After upgrading from 22.03 to 23.05 (on x86), acme failed to renew my certificates. What finally made it work was disabling uhttpd and opening port 80 to wan. I disabled uhttpd because acme.sh complained about port 80 already being bound. I opened port 80 to wan because acme returned a curl error about not being able to get something from the client (router).
Am I the only one with this problem? What could be the cause? Using the up-to-date script from acme.sh git didn't help. Also reinstalling luci-app-acme did nothing.
Sounds like acme.sh is set up for HTTP-01 challenges through the standalone server mode. This runs a web server on port 80, which must be accessible to WAN in order for the challenge to work. Since LuCI is also running on port 80, acme.sh fails to work.
Since it appears you haven't opened port 80 before, it sounds like you were using DNS-01 challenge in 22.03. Is that the case?
I selected standalone mode - which btw worked before the upgrade with the same configuration. I also gave webroot mode a try, but it failed and complained about something; I can't remember but probably about port 80 again, and also that the feature is deprecated. I never tried dns (01 challenge, is that what it's called?), since I'm not aware if my ddns service provides anything of the sort.
Here's my config:
config cert 'nextcloud'
option use_staging '0'
option keylength 'ec-256'
list domains ddns-domain
option update_uhttpd '0'
option validation_method 'standalone'
option days '90'
option enabled '1'
I also encountered a similar issue, except that I chose the validation_method as 'dns'. However, when I used the command "/etc/init.d/acme start" to renew my certificate, acme invoked incorrect parameters, resulting in the following error:
Invalid status, example.dynv6.net:Verify error detail:119.167.19.210:
Fetching http://example.dynv6.net/.well-known/acme-challenge/2fS67GhI6v6Zozeq7xl0A8JZoRMN7djEEDXxaDhDApE:
Timeout during connect (likely firewall problem)
acme calls:
/usr/lib/acme/client/acme.sh --renew --home /etc/acme -d example.dynv6.net
but the correct command is:
/usr/lib/acme/client/acme.sh --renew -d example.dynv6.net
and then the result is right:
root@FriendlyWrt:~# /usr/lib/acme/client/acme.sh --renew -d example.dynv6.net
[Sun Dec 10 21:32:02 CST 2023] The domain 'example.dynv6.net' seems to have a ECC cert already, lets use ecc cert.
[Sun Dec 10 21:32:02 CST 2023] Renew: 'example.dynv6.net'
[Sun Dec 10 21:32:02 CST 2023] Renew to Le_API=https://acme.zerossl.com/v2/DV90
[Sun Dec 10 21:32:02 CST 2023] Skip, Next renewal time is: 2024-02-07T07:19:08Z
[Sun Dec 10 21:32:02 CST 2023] Add '--force' to force to renew.
Here is my /etc/config/acme:
config acme
option account_email 'myemail@gmail.com'
option debug '0'
config cert 'dynv6_net'
option enabled '1'
option use_staging '0'
option keylength '2048'
list domains 'example.dynv6.net'
option update_uhttpd '0'
option validation_method 'dns'
option dns 'dns_dynv6'
list credentials 'DYNV6_TOKEN="-ocpM-tyYoRaqU74XzxdBgfQFowyR5"'
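As an added example (not code from this thread or from the OpenWrt acme package): a short Python script that shows how the two /etc/config/acme sections posted above map onto acme.sh command lines, why the standalone method collides with uhttpd on tcp/80, and how --home changes which state directory a --renew reads. The acme.sh flags used (--issue, --renew, -d, --standalone, --webroot, --dns, --keylength, --staging, --days, --home) are the client's documented ones; the function names, the webroot path, the netstat snapshot and the placeholder token are assumptions made here.

```python
"""Map OpenWrt /etc/config/acme 'cert' sections to acme.sh invocations and run the
tcp/80 preflight that the standalone HTTP-01 method needs.
Added illustration, not the OpenWrt acme package's own run script.  Function names,
WEBROOT, the samples and the REDACTED_TOKEN placeholder are assumptions.
"""
import shlex

ACME_SH = '/usr/lib/acme/client/acme.sh'     # path used in the thread
WEBROOT = '/var/run/acme/challenge'          # assumed webroot for the webroot method


def parse_uci(text):
    """Minimal UCI parser: 'config' opens a section, 'option' sets a scalar, 'list'
    appends.  Returns [{'type', 'name', 'options', 'lists'}, ...]."""
    sections = []
    for raw in text.splitlines():
        parts = shlex.split(raw, comments=True)
        if not parts:
            continue
        kw, rest = parts[0], parts[1:]
        val = rest[1] if len(rest) > 1 else None
        if kw == 'config':
            sections.append({'type': rest[0], 'name': val, 'options': {}, 'lists': {}})
        elif kw == 'option' and sections:
            sections[-1]['options'][rest[0]] = val or ''
        elif kw == 'list' and sections:
            sections[-1]['lists'].setdefault(rest[0], []).append(val or '')
    return sections


def credentials_env(cert):
    """'list credentials KEY="value"' entries become environment variables for the
    acme.sh DNS hook (dns_dynv6 reads DYNV6_TOKEN from the environment)."""
    env = {}
    for cred in cert['lists'].get('credentials', []):
        key, sep, val = cred.partition('=')
        if sep:
            env[key.strip()] = val.strip().strip('"\'')
    return env


def acme_argv(cert, renew=False, home=None):
    """acme.sh argv implied by one 'cert' section.  On --renew acme.sh reuses the
    settings stored under its home directory, so only the domain is passed;
    --home selects which state directory that is."""
    o, l = cert['options'], cert['lists']
    argv = [ACME_SH] + (['--home', home] if home else [])
    argv.append('--renew' if renew else '--issue')
    for d in l.get('domains', []):
        argv += ['-d', d]
    if not renew:
        method = o.get('validation_method', 'standalone')
        if method == 'standalone':
            argv.append('--standalone')     # acme.sh itself binds tcp/80, reachable from WAN
        elif method == 'webroot':
            argv += ['--webroot', WEBROOT]  # an existing web server on 80 serves the token
        elif method == 'dns':
            argv += ['--dns', o['dns']]     # e.g. dns_dynv6; no inbound port needed
        else:
            raise ValueError(f'unknown validation_method {method!r}')
        argv += ['--keylength', o.get('keylength', '2048')]
        if o.get('days'):
            argv += ['--days', o['days']]
    if o.get('use_staging') == '1':
        argv.append('--staging')
    return argv


def tcp_listeners(netstat_text):
    """Local addresses in LISTEN state from `netstat -tln`-style output."""
    return [f[3] for f in (line.split() for line in netstat_text.splitlines())
            if len(f) >= 6 and f[0].startswith('tcp') and f[-1] == 'LISTEN']


def port_conflict(listeners, port=80):
    """Sockets that would stop acme.sh --standalone from binding `port`."""
    return [a for a in listeners if a.endswith(f':{port}')]


# Constructed samples: the two cert sections from the thread (token replaced by a
# placeholder) and a netstat snapshot of a router with uhttpd on 80/443.
SAMPLE_STANDALONE = """config cert 'nextcloud'
	option use_staging '0'
	option keylength 'ec-256'
	list domains ddns-domain
	option update_uhttpd '0'
	option validation_method 'standalone'
	option days '90'
	option enabled '1'
"""
SAMPLE_DNS = """config cert 'dynv6_net'
	option enabled '1'
	option use_staging '0'
	option keylength '2048'
	list domains 'example.dynv6.net'
	option update_uhttpd '0'
	option validation_method 'dns'
	option dns 'dns_dynv6'
	list credentials 'DYNV6_TOKEN="REDACTED_TOKEN"'
"""
SAMPLE_NETSTAT = """Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
"""

if __name__ == '__main__':
    for cert in parse_uci(SAMPLE_STANDALONE) + parse_uci(SAMPLE_DNS):
        print(' '.join(acme_argv(cert)), credentials_env(cert))
    print('standalone blocked by', port_conflict(tcp_listeners(SAMPLE_NETSTAT)))
```

Run it as-is to see the two issue commands; pass renew=True and home='/etc/acme' to acme_argv to see the renew form the init script used. The preflight is the check to run before picking standalone: if anything is already listening on tcp/80 (uhttpd by default), either stop it for the duration of the challenge, switch to webroot so that server answers the challenge, or use a DNS method, which needs no inbound port at all and therefore no WAN firewall rule.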