
rhand's avatar
Level 6

LE SSL Job Fails 9/10 times

Trying to renew a Let's Encrypt SSL certificate for a custom domain using https://github.com/smart48/le-ssl-laravel-package. It is our package, and one we never had issues with before, until we moved to a new server, but with optimized Nginx settings for the main app server block.

I run the command:

php artisan ssl-controller:update-certificate site.com
Certificate updating requested.

Then Laravel Horizon Job shows

Imagewize\SslManager\Jobs\UpdateCertificate
ID: 9fb8d0ea-fd8b-4aa5-900f-23da8f008b05
Queue: ssl-manager
Pushed: 2023-04-13 16:16:25
Completed: -
Data:
{
    "domain": "site.com",
    "renew": "false",
    "queue": "ssl-manager"
}

After 5 minutes it fails. Job gets 300 seconds and 3 tries it seems.

Failure shows

Illuminate\Queue\MaxAttemptsExceededException: Imagewize\SslManager\Jobs\UpdateCertificate has been attempted too many times or run too long. The job may have previously timed out. in /home/ploi/site.com/releases/5/vendor/laravel/framework/src/Illuminate/Queue/Worker.php:746

Base conf did get added

cat ~/smart48.com/shared/storage/tls/sites.d/site.com.conf
server {
    listen 80;
    listen [::]:80;
    server_name site.com;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        alias /home/ploi/app.com/shared/storage/tls/challenges/site.com;
    }

    # Reset connection
    location / {
        return 444;
    }
}

But post-challenge it is not replaced by the real complete Nginx configuration. Did not have the issue before. Also, cat /var/log/nginx/access.log |grep site shows nothing, and looking for "GET /.well-known/acme-challenge/ also shows nothing. Like the command did not trigger an ACME challenge renewal.

Anyone any ideas how to solve this?

0 likes
6 replies
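
The access-log check described in the post above, as an added example that is not part of the original post or the package: it counts requests under /.well-known/acme-challenge/ per HTTP status, assuming nginx's default combined log format (which does not record the Host header, so grepping for the domain name will usually match nothing). The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the package. Assumes nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $bytes "$referer" "$ua"

# acme_challenge_summary LOGFILE
# Prints "<status> <count>" for every request whose path starts with
# /.well-known/acme-challenge/. Empty output means no validation request
# reached this log at all.
acme_challenge_summary() {
    awk '
        BEGIN { FS = "\"" }                # $2 = request line, $3 = " status bytes "
        {
            split($2, req, " ")            # METHOD PATH PROTOCOL
            if (index(req[2], "/.well-known/acme-challenge/") != 1) next
            split($3, st, " ")             # st[1] = HTTP status
            count[st[1]]++
        }
        END { for (s in count) print s, count[s] }
    ' "$1" | sort -n
}

# write_sample_log FILE
# Writes constructed sample lines (documentation IP ranges, made-up tokens).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [13/Apr/2023:16:16:30 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.11 - - [13/Apr/2023:16:16:31 +0000] "GET /.well-known/acme-challenge/tokenA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
192.0.2.12 - - [13/Apr/2023:16:16:32 +0000] "GET /.well-known/acme-challenge/tokenB HTTP/1.1" 404 153 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
198.51.100.7 - - [13/Apr/2023:16:17:02 +0000] "GET / HTTP/1.1" 444 0 "-" "curl/8.0.1"
EOF
}

# Stand-alone use: sh acme_hits.sh /var/log/nginx/access.log
if [ -n "${1:-}" ]; then
    acme_challenge_summary "$1"
fi
```

A 200 row means the challenge file was served, a 404 row means the request reached the challenge location but no token file was found under the alias directory, and no rows at all means no challenge request was logged here.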
LaryAI's avatar
Level 58

It seems that the job is timing out after 5 minutes and 3 tries. You can try increasing the timeout and the number of tries in the configuration file of the package.

You can find the configuration file at config/ssl-manager.php. In this file, you can increase the timeout and tries values to a higher number.

For example, you can set the timeout to 600 (10 minutes) and the tries to 5.

return [
    // ...
    'jobs' => [
        'update_certificate' => [
            'timeout' => 600, // increase timeout to 10 minutes
            'tries' => 5, // increase number of tries to 5
        ],
    ],
];

After updating the configuration file, try running the command again and see if it works.

1 like
rhand's avatar
Level 6

Tried php artisan ssl-controller:update-certificate domain.com renew=true but it failed.. renew was still flagged as false..

{
"domain":"domain.com",
"renew":"false",
"queue":"ssl-manager"
}

Odd.. but then I realized I needed

php artisan ssl-controller:update-certificate site.com true
Certificate updating now.
+ Starting ...
+ Order expires 2023-04-14T02:28:41Z
+ Adding web server configuration for imagewize.com
+ Starting challenges
+ Getting certificate info (this can take a while)

but that command hung. And we had

2023/04/13 13:28:39 [crit] 390952#390952: *210 SSL_do_handshake() 
failed (SSL: error:0A00006C:SSL routines::bad key share) while SSL handshaking, 
client: 65.49.20.68, server: 0.0.0.0:443
rhand's avatar
Level 6

Mail on failure is also odd

{
    "notifiables": {
        "items": [
            {
                "routes": {
                    "mail": null
                }
            }
        ],
        "escapeWhenCastingToString": false
    },
    "notification": {
        "domain": "site.com",
        "id": "e1083e7c-f85c-446a-89fb-70ef49e54cdc"
    },
    "channels": [
        "mail"
    ]
} 

It seems not to have been set properly.

rhand's avatar
Level 6

Last run of php artisan ssl-controller:update-certificate site.com we had

[2023-04-15 03:21:58] production.ERROR: Get order info failed, the order url is: https://acme-v02.api.letsencrypt.org/acme/order/1048670227/174665053107, the code is: 404, the header is: HTTP/2 404
server: nginx
date: Sat, 15 Apr 2023 01:21:57 GMT
content-type: application/problem+json
content-length: 113
cache-control: public, max-age=0, no-cache
link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", the body is: Array
(
    [type] => urn:ietf:params:acme:error:malformed
    [detail] => No order for ID 174665053107
    [status] => 404
)
 {"exception":"[object] (stonemax\acme2\exceptions\OrderException(code: 0): Get order info failed, the order url is: https://acme-v02.api.letsencrypt.org/acme/order/1048670227/174665053107, the code is: 404, the header is: HTTP/2 404

server: nginx

date: Sat, 15 Apr 2023 01:21:57 GMT

content-type: application/problem+json

content-length: 113

cache-control: public, max-age=0, no-cache

link: <https://acme-v02.api.letsencrypt.org/directory>;rel=\"index\", the body is: Array
(
    [type] => urn:ietf:params:acme:error:malformed
    [detail] => No order for ID 174665053107
    [status] => 404
)

Will need to see how I can get the order renewed so did

php artisan ssl-controller:update-certificate site.com renew
Certificate updating requested.

but still

stonemax\acme2\exceptions\OrderException: Get order info failed, the order url is: https://acme-v02.api.letsencrypt.org/acme/order/1048670227/174665053107, the code is: 404, the header is: HTTP/2 404 

in Horizon.

rhand's avatar
Level 6

Working on a way to add a new order if order ID is missing. Reason for the ID to have gone missing at Let's Encrypt is not clear yet however.

/**
* If no order ID, create a new order
* @Exception stonemax\acme2\exceptions\OrderException: Get order info failed, 
* the order url is: https://acme-v02.api.letsencrypt.org/acme/order/x/y
* No order for ID x
*/
if (!$order->getOrderId()) {
    echo "+ Creating new order for " . $domain . "\r\n";
    $order = $client->createOrder(
        [
            CommonConstant::CHALLENGE_TYPE_HTTP => [$domain],
        ],
        CommonConstant::KEY_PAIR_TYPE_RSA
    );
}

// perhaps challenge needs to be removed as well as nginx configuration
//  $domainChallengeDirectory = "{$this->challengeDirectory}/{$domain}";
/* End for no order for ID x patch */
rhand's avatar
rhand
OP
Best Answer
Level 6

Updated the package. Also seems that the command I used to really renew the Let's Encrypt SSL certificate was php artisan ssl-controller:update-certificate domain.com now true, so previous commands were not correct. We may update the package further in the future to make commands easier and output clearer.
