acmephp: Authorization challenge expired [solution?]

Hi guys,

We have a problem renewing certificates, because we get authorization errors. The real issue is that Let’s Encrypt has changed (in January) the expiry date of the authorization challenges from 60 days to 30 days (according to this: https://community.letsencrypt.org/t/upcoming-api-changes/17947).

Actually, Let’s Encrypt sends us an email 10 days before our certificate expires, but if we renew the certificate only 10 days before with acmephp we get an error saying that we don’t have authorization. So we need to re-run the whole authorization process and get a new certificate.

You can see your active authorization in .acmephp/master/private/yourdomain.com/authorization_challenge.json. Try to make a request to the URL that you find in the “url” key: if you get a 404, you need to re-run the authorization; otherwise, you can renew.

What can we do? Run the renew each month, when the authorization is still valid.

It sounds strange that Let’s Encrypt (with 100.000.000 certs) can’t get an authorization for more than 30 days, but I think that the problem we got renewing a certificate is this one.
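The check described in the post above, as an added shell example (not part of the original issue and not acmephp's own code). The function names are hypothetical; it assumes the file holds a single "url" string, possibly with PHP-style `\/` escapes, and it treats any answer other than 404 or 2xx as "unknown" rather than guessing.

```shell
#!/bin/sh
# Added example: choose "renew" or "reauthorize" from the stored challenge URL.

# Print the value of the "url" key from an authorization_challenge.json file.
# Assumption: one "url" string value; "\/" escapes are unescaped.
auth_url_from_file() {
    tr -d '\n' < "$1" |
        sed -n 's/.*"url"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        sed 's#\\/#/#g'
}

# Map an HTTP status code to the action suggested in the post.
action_for_status() {
    case "$1" in
        404) echo reauthorize ;;  # authorization gone: run the full process
        2??) echo renew ;;        # authorization still exists
        *)   echo unknown ;;      # network error, 5xx, rate limit: do not guess
    esac
}

# Request the stored URL and print the action. Only https:// URLs are fetched,
# so a tampered file cannot point curl at file:// or plain http://.
check_authorization() {
    url=$(auth_url_from_file "$1")
    case "$url" in
        https://*) ;;
        *) echo unknown; return ;;
    esac
    code=$(curl --silent --proto '=https' --max-time 15 \
                --output /dev/null --write-out '%{http_code}' "$url") || code=000
    action_for_status "$code"
}

if [ "$#" -eq 1 ]; then
    # Usage: sh check.sh .acmephp/master/private/yourdomain.com/authorization_challenge.json
    check_authorization "$1"
else
    # Constructed sample (not a real authorization file), checked offline.
    sample=$(mktemp)
    printf '{"domain":"example.com","url":"https:\\/\\/acme.invalid\\/chall\\/1"}\n' > "$sample"
    echo "url: $(auth_url_from_file "$sample")"
    echo "404 -> $(action_for_status 404), 200 -> $(action_for_status 200)"
    rm -f "$sample"
fi
```

Run from cron ahead of the renewal, an "unknown" result is best logged and retried rather than treated as either outcome.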

About this issue

  • State: closed
  • Created 7 years ago
  • Comments: 29 (9 by maintainers)

Most upvoted comments

Hi @tgalopin, any updates on this issue?

@tgalopin Thanks for the persistence and work on this project! 😄

The run command should now fix this, as it launches the full renew process including authorization challenge. Don’t hesitate to answer here if you still have issues!

@alexwilczewski Thanks for taking the time to be so helpful. I am more of a sys. admin/network person than a programmer and have used bash for years to solve small problems on my servers. As a result I am very comfortable with bash and will try using it along with your previous guide posts to find a solution before my current certificates expire. If it doesn’t work out, I will give your latest suggestions a try and will in all likelihood be back as my only non-bash programming experience has been with MS Quick Basic and Borland’s Turbo C++ many years ago. Thanks again.

I execute the renew script as an executable. This is my entrypoint for my cronjob. Its main purpose is to add an acme executable to the $PATH.

If you look at the renew script, I add php-bin to my path before running the php renewal script. Inside my php-bin directory, I have a symlink acme that points to the acme.phar.

I have attached things to get you going. I hope it’s useful. You can find the actual renewal script at the following GitHub URL: https://github.com/alexwilczewski/acmephp-renew-html-challenge

Download links (GitHub wanted them as .txt files): config.default.json.txt, renew.txt, renew.php.txt

  • Note: The script creates the .well-known/acme-challenge directory with 0777 permissions and does not clean up the directory.

Hi @tgalopin, any updates on this issue? Many of my certs just expired because I’d cronned them in July 😦

Actually this seems a bigger task than I expected, as AcmePHP now needs to be able to automate the authorization process. I’m on vacation next week, I will try to find time to work on this 😃 .

In the meantime, running the full process works so this can be a temporary solution.

Hello @TheJoin95,

I was pretty sure the problem was coming from something like this but I didn’t have time to find the real issue, so: thank you very much, and I really mean it 😃 !

I will work on changing when authorization should be done in the code as soon as possible.

Thanks!