Is anyone maintaining acme.sh?

[dnessett]

I have been using acme.sh for about 9 months. In the last week or so, certification renewal stopped working. I reported the problem by commenting on a post which another user made that appeared to be the same issue as I had (#4951). However, no one has responded (there seemed to be a BOT response, but nothing else) to the original poster or to my plus 1 comment. I then looked at the issues traffic and it seems that posts to it are being ignored. I say this because the last issues post that received any attention was (#4927) made on Dec 24, 2023. All subsequent posts have no response except for what appears to be a bot response specifying:

"Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you."

Am I right to suspect that acme.sh is no longer supported?

[Neilpang]

No, the issue you mentioned already has solutions in the comments. just change the CA to letsencrypt. there could be some temp errors from zerossl.

[dnessett]

Thanks for the reply.

Changing the CA to letsencrypt didn't work:

acme.sh --set-default-ca --server letsencrypt [Thu Jan 25 11:39:44 PM MST 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory

acme.sh --renew -d mountolive.com [Thu Jan 25 11:45:58 PM MST 2024] The domain 'mountolive.com' seems to have a ECC cert already, lets use ecc cert. [Thu Jan 25 11:45:58 PM MST 2024] Renew: 'mountolive.com' [Thu Jan 25 11:45:58 PM MST 2024] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Thu Jan 25 11:45:59 PM MST 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory [Thu Jan 25 11:45:59 PM MST 2024] Single domain='mountolive.com' [Thu Jan 25 11:45:59 PM MST 2024] Getting domain auth token for each domain [Thu Jan 25 11:46:01 PM MST 2024] Getting webroot for domain='mountolive.com' [Thu Jan 25 11:46:01 PM MST 2024] Adding txt value: lJfiST9mH9s178baf7mpRHnlSyJn-U2MzVdBYR6PvNw for domain: _acme-challenge.mountolive.com [Thu Jan 25 11:46:01 PM MST 2024] You didn't specify a Cloudflare api key and email yet. [Thu Jan 25 11:46:01 PM MST 2024] You can get yours from here https://dash.cloudflare.com/profile. [Thu Jan 25 11:46:01 PM MST 2024] Error add txt for domain:_acme-challenge.mountolive.com [Thu Jan 25 11:46:01 PM MST 2024] Please add '--debug' or '--log' to check more details. [Thu Jan 25 11:46:01 PM MST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

I need to renew the wildcard cert *.mountolive.com. Renewing mountolive.com doesn't seem to do that. When I tried:

acme.sh --renew -d *.mountolive.com [Thu Jan 25 11:51:10 PM MST 2024] Renew: '*.mountolive.com' [Thu Jan 25 11:51:10 PM MST 2024] '*.mountolive.com' is not an issued domain, skip.

The displayed error occurs. I also tried accessing server.mountolive.com using https and got the privacy warning, suggesting the wildcard cert is not renewed.

By the way, the dns name mountolive.com and its wildcard *.mountolive.com is managed by IONOS, not Cloudflare.

[dnessett]

Some further information. After running:

acme.sh --set-default-ca --server letsencrypt

and

acme.sh --renew -d mountolive.com

I decoded mountolive.com.cer, which should have been updated to use letsencrypt. However, the cert was not renewed:

