tells you to run the ee site ssl somewebsite.com command, but that command gives this error:

# ee site ssl somewebsite.com
Starting SSL verification.
Warning: Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server.
Re-run `ee site ssl somewebsite.com` after fixing the issue.
Warning: Failed to verify SSL: Challenge failed (response: {"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"xxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxx\" found at _acme-challenge.somewebsite.com","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/xxxxxxxxxx\/x-xxxx","token":"xxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxx_xxxxx-xxx"}).
Warning: Check logs and retry `ee site ssl somewebsite.com` once the issue is resolved.
#

How to fix this error? Well, it’s simple. Instead of running the ee site ssl-renew somewebsite.com command in the first place, run the following command:

ee site ssl-renew somewebsite.com --force

As instructed by this command, set up the TXT records on your DNS. Once your new TXT records have propagated (this might take a few hours), you can run the following command to finish SSL verification successfully:

# ee site ssl somewebsite.com
Starting SSL verification.
The authorization check was successful!
You can now cleanup your DNS by removing the domain _acme-challenge._acme-challenge.somewebsite.com..
You can now cleanup your DNS by removing the domain _acme-challenge._acme-challenge.somewebsite.com..
Loading current certificate for somewebsite.com
Current certificate will expire in less than 25 days (2020-04-13 20:59:13), renewal is required.
Renewing certificate for domain somewebsite.com.
Certificate received
Certificate stored
Certificate renewed successfully!
#
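
One way to check, before re-running ee site ssl, that the TXT value EasyEngine asked for is what each authoritative nameserver actually serves at _acme-challenge.somewebsite.com. This is an added example, not part of the original post or of EasyEngine; the function names, the script name and the sample values are made up for illustration, and it assumes dig is installed and that the domain is the zone apex.

```shell
#!/bin/sh
# Added example (not EasyEngine code). Assumes `dig` is installed and that
# DOMAIN is the zone apex, so its NS records can be looked up directly.

# classify_txt EXPECTED: reads `dig +short TXT` output on stdin and prints
#   match   - EXPECTED is published (dns-01 needs one value to match)
#   stale   - only other values are published ("Incorrect TXT record" case)
#   missing - no TXT record was returned
classify_txt() {
    expected=$1
    result=missing
    while IFS= read -r line || [ -n "$line" ]; do
        value=$(printf '%s' "$line" | tr -d '"')   # dig wraps TXT strings in quotes
        [ -z "$value" ] && continue
        if [ "$value" = "$expected" ]; then
            result=match
            break
        fi
        result=stale
    done
    printf '%s\n' "$result"
}

# check_domain DOMAIN EXPECTED: query every authoritative nameserver directly,
# so a cached answer at a recursive resolver cannot hide a stale record.
# Returns 0 only when all of them publish EXPECTED.
check_domain() {
    domain=$1
    wanted=$2
    servers=$(dig +short NS "$domain")
    [ -n "$servers" ] || { echo "no NS records found for $domain" >&2; return 2; }
    rc=0
    for ns in $servers; do
        state=$(dig +short TXT "_acme-challenge.$domain" "@$ns" | classify_txt "$wanted")
        printf '%s: %s\n' "$ns" "$state"
        [ "$state" = match ] || rc=1
    done
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    check_domain "$1" "$2"          # e.g. sh check-acme-txt.sh somewebsite.com VALUE
else
    # Constructed dig output: the old challenge value is still the only one published.
    printf '"OLD-CONSTRUCTED-VALUE"\n' | classify_txt NEW-CONSTRUCTED-VALUE   # prints: stale
fi
```

A "stale" result on any nameserver corresponds to the "Incorrect TXT record" failure shown above; wait until every nameserver reports "match" before running ee site ssl.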

 

Error #2: PHP Fatal error:  Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired

# ee site ssl-renew somewebsite.com --force
Starting SSL cert renewal
Loading current certificate for somewebsite.com
Starting SSL verification.
PHP Fatal error:  Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186
Stack trace:
#0 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(149): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(102): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): Guz in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php on line 186
Warning: An Error occurred. Initiating clean-up.
Warning: Exiting gracefully after rolling back. This may take some time.
Success: Rollback complete. Exiting now.
#

I solved this error by renaming this file to something else:

/opt/easyengine/services/nginx-proxy/certs/somewebsite.crt

After renaming the file, I ran the ee site ssl-renew command and the certificate was renewed successfully:

# ee site ssl-renew somewebsite.com --force
Starting SSL cert renewal
Loading current certificate for somewebsite.com
Starting SSL verification.
The authorization check was successful!
Loading current certificate for somewebsite.com
Forced renewal.
Renewing certificate for domain somewebsite.com.
Certificate received
Certificate stored
Certificate renewed successfully!
Success: SSL verification completed.
Starting site's services.
Success: SSL renewal completed.
#

Any questions? Feel free to comment below and I will be happy to answer them for you.
