What's new

Lets Encrypt not updating, or?

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

The WebUI shows the certificates for httpd (/jffs/.cert/cert.pem and /jffs/.cert/key.pem). Looks like you're running nginx, so you'd either want to point to those in /opt/etc/nginx.conf (ssl_certificate /jffs/.cert/cert.pem; and ssl_certificate_key /jffs/.cert/key.pem;), copy the certificates to wherever they're needed in the acme-renew script, or set them to generate to where they're needed (--fullchain-file and --key-file while using --issue/--install-cert).
 
You should then be able to get a certificate using [I said:
dns_asus[/I] for the dns option, for example
Code:
acme --issue --dns dns_asus -d test.asuscomm.com

EDIT: Without the myip query in the url, the IP address isn't updated, so I've removed the nslookup and used 0.0.0.0 for the password.
EDITEDIT: Actually it just auto detects your IP address.

where do you input this code below:


Code:
acme --issue --dns dns_asus -d test.asuscomm.com
 
I just configured a new router and ddns with duckdns with the custom script.
I also have Diversion installed (with https blocking too).
Could you help me how to configure LE?
 
@abugray, what router? What firmware?

I believe that this is now fixed? I think it was an issue on their end pointing to wrong addresses?
 
asus ac68u, with latest merlin software.
Did you reset the firmware to factory defaults, this happened to me. Make sure your webui is set to both http and https.
 
I have been having the same issue on my AC-5300 running latest stable FW: 384.14_2. It is stuck on updating, I have webui accessible via HTTP and HTTPS to no avail.

This is what I get in my system log:

Feb 8 13:50:06 kernel: [Sat Feb 8 13:50:05 EST 2020] Registering account
Feb 8 13:50:08 kernel: [Sat Feb 8 13:50:08 EST 2020] Already registered
Feb 8 13:50:08 kernel: [Sat Feb 8 13:50:08 EST 2020] ACCOUNT_THUMBPRINT='**************'
Feb 8 13:50:08 kernel: [Sat Feb 8 13:50:08 EST 2020] Single domain='*****.*****.com'
Feb 8 13:50:08 kernel: [Sat Feb 8 13:50:08 EST 2020] Getting domain auth token for each domain
Feb 8 13:50:13 kernel: [Sat Feb 8 13:50:13 EST 2020] Getting webroot for domain='*****.*****.com'
Feb 8 13:50:13 kernel: [Sat Feb 8 13:50:13 EST 2020] get to authz error.

How to I add the --debug or --log parameters to get more info when this is all automated?
Please add '--debug' or '--log' to check more details.
 
Last edited:
I also have an ASUS RT-AC68U at a remote location running firmware version 384.15, but the Let's Encrypt feature isn't working. (I have both HTTP and HTTPS enabled in the Administration > System section.)

This is the relevant error message in the log:

my-ddns-hostname:Verify error:Fetching http://my-ddns-hostname/.well-known/acme-challenge/QD64HWMytdUi8MivTxcZsLvfkkVjPemGgplhcQa94LU: Timeout during connect (likely firewall problem)

(I've replaced my actual DDNS hostname with "my-ddns-hostname".) It seems port 80 on the WAN side is not being opened for the LE server to verify the domain.

Any ideas or suggestions? Is there an iptables command I can run to temporarily open port 80? Thank you.
 
The Let's Encrypt certificate expired today on my Asus RT-AC68U router running Asuswrt-Merlin 384.15 firmware and it wouldn't renew on it's own with system log message "Verify error:Fetching http://[domain_name]/.well-known/acme-challenge/[random_string]: Connection refused".

After trying many settings, removing the usb flash drive containing scripts and even loading the Asuswrt 3.0.0.4.385.20252 firmware, the only thing that worked was deleting the /jffs/.le directory so that a new account was created for usage by let's encrypt service.

I should mention that I only have HTTPS as the Authentication Method on Administration page, System tab, Local Access Config section and Enable Web Access from WAN set to No on the Remote Access Config section.
[...]Timeout during connect (likely firewall problem)[...]

