Installing Let's Encrypt SSL Certificates On Namecheap Hosting: Difference between revisions
Tag: wikieditor |
|||
| Line 95: | Line 95: | ||
== Troubleshooting == | == Troubleshooting == | ||
=== Script doesn't have access to `/.well-known/acme-challenge` === | |||
The script reports it can't access `http://mysite.com/.well-known/acme-challenge/[VERIFICATION_FILE]`. | |||
Make sure if the web root is in a subdirectory, that you include the subdirectory in the `--webroot` argument!!! e.g. `--webroot ~/mysite.com/app` | |||
=== Certificate not renewing === | === Certificate not renewing === | ||
Latest revision as of 12:22, 30 November 2024
Acme.sh[edit]
In theory, his process only needs to be performed once. Running the acme.sh script creates a cron job that will handle certificate renewals.
- How to use acme.sh with cPanel for automatically renewing Let's Encrypt SSL (Gist)
- Let’s Encrypt SSL certificate in Namecheap AutoRenewal – Verified & working – Using ACME.sh (dev.to)
Same basic instructions as above, but with comments and some extra information.
Installing certificates[edit]
Run a test install[edit]
--webroot points to the working root of the website. If there is an "app" subdirectory that contains the web root, this path will need to reflect that.
$ acme.sh --issue --webroot ~/damienjay.com -d www.mydomain.com -d mydomain.com -d etc.mydomain.com --staging
Run the actual certificate installation[edit]
$ acme.sh --issue --webroot ~/damienjay.com -d www.mydomain.com -d mydomain.com -d etc.mydomain.com --force
Apply the certificate to the site in cPanel[edit]
There is only one domain identifier for the website. This is the first domain listed for the site when issuing the certificate in the previous step.
$ acme.sh --deploy --deploy-hook cpanel_uapi --domain www.mydomain.com
Make certificate active in cPanel[edit]
It's still necessary to make this the active certificate in cPanel.
- cPanel > Security > SSL/TLS > Certificates (CRT) > Generate, view, upload, or delete certificates
- Locate the new certificate in the list > Click the Install link to the right of the certificate.
- Under Manage Installed SSL Websites locate the new certificate
- Click Make primary to the right of the certificate.
At this point the new certificate should handling secure requests on the website.
Delete old certificates[edit]
Clean up older certificates in cPanel.
- Click Return to SSL Manager at the bottom of the page.
- Certificates (CRT) > Generate, view, upload, or delete certificates
- Delete any certificates for the domain in question with older expiration dates.
Listing websites managed by acme.sh[edit]
At a command prompt on the server, list the contents of ~/.acme.sh. Each certificate managed by acme.sh will have its own directory here.
$ ls ~/.acme.sh
Updating acme.sh[edit]
$ acme.sh --upgrade
Specifying default acme.sh CA server[edit]
$ acme.sh --set-default-ca --server letsencrypt
See https://github.com/acmesh-official/acme.sh/wiki/Server
Renewals[edit]
Renewals are supposed to happen automatically after installing a certificate with acme.sh, but I have been receiving expiration notices for domains up to two days prior to the expiration date. Not sure when exactly a domain would be renewed?
Confirm expiration date of a certificate[edit]
Using a browser[edit]
- Load the site in a Chrome browser.
- Open Developer Tools.
- Click the Security tab.
- Certificate > View Certificate button.
- Expiration Date is displayed in the dialog.
Using cPanel[edit]
- Log into cPanel.
- Security > SSL/TLS
- Generate, view, upload, or delete SSL certificates will show who issued the certificates in use.
- Manage SSL Sites will show which sites have certificates, and when those certificates expire.
Troubleshooting[edit]
Script doesn't have access to /.well-known/acme-challenge[edit]
The script reports it can't access http://mysite.com/.well-known/acme-challenge/[VERIFICATION_FILE].
Make sure if the web root is in a subdirectory, that you include the subdirectory in the --webroot argument!!! e.g. --webroot ~/mysite.com/app
Certificate not renewing[edit]
After installing a certificate with acme.sh it should be renewed automatically. However, it's possible to manually renew certificates.
Certificate failing to verify on password-protected server[edit]
Use case
The server is password-protected with .htaccess directives.
Resolution
Option 1[edit]
Edit the .htaccess file installed in the web app root directory.
# Authentication exception for validating the server when issuing SSL certificates SetEnvIf Request_URI ^/.well-known/acme-challenge/ noauth=1 # login prompt AuthType Basic AuthUserFile "/path/to/auth/file" <RequireAny> Order Deny,Allow Satisfy Any Deny from all Require valid-user Allow from env=noauth </RequireAny>
Option 2[edit]
Make an exception for directory .well-known/acme-challenge/ but placing an .htaccess file there with the following contents:
require all granted
This seems like the cleaner solution, but in at least one instance (June 2023) it did not work as needed.
Certificate failing to verify using .well-known challenge[edit]
Use case
- Log into the server using ssh.
- Run
acme.shscript from the command line to renew certificate. - There will be errors to effect of
"verify error"and"invalid response from [domain]/.well-knonwn/acme-challenge/...".
Cause
Permissions errors prevent the script from writing the file to .well-known/acme-challenge/ that is used to verify ownership of the domain.
Fix
The last time this happened, I compared the permissions for the web roots and .well-known directories for two sites hosted on the same server where one site's certificate was being renewed and the other was failing. I could not find any differences in the permissions.
What I ended up doing was to move the root directory of the site, create a new directory for the site, put a potboiler index html page in the directory, and then run the acme script. After this allowed me to renew the certificate, I copied all the content from the original directory back into the new one.
Also! Remember that the root of many of the web apps is in the app/ subdirectory! When issuing the certificate make sure to set the web root option appropriately, e.g. --webroot ~/mydomain.com/app
Timeout polling order status while issuing certificate[edit]
Use case
Manually issue a certificate with the following command:
$ acme.sh --issue --webroot ~/my_webapp_root -d mydomain.com --force
Expected result
acme.sh sends request to the CA server and receives successful response.
Actual result
[Sat Apr 9 17:40:56 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw [Sat Apr 9 17:40:59 EDT 2022] Order status is processing, lets sleep and retry. [Sat Apr 9 17:40:59 EDT 2022] Retry after: 15 [Sat Apr 9 17:41:15 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw [Sat Apr 9 17:41:18 EDT 2022] Order status is processing, lets sleep and retry. [Sat Apr 9 17:41:18 EDT 2022] Retry after: 15
Over and over again until finally the script times out with an error similar to this:
[Sat Apr 9 17:42:29 EDT 2022] Sign error, wrong status
Solution
This happened using the default acme.sh CA server which is ZeroSSL. Changing the default CA server to Let's Encrypt fixed this.
$ acme.sh --set-default-ca --server letsencrypt
See also[edit]
Let's Encrypt SSL Certificates on Namecheap Hosting (Legacy)