V-update-letsencrypt-ssl not working

v-update-letsencrypt-ssl is not working. No messages. It pauses a few seconds, then returns the prompt. It does not renew SSL. None of my domains' SSL certificates are updating.

/usr/local/hestia/data/users//web.conf

ENCRYPT_FAIL_COUNT='31'

============================================
# Let's Debug

Test result for domain.com using http-01

All OK!

OK

No issues were found with domain.com. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

Oracle Cloud, Ubuntu 20.04

Please help me diagnose this.

Could this be a problem?

ubuntu@hcp:~$ service bind9 status
× named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset:>
Active: failed (Result: exit-code) since Tue 2024-10-29 19:50:30 UTC; 8min>
Docs: man:named(8)
CPU: 28ms

Oct 29 19:50:30 hcp.domain.com systemd[1]: named.service: Control proces>
Oct 29 19:50:30 hcp.domain.com systemd[1]: named.service: Failed with re>
Oct 29 19:50:30 hcp.domain.com systemd[1]: Failed to start BIND Domain N>
Oct 29 19:50:30 hcp.domain.com systemd[1]: named.service: Scheduled rest>
Oct 29 19:50:30 hcp.domain.com systemd[1]: Stopped BIND Domain Name Serv>
Oct 29 19:50:30 hcp.domain.com systemd[1]: named.service: Start request >
Oct 29 19:50:30 hcp.domain.com systemd[1]: named.service: Failed with re>
Oct 29 19:50:30 hcp.domain.com systemd[1]: Failed to start BIND Domain N>

How do I fix it?

That variable is LETSENCRYPT_FAIL_COUNT and its value is 31; that means it failed to renew the certificate 31 times, and the maximum allowed failures is 30, so Hestia is ignoring the domain and it won't be renewed.

It will be easier to help if you share the actual domain.

If your domains are using Hestia as DNS provider, and bind doesn’t start, yes, that could be the problem.

Regarding bind errors, you should show the entire lines to know what’s going on.

systemctl restart named
systemctl status named --no-pager -l

Also, letsencrypt logs are located here:

/var/log/hestia/LE-yourdomain.log

1 Like

I forgot to say that if you want to reset to 0 the variable LETSENCRYPT_FAIL_COUNT for all your web and mail domains, you can use this command line:

for i in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]?'" /usr/local/hestia/data/users/); do sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$i";done

But don’t reset the count until you fix the root cause or you’ll have issues reaching Let’s Encrypt rate limits.

1 Like
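The loop above resets the counter for every domain at once. As an added example (not Hestia's own code and not from the thread), the following script first lists which domains have exhausted their retries and then resets the counter for one named domain only, which fits the advice to fix the root cause before retrying. It assumes Hestia's per-user `web.conf` / `mail.conf` layout of one domain per line with `KEY='value'` pairs (e.g. `DOMAIN='example.com' ... LETSENCRYPT_FAIL_COUNT='31'`); `HESTIA_DATA` can be pointed at a copy of the data directory for a dry run.

```shell
#!/usr/bin/env bash
# Added example, not Hestia's code. Audit and selectively reset
# LETSENCRYPT_FAIL_COUNT in Hestia's per-user web.conf / mail.conf files.
# Assumed file format: one domain per line, key='value' pairs, e.g.
#   DOMAIN='example.com' IP='203.0.113.10' LETSENCRYPT='yes' LETSENCRYPT_FAIL_COUNT='31'
set -eu

HESTIA_DATA="${HESTIA_DATA:-/usr/local/hestia/data/users}"
MAX_FAILS=30   # per the thread: once the count passes this, renewal is skipped

# Print "user conffile domain count" for each domain whose fail count is
# >= the given threshold (default 1, i.e. anything that has ever failed).
le_fail_audit() {
    local threshold="${1:-1}" line file rest domain count user
    grep -rH --include='web.conf' --include='mail.conf' \
        "LETSENCRYPT_FAIL_COUNT='[1-9]" "$HESTIA_DATA" 2>/dev/null |
    while IFS= read -r line; do
        file="${line%%:*}"          # grep -H prefixes "path:"
        rest="${line#*:}"
        domain=$(printf '%s\n' "$rest" | sed -n "s/.*DOMAIN='\([^']*\)'.*/\1/p")
        count=$(printf '%s\n' "$rest" | sed -n "s/.*LETSENCRYPT_FAIL_COUNT='\([0-9]*\)'.*/\1/p")
        if [ "${count:-0}" -ge "$threshold" ]; then
            user=$(basename "$(dirname "$file")")
            printf '%s %s %s %s\n' "$user" "$(basename "$file")" "$domain" "$count"
        fi
    done
}

# Reset the counter to 0 for ONE domain, in every conf file that lists it,
# leaving every other domain's count untouched.
le_fail_reset() {
    local domain="$1" esc file
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')   # dots are regex metachars
    grep -rl --include='web.conf' --include='mail.conf' \
        "DOMAIN='$esc'" "$HESTIA_DATA" 2>/dev/null |
    while IFS= read -r file; do
        sed -i "/DOMAIN='$esc'/s/LETSENCRYPT_FAIL_COUNT='[0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$file"
    done
}

# Typical use on the real host (as root, since the data directory is 0700):
#   le_fail_audit "$MAX_FAILS"        # who is over the limit?
#   le_fail_reset agencywoo.com       # after the cause is fixed
#   v-update-letsencrypt-ssl          # then retry the renewal
```

Running `le_fail_audit "$MAX_FAILS"` before resetting anything tells you which domains are being skipped; resetting only the domain you have just fixed keeps the retry loop from burning Let's Encrypt's failed-validation rate limit on domains that are still broken.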

ubuntu@hcp:~$ sudo systemctl status named --no-pager -l
× named.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/named.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Wed 2024-10-30 04:02:35 UTC; 2min 21s ago
Docs: man:named(8)
Process: 90641 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=1/FAILURE)
CPU: 17ms

Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: Failed to start BIND Domain Name Server.
Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: named.service: Scheduled restart job, restart counter is at 5.
Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: Stopped BIND Domain Name Server.
Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: named.service: Start request repeated too quickly.
Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: named.service: Failed with result 'exit-code'.
Oct 30 04:02:35 hcp.irarabinowitz.com systemd[1]: Failed to start BIND Domain Name Server.
==========================================

The log doesn't exist at that location: /var/log/hestia/LE-yourdomain.log

systemctl doesn't show any relevant error, so check the syslog:

sudo grep named /var/log/syslog

or use journalctl:

sudo journalctl -u named -l --no-pager --output=short-iso --since=yesterday

But I see your domains are not using Hestia as DNS provider; you are using Namecheap's DNS servers, so that shouldn't be the problem.

Also, the last time you issued or renewed a certificate was in February…

Reset the fail count and try again to issue or renew a certificate.

sudo su -
for i in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]?'" /usr/local/hestia/data/users/); do sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$i";done
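The systemd output pasted above only says `exit-code`; the actual reason is in the lines BIND writes itself. As an added example (not from the thread and not Hestia's code), here are two small helpers: one that extracts named's own error lines from a journalctl/syslog capture, and one that validates the configuration with `named-checkconf` before the unit is restarted. The sample journal lines in the test are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Helpers for diagnosing a BIND unit
# that fails to start: systemd only reports "exit-code"; the reason is in
# the lines logged by named itself.
set -eu

# Reads journalctl/syslog-style lines on stdin and prints only those
# emitted by the named process that look like errors, dropping systemd's
# own start/stop chatter. Always exits 0 so it can sit in a pipeline
# under set -e even when nothing matches.
bind_error_lines() {
    grep -E ' named\[[0-9]+\]: ' |
    grep -Ei 'error|fail|missing|unexpected|not found|permission denied' || true
}

# Validate named.conf and, with -z, every zone it loads, before touching
# the service. Returns 2 when named-checkconf is not installed so a caller
# can distinguish "tool missing" from "config broken" (exit 1).
bind_config_check() {
    command -v named-checkconf >/dev/null 2>&1 || return 2
    named-checkconf -z "${1:-/etc/bind/named.conf}"
}

# Typical use on the host (root needed for the journal and zone files):
#   sudo journalctl -u named --no-pager -o short-iso --since=yesterday | bind_error_lines
#   bind_config_check && sudo systemctl restart named
```

Once `bind_config_check` passes and `bind_error_lines` shows nothing new after a restart, the `dns failed to restart` condition that Hestia's renewal script trips over goes away.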

sudo for i in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]?'" /usr/local/hestia/data/users/); do sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$i";done
-bash: syntax error near unexpected token `do'

Without sudo I get:

grep: /usr/local/hestia/data/users/: Permission denied

You should not use sudo in front of the for loop, use it exactly as I posted.

First:

sudo su -

And once you are root:

for i in $(grep -rlE "LETSENCRYPT_FAIL_COUNT='[1-9][0-9]?'" /usr/local/hestia/data/users/); do sed -i "s/LETSENCRYPT_FAIL_COUNT='[1-9][0-9]*'/LETSENCRYPT_FAIL_COUNT='0'/" "$i";done

I reset LETSENCRYPT_FAIL_COUNT. Now I get a new error:

ubuntu@hcp:~$ sudo /usr/local/hestia/bin/v-update-letsencrypt-ssl
/usr/local/hestia/func/main.sh: line 99: [: dns failed to restart: integer expression expected
/usr/local/hestia/func/main.sh: line 160: exit: dns failed to restart: numeric argument required

Thank you for all of your help.

I think the DNS is handled by Namecheap.

Ok, your certificates have been renewed, that's good :wink:

Regarding the error, it is because bind is not starting, and to know what's going on you should check the logs as I explained earlier.

Yes, it is.

I still have issues with domains. http://agencywoo.com/ is not secure.

But did you enable the use of SSL for that web domain? Because you already issued certificates for the web domain staging.agencywoo.com and the mail domains mail.agencywoo.com and webmail.agencywoo.com.

I got it working. Thank you.

2 Likes