Installing Let's Encrypt SSL Certificates On Namecheap Hosting: Difference between revisions

From Littledamien Wiki
Tag: wikieditor
Line 43: Line 43:
=== Certificate not renewing ===
=== Certificate not renewing ===


Try manually running the cron job from the command line. There should be error reporting if any of the certificates fail to renew.  
After installing a certificate with `acme.sh` it should be renewed automatically.
 
<syntaxhighlight lang="bash">
$ crontab -l | grep acme.sh
</syntaxhighlight>


=== Certificate failing to verify using .well-known challenge ===
=== Certificate failing to verify using .well-known challenge ===
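Review bot: in the "Certificate not renewing" lines, the text tells the reader to run the cron job manually, but the highlighted command `crontab -l | grep acme.sh` only prints the crontab entry and does not run it. Suggest adding a sentence that says to copy the command from that output and run it in the shell, so the error reporting the text promises actually appears.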

Revision as of 17:26, 4 September 2022

Acme.sh

acme.sh overview

This process only needs to be performed once. Running the acme.sh script creates a cron job that will handle certificate renewals.

Updating acme.sh

$ acme.sh --upgrade

Specifying default acme.sh CA server

$ acme.sh --set-default-ca --server letsencrypt

See https://github.com/acmesh-official/acme.sh/wiki/Server

Confirm expiration date of a certificate

Using a browser

  • Load the site in a Chrome browser.
  • Open Developer Tools.
  • Click the Security tab.
  • Certificate > View Certificate button.
  • Expiration Date is displayed in the dialog.

Using cPanel

  • Log into cPanel.
  • Security > SSL/TLS
  • "Generate, view, upload, or delete SSL certificates" will show who issued the certificates in use.
  • "Manage SSL Sites" will show which sites have certificates, and when those certificates expire.

Troubleshooting

Certificate not renewing

After installing a certificate with acme.sh it should be renewed automatically.

Certificate failing to verify using .well-known challenge

Use case

  • Log into the server using ssh.
  • Run acme.sh script from the command line to renew certificate.
  • There will be errors to the effect of "verify error" and "invalid response from [domain]/.well-known/acme-challenge/...".

Cause

Permission errors prevent the script from writing the challenge file, which is used to verify ownership of the domain, to .well-known/acme-challenge/.

Fix

The last time this happened, I compared the permissions for the web roots and .well-known directories for two sites hosted on the same server where one site's certificate was being renewed and the other was failing. I could not find any differences in the permissions.

What I ended up doing was to move the root directory of the site, create a new directory for the site, put a potboiler index html page in the directory, and then run the acme script. After this allowed me to renew the certificate, I copied all the content from the original directory back into the new one.
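One way to test the write step described under Cause before moving the site directory. This is an added example, not from the original page or from acme.sh; `check_challenge_dir` and its arguments are hypothetical names.

```bash
#!/usr/bin/env bash
# Added example: preflight for the webroot challenge directory.
# check_challenge_dir and its arguments are hypothetical names, not part of acme.sh.
# Usage: check_challenge_dir WEBROOT [DOMAIN]
# Returns 0 when a probe file can be written and read back under
# WEBROOT/.well-known/acme-challenge (and fetched over HTTP if DOMAIN is given).
check_challenge_dir() {
    local webroot domain dir path token probe body
    webroot=${1%/}; domain=${2:-}
    dir="$webroot/.well-known/acme-challenge"

    if [ ! -d "$webroot" ]; then
        echo "FAIL webroot is not a directory: $webroot"; return 2
    fi
    # List owner and mode of each component, and catch a file where a directory belongs.
    for path in "$webroot" "$webroot/.well-known" "$dir"; do
        if [ -d "$path" ]; then
            ls -ld "$path"
        elif [ -e "$path" ]; then
            echo "FAIL exists but is not a directory: $path"; return 3
        fi
    done
    if ! mkdir -p "$dir" 2>/dev/null; then
        echo "FAIL cannot create $dir as $(id -un)"; return 4
    fi
    # Write a probe file into the directory the challenge file goes to.
    token="probe-$$-$(date +%s)"
    probe="$dir/$token"
    if ! ( printf '%s' "$token" > "$probe" ) 2>/dev/null; then
        echo "FAIL cannot write into $dir as $(id -un)"; return 5
    fi
    if [ "$(cat "$probe" 2>/dev/null)" != "$token" ]; then
        rm -f "$probe"; echo "FAIL probe written but not readable"; return 6
    fi
    # Optional: fetch the probe over plain HTTP, as the CA's validation request would.
    if [ -n "$domain" ]; then
        body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null) || body=""
        if [ "$body" != "$token" ]; then
            rm -f "$probe"; echo "FAIL http://$domain did not serve the probe"; return 7
        fi
    fi
    rm -f "$probe"
    echo "OK $dir is usable by $(id -un)"
}
```

Run it as the same user whose crontab holds the acme.sh job, since the result reflects that user's access to the web root.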

Timeout polling order status while issuing certificate

Use case

Manually issue a certificate with the following command:

$ acme.sh --issue --webroot ~/my_webapp_root -d mydomain.com --force

Expected result

acme.sh sends a request to the CA server and receives a successful response.

Actual result

[Sat Apr  9 17:40:56 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr  9 17:40:59 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr  9 17:40:59 EDT 2022] Retry after: 15
[Sat Apr  9 17:41:15 EDT 2022] Polling order status: https://acme.zerossl.com/v2/DV90/order/dtElfwFq1sLFiXaP188uDw
[Sat Apr  9 17:41:18 EDT 2022] Order status is processing, lets sleep and retry.
[Sat Apr  9 17:41:18 EDT 2022] Retry after: 15

This repeats over and over until the script finally times out with an error similar to this:

[Sat Apr  9 17:42:29 EDT 2022] Sign error, wrong status

Solution

This happened using the default acme.sh CA server, which is ZeroSSL. Changing the default CA server to Let's Encrypt fixed this.

$ acme.sh --set-default-ca --server letsencrypt

See also

Let's Encrypt SSL Certificates on Namecheap Hosting (Legacy)