@wavefunction, I saw this error when trying manually the command used by let's encrypt service with --debug flag, so you could try deleting your /jffs/.le directory and then issue service restart_letsencrypt command to see if it works for you also.
 
It seems the ISP where the router is located blocks port 80. :( Is it possible to configure the LE tool to verify the domain on a different port than 80?
 
Thanks @AurelM, but I did as you suggested and I still get the same error. :(
I'm sorry to hear this.
It seems the ISP where the router is located blocks port 80. :( Is it possible to configure the LE tool to verify the domain on a different port than 80?
Port 80 is the only one that can be used according to the final ACME standard (RFC8555).
On page 64:
3. Dereference the URL using an HTTP GET request. This request MUST
be sent to TCP port 80 on the HTTP server.

I've added the edited log messages for the successful issuing of the new certificate so you can compare with the messages in your log:
Feb 17 20:10:37 [router_name] rc_service: service 22544:notify_rc restart_letsencrypt
Feb 17 20:10:37 [router_name] custom_script: Running /jffs/scripts/service-event (args: restart letsencrypt)
Feb 17 20:10:45 [router_name] kernel: [Mon Feb 17 20:10:45 UTC 2020] Standalone mode.
Feb 17 20:10:45 [router_name] kernel: netstat: showing only processes with your user ID
Feb 17 20:10:51 [router_name] kernel: [Mon Feb 17 20:10:51 UTC 2020] Create account key ok.
Feb 17 20:10:52 [router_name] kernel: [Mon Feb 17 20:10:52 UTC 2020] Registering account
Feb 17 20:10:57 [router_name] kernel: [Mon Feb 17 20:10:57 UTC 2020] Registered
Feb 17 20:10:58 [router_name] kernel: [Mon Feb 17 20:10:58 UTC 2020] ACCOUNT_THUMBPRINT='[random_string]'
Feb 17 20:10:58 [router_name] kernel: [Mon Feb 17 20:10:58 UTC 2020] Creating domain key
Feb 17 20:11:02 [router_name] kernel: [Mon Feb 17 20:11:02 UTC 2020] The domain key is here: /jffs/.le/[domain_name]/[domain_name].key
Feb 17 20:11:02 [router_name] kernel: [Mon Feb 17 20:11:02 UTC 2020] Single domain='[domain_name]'
Feb 17 20:11:03 [router_name] kernel: [Mon Feb 17 20:11:03 UTC 2020] Getting domain auth token for each domain
Feb 17 20:11:11 [router_name] kernel: [Mon Feb 17 20:11:11 UTC 2020] Getting webroot for domain='[domain_name]'
Feb 17 20:11:13 [router_name] kernel: [Mon Feb 17 20:11:13 UTC 2020] Verifying: [domain_name]
Feb 17 20:11:14 [router_name] kernel: [Mon Feb 17 20:11:13 UTC 2020] Standalone mode server
Feb 17 20:11:22 [router_name] kernel: [Mon Feb 17 20:11:22 UTC 2020] Success
Feb 17 20:11:22 [router_name] kernel: [Mon Feb 17 20:11:22 UTC 2020] Verify finished, start to sign.
Feb 17 20:11:23 [router_name] kernel: [Mon Feb 17 20:11:23 UTC 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/[random_number]
Feb 17 20:11:26 [router_name] kernel: [Mon Feb 17 20:11:26 UTC 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/[random_string]
Feb 17 20:11:28 [router_name] kernel: [Mon Feb 17 20:11:27 UTC 2020] Cert success.
Feb 17 20:11:28 [router_name] kernel: -----BEGIN CERTIFICATE-----
Feb 17 20:11:28 [router_name] kernel: [multiple_lines_with_certificate_string]
Feb 17 20:11:28 [router_name] kernel: -----END CERTIFICATE-----
Feb 17 20:11:28 [router_name] kernel: [Mon Feb 17 20:11:28 UTC 2020] Your cert is in /jffs/.le/[domain_name]/[domain_name].cer
Feb 17 20:11:28 [router_name] kernel: [Mon Feb 17 20:11:28 UTC 2020] Your cert key is in /jffs/.le/[domain_name]/[domain_name].key
Feb 17 20:11:28 [router_name] kernel: [Mon Feb 17 20:11:28 UTC 2020] The intermediate CA cert is in /jffs/.le/[domain_name]/ca.cer
Feb 17 20:11:28 [router_name] kernel: [Mon Feb 17 20:11:28 UTC 2020] And the full chain certs is there: /jffs/.le/[domain_name]/fullchain.cer
Feb 17 20:11:29 [router_name] kernel: [Mon Feb 17 20:11:29 UTC 2020] Installing key to:/jffs/.le/[domain_name]/domain.key
Feb 17 20:11:29 [router_name] kernel: [Mon Feb 17 20:11:29 UTC 2020] Installing full chain to:/jffs/.le/[domain_name]/fullchain.pem
Feb 17 20:11:29 [router_name] rc_service: le_acme 22681:notify_rc restart_httpd
Feb 17 20:11:29 [router_name] custom_script: Running /jffs/scripts/service-event (args: restart httpd)
Feb 17 20:11:29 [router_name] RT-AC68U: start https:8443
Feb 17 20:11:30 [router_name] RT-AC68U: start httpd:80
As you can see, the router's let's encrypt service created a new account to be used with the let's encrypt servers and the whole procedure took a little under a minute.

