
Comments (29)

babblo commented on September 26, 2024 3

Hi @tgalopin, any updates on this issue?

from acmephp.

tgalopin commented on September 26, 2024 1

Hello @TheJoin95,

I was pretty sure the problem was coming from something like this but I didn't have time to find the real issue, so: thank you very much, and I really mean it :) !

I will work on changing when authorization should be done in the code as soon as possible.

Thanks!

tgalopin commented on September 26, 2024 1

Actually this seems a bigger task than I expected, as AcmePHP now needs to be able to automate the authorization process. I'm on vacation next week, I will try to find time to work on this :) .

In the meantime, running the full process works, so this can be a temporary solution.

sakumatto commented on September 26, 2024 1

Hi @tgalopin, any updates on this issue? Many of my certs just expired because I'd cronned them in July :(

alexwilczewski commented on September 26, 2024 1

I execute the renew script as an executable. This is my entrypoint for my cronjob. Its main purpose is to add an acme executable to the $PATH.

If you look at the renew script, I add php-bin to my path before running the php renewal script. Inside my php-bin directory, I have a symlink acme that points to the acme.phar.

I have attached things to get you going. I hope it's useful. You can find the actual renewal script at the following GitHub URL: https://github.com/alexwilczewski/acmephp-renew-html-challenge

Download links (GitHub wanted them as .txt files)
config.default.json.txt
renew.txt
renew.php.txt

  • Note: The script creates the .well-known/acme-challenge directory with 0777 permissions and does not clean up the directory.

PK232 commented on September 26, 2024 1

@alexwilczewski
Thanks for taking the time to be so helpful. I am more of a sys. admin/network person than a programmer and have used bash for years to solve small problems on my servers. As a result I am very comfortable with bash and will try using it along with your previous guide posts to find a solution before my current certificates expire. If it doesn’t work out, I will give your latest suggestions a try and will in all likelihood be back as my only non-bash programming experience has been with MS Quick Basic and Borland’s Turbo C++ many years ago. Thanks again.

tgalopin commented on September 26, 2024 1

The run command should now fix this, as it launches the full renew process including authorization challenge. Don't hesitate to answer here if you still have issues!

alexwilczewski commented on September 26, 2024 1

@tgalopin Thanks for the persistence and work on this project! 😄

jmorganmartin commented on September 26, 2024

@tgalopin A potential solution/add-on would be to add a configuration to set a path to the .well-known/acmechallenge directory for each domain. This would make authorizing as easy to set up and repeat as getting new certificates.

MatG01 commented on September 26, 2024

Hi @tgalopin,
An honest question, not a complaint (I appreciate your work on that tool, I use it for 20+ domains):
As you are still making releases, I wonder how you use the tool yourself, because this issue makes it pretty unusable for me. The need to manually re-authorize each domain after a month defeats the purpose of Let's Encrypt and of acmephp for me.
My question: do you have a workaround for that problem, and if so I would very much appreciate learning how that works.

babblo commented on September 26, 2024

@MatG01 as a workaround you can renew the certs every 20 days or so, that way you don't need to re-authorize the domains. Let's Encrypt has limits far beyond that amount, don't worry.

MatG01 commented on September 26, 2024

@babblo I tried that once and it didn't work for me. The domains still expired. But if you say that that's the way to do it, then I assume I made a mistake and I will try again. Thanks.

babblo commented on September 26, 2024

@MatG01 be sure you --force the updates.

MatG01 commented on September 26, 2024

@babblo that sounds like a good hint. Thanks a lot.

jderusse commented on September 26, 2024

Did you try to call the "auth" command to regenerate a new challenge?

I suggest using the new "run" command to perform everything automatically.

alexwilczewski commented on September 26, 2024

I run a cron once per week: $ php acmephp.phar request --force
It was successfully renewing my multi-domain certificates for the first month, then I was receiving the authorization errors. I am using version 1.0.0-beta5.

@jderusse I am looking into your recent changes. I didn't know there was an "auth" or "run" command.

tgalopin commented on September 26, 2024

@alexwilczewski Temporarily, you can redo the authorization process manually. It will fix the problem in the short term, but I suggest indeed to use the run command for a better solution.

alexwilczewski commented on September 26, 2024

I used the run command. It is useful and convenient.

In regards to the run command:
I tried creating a multi-domain certificate by listing subject_alternative_names. However, my alternative domain names route to separate directories on my webserver. This caused problems when using the solver, because only 1 directory can be used for http-file.

In regards to the current version:
I ran into the following errors while using request with the -a option.
In Repository.php line 373:
Loading of domains , certificate order failed
In Filesystem.php line 386:
File not found at path: var//68b1e75f4239736f58668aacff1381fddf9e3fe8/certificate_order.json

Version 1.0.0-beta5 does not produce this error.

sakumatto commented on September 26, 2024

Hi all. I wrote into a post my method of renewing with AcmePHP: https://sslowner.com/lets-encrypt-and-acmephp-for-free-certificates-automatic-renewal-with-dns-challenge.html

I use DNS challenge. Hope this helps us all who have been having problems to automate the process.

PK232 commented on September 26, 2024

I looked at sakumatto’s renewal script referenced in the URL (….with-dns-challenge.html) above and it appears that the active part that does the renewal is the standard means of forcing a renewal from the command line as shown below.

php /home/user/acmephp.phar request --force $domain -a $www

Am I missing something in the script that makes it more than being an automatic renewal script that can be run from cron?

The reason I ask is that I have been fighting the problem of having Let’s Encrypt indicate that my certificates had expired before I could renew them for months. At first I wrote a script to force a renewal on the first of each month. I tested it by running it manually two days after I wrote it and the renewal succeeded. It also succeeded when cron ran it on the following first of the month about two weeks later. When it ran on the first of the next month however, it failed, and I had to start the whole process over again.

My next attempt was to modify my renewal script to run every 14 days using modulo. That script worked well for weeks two and four, but on week six it again failed, which is why I am surprised sakumatto’s renewal script works and why I am asking if I missed something in what his script does. My last test seemed to indicate that failing to renew after a month is independent of the number of times you renew or when you renew during the month.

Unfortunately I did not keep any notes on what I did so I am going to try my scripts again to see if the results repeat and also so I can keep better notes and answer any questions on exact error messages etc. Perhaps I did something wrong. We can always hope.

alexwilczewski commented on September 26, 2024

@PK232 I think you may run into the same problem again. It appears that the force script never "renews" something that is necessary for LetsEncrypt. (I don't know what that is.) I wrote a script that runs through the full renewal process and it has been working well for a few months now. I do not have them on hand, but I will outline the process below.

Notes:

  • I can run my script on the server where I host my files.
  • I satisfy LetsEncrypt's challenge through html -- mydomain.com/.well-known/acme-challenge/...
  • I create a multi-domain certificate.

Script outline:

  0. I pass in the domains and their directory paths into my script.
  1. For each domain I run: php acmephp.phar authorize mydomain.com
    1.1. I parse this output with a regular expression and create a file in the proper location in the file system.
  2. For each domain I run: php acmephp.phar check mydomain.com
  3. I create the argument list for each domain and I run: php acmephp.phar request mydomain.com -a mydomain2.com ...

I run this script through cron each week and I do not run into the renewal problem upon the apparent 1 month expiry.

from acmephp.
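
The challenge-file step of the outline above (step 1.1), written so that it avoids the two issues noted earlier in the thread for the published script (a 0777 challenge directory and no cleanup). This is an added example, not part of the original comments or of alexwilczewski's script; the function names are hypothetical, and the token and payload are assumed to have been extracted from the client's output by the caller.

```shell
#!/bin/sh
# Added example: function names are hypothetical. TOKEN and PAYLOAD are assumed
# to have been extracted from the client's output already (not shown here).
LC_ALL=C; export LC_ALL   # byte-wise character ranges in the pattern below

# RFC 8555 tokens use only the base64url alphabet. Rejecting anything else
# keeps a parsed value such as "../x" from escaping the challenge directory.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
  esac
}

# place_challenge WEBROOT TOKEN PAYLOAD
place_challenge() {
  valid_token "$2" || { printf 'rejected token: %s\n' "$2" >&2; return 1; }
  pc_dir="$1/.well-known/acme-challenge"
  (
    umask 022                      # new dirs 0755, new files 0644
    mkdir -p "$pc_dir" &&
    chmod 755 "$pc_dir" &&         # tighten a directory left at 0777 earlier
    printf '%s' "$3" > "$pc_dir/$2"
  )
}

# remove_challenge WEBROOT TOKEN
remove_challenge() {
  valid_token "$2" || return 1
  rm -f "$1/.well-known/acme-challenge/$2"
}

# with_challenge WEBROOT TOKEN PAYLOAD CMD [ARGS...]
# Publishes the file, runs CMD, and removes the file whether CMD succeeds
# or not; returns CMD's exit status.
with_challenge() {
  wc_root=$1; wc_token=$2
  place_challenge "$1" "$2" "$3" || return 1
  shift 3
  wc_status=0
  "$@" || wc_status=$?
  remove_challenge "$wc_root" "$wc_token"
  return "$wc_status"
}

# Usage inside the per-domain loop of the outline (step 2), illustrative path:
#   with_challenge /var/www/mydomain.com "$token" "$payload" \
#     php acmephp.phar check mydomain.com
```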

PK232 commented on September 26, 2024

@alexwilczewski

If I am reading your comment right, when you renew you start over as if you never had a certificate before, except for registering, and have automated that whole process using a script. If that is the case I suspect cron could run it every two months since it is only the ability to renew that only lasts 30 days. Thanks for the heads up. It saved me waiting six weeks to find out I was back to square one. I think I can cobble together a script to do what you suggest. It probably won't be the most elegant, but it should work. Thanks again.

bpolaszek commented on September 26, 2024

Sounds great! Can you please document the new run command and how to configure domains / wildcards?

tgalopin commented on September 26, 2024

I will work on that indeed, the documentation is lacking.

tgalopin commented on September 26, 2024

I just deployed a new version of the documentation, including explanations on how to use the run command: https://acmephp.github.io/documentation/getting-started/2-obtain-certificate-easy.html.

This should help here :) . Don't hesitate to ping me if needed!

netvillage commented on September 26, 2024

I am slightly confused on using the new RUN command for renewals handling the 'Authorization expired' issue. The docs on the 'setup automatic renewal' look like they use the 'request' command, but it seems like the thing to do is just call the run command again each night. Is that correct?

And when it expires and renews is it going to create a NEW ownership token file in the acme-challenge folder? Meaning I'll have to parse the output for this new name and create a file each month?

jderusse commented on September 26, 2024

> the thing to do is just call the run command again each night. Is that correct

Yes, the run command is more like register + authorize + check + request when needed.
Calling run periodically is the right thing to do.

Note: running it every day seems overkill to me, because the certificate is valid 90 days. I personally run it once per week with --delay=30 to get 30 days to solve the issue if the renewal didn't work.

> Meaning I'll have to parse the output for this new name and create a file each month

No, the file name and location are always the same. The previous certificate's file is replaced by the new one.

A backup of the previous files is stored in the backup folder (check the parameter enable_backup)

netvillage commented on September 26, 2024

OK, I will try it and see. Thank you!

netvillage commented on September 26, 2024

I've automated my SSL script renewal on Windows with a nightly call like this:

php acmephp.phar run config.yml

Renewals work fine, except after 60 days, it starts looking for a different challenge authorization file.

"Solving challenge for domain mydomain.com...
Create a text file accessible on URL http://mydomain.com/.well-known/acme-challenge/nI27pIwtgajBU.....ect... containing the following content:"

Is that the normal behavior? It seems problematic to use this for automated renewals, unless I mod my scripts to look for this and create the files and such. I'd rather avoid doing that.