cat mountolive.com.cer -----BEGIN CERTIFICATE----- MIIEDzCCA5agAwIBAgIQTXGjggWwBddx34l+5OmXdDAKBggqhkjOPQQDAzBLMQsw CQYDVQQGEwJBVDEQMA4GA1UEChMHWmVyb1NTTDEqMCgGA1UEAxMhWmVyb1NTTCBF Q0MgRG9tYWluIFNlY3VyZSBTaXRlIENBMB4XDTIzMTAyMTAwMDAwMFoXDTI0MDEx OTIzNTk1OVowGTEXMBUGA1UEAxMObW91bnRvbGl2ZS5jb20wWTATBgcqhkjOPQIB BggqhkjOPQMBBwNCAASuWTqwiUQcGyHmXJy1w4lTKo3tRr2W/+mq3SxHEhZCrzBC v8vRaCAuXYgtWSEu2/L9qB5QJZLQ70UN5B5dd85Uo4ICjDCCAogwHwYDVR0jBBgw FoAUD2vmS845R672fpAeefAwkZLIX6MwHQYDVR0OBBYEFNdbHZvcbA8p/EX1xphB UUcnRu+YMA4GA1UdDwEB/wQEAwIHgDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQG CCsGAQUFBwMBBggrBgEFBQcDAjBJBgNVHSAEQjBAMDQGCysGAQQBsjEBAgJOMCUw IwYIKwYBBQUHAgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCB iAYIKwYBBQUHAQEEfDB6MEsGCCsGAQUFBzAChj9odHRwOi8vemVyb3NzbC5jcnQu c2VjdGlnby5jb20vWmVyb1NTTEVDQ0RvbWFpblNlY3VyZVNpdGVDQS5jcnQwKwYI KwYBBQUHMAGGH2h0dHA6Ly96ZXJvc3NsLm9jc3Auc2VjdGlnby5jb20wggEEBgor BgEEAdZ5AgQCBIH1BIHyAPAAdgB2/4g/Crb7lVHCYcz1h7o0tKTNuyncaEIKn+Zn TFo6dAAAAYtQ/N0PAAAEAwBHMEUCIQDPjHPAHixcqpQSjcVLMSiSZMYKtghuyhPm k7r2Hq5sKgIgRfWH+n78tbRaIU23JdZd4fNZkQDocy6qOGyncsnvb5wAdgDatr9r P7W2Ip+bwrtca+hwkXFsu1GEhTS9pD0wSNf7qwAAAYtQ/N1qAAAEAwBHMEUCIQCA Ht4DjgaVb/3ajQg4so7xNBfzV0eBL/1D6IhQLB2IdgIgIMfl/F1oKBdyF+BmHTqT ZVS/qJ7t75hESEh3IRj33ZQwKwYDVR0RBCQwIoIObW91bnRvbGl2ZS5jb22CECou bW91bnRvbGl2ZS5jb20wCgYIKoZIzj0EAwMDZwAwZAIwDn7UHmg3iCKoJyiHeZ9C IzIYMZHDnak3mJEOxtgmkNjBzfWfJ8GHIJM28GtTRpdZAjB+A8OCHIzq9BDav27M moarxrUipOck9GXCI5nIBqjcRxhfkP9MpFLdVQl+hJdxqU0= -----END CERTIFICATE-----

I used an online certificate parser to decode the certificate:

Certificate Information: Common Name: mountolive.com Subject Alternative Names: mountolive.com, *.mountolive.com Organization: Organization Unit: Locality: State: Country: Valid From: October 20, 2023 Valid To: January 19, 2024 Issuer: ZeroSSL ECC Domain Secure Site CA, ZeroSSL Serial Number: 4d71a38205b005d771df897ee4e99774

The Issuer remains ZeroSSL, which suggests that the:

acme.sh --set-default-ca --server letsencrypt

Did not work.

[Neilpang]

after you change the default ca, don't use '--renew', please use --issue to create a new cert.

[dnessett]

OK. I think I have solved the problem. I am documenting the solution here in case others encounter something similar.

Running acme.sh --issue -d mountolive.com did not work. I then tried: acme.sh --issue -d mountolive.com --dns dns_cf That also did not work, because (as I realized when looking at the command) this command specified cloudforce as the dns provider. However, the dns provider of the server machine is IONOS. So, I googled how to use acme.sh with IONOS. This is what I learned:

I had to set and export two shell environmental variables using a shell on the server machine:

export IONOS_PREFIX="<prefix value from previous IONOS API request"
export IONOS_SECRET="secret value from previous IONOS API request"

I honestly don't remember how I obtained these two values. I vaguely remember getting an API key from IONOS and using it according to instructions on the IONOS admin web site to get them.

Once I had these exported, I then ran the following command:

acme.sh --issue --dns dns_ionos -d *.mountolive.com --force

I used *.mountolive.com since I needed a wildcard cert for the machine.

This created the wildcard certificate and installed it and the corresponding private key in ~/.acme.sh/*.mountolive.com_ecc

We use apache2, so I then ensured that the virtual host associated with server was configured to use the wildcard certificate and private key stored in this directory (i.e., in /etc/apache2/sites-enabled/000-default.conf I made sure the virtual host had the following)'

SSLCertificateFile .../.acme.sh/*.mountolive.com_ecc/*.mountolive.com.cer SSLCertificateKeyFile .../.acme.sh/*.mountolive.com_ecc/*.mountolive.com.key

(note that the '...' replaces the name of the directory in which .acme.sh resides, which I have elided for privacy reasons).

I then restarted apache2 ('sudo apachectl restart' on Ubuntu) and things now work fine.