SSL certificates expiring or not?

Keywords: WordPress + NGINX + SSL - AWS - Technical issue - Secure Connections (SSL/HTTPS)

bndiagnostic ID: d521e8ed-9769-1993-5f17-63f3ee5ac720

bndiagnostic output:

? Apache: Found possible issues
? Resources: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/

bndiagnostic failure reason: The suggested guides are not related to my issue

Description:
I have installed SSL certs on all my sites with the Bitnami bncert-tool. Everything has always been on autopilot and I have never had to do anything - until today. For the first time, I got a bunch of notifications for all my sites, saying that the certificates are all expiring in 15 days and need to be renewed.

I have never received these alerts before, and I was under the impression that the certs are all renewed automatically by the Bitnami tool. So do I need to do anything? Or is this just a default Let’s Encrypt alert I can ignore? (Which is odd because I have never received it before…)

Thanks, -Sasha

If you access your website, you can see your certificate expires on July 2nd. There is a cron job configured in your instance that takes care of renewing the certificate but it’s failing for some reason. Can you try to run it manually and get the error it’s throwing? You can get the lego command from here:

sudo crontab -l -u bitnami

Hi Jota,

Thanks so much for the response. I actually didn’t get the alert about the certificate for my site. But one of the sites I did get an alert for is coveinvestments.com (along with 6 other sites) which appears to expire on June 25. Here is what I get back from your code:

0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=coveinvestments.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

Hopefully you can spot the issue and provide a solution. Many thanks,

-Sasha

Hi @Squasha,

I asked you to run the “lego” command :slight_smile: Could you please do so and post the error you get here?

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=coveinvestments.com renew

Dear jota,

I have the same issue as this topic. Many of my websites did not automatically renew their SSL certificates recently, and they were all installed by the Bitnami bncert-tool. I think there may be some systematic problem somewhere. I'll follow this post and wait for a solution. Thank you, and thanks to the author of this post.

Jason


Hi Jota,

Apologies! I missed the “lego” part. I just grabbed your code and threw it in the Terminal. (Admittedly, I am a digital marketer and not a developer so I know little about command line.)

That said, here is what came back with the code you sent:

bitnami@ip-172-26-8-119:~$ sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=coveinvestments.com renew
2022/06/14 13:58:17 [INFO] [coveinvestments.com] acme: Trying renewal with 273 hours remaining
2022/06/14 13:58:17 [INFO] [coveinvestments.com, www.coveinvestments.com] acme: Obtaining bundled SAN certificate
2022/06/14 13:58:17 [INFO] [coveinvestments.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/113637125346
2022/06/14 13:58:17 [INFO] [www.coveinvestments.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/113637125356
2022/06/14 13:58:17 [INFO] [coveinvestments.com] acme: authorization already valid; skipping challenge
2022/06/14 13:58:17 [INFO] [www.coveinvestments.com] acme: authorization already valid; skipping challenge
2022/06/14 13:58:17 [INFO] [coveinvestments.com, www.coveinvestments.com] acme: Validations succeeded; requesting certificates
2022/06/14 13:58:19 [INFO] [coveinvestments.com] Server responded with a certificate.

I see “Server responded with a certificate”. If that means the certificate has been renewed, that’s great. But will it renew automatically in the future? Do I need to run this lego code on all the other sites that did not get renewed? Is there no cron job anymore handling the renewal?

Thanks again for your help! -S

That’s great news! Remember to restart Apache so it picks up the new certificate (I can see you already restarted Apache):

sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful

Cron should run the jobs. Is the service running?

sudo service cron status

If you generated one certificate with multiple domains, you just need to run the command once to renew all the domains.

Hi Jota,

This is the cron status I am getting. I don’t know exactly what it means, but do you see any reason why the certificates won’t be renewed automatically in the future?

cron.service - Regular background program processing daemon
   Loaded: loaded (/lib/systemd/system/cron.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2021-05-08 17:23:25 UTC; 1 years 1 months ago
     Docs: man:cron(8)
 Main PID: 555 (cron)
    Tasks: 1 (limit: 558)
   Memory: 16.1M
   CGroup: /system.slice/cron.service
           └─555 /usr/sbin/cron -f

Jun 15 12:17:01 ip-172-26-8-119 CRON[22140]: pam_unix(cron:session): session closed for user root
Jun 15 12:24:01 ip-172-26-8-119 CRON[22181]: pam_unix(cron:session): session opened for user bitnami by (uid=0)
Jun 15 12:24:01 ip-172-26-8-119 CRON[22182]: (bitnami) CMD (cd /opt/bitnami/stats && ./agent.bin --run -D)
Jun 15 12:24:02 ip-172-26-8-119 CRON[22181]: pam_unix(cron:session): session closed for user bitnami
Jun 15 13:17:01 ip-172-26-8-119 CRON[22548]: pam_unix(cron:session): session opened for user root by (uid=0)
Jun 15 13:17:01 ip-172-26-8-119 CRON[22549]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
Jun 15 13:17:01 ip-172-26-8-119 CRON[22548]: pam_unix(cron:session): session closed for user root
Jun 15 13:24:01 ip-172-26-8-119 CRON[22589]: pam_unix(cron:session): session opened for user bitnami by (uid=0)
Jun 15 13:24:01 ip-172-26-8-119 CRON[22590]: (bitnami) CMD (cd /opt/bitnami/stats && ./agent.bin --run -D)
Jun 15 13:24:01 ip-172-26-8-119 CRON[22589]: pam_unix(cron:session): session closed for user bitnami

Unfortunately, I manage about 15 sites (all for different clients) and they all have their own certificates. So I guess I will need to renew all of them manually now, and hope they get renewed automatically in September via cron job.

So to do that, I just SSH into each site and run this command:

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=DOMAIN.COM renew

Correct? Or is there a better way?

Hi @jota ,

I SSH’d in and tried using this on my own business site, but got an error.

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=sparksandfuel.com renew

Error is:

open /opt/bitnami/letsencrypt/certificates/sparksandfuel.com.crt: no such file or directory

Hi @Squasha ,

In that instance, the command to renew the certificate is this one (you can obtain it from the crontab configuration as you did before):

sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=www.sparksandfuel.com renew
sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful

Do I need to run this lego code on all the other sites that did not get renewed?

Yes @kaamho9. If the cron job is failing, you can renew the certificate manually.

Ahh, I see. I hadn’t included the www…

So going forward, do you have a sense of why these did not renew? Again, this is a new situation - the cron job has always worked before. I have to imagine that the few of us on this thread are not the only people experiencing this.

Should I be thinking of moving all my sites to new WP instances on Lightsail? Could this be an outdated Bitnami stack issue? Is there something easier that can be done? For example, would running /opt/bitnami/bncert-tool again “refresh” the cron job?

I do not know why the certificates are not being renewed. As we saw here, you could renew them without problems when running the exact same command. The output of the cron jobs should appear in the /var/log/syslog file; could you please take a look at it to obtain more info?

https://askubuntu.com/questions/56683/where-is-the-cron-crontab-log

You can also redirect the output of the command in the crontab to a different file and check its output everyday to know what’s happening with the renewal.

This is not a tool/stack issue; Let’s Encrypt simply didn’t return a valid certificate for some reason. We should understand why, because the renewal worked when you ran it manually (and everything is the same).


Hi @jota,

As always, thanks for your time. I appreciate your thoughtful responses.

I found the syslogs but I am not sure what I am looking for. (There appear to be rolling logs for the last 7 days?) I see all the tasks in the log, but I don’t know when the cron job attempted to renew the certificate and when it failed.

The only thing that looks like it could be relevant is that many of the syslogs show this at the very bottom:

Jun 16 00:00:01 ip-172-26-6-132 CRON[28985]: (bitnami) CMD (sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=www.sparksandfuel.com renew && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful # bncert-autorenew)
Jun 16 00:00:01 ip-172-26-6-132 systemd[1]: Starting Rotate log files...
Jun 16 00:00:01 ip-172-26-6-132 systemd[1]: Starting Daily man-db regeneration...

And then this is shown at the top of the next syslog:

Jun 16 00:00:02 ip-172-26-6-132 rsyslogd:  [origin software="rsyslogd" swVersion="8.1901.0" x-pid="535" x-info="https://www.rsyslog.com"] rsyslogd was HUPed
Jun 16 00:00:02 ip-172-26-6-132 systemd[1]: logrotate.service: Succeeded.
Jun 16 00:00:02 ip-172-26-6-132 systemd[1]: Started Rotate log files.
Jun 16 00:00:03 ip-172-26-6-132 systemd[1]: man-db.service: Succeeded.
Jun 16 00:00:03 ip-172-26-6-132 systemd[1]: Started Daily man-db regeneration.
Jun 16 00:00:11 ip-172-26-6-132 dhclient[425]: PRC: Renewing lease on eth0.
Jun 16 00:00:11 ip-172-26-6-132 dhclient[425]: XMT: Renew on eth0, interval 9060ms.
Jun 16 00:00:11 ip-172-26-6-132 dhclient[425]: RCV: Reply message on eth0 from fe80::10a5:71ff:fe37:6040.
Jun 16 00:00:23 ip-172-26-6-132 CRON[28984]: (CRON) info (No MTA installed, discarding output)

Not sure if any of that is helpful, but I wonder if there is some sort of error log that would show what happened when the cron job failed? If so, can you tell me where it is? (Or is there a terminal command you can provide that will spit out all cron job errors?)

The one thing I think is strange is that this issue was only a problem for a portion of my domains. I have 12 sites all set up the same way on Lightsail and Bitnami, but the cron job seems to have failed for only 6 of them…


Yes, I expected the log file to include an error. If it’s not there, please update the cron job to look like this:

0 0 * * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="sasha@sparksandfuel.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=www.sparksandfuel.com renew >> /tmp/letsencrypt-renew.log && sudo /opt/bitnami/apache/bin/httpd -f /opt/bitnami/apache/conf/httpd.conf -k graceful # bncert-autorenew

The /tmp/letsencrypt-renew.log file will log all the information that the lego binary obtains when renewing the certificate.
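One caveat with the `>> /tmp/letsencrypt-renew.log` redirect above: it keeps only stdout, and the syslog line "No MTA installed, discarding output" shows cron throwing away whatever else the job printed. The wrapper below is an added example (not code from the thread or from Bitnami's tooling) that captures stdout and stderr together, records the exit status, reloads Apache only when lego succeeded, and classifies the most recent run from the logged lines; the paths and flags are the ones quoted in the thread, while `LOG`, the function names and the "no renewal" message match are assumptions.

```shell
#!/bin/sh
# Added example, not part of the thread or of Bitnami's tooling. Paths and
# flags are those quoted in the thread; LOG and function names are assumed.
LOG="${LOG:-/tmp/letsencrypt-renew.log}"

# run_renew DOMAIN: renew DOMAIN with lego, log everything, return lego's status.
run_renew() {
    domain="$1"
    echo "=== $(date -u '+%Y-%m-%dT%H:%M:%SZ') renew $domain ===" >> "$LOG"
    # 2>&1 matters: ">> file" alone keeps only stdout; cron discarded the rest
    # ("No MTA installed, discarding output" in the syslog quoted above).
    sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt \
        --email="sasha@sparksandfuel.com" --http --http-timeout 30 \
        --http.webroot /opt/bitnami/apps/letsencrypt \
        --domains="$domain" renew >> "$LOG" 2>&1
    rc=$?
    echo "=== exit status $rc ===" >> "$LOG"
    return "$rc"
}

# last_status LOGFILE: classify the most recent run recorded in LOGFILE as
# "renewed", "not-due" or "failed" from the lines lego printed. The success
# line is the one seen in the thread; "no renewal" (assumed wording) is what
# lego prints when the certificate is not yet due.
last_status() {
    awk '
        /^=== .* renew / { renewed = 0; notdue = 0; seen = 1; next }
        /Server responded with a certificate/ { renewed = 1 }
        /no renewal/ { notdue = 1 }
        END {
            if (!seen) print "failed"
            else if (renewed) print "renewed"
            else if (notdue) print "not-due"
            else print "failed"
        }' "$1"
}

# Cron entry using this wrapper instead of the one-liner (path is assumed):
# 0 0 * * * /opt/bitnami/letsencrypt/renew-wrapper.sh www.sparksandfuel.com
if [ -n "$1" ]; then
    run_renew "$1" && sudo /opt/bitnami/apache/bin/httpd \
        -f /opt/bitnami/apache/conf/httpd.conf -k graceful
    last_status "$LOG"
fi
```

Running `last_status /tmp/letsencrypt-renew.log` by hand the morning after the job fires tells you whether that night's renewal actually happened without reading the whole log.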