After restoring (import) a SiteWorx backup from CLI, Letsencrypt Certs dont work

(I cant even post it: Im trying to post the issue here, but its telling me that i cant include links in forum posts. Despit there arent any links in the post)

Hello–

I’m not sure what you mean by “I can’t even post it”—what are you trying to specifically post? A copy/paste of something? A screenshot?

Can you provide more information as to what you mean by “don’t work”? Let’s Encrypt certificates are not included in backups, so if you mean it is missing, that is expected, and it will need to be re-generated.

Otherwise, more specific information would be helpful. I understand if you tried to provide those details initially and it failed, though. I know there was just an update to the forums the other day, though, unfortunately, I’m not certain what that specific update entailed. :frowning:

Well the forum does not let me post the part of the log that contains the error. Says that “You cant post links”, despite there arent any links in the text. So i cant provide info from logs or the interworx shell command that i used.

Basically I restored a backup (import) from a file onto an account that already exists. Called import i believe. The script gave some warnings about letsencrypt certs but completed. However the certs don’t work now, neither I can generate them through Siteworx.

Unfortunately the dev who did the update to the forum is on vacation for the next few weeks, without internet service, so I’m unable to contact him to see what might be going on with copy/pasting. Sorry about that. That is a weird thing I’ve never seen come up, before.

I don’t know what you mean by “don’t work now”. Do you mean that the sites are being shown as insecure in the browser?

It would probably be easiest if you just submitted a ticket to support.interworx.com and I can take a look for you. You’ll be able to provide the log information there, as well. When you do, you will need to also provide the IP, port if anything other than 22, and enable Remote Assistance. That will allow me to access your server, securely, and I can see what might be going on. :slight_smile:

The forum seems to interpret non-link text as links. That’s why its not allowing me post i believe.

The site was not being shown in the browser since it was insecure (invalid cert).

After a day it seems to have refreshed its certificate and now it appears. (this was a dev site). However now I’m hesitant to do any imports since it looks like i wont be able to import the cert or renew it for a long time.

Was your domain listed in the logging at all? My guess is that the forum saw the domain and interpreted it as a “link”. I changed some permission settings so hopefully that may have helped. Try posting a bit of the logging again, if you have it still saved.

As it is, this all sounds like expected behavior with Let’s Encrypt.

I’m making an assumption that you have AutoSSL enabled for the Let’s Encrypt plugin (under NodeWorx > Plugins).

Because of the DNS requirements for Let’s Encrypt, we don’t include Let’s Encrypt certs in backups. So the next step would be to generate one via SiteWorx. I don’t know what specific errors you saw when you attempted to do so, so I am unable to tell you why, specifically, that did not work at the time. (which is why it is often helpful to just submit a support ticket in cases like this. That way we can take a look and it takes out some of the guesswork).

However, if you have AutoSSL enabled, what that does is, when the next daily cron runs, it checks all domains without an SSL cert to see if DNS resolves to the server. If it does, it creates a cert for that domain. So that would explain why, the next day, there was a valid cert again–AutoSSL did its thing and generated the cert for the domain for you.

AutoSSL can manually be run, as well, if you don’t want to wait for the next daily, with the following:

~iworx/cron/iworx.pex --run-one=Autossl

1 Like

Here is the original post i prepared:

I restored a previously made full backup of a site using the command line with the command:

~iworx/bin/import.pex --archive=/chroot/home/backup.tgz --control-panel=siteworx --ip-address=8.8.8.8 --force

The restore worked, but it gave some warnings about letsencrypt symlinks:

WARNING
WARNING Found unexpected symlinks in var dir.
WARNING Excluding: cbtest/var/test.codebard.com/ssl/test.codebard.com.priv.key → /etc/letsencrypt/live/test.codebard.com/privkey.pem
WARNING Excluding: cbtest/var/test.codebard.com/ssl/test.codebard.com.crt → /etc/letsencrypt/live/test.codebard.com/cert.pem
WARNING Excluding: cbtest/var/test.codebard.com/ssl/test.codebard.com.chain.crt → /etc/letsencrypt/live/test.codebard.com/chain.pem
WARNING Hit Ctrl-C now to cancel, or wait to continue.
WARNING

Now the SLL on the site does not work. And when i go to SiteWorx and manually try to refresh the SSL cert through Letsencrypt, it fails. And in SiteWorx letsencrypt logs, this error is listed:

raise errors.AuthorizationError(‘Some challenges have failed.’)
AuthorizationError: Some challenges have failed.
Some challenges have failed.
IMPORTANT NOTES:

  • The following errors were reported by the server:
    Domain: domain com
    Type: dns
    Detail: DNS problem: NXDOMAIN looking up A for
    www.test.codebard.com - check that a DNS record exists for this
    domain

How to get around this?

And, is there a way to restore Letsencrypt cert of a backup while restoring the backup from command line?

Hello–

It looks like the two symptoms you’re experiencing are unrelated. Regarding your first issue, as Jenna mentioned, LE certs don’t get automatically restored, so that behavior is expected.

Secondly, the error “Some challenges have failed.” means that Let’s Encrypt was unable to find the DNS information for one of your domains. Based on the output of the error, I checked the A record for www.test.codebard.com and it doesn’t appear to have an A record for it:

[brandon@fedora ~]$ dig a www.test.codebard.com +short
[brandon@fedora ~]$

No output generally means there is no A record for that domain. This leaves two options: either add an A record for www.test.codebard.com or be sure you are not selecting www.test.codebard.com in the ‘Subject Alternative Name’ section of the Let’s Encrypt generation form (it is selected by default).

Then you should be able to generate the cert without issue.

Please let me know if you have any additional questions.

Thank you,
Brandon

1 Like

Ok, I think adding the a record for www.test did it. I used the autogenerate command…

~iworx/cron/iworx.pex --run-one=Autossl

…after that.

Is there a version of that command to process only one domain?

No, there is no way to target that command to generate an LE cert for just one domain. The script it calls runs through all domains on the server checking if they have an SSL, and an SSL is not present for the domain, it checks if DNS resolves to the server. Then it creates the SSL cert if the DNS criteria is met. It’s not really meant to be used to pinpoint just specific domains.

Generating an SSL for just a specific domain requires doing so from SiteWorx (and all the others will still have SSL certs generated for them when the next daily cron runs that script anyhow).