SSL cert not renewing

Hello, I'm having issues renewing my SSL certs; the certs have now expired.

I created them via ghost setup nginx ssl, and when I try to renew via /etc/letsencrypt/acme.sh --force --home /etc/letsencrypt --renew-all

I'm getting "Could not get nonce, let's try again". I'm using Ubuntu 18.04 on DigitalOcean.

Ghost CLI 1.12.0
Ghost 3.0.2

I have the same issue:

Version:

$ ghost -v
Ghost-CLI version: 1.13.1
Ghost version: 3.0.2 

Platform: Ubuntu 18.04

I have attempted:

$ ghost setup ssl
SSL has already been set up, skipping
ℹ Setting up SSL [skipped]

ghost setup ssl-renew produces no output.

Trying to renew the same way the cron job does:

sudo "/etc/letsencrypt"/acme.sh --cron --home "/etc/letsencrypt"
[Mon Nov 11 12:24:42 UTC 2019] ===Starting cron===
[Mon Nov 11 12:24:42 UTC 2019] Renew: 'xxxxxxxx'
[Mon Nov 11 12:24:42 UTC 2019] Single domain='xxxxxxxxxxxx'
[Mon Nov 11 12:24:42 UTC 2019] Getting domain auth token for each domain
[Mon Nov 11 12:24:42 UTC 2019] Getting webroot for domain='xxxxxx'
[Mon Nov 11 12:24:42 UTC 2019] Getting new-authz for domain='xxxxxxx'
[Mon Nov 11 12:24:43 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:24:47 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:24:50 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:24:54 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:24:57 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:01 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:06 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:10 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:13 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:17 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:20 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:24 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:28 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:31 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:35 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:38 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:42 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:46 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:49 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:53 UTC 2019] Could not get nonce, let's try again.
[Mon Nov 11 12:25:56 UTC 2019] The new-authz request is ok.
[Mon Nov 11 12:25:56 UTC 2019] Error, can not get domain token entry xxxxxxx
[Mon Nov 11 12:25:56 UTC 2019] Please add '--debug' or '--log' to check more details.
[Mon Nov 11 12:25:56 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon Nov 11 12:25:56 UTC 2019] Error renew xxxxxxxxxx.

Found the solution here:

I’m having similar problems - the auto-renew in cron looks good.

If I try ghost setup ssl-renew > log then log just contains:
[12:44:33] Checking for Ghost-CLI updates [started]
[12:44:33] Checking for Ghost-CLI updates [completed]
[12:44:33] Ensuring correct ~/.config folder ownership [started]
[12:44:33] Ensuring correct ~/.config folder ownership [completed]

Manually renewing certs with
/etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --renew-all --debug

results in (for each of my Ghost blogs)
[Mon 11 Nov 12:47:43 GMT 2019] di='/etc/letsencrypt/travels.two-drifters.co.uk/'
[Mon 11 Nov 12:47:43 GMT 2019] d='travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] Using config home:/etc/letsencrypt
[Mon 11 Nov 12:47:43 GMT 2019] DOMAIN_PATH='/etc/letsencrypt/travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] Renew: 'travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] Using config home:/etc/letsencrypt
[Mon 11 Nov 12:47:43 GMT 2019] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Mon 11 Nov 12:47:43 GMT 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon 11 Nov 12:47:43 GMT 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon 11 Nov 12:47:43 GMT 2019] Le_NextRenewTime='1571355119'
[Mon 11 Nov 12:47:43 GMT 2019] _on_before_issue
[Mon 11 Nov 12:47:43 GMT 2019] Le_LocalAddress
[Mon 11 Nov 12:47:43 GMT 2019] Check for domain='travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] _currentRoot='/var/www/travels/system/nginx-root'
[Mon 11 Nov 12:47:43 GMT 2019] _saved_account_key_hash is not changed, skip register account.
[Mon 11 Nov 12:47:43 GMT 2019] Read key length:
[Mon 11 Nov 12:47:43 GMT 2019] _createcsr
[Mon 11 Nov 12:47:43 GMT 2019] Single domain='travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] Getting domain auth token for each domain
[Mon 11 Nov 12:47:43 GMT 2019] Getting webroot for domain='travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] _w='/var/www/travels/system/nginx-root'
[Mon 11 Nov 12:47:43 GMT 2019] _currentRoot='/var/www/travels/system/nginx-root'
[Mon 11 Nov 12:47:43 GMT 2019] Getting new-authz for domain='travels.two-drifters.co.uk'
[Mon 11 Nov 12:47:43 GMT 2019] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Mon 11 Nov 12:47:43 GMT 2019] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon 11 Nov 12:47:43 GMT 2019] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon 11 Nov 12:47:43 GMT 2019] Try new-authz for the 0 time.
[Mon 11 Nov 12:47:43 GMT 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon 11 Nov 12:47:43 GMT 2019] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "travels.two-drifters.co.uk"}}'
[Mon 11 Nov 12:47:44 GMT 2019] RSA key
[Mon 11 Nov 12:47:44 GMT 2019] GET
[Mon 11 Nov 12:47:44 GMT 2019] url='https://acme-v01.api.letsencrypt.org/directory'
[Mon 11 Nov 12:47:44 GMT 2019] timeout
[Mon 11 Nov 12:47:44 GMT 2019] _CURL='curl -L --silent --dump-header /etc/letsencrypt/http.header '
[Mon 11 Nov 12:47:44 GMT 2019] ret='0'
[Mon 11 Nov 12:47:44 GMT 2019] POST
[Mon 11 Nov 12:47:44 GMT 2019] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon 11 Nov 12:47:45 GMT 2019] _CURL='curl -L --silent --dump-header /etc/letsencrypt/http.header '
[Mon 11 Nov 12:47:45 GMT 2019] _ret='0'
[Mon 11 Nov 12:47:45 GMT 2019] code='400'
[Mon 11 Nov 12:47:45 GMT 2019] The new-authz request is ok.
[Mon 11 Nov 12:47:45 GMT 2019] new-authz error: {"type":"urn:acme:error:badNonce","detail":"JWS has no anti-replay nonce","status": 400}
[Mon 11 Nov 12:47:45 GMT 2019] pid
[Mon 11 Nov 12:47:45 GMT 2019] No need to restore nginx, skip.
[Mon 11 Nov 12:47:45 GMT 2019] _clearupdns
[Mon 11 Nov 12:47:45 GMT 2019] skip dns.
[Mon 11 Nov 12:47:45 GMT 2019] _on_issue_err
[Mon 11 Nov 12:47:45 GMT 2019] Please add '--debug' or '--log' to check more details.
[Mon 11 Nov 12:47:45 GMT 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Mon 11 Nov 12:47:45 GMT 2019] socat doesn't exists.
[Mon 11 Nov 12:47:45 GMT 2019] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.0k 28 May 2019
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.10.3
built with OpenSSL 1.1.0f 25 May 2017 (running with OpenSSL 1.1.0k 28 May 2019)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-xpG2T2/nginx-1.10.3=. -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_geoip_module=dynamic --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-auth-pam --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-echo --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-dynamic-module=/build/nginx-xpG2T2/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module
socat:
[Mon 11 Nov 12:47:45 GMT 2019] Return code: 1
[Mon 11 Nov 12:47:45 GMT 2019] Error renew travels.two-drifters.co.uk.

acme.sh is v2.7.5

I tried updating one of my blogs to the latest Ghost - this needed ghost-cli updating of course, then worked OK, but it didn't change the acme.sh version or fix any problems.

It was all working until at least Sept 2019 (as seen from /etc/letsencrypt/acme.sh --home "/etc/letsencrypt" --list).

One thing that may be a cause is that I changed ISPs around that time, and my sites now have a different external IP address.

Any thoughts on how to fix this? Plan B will be to back up sites, images and themes and then wipe and reinstall - I don't really want to do this!
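The debug log above ends with the ACME server rejecting the request because the JWS carried no anti-replay nonce, after the client had repeatedly logged "Could not get nonce". The following is an added example, not code from this thread, from Ghost-CLI or from acme.sh, showing that protocol step in isolation: read the nonce out of a dumped response header (acme.sh writes one to /etc/letsencrypt/http.header, as the log shows) and refuse to sign the next request without it. HTTP header names are case-insensitive and HTTP/2 delivers them lowercased, so a client that matches only the exact spelling "Replay-Nonce" gets an empty nonce on a lowercase response; the thread does not establish that this is what broke acme.sh 2.7.5, the example only shows the mechanism and a robust way to do the step. Both header blocks are constructed samples, and the new-authz URL is the one from the log.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): extracting the ACME
# anti-replay nonce from a response header dump before signing a request.

# Constructed sample: header names in the casing a naive client expects.
HDR_MIXED='HTTP/1.1 200 OK
Server: nginx
Replay-Nonce: 0001abcDEFghiJKLmnoPQRstuVWXyz
Content-Type: application/json
'

# Constructed sample: the same response with lowercase header names, which is
# how HTTP/2 (and curl's --dump-header over HTTP/2) presents them.
HDR_LOWER='HTTP/2 200
server: nginx
replay-nonce: 0002abcDEFghiJKLmnoPQRstuVWXyz
content-type: application/json
'

# Fragile extraction: exact-case match on the header name. Returns nothing
# for the lowercase dump, and the caller then has no nonce to put in the JWS.
get_nonce_exact() {
    printf '%s' "$1" | grep '^Replay-Nonce:' | head -n 1 | cut -d: -f2- | tr -d ' \t\r'
}

# Robust extraction: case-insensitive name (RFC 7230 header names are
# case-insensitive), first match only, CR/LF and surrounding blanks removed.
get_nonce() {
    printf '%s' "$1" | grep -i '^replay-nonce:' | head -n 1 | cut -d: -f2- | tr -d ' \t\r'
}

# Build the JWS protected header for the next ACME request. Refuse to sign
# without a nonce: sending it anyway only earns urn:acme:error:badNonce
# ("JWS has no anti-replay nonce"), the error seen in the thread's log.
protected_header() {
    nonce="$1"; url="$2"
    [ -n "$nonce" ] || { echo "refusing to sign: no nonce extracted" >&2; return 1; }
    printf '{"alg":"RS256","nonce":"%s","url":"%s"}' "$nonce" "$url"
}

# Demo: the two extraction styles against both dumps, then one signed header.
for hdr in "$HDR_MIXED" "$HDR_LOWER"; do
    echo "exact-case match:  '$(get_nonce_exact "$hdr")'"
    echo "case-insensitive:  '$(get_nonce "$hdr")'"
done
NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
protected_header "$(get_nonce "$HDR_LOWER")" "$NEW_AUTHZ"; echo
protected_header "$(get_nonce_exact "$HDR_LOWER")" "$NEW_AUTHZ" || true
```

The fragile variant yields the nonce on the first dump and nothing on the second; the robust variant yields it on both. Refusing to sign on an empty nonce turns a silent retry loop into an immediate, diagnosable error.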

I was able to solve this issue with help from DigitalOcean support.

Thanks Graham - that has led to an almost complete solution. The -b option didn't work for me, but I did get a later version of acme.sh. I couldn't run it from /root because it doesn't like sudo and I didn't want to sudo su to root, so I simply copied it into /etc/letsencrypt after both saving the old one and changing the owner.

Running it on my own Raspberry Pi host blogs, it failed with a permissions error on the folder /var/www/website/system/nginx-root, so I changed the owner of this folder to the normal user (I need to sort out the security implications). It then ran and reissued the certificates - hoorah!

However, after each certificate renewal I get a reload error. Assuming this was an Nginx reload problem, I simply manually restarted Nginx and all seems to be good. I may need to add another cron job to do an Nginx restart after each cert renewal - no big deal.

Thanks again for such a prompt response!
Brian
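The last post runs into the two practical problems of a webroot renewal done as an unprivileged user: the challenge directory must be writable by that user, and the web server has to be reloaded afterwards. The script below is an added example, not code from this thread, from Ghost-CLI or from acme.sh. It checks that a token file can be created and read back under .well-known/acme-challenge (the only directory the HTTP-01 client needs to write), flags a world-writable challenge directory since chmod 777 lets any local account plant files the web server serves, and reloads nginx only after `nginx -t` validates the config. The Ghost-style path /var/www/<site>/system/nginx-root is taken from the thread's log; the demo uses a temporary directory, and the nginx binary path is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread, Ghost-CLI or acme.sh): pre-flight checks
# for an HTTP-01 webroot renewal run by an unprivileged user, plus a guarded
# nginx reload suitable for running after a renewal.
umask 022

# Challenge directory for a webroot (e.g. /var/www/<site>/system/nginx-root).
challenge_dir() {
    printf '%s/.well-known/acme-challenge' "$1"
}

# Return 0 if the current user can create, read back and delete a token file
# in the challenge directory, which is exactly what the ACME client must do.
challenge_dir_writable() {
    dir=$(challenge_dir "$1")
    mkdir -p "$dir" 2>/dev/null || return 1
    token="preflight-$$"
    printf 'probe' > "$dir/$token" 2>/dev/null || return 1
    got=$(cat "$dir/$token" 2>/dev/null)
    rm -f "$dir/$token"
    [ "$got" = "probe" ]
}

# Return 0 if the challenge directory is not world-writable, 1 if it is.
# Owner or group write for the renewal user is all that is required.
challenge_dir_not_world_writable() {
    dir=$(challenge_dir "$1")
    [ -d "$dir" ] || return 1
    [ -z "$(find "$dir" -prune -perm -002 -print)" ]
}

# Run both checks for one webroot; one verdict line each, non-zero on failure.
preflight() {
    webroot="$1"; rc=0; dir=$(challenge_dir "$webroot")
    if challenge_dir_writable "$webroot"; then
        echo "ok   writable:   $dir"
    else
        echo "FAIL writable:   $dir (grant the renewal user write access, not chmod 777)"; rc=1
    fi
    if challenge_dir_not_world_writable "$webroot"; then
        echo "ok   not o+w:    $dir"
    else
        echo "FAIL not o+w:    $dir is world-writable"; rc=1
    fi
    return $rc
}

# Reload nginx only after its config validates, so a bad vhost does not take
# the site down during an unattended renewal. Usable as acme.sh's --reloadcmd.
# Binary path is an assumption; the step is skipped where nginx is absent.
reload_nginx() {
    nginx_bin="${NGINX_BIN:-/usr/sbin/nginx}"
    [ -x "$nginx_bin" ] || { echo "nginx not found at $nginx_bin, skipping reload"; return 0; }
    "$nginx_bin" -t && "$nginx_bin" -s reload
}

# Demo on a throwaway webroot standing in for /var/www/<site>/system/nginx-root.
demo_root=$(mktemp -d)
preflight "$demo_root"
chmod 777 "$(challenge_dir "$demo_root")"
preflight "$demo_root" || echo "preflight failed as expected after chmod 777"
rm -rf "$demo_root"
```

Run `preflight /var/www/<site>/system/nginx-root` as the user the renewal cron job runs under; if only the writable check fails, giving that user ownership (or group write) of .well-known/acme-challenge alone is enough, and the rest of the webroot can stay owned by the Ghost service user.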