When you renew a Let's Encrypt SSL certificate on a WordPress website hosted via EasyEngine, you sometimes run into errors (huh, like any other software). I host a bunch of websites on WordPress installed via EasyEngine, and I have bumped into some errors while renewing the Let's Encrypt SSL certificates (that come bundled with EasyEngine).
This is just a list of errors I faced and how I solved them:
Error #1: Challenge Authorization failed.
Usually, the docs recommend that you run this command:
ee site ssl-renew somewebsite.com
The command then does its voodoo: it prompts you to set up a couple of TXT records on your DNS for verification purposes. Once you have set up the TXT records, it tells you to run this command:
ee site ssl somewebsite.com
But that command gives this error:
# ee site ssl somewebsite.com
Starting SSL verification.
Warning: Challenge Authorization failed. Check logs and check if your domain is pointed correctly to this server. Re-run `ee site ssl somewebsite.com` after fixing the issue.
Warning: Failed to verify SSL: Challenge failed (response: {"type":"dns-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Incorrect TXT record \"xxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxx-xxxx\" found at _acme-challenge.somewebsite.com","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/xxxxxxxxxx\/x-xxxx","token":"xxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxx_xxxxx-xxx"}).
Warning: Check logs and retry `ee site ssl somewebsite.com` once the issue is resolved.
#
How to fix this error? Well, it’s simple. Instead of running the plain ee site ssl-renew somewebsite.com command in the first place, run the following command:
ee site ssl-renew somewebsite.com --force
As instructed by this command, set up the TXT records on your DNS. Once your new TXT records have propagated (might take a few hours), you can run the following command to finish SSL verification successfully:
# ee site ssl somewebsite.com
Starting SSL verification.
The authorization check was successful!
You can now cleanup your DNS by removing the domain _acme-challenge._acme-challenge.somewebsite.com..
You can now cleanup your DNS by removing the domain _acme-challenge._acme-challenge.somewebsite.com..
Loading current certificate for somewebsite.com
Current certificate will expire in less than 25 days (2020-04-13 20:59:13), renewal is required.
Renewing certificate for domain somewebsite.com.
Certificate received
Certificate stored
Certificate renewed successfully!
#
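The "Incorrect TXT record ... found at _acme-challenge.somewebsite.com" response above means the validation lookup saw a TXT value other than the one for the current challenge, so it helps to confirm propagation before re-running ee site ssl. The script below is an added example, not part of EasyEngine or the original post: it asks every authoritative nameserver for the record and compares the answer with the value the renew command printed. The function names are hypothetical, and it assumes dig is installed and that the domain is the zone apex (it has its own NS records).

```shell
#!/bin/sh
# Added example (not part of EasyEngine): confirm the dns-01 TXT record is live
# on every authoritative nameserver before running `ee site ssl`.
# Assumes `dig` is installed and the domain is the zone apex (has NS records).

# Print the TXT values one nameserver returns for a name, one per line, unquoted.
txt_values() {    # $1 = record name, $2 = nameserver
    dig +short TXT "$1" "@$2" | tr -d '"'
}

# Return 0 only if every nameserver serves the expected value, 1 if any is
# missing or stale, 2 if the nameservers could not be listed.
check_acme_txt() {    # $1 = domain, $2 = TXT value printed by ee site ssl-renew
    domain=$1
    expected=$2
    name="_acme-challenge.$domain"
    servers=$(dig +short NS "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi
    rc=0
    for ns in $servers; do
        values=$(txt_values "$name" "$ns")
        # -x: whole line, -F: literal string, -e: value may start with "-"
        if printf '%s\n' "$values" | grep -qxF -e "$expected"; then
            echo "ok       $ns"
        elif [ -z "$values" ]; then
            echo "missing  $ns has no TXT record at $name"
            rc=1
        else
            echo "stale    $ns serves: $(printf '%s' "$values" | tr '\n' ' ')"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh check_acme_txt.sh somewebsite.com "<TXT value>"
if [ $# -eq 2 ]; then
    check_acme_txt "$1" "$2"
fi
```

A "stale" line corresponds to the error shown above: a nameserver is still serving a TXT value from an earlier attempt. Wait until every line reads "ok" before running ee site ssl.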
Error #2: PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired
# ee site ssl-renew somewebsite.com --force
Starting SSL cert renewal
Loading current certificate for somewebsite.com
Starting SSL verification.
PHP Fatal error: Uncaught GuzzleHttp\Exception\RequestException: cURL error 60: SSL certificate problem: certificate has expired (see http://curl.haxx.se/libcurl/c/libcurl-errors.html) in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php:186
Stack trace:
#0 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(149): GuzzleHttp\Handler\CurlFactory::createRejection(Object(GuzzleHttp\Handler\EasyHandle), Array)
#1 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php(102): GuzzleHttp\Handler\CurlFactory::finishError(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#2 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlHandler.php(43): GuzzleHttp\Handler\CurlFactory::finish(Object(GuzzleHttp\Handler\CurlHandler), Object(GuzzleHttp\Handler\EasyHandle), Object(GuzzleHttp\Handler\CurlFactory))
#3 phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/Proxy.php(28): Guz in phar:///usr/local/bin/ee/vendor/guzzlehttp/guzzle/src/Handler/CurlFactory.php on line 186
Warning: An Error occurred. Initiating clean-up.
Warning: Exiting gracefully after rolling back. This may take some time.
Success: Rollback complete. Exiting now.
#
I solved this error by renaming this file to something else:
/opt/easyengine/services/nginx-proxy/certs/somewebsite.crt
After renaming the file, I ran the ee site ssl-renew command, and the certificate was renewed successfully:
# ee site ssl-renew somewebsite.com --force
Starting SSL cert renewal
Loading current certificate for somewebsite.com
Starting SSL verification.
The authorization check was successful!
Loading current certificate for somewebsite.com
Forced renewal.
Renewing certificate for domain somewebsite.com.
Certificate received
Certificate stored
Certificate renewed successfully!
Success: SSL verification completed.
Starting site's services.
Success: SSL renewal completed.
#
Any questions? Feel free to comment below and I will be happy to answer them for you.