Automatic renewal of ZeroSSL didn't happen #1007

Open
iliaross opened this issue Feb 16, 2025 · 5 comments
@iliaross
Member

Hello Jamie!

Three months ago, I set up ZeroSSL to be used for one of my domains, but today it expired without renewing automatically. Background status collection is enabled, and other Let’s Encrypt renewals are working fine.

It seems like a bug.

@jcameron
Collaborator

Hmm ... do you have automatic renewal enabled on the Let's Encrypt page in Virtualmin? Also, did you get any email about the renewal failure? Also, does renewing manually work?

@iliaross
Member Author

Yes, automatic renewal is enabled. The manual renewal just worked—but it literally took 30 minutes.

And, there were emails! First was a failure email:

An error occurred requesting a new certificate for usermin.dev, *.usermin.dev from
Let's Encrypt : DNS-based validation failed : 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for usermin.dev and *.usermin.dev

Certbot failed to authenticate some domains (authenticator: manual). The Certificate
Authority reported these problems:
  Domain: usermin.dev
  Type:   dns
  Detail: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.usermin.dev -
check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the DNS TXT records created by the
--manual-auth-hook. Ensure that this hook is functioning correctly and that it waits
a sufficient duration of time for DNS propagation. Refer to "certbot --help manual"
and the Certbot User Guide.

...which must be a false positive. And then, in about an hour it happened to be successful:

A new certificate was successfully requested from Let's Encrypt, and installed for
usermin.dev, *.usermin.dev.

...and then two more emails, with an interval of 2 days, which are extremely misleading:

A new certificate was successfully requested from Let's Encrypt, and installed for
usermin.dev, *.usermin.dev.

It's worth noting that this is a ZeroSSL certificate, and, most importantly, neither the certificate itself nor the domain configuration file was actually updated!

@jcameron
Collaborator

Whoa, very odd that it said the cert was updated but it actually failed! Do you have any kind of unusual setup for this domain regarding the SSL cert, like it being a symlink or stored in a non-standard location?

@iliaross
Member Author

iliaross commented Feb 17, 2025

> Do you have any kind of unusual setup for this domain regarding the SSL cert

No, nothing’s different. Everything is the same as on all other domains—the certificates are in the default /etc/ssl/virtualmin folder (not symlinked)—except I’m using ZeroSSL instead of Let’s Encrypt for testing.

Also, I just realized I should mention that it was originally set up with Let’s Encrypt and then switched to ZeroSSL—might this be related to the issue?

@jcameron
Collaborator

> Also, I just realized I should mention that it was originally set up with Let’s Encrypt and then switched to ZeroSSL—might this be related to the issue?

No, that shouldn't matter. Does this continue to fail consistently on this domain? If so, you might try adding some debug code to see where the SSL cert is being saved to.
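
One way to check the symptom reported in this thread (a success email while the certificate file stayed the same), as an added example that is not part of the thread or of Virtualmin's code: snapshot the certificate's SHA-256 fingerprint before a renewal attempt and compare it afterwards with `openssl`. The function names, the state file and the 30-day default are assumptions; pass the domain's actual certificate path.

```shell
#!/bin/sh
# Added example (not Virtualmin code): confirm that a "renewed" notification
# matches what is actually on disk. All paths are supplied by the caller.

# cert_fp FILE -> prints the SHA-256 fingerprint, or nothing if FILE is not a cert
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# cert_snapshot FILE STATE -> record the fingerprint before a renewal attempt
cert_snapshot() {
    fp=$(cert_fp "$1")
    [ -n "$fp" ] || return 2
    printf '%s\n' "$fp" > "$2"
}

# cert_verify_renewal FILE STATE [MIN_DAYS]
# returns 0 = replaced and valid for at least MIN_DAYS more days
#         1 = same certificate as at snapshot time (renewal did not land)
#         2 = certificate or state file unreadable
#         3 = replaced, but the new certificate expires within MIN_DAYS
cert_verify_renewal() {
    cert=$1 state=$2 min_days=${3:-30}
    new=$(cert_fp "$cert")
    [ -n "$new" ] || { echo "cannot parse $cert" >&2; return 2; }
    [ -r "$state" ] || { echo "no snapshot at $state" >&2; return 2; }
    old=$(cat "$state")
    # Issuer shows which CA signed the file on disk; enddate shows its expiry.
    openssl x509 -in "$cert" -noout -issuer -enddate
    if [ "$new" = "$old" ]; then
        echo "UNCHANGED: same certificate as before the renewal attempt"
        return 1
    fi
    # -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "REPLACED, but expires within $min_days days"
        return 3
    fi
    echo "RENEWED: new fingerprint $new"
}
```

Run `cert_snapshot` before the scheduled renewal window and `cert_verify_renewal` after each notification email; a return code of 1 alongside a success email reproduces the mismatch described above.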