Please post your edited messages from the log file, the ones from after you deleted /jffs/.le directory and restarted let's encrypt service.
 
I was having the same problem on my RT-AC5300 ---- Same logs and what not. I chose to use Pixelserv-tls as my certificate authority since i already had to integrate it into each of my devices.
Wait, is this possible? Why isn't this an option in the firmware?
 
If I've read well all posts about Let'sencrypt, there is no easy way to get certificates but updating the firmware. But some of us are still using RT-AC56U, stuck with ACME v.1 and apparently not plan from Asus to update them to ACME v.2 (nor Merlin's firmware). So my only options are disable WAN https UI access or buy a new, expensive and no needed router. Is there a way to update Let's Encrypt only through SSH?
 
If I've read well all posts about Let'sencrypt, there is no easy way to get certificates but updating the firmware. But some of us are still using RT-AC56U, stuck with ACME v.1 and apparently not plan from Asus to update them to ACME v.2 (nor Merlin's firmware). So my only options are disable WAN https UI access or buy a new, expensive and no needed router. Is there a way to update Let's Encrypt only through SSH?
The acme implementation Asus uses is just this script, so it's easy enough to install it yourself (although it'll be missing socat, but you can get that through entware). There's some more info on installing it here.
 
The acme implementation Asus uses is just this script, so it's easy enough to install it yourself (although it'll be missing socat, but you can get that through entware). There's some more info on installing it here.

Thanks for your help.

I guess this is above my paygrade, but let's see if I can understand it:

1-I have optware (because I use Dowload Master). It's not mandatory to install entware, isn't it?

2-I need to create your script with vi in /jffs/scripts and execute it with 'chmod +x filename' and select 'import/persistent option' in WebUI

3- And that's it?
 
Thanks for your help.

I guess this is above my paygrade, but let's see if I can understand it:

1-I have optware (because I use Dowload Master). It's not mandatory to install entware, isn't it?

2-I need to create your script with vi in /jffs/scripts and execute it with 'chmod +x filename' and select 'import/persistent option' in WebUI

3- And that's it?

  1. Nope, it isn't needed unless you want to use the standalone mode of acme.sh which needs socat. You may wish to edit the locations ACME_DIRECTORY and ACME_LOG to somewhere else if you don't have entware installed though (anywhere except the temporary storage should work).
  2. It doesn't matter where you create it, but yes chmod +x will be needed. After running "acme.sh install" you can even delete it if you want. The 'import/persistent option' in WebUI is what you want as well, since it reads certificates from /jffs/.cert.
  3. You'll still need to issue a certificate, after that it will auto renew when needed. For most providers you can use the DNS api, and for asuscomm.com addresses this script still works (just tested myself).
 

Similar threads

Latest threads

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top