未能续订让我们加密SSL

Question

I easily installed an SSL certificate the first time through, but I am unable to get it to renew.

I scheduled the terminal command to automatically renew the certificate each month, but it is responding with an error. I also get the same response when running it manually.

Terminal Command

curl -X POST https://forge.laravel.com/api/servers/<serverNumber>/sites/<siteNumber>/ssl/renew?api_token=<my-token>

Response

Cloning into 'letsencrypt1462928414'...
nginx stop/waiting
nginx start/running, process 10734
# INFO: Using main config file /root/letsencrypt1462928414/config.sh
+ Generating account key...
+ Registering account key with letsencrypt...
Processing donniebrandt.com with alternative names: www.donniebrandt.com
 + Signing domains...
 + Creating new directory /root/letsencrypt1462928414/certs/donniebrandt.com ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for donniebrandt.com...
 + Requesting challenge for www.donniebrandt.com...
 + Responding to challenge for donniebrandt.com...
ERROR: Challenge is invalid! (returned: invalid) (result: {"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0 [104.18.50.184]: 526"},"uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/S6oIx5ZFyzu80fkpjoCcAgVDp7p8aLo6UGLLt7flP-g/81801388","token":"JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","keyAuthorization":"JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0.0N_sDHF2rXqfyPHGi4ZmXDAkrmwbMJ-S_ZghYPtSN2g","validationRecord":[{"url":"http://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","hostname":"donniebrandt.com","port":"80","addressesResolved":["104.18.50.184","104.18.51.184"],"addressUsed":"104.18.50.184"},{"url":"https://donniebrandt.com/.well-known/acme-challenge/JdG5PtzEcqZMMDVhx2VNN5Wmvldwtl84B6q3j1AQcP0","hostname":"donniebrandt.com","port":"443","addressesResolved":["104.18.50.184","104.18.51.184"],"addressUsed":"104.18.50.184"}]})

I also verified that the .well-known/acme-challenge directory exists, but it doesn't change the error.

Answer 1

The error message shows your website is offline for one of the domains:

ERROR: [...]"Invalid response from http://donniebrandt.com/[...]526"},[...]

Try access http://donniebrandt.com and you will get error 526 (invalid SSL certificate).

As cloudfare states :

The HTTP Error Response Code 526 occurs when CloudFlare is unable to successfully validate the SSL certificate on the origin web server and the CloudFlare SSL configuration on the website is set to "Full SSL (Strict)".

In other words, the CDN you´ve setup in front of your server tries to reach your server through HTTPS, however your SSL certificate is invalid (maybe expiered or root CA not trusted by Cloudfare CDN). So Cloudfare will not fetch content from your server.

I am not familiar with Cloudfare but you can do one of the following:

• disable temporally strict SSL in cloudfare until you renew your certificate and, next time, renew before it expires so there is no need to disable it again.
• temporally redirect your DNS direct to you server instead of CDN, renew certificate and redirect it again. The downside here is that DNS propagation might take sometime and you will loose benefit of CDN for a long period depending on DNS setup.

Since you said you got SSL working first time I am assuming Cloudfare trusts LetsEncrypt (or it would not work for the first time). However worth check it.

Answer 2

It's not really a fix, but I skirted the issue by recreating the site in Forge and reinstalling an SSL.

This should no longer be an issue since Forge now handles SSLs better.

Forge will now automatically renew LetsEncrypt certificates for you every week. You no longer need to manually add a scheduled job to perform the renewal. To generate an auto-renewing LetsEncrypt certificate, simply obtain and activate a new certificate using the form above.