How to renew Lets Encrypt cert on self-hosted AppVeyor
So a while back I got things working with Let's Encrypt (https://help.appveyor.com/discussions/problems/26476-self-hosted-cant-get-lets-encrypt-working)
60 days later it's expired but AppVeyor has not automatically renewed it.
Is this something I need to do manually, and if so how would I do it? I found some instructions relating to AppVeyor Enterprise, but that details a different approach for originally setting up Let's Encrypt. I just used the AppVeyor built-in web interface.
Any advice appreciated. I suppose I could just delete the cert and get a new one?
1 Posted by Oliver Collyer on 03 Jun, 2020 10:20 AM
So in the end I've just deleted the cert from %ProgramData%\AppVeyor\Server and then gone through the usual steps again and that has worked.
Can I request a feature for this to be automatically done by AppVeyor if that is possible?
Support Staff 2 Posted by Feodor Fitsner on 03 Jun, 2020 05:15 PM
In theory, it should be renewed automatically 30 days before expiration. There is a background task running every hour that checks the cert. Something must have gone wrong. Are there any errors/warnings in the AppVeyor Event Log?
Feodor Fitsner closed this discussion on 03 Aug, 2020 09:03 PM.
Oliver Collyer re-opened this discussion on 09 Apr, 2021 12:43 PM
3 Posted by Oliver Collyer on 09 Apr, 2021 12:43 PM
So this has continued to happen every time it needs to renew, and today I finally got around to checking the log, which has the following entry:
Category: Appveyor.Services.SslManagementService
EventId: 0
Cannot renew Let's Encrypt certificate: Fail to load resource from 'https://acme-v02.api.letsencrypt.org/acme/new-order'.
urn:ietf:params:acme:error:badNonce: JWS has an invalid anti-replay nonce: "0003l5k9IZK-JykwwzeedaBjHq9o11vhjtDI7ZCS0iuo4o4"
4 Posted by Oliver Collyer on 09 Apr, 2021 12:48 PM
Also, just to add that I got an email from Let's Encrypt today saying it was time to renew (with 30 days left), and so far there are two entries for the above error in the log (but with a different anti-replay nonce each time).
The entries are spaced exactly an hour apart, so I'm guessing it will try this every hour now that it has started trying to renew.
Support Staff 5 Posted by Feodor Fitsner on 12 Apr, 2021 06:13 PM
Is it installed on Windows, Linux or macOS?
6 Posted by Oliver Collyer on 12 Apr, 2021 07:17 PM
Hello
It’s Windows - I think I figured it out though.
I didn’t realise that it was necessary to have port 80 open on my router and forwarded to my server, for the renewal to work. So once I did this, and then restarted the server, it renewed.
Ideally I wouldn’t have to leave port 80 open like that, perhaps it can be improved.
This thread has a discussion on this very topic:
https://community.letsencrypt.org/t/is-port-80-required-for-renewals/121432/3
Regards
Oliver
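A pre-renewal check for the situation described above, added here as an example and not code from AppVeyor or the original poster: it reads the expiry date of the certificate the server is currently serving on 443 and, once inside the 30-day renewal window, confirms that port 80 (which the ACME HTTP-01 validation needs) actually answers. The hostname is a placeholder; run the script from outside your LAN, since a port-80 check from inside the network says nothing about the router forwarding.

```powershell
# Added example (not AppVeyor's own code). Checks the TLS cert expiry of a
# self-hosted AppVeyor server and whether port 80 is reachable for HTTP-01 renewal.
param(
    [string]$AppVeyorHost = 'appveyor.example.com',  # placeholder; use your server's public name
    [int]$WarnDays = 30                               # Let's Encrypt renews ~30 days before expiry
)

function Get-RemoteCertExpiry {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any chain: we only want the leaf's NotAfter here,
        # not a trust decision (an expired cert would otherwise abort the handshake).
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        return $cert.NotAfter
    } finally {
        $client.Dispose()
    }
}

function Test-Port80 {
    param([string]$HostName)
    # Let's Encrypt connects to port 80 from its own validation servers; this only
    # proves the port answers from the machine running the script.
    $result = Test-NetConnection -ComputerName $HostName -Port 80 -WarningAction SilentlyContinue
    return $result.TcpTestSucceeded
}

$expiry   = Get-RemoteCertExpiry -HostName $AppVeyorHost
$daysLeft = [int]($expiry - (Get-Date)).TotalDays
Write-Host "Certificate for $AppVeyorHost expires $expiry ($daysLeft days left)"

if ($daysLeft -le $WarnDays) {
    Write-Warning "Inside the renewal window; AppVeyor's hourly task should now be attempting renewal."
    if (-not (Test-Port80 -HostName $AppVeyorHost)) {
        Write-Warning "Port 80 is not reachable: HTTP-01 renewal will fail. Check router forwarding and the Windows firewall."
    }
}
```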
Support Staff 7 Posted by Feodor Fitsner on 12 Apr, 2021 09:57 PM
Oh, of course it expects port 80 to be available for renewal (which I agree is a weird requirement). The error is confusing though. Thanks for the update!
Feodor Fitsner closed this discussion on 13 Jun, 2021 09:03 PM.