Problem with Let's Encrypt

You will need to keep following the acme tutorial to “install” them to a different location. The current location will be overwritten and is subject to change per the acme script. I like to install my certs to /etc/nginx/acmecerts/<domainname>.

Once the cert and key are installed to a location of your choice, the .conf file in your acme root directory cert folder for that domain will get populated with the install location. As you are running NGINX you will also need to add into the .conf file service nginx reload for the post update script so NGINX can see the new certs in the future after they get updated to the location of your choice.

And everything else @AnatomicJC is saying to do. If you install them as described above, the installed cert and key are ready for use.

Ok. Thank you. I don't know how, but I have achieved it. The only doubt I have is about renewing the certificate, because the command to renew it gives me an error.

root@passbolt:~/.acme.sh# acme.sh --renew -d passbolt.krack360.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[jue 28 abr 2022 10:08:54 CEST] Renew: 'passbolt.krack360.com'
[jue 28 abr 2022 10:09:21 CEST] Using CA: https://acme.zerossl.com/v2/DV90
[jue 28 abr 2022 10:09:21 CEST] Single domain='passbolt.krack360.com'
[jue 28 abr 2022 10:09:21 CEST] Getting domain auth token for each domain
[jue 28 abr 2022 10:09:44 CEST] Getting webroot for domain='passbolt.krack360.com'
[jue 28 abr 2022 10:09:44 CEST] Verifying: passbolt.krack360.com
[jue 28 abr 2022 10:09:44 CEST] Nginx mode for domain:passbolt.krack360.com
[jue 28 abr 2022 10:09:45 CEST] Can not find conf file for domain passbolt.krack360.com
[jue 28 abr 2022 10:09:45 CEST] Please add '--debug' or '--log' to check more details.
[jue 28 abr 2022 10:09:45 CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[jue 28 abr 2022 10:09:51 CEST] The dns manual mode can not renew automatically, you must issue it again manually. You'd better use the other modes instead.

root@passbolt:~# acme.sh --issue --nginx --dns -d passbolt.krack360.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[jue 28 abr 2022 09:43:31 CEST] Using CA: https://acme.zerossl.com/v2/DV90
[jue 28 abr 2022 09:43:31 CEST] Single domain='passbolt.krack360.com'
[jue 28 abr 2022 09:43:31 CEST] Getting domain auth token for each domain
[jue 28 abr 2022 09:44:01 CEST] Getting webroot for domain='passbolt.krack360.com'
[jue 28 abr 2022 09:44:01 CEST] Verifying: passbolt.krack360.com
[jue 28 abr 2022 09:44:01 CEST] Nginx mode for domain:passbolt.krack360.com
[jue 28 abr 2022 09:44:01 CEST] Can not find conf file for domain passbolt.krack360.com
[jue 28 abr 2022 09:44:01 CEST] Please add '--debug' or '--log' to check more details.
[jue 28 abr 2022 09:44:01 CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh


The problem here is you are using nginx mode, and it’s having trouble finding the nginx config file with that domain name. It should be possible to not use nginx mode.

  1. If you do acme.sh --issue --dns -d passbolt.krack360.com you will get the TXT to put in your dns settings of your domain.

  2. Then install the cert and key (to an existing folder of your choice):

acme.sh --install-cert -d passbolt.krack360.com \
--key-file       /etc/nginx/acmecerts/passbolt.krack360.com.key  \
--fullchain-file /etc/nginx/acmecerts/passbolt.krack360.com.cert \
--reloadcmd     "service nginx force-reload"

Make sure to note these locations and run the reconfigure for the passbolt package where you can point the app to these files.

Because you are doing manual, it won’t renew on its own. You will have to renew/reissue manually, which gives a new TXT string for DNS.

  3. To renew: acme.sh --renew -d passbolt.krack360.com

Upon renewal [Edit: of normally issued certs], if you have installed your cert files, it will push to that install location for you.

If you can get manual to work, that’s great. But getting the API set up to make it automated is what will still be needed. That requires adding a secret and key to your acme config, like the tutorial shows.

I would also delete the passbolt.krack360.com folder in the acme root folder before starting over with API.

I have an error to renew the certificate:


root@passbolt:~/.acme.sh# acme.sh --renew -d passbolt.krack360.com --yes-I-know-dns-manual-mode-enough-go-ahead-please
[jue 28 abr 2022 16:28:43 CEST] Renew: 'passbolt.krack360.com'
[jue 28 abr 2022 16:28:53 CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[jue 28 abr 2022 16:28:53 CEST] Can not init api for: https://acme.zerossl.com/v2/DV90.
[jue 28 abr 2022 16:28:53 CEST] Sleep 10 and retry.
[jue 28 abr 2022 16:29:14 CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[jue 28 abr 2022 16:29:14 CEST] Can not init api for: https://acme.zerossl.com/v2/DV90.
[jue 28 abr 2022 16:29:14 CEST] Sleep 10 and retry.
[jue 28 abr 2022 16:29:35 CEST] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6

So it will need to be reissued before 90 days down the road and cannot be renewed as a manually issued cert.

The point of manual is not a long term solution, of course.
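Since a manually issued cert has to be reissued by hand before it expires, an expiry check on the installed file is worth having. The following is an added example, not part of the original thread: the function names, the 30-day threshold and the throwaway self-signed certificate (constructed for the demo) are assumptions, and it relies only on the `openssl` command line.

```shell
#!/bin/sh
# Added example: warn before a manually issued certificate expires.

# cert_needs_reissue CERT_FILE DAYS   (hypothetical helper)
# Returns 0 if the cert expires within DAYS days or cannot be read,
# 1 if it is still valid beyond that window.
cert_needs_reissue() {
    cert_file=$1
    days=$2
    [ -r "$cert_file" ] || return 0   # missing/unreadable: treat as urgent
    # -checkend N exits 0 when the cert is still valid N seconds from now
    if openssl x509 -in "$cert_file" -noout \
        -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# cert_not_after CERT_FILE: print the notAfter date of the certificate
cert_not_after() {
    openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# make_sample_cert OUT_DIR DAYS: constructed self-signed cert, demo only
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=passbolt.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.cert" >/dev/null 2>&1
}

# Demo: a cert with 10 days left trips a 30-day warning threshold
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir" 10
if cert_needs_reissue "$demo_dir/sample.cert" 30; then
    echo "reissue now: expires $(cert_not_after "$demo_dir/sample.cert")"
fi
rm -rf "$demo_dir"
```

Run from cron against the installed file (for example the `--fullchain-file` path given to `--install-cert`), this gives advance notice while the cert is still on manual DNS mode.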

Ok. Thank you so much for so many answers, I appreciate it so much. But now my boss lets me do it through the API. I will write here if I have problems. Thanks again


Hi. I have solved it with DNS API. Thank you so much
