LetsEncrypt Problem

Jun 13, 2026
Running Mail Gateway 9.1 (same problem happened on 9.0.7 which I upgraded to 9.1 due to this issue). Been running fine for several years - Letsencrypt always updated on time, no issues.

About a week ago, my LetsEncrypt cert expired and wasn't automatically renewed even though I made no changes to PMG.

I went in and forced a manual upgrade (using domain validation) and it worked. The next day, I noticed my cert had reverted to the older, expired one. I tried again, and renewal was successful but reverted back to the older cert after some time (less than a day). I tried again, and was denied by LetsEncrypt due to too many attempts (error 429) so my cert was stuck in an expired state presumably for a week until LetsEncrypt decided to allow me new certs.

To wait out LetsEncrypt's 7 day renewal denial window, I got a new cert from ZeroSSL and uploaded it just fine and it worked for two days.

This morning, however, PMG reverted to the older, expired cert and removed my custom ZeroSSL cert. I uploaded the new cert again and it works but I'm worried it will revert back soon and I'd like to try and figure out why it's doing that. I assume it has something to do with the auto-update function of ACME but I don't know how to fix it. I wonder why ACME won't update the cert properly automatically and reverts to the older one even though manual updating works. I also wonder why, with a new, non-LetsEncrypt SSL valid cert, does PMG/ACME overwrite it with an expired LetsEncrypt cert.

Please advise.
 
Make sure you have disabled all ACME accounts and domains in the GUI (although I would not expect the ACME implementation in PMG to set an expired certificate either) - please check if you have any external piece of software running that does this - also check for cronjobs and systemd-timers on PMG itself.

I'd check the journal for the time between manually setting the ZeroSSL certificate and the time when it was changed to the expired certificate - that should show how that happened.

I hope this helps!
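One way to do what the reply suggests in a repeatable way: snapshot the certificate files, notice when they are replaced, and print the timers, cron entries and journal for the interval in which it happened. This is an added example, not code from the thread or from Proxmox; it assumes PMG's default certificate paths under /etc/pmg and a Debian-style cron layout.

```shell
#!/bin/sh
# Added example: watch the PMG certificate files and, when one is replaced,
# show what ran in the meantime. Paths are assumed from PMG's default layout.
set -u

CERT_FILES="${CERT_FILES:-/etc/pmg/pmg-api.pem /etc/pmg/pmg-tls.pem}"
STATE_DIR="${STATE_DIR:-/var/tmp/pmg-cert-watch}"

# Content digest of a PEM file; sha256sum is used so no openssl is needed.
cert_digest() { sha256sum "$1" | cut -d' ' -f1; }

# Store the digest of each certificate file plus the time of the snapshot.
record_baseline() {
    mkdir -p "$STATE_DIR"
    for f in $CERT_FILES; do
        [ -r "$f" ] || continue
        cert_digest "$f" > "$STATE_DIR/$(basename "$f").sha256"
    done
    date '+%Y-%m-%d %H:%M:%S' > "$STATE_DIR/last_check"
}

# Compare current digests with the baseline. Prints "CHANGED <file>" for each
# replaced certificate; returns 1 if anything changed, 0 otherwise.
check_for_change() {
    changed=0
    for f in $CERT_FILES; do
        state="$STATE_DIR/$(basename "$f").sha256"
        [ -r "$f" ] && [ -r "$state" ] || continue
        if [ "$(cert_digest "$f")" != "$(cat "$state")" ]; then
            echo "CHANGED $f"
            changed=1
        fi
    done
    return $changed
}

# Candidates for what rewrote the file: every timer and cron entry on the box,
# then the journal since the last snapshot, filtered to certificate-related lines.
show_suspects() {
    since=$(cat "$STATE_DIR/last_check")
    systemctl list-timers --all --no-pager
    ls -l /etc/cron.d /etc/cron.daily 2>/dev/null; crontab -l 2>/dev/null
    journalctl --since "$since" --no-pager | grep -iE 'acme|cert|pem|certbot' || true
}

# Usage: run "baseline" once after installing the good cert, then "check"
# from a timer or by hand; on a change it prints the suspects and re-baselines.
case "${1:-}" in
    baseline) record_baseline ;;
    check)    check_for_change || { show_suspects; record_baseline; } ;;
esac
```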
 
Thanks for the reply. Still having issues. Logs show nothing except for errors related to error 429. The system will revert my valid certs to expired LetsEncrypt ones after some period of time. I don't have any cron jobs and the only systemd-timer I have related to LetsEncrypt is the default certbot one. I have no external apps accessing the server. I did have Pulse running but turned that off as a troubleshooting step last week and this has happened two times since then.

I was able to renew them yesterday to new LetsEncrypt certs and they lasted less than a day before being reverted to the expired ones. I did nothing to force that. It just happened at some point overnight. I tried again today and error 429 resulted so I can't renew them until next week.

I've resorted to setting the two ZeroSSL certs to immutable which works for now but that won't work long term. I'm gonna wait a couple of weeks and try again once my LetsEncrypt 429 errors resolve themselves and I'm allowed to renew again.

If I can't figure it out, I'll probably rebuild the server from scratch. If I backup/restore the config, what do I lose? I'm assuming the Spam quarantines but I can probably live with that. Anything else I should know about?