Acme.sh: certificate and key deleted on automatic renewal

Created on 18 Sep 2016  ·  6 comments  ·  Source: acmesh-official/acme.sh

Using le.sh version 2.0.2

Last night
"/root/.le/le.sh --cron --home /root/.le > /dev/null"
was running.
There is no log of the output, but right afterwards the Apache2 configtest failed because the certificate and key file of one domain were 0 bytes in length.
An investigation showed the following situation:

root@kleinbetrieb ~ # ls -la /root/.le/kleinbetrieb.biz/
total 24K
drwxr-xr-x 2 root root 4.0K Jun 29 19:54 .
drwxr-xr-x 8 root root 4.0K Sep 1 18:11 ..
-rw-r--r-- 1 root root 0 Sep 18 00:00 ca.cer
-rw-r--r-- 1 root root 3.2K Sep 18 00:00 fullchain.cer
-rw-r--r-- 1 root root 0 Sep 18 00:00 kleinbetrieb.biz.cer
-rw-r--r-- 1 root root 978 Sep 18 00:00 kleinbetrieb.biz.conf
-rw-r--r-- 1 root root 517 Mar 31 05:34 kleinbetrieb.biz.csr
-rw-r--r-- 1 root root 0 Sep 18 00:00 kleinbetrieb.biz.key
-rw-r--r-- 1 root root 124 Mar 31 05:34 kleinbetrieb.biz.ssl.conf

root@kleinbetrieb ~ # /root/.le/le.sh --cron --home /root/.le
[Sun Sep 18 07:54:45 CEST 2016] renewAll
...
[Sun Sep 18 07:54:45 CEST 2016] renew kleinbetrieb.biz
[Sun Sep 18 07:54:45 CEST 2016] Skip, Next renewal time is: Tue Dec 6 22:00:30 UTC 2016
...

Based on the date, the le.sh script must have renewed that certificate last night.
However, it left behind a 0-byte key and certificate.

Obviously, without an existing certificate I can't force-renew that certificate to get a new one:
/root/.le/le.sh --renew --force --domain kleinbetrieb.biz
[Sun Sep 18 07:58:56 CEST 2016] Creating account key
[Sun Sep 18 07:58:56 CEST 2016] Account key exists, skip
[Sun Sep 18 07:58:57 CEST 2016] Skip register account key
[Sun Sep 18 07:58:57 CEST 2016] Creating domain key
[Sun Sep 18 07:58:57 CEST 2016] Use length 384
[Sun Sep 18 07:58:57 CEST 2016] Using ec name: secp384r1
[Sun Sep 18 07:58:57 CEST 2016] Domain key exists, skip
[Sun Sep 18 07:58:57 CEST 2016] Creating csr
[Sun Sep 18 07:58:57 CEST 2016] Multi domain='DNS:www.kleinbetrieb.biz'
unable to load Private Key
140316540049048:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: ANY PRIVATE KEY
[Sun Sep 18 07:58:57 CEST 2016] Create CSR error.

Restoring the old certificate from a backup and force-renewing the certificate caused the same thing to happen again with no error message.

/root/.le/le.sh --renew --force --domain kleinbetrieb.biz
[Sun Sep 18 08:08:41 CEST 2016] Creating account key
[Sun Sep 18 08:08:41 CEST 2016] Account key exists, skip
[Sun Sep 18 08:08:42 CEST 2016] Skip register account key
[Sun Sep 18 08:08:42 CEST 2016] Creating domain key
[Sun Sep 18 08:08:42 CEST 2016] Use length 384
[Sun Sep 18 08:08:42 CEST 2016] Using ec name: secp384r1
[Sun Sep 18 08:08:42 CEST 2016] Domain key exists, skip
[Sun Sep 18 08:08:42 CEST 2016] Creating csr
[Sun Sep 18 08:08:42 CEST 2016] Multi domain='DNS:www.kleinbetrieb.biz'
[Sun Sep 18 08:08:42 CEST 2016] Verify each domain
[Sun Sep 18 08:08:42 CEST 2016] Getting webroot for domain='kleinbetrieb.biz'
[Sun Sep 18 08:08:42 CEST 2016] Getting token for domain='kleinbetrieb.biz'
[Sun Sep 18 08:08:43 CEST 2016] Getting webroot for domain='www.kleinbetrieb.biz'
[Sun Sep 18 08:08:43 CEST 2016] Getting token for domain='www.kleinbetrieb.biz'
[Sun Sep 18 08:08:45 CEST 2016] Verifying:kleinbetrieb.biz
[Sun Sep 18 08:08:52 CEST 2016] Success
[Sun Sep 18 08:08:52 CEST 2016] Verifying:www.kleinbetrieb.biz
[Sun Sep 18 08:08:59 CEST 2016] Success
[Sun Sep 18 08:08:59 CEST 2016] Verify finished, start to sign.
[Sun Sep 18 08:09:01 CEST 2016] Cert success.
-----BEGIN CERTIFICATE-----
MII....
-----END CERTIFICATE-----
[Sun Sep 18 08:09:01 CEST 2016] Your cert is in /root/.le/kleinbetrieb.biz/kleinbetrieb.biz.cer
[Sun Sep 18 08:09:01 CEST 2016] The intermediate CA cert is in /root/.le/kleinbetrieb.biz/ca.cer
[Sun Sep 18 08:09:01 CEST 2016] And the full chain certs is there: /root/.le/kleinbetrieb.biz/fullchain.cer
[Sun Sep 18 08:09:02 CEST 2016] Run Le_ReloadCmd: service apache2 reload
Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.

Trying again with 2.3.0, the exact same thing happened with the exact same shell output.
No sign that anything was going wrong, but it still ended up with a 0-byte key and 0-byte certificate.

As a temporary measure I'll have to disable the cron job until this is resolved, so it doesn't break my server every night.

No matter how it happened, the amount of error checking and logging in this script is insufficient to automatically fiddle with something like certificates that can break entire servers.

All 6 comments

Please upgrade to the latest version and try again.

As I said, I did update to the latest 2.3.0 and tried again.
Further investigation showed that the problematic domain had
Le_RealCertPath
Le_RealCACertPath
Le_RealKeyPath
configured in its .conf file. They were pointing to the place where the certificate was supposed to be on this server (below /etc/ssl). Since acme.sh ignored these settings (in the past),
there are symbolic links in that place pointing to the /root/.le/ directory where the script keeps putting the certificates, keys, ...
(I really don't like that place because services are not supposed to have read access for anything below /root)
Removing these 3 settings made the renewal work.
Still, obviously it should have failed with an error message and never, ever destroyed keys and certificates without at least a backup copy to restore the old ones in case of such a failure.

(The symlinks are now removed and replaced by copies of the 3 files, as it should be and as it is for all domains that were added at a later time.)

I just made a new release 2.5.2 for you.
Please upgrade.

(I really don't like that place because services are not supposed to have read access for anything below /root)

Please do not use or symlink to the files in ~/.le or ~/.acme.sh.

You should copy the certs from the .le folder to the target folder the service is using, for example /etc/ssl.

And you should use the --installcert command to copy:

acme.sh --installcert --certpath /path/to/target/cert.pem --keypath /path/to/target/key.pem --fullchainpath /path/to/target/fullchain.pem

It copies the files to the target path, and records the paths in the conf file.

When the cert is renewed, it can copy them again automatically.
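The failure described in this thread, as an added shell example that is not acme.sh's own code: a naive copy onto an /etc/ssl path that is a symlink back into the home directory truncates the source key before anything is read, and an install step that resolves the target, refuses to copy a file onto itself or from an empty source, keeps a backup, and replaces the target atomically. Function names, paths and the fixture key are made up.

```shell
# Constructed example (not acme.sh's own code): why copying a cert or key onto
# an /etc/ssl path that is a symlink back into the home directory yields a
# 0-byte file, next to an install step that refuses to do that.

size_of() { wc -c < "$1" | tr -d ' '; }

# The hazard: the shell opens DST with O_TRUNC before cat reads SRC, so when
# DST resolves to SRC the source is emptied first and nothing is copied.
naive_install() {  # naive_install SRC DST
    cat "$1" > "$2"
}

# Safer install: refuse an empty source, refuse when DST resolves to SRC,
# keep a backup of the previous DST, and replace it atomically by rename.
safe_install() {  # safe_install SRC DST -> 0 on success, 1 when refused
    src=$1 dst=$2
    if [ ! -s "$src" ]; then
        echo "refusing: $src is empty or missing" >&2; return 1
    fi
    real_src=$(readlink -f "$src")
    real_dst=$(readlink -f "$dst" 2>/dev/null || true)
    if [ "$real_src" = "$real_dst" ]; then
        echo "refusing: $dst resolves to $src; copying would truncate it" >&2
        return 1
    fi
    if [ -e "$dst" ]; then   # back up the live file (dereferencing a symlink)
        cp -pL "$dst" "$dst.bak.$(date +%Y%m%d%H%M%S).$$" || return 1
    fi
    tmp="$dst.tmp.$$"
    cp "$src" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dst"
}

# Fixture mirroring this issue's layout: a home dir holding the key and an
# /etc/ssl-style symlink pointing back at it. Prints the scratch directory.
make_fixture() {
    d=$(mktemp -d); mkdir -p "$d/le" "$d/ssl"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-REAL-KEY' \
        '-----END EC PRIVATE KEY-----' > "$d/le/key"
    ln -s "$d/le/key" "$d/ssl/key"
    echo "$d"
}

demo() {  # run both installers against a fresh fixture each
    d=$(make_fixture); naive_install "$d/le/key" "$d/ssl/key"
    echo "naive copy: source key is now $(size_of "$d/le/key") bytes"
    d=$(make_fixture)
    safe_install "$d/le/key" "$d/ssl/key" || echo "safe copy refused; source key still $(size_of "$d/le/key") bytes"
}
demo
```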

Haha, so this is where the advice against symlinking comes from, and the question about automatic copying is answered here too.
GitHub's system is really hard to use; it's hard even to find a post.

So, if I buy a certificate elsewhere, can I put the certificate files into this folder and make use of this automatic copying feature? I mean, acme.sh can presumably handle more than just LE certificates?
