Renew letsencrypt certificate

We are using the built-in Let’s Encrypt functionality to set the SSL certificate for the pritunl web UI. However, for security we are closing port 80 to the server once the certificate is in place. We open it again a few days before the expiration of the current cert, but we’ve not seen pritunl automatically update the certificate.

What is the best way to get the pritunl service to get a new Let’s Encrypt certificate if I cannot get to the web UI?

The next release will include the command sudo pritunl renew-ssl-cert to manually renew Let’s Encrypt certificates.

Thanks!

Can you tell me why the current version isn’t automatically renewing it?

The server will automatically renew the certificate after 80 days. The top right logs will show any errors that occur on the renewal.

What we’ve been doing is closing off port 80 after the renewal and opening it again a day or two before the certificate expires. Twice in a row, pritunl has failed to update the certificate.

This can be avoided in the next release by using the command sudo pritunl renew-ssl-cert that will immediately trigger a certificate renewal.
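The two posts above give the timing that matters here: Let’s Encrypt certificates are valid for 90 days and pritunl attempts renewal once the certificate is 80 days old, so port 80 has to be open during that last 10-day window rather than "a day or two" before expiry. The script below is an added example, not code from the pritunl project or from anyone in this thread; it reads the notAfter date in the format printed by `openssl x509 -enddate`, reports whether the certificate is already inside that renewal window, and assumes GNU date (`date -d`). The 80-day figure comes from the thread; the 90-day lifetime is Let’s Encrypt’s standard validity period.

```shell
#!/bin/sh
# Added example (not pritunl project code): is the served certificate inside the
# renewal window in which pritunl will try to renew it? Assumes GNU date.

# Let's Encrypt issues 90-day certificates; per the thread, pritunl retries
# renewal once the certificate is 80 days old, i.e. with <= 10 days remaining.
CERT_LIFETIME_DAYS=90
RENEW_AFTER_DAYS=80

# days_between START END -> whole days from START to END (negative if END is in
# the past). Both arguments are any date string GNU date understands, e.g. the
# "Nov 30 14:08:56 2023 GMT" form that `openssl x509 -enddate` prints.
days_between() {
    start=$(date -u -d "$1" +%s) || return 1
    end=$(date -u -d "$2" +%s) || return 1
    echo $(( (end - start) / 86400 ))
}

# in_renewal_window NOW NOT_AFTER -> exit 0 when the certificate has at most
# (90 - 80) = 10 days of validity left, so pritunl's renewal attempt is due and
# port 80 must be reachable; exit 1 otherwise.
in_renewal_window() {
    remaining=$(days_between "$1" "$2") || return 1
    [ "$remaining" -le $(( CERT_LIFETIME_DAYS - RENEW_AFTER_DAYS )) ]
}

# not_after_of HOST -> notAfter of the certificate HOST serves on port 443.
# Network call; only used when a hostname is passed on the command line.
not_after_of() {
    printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Usage: ./check-renewal-window.sh vpn.example.com   (hostname is a placeholder)
if [ $# -ge 1 ]; then
    host=$1
    now=$(date -u '+%b %d %H:%M:%S %Y GMT')
    not_after=$(not_after_of "$host") || { echo "could not fetch cert for $host" >&2; exit 2; }
    echo "$host: certificate expires $not_after ($(days_between "$now" "$not_after") days left)"
    if in_renewal_window "$now" "$not_after"; then
        echo "inside renewal window: open port 80 and watch the pritunl logs for ACME errors"
    else
        echo "not yet in renewal window: port 80 can stay closed"
    fi
fi
```

Run it from cron once a day against the VPN hostname; the day it reports "inside renewal window" is the day the firewall rule for port 80 needs to be in place, and the logs mentioned in the reply above are where a failed attempt will show up.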

Thanks, but that doesn’t help us now.

We ran into this same issue and were able to fix it by doing the following:

  1. Log in to the web UI
  2. Open settings
  3. Change the “Lets Encrypt Domain” value to an incorrect domain
  4. Save settings
  5. Wait for an error to be returned. It should show up in the Web UI and tell you to check the logs.
  6. Change the “Lets Encrypt Domain” value back to the correct domain
  7. Save the settings
  8. This should complete successfully

Hopefully the command to renew the cert comes out soon.

Thanks! We’ve already switched to a permanent certificate, but this is helpful in case we decide to switch back at some point.

@zach

The pritunl server is not automatically renewing the certificate after 80 days, and it’s showing the error below in the logs. It can be manually renewed with the command mentioned above, though.

I need this to be automated. Can you check the logs below?

[vpn.prod.***.io][2023-11-30 14:08:56,878][ERROR] Failed to get LetsEncrypt cert
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/handlers/settings.py", line 905, in settings_put
    acme.update_acme_cert()
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 67, in update_acme_cert
    csr = utils.generate_csr(private_key, settings.app.acme_domain)
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/utils/cert.py", line 72, in generate_csr
    with open(private_key_path, 'w') as private_key_file:
IOError: [Errno 2] No such file or directory: u'/tmp/pritunl_893fcc63e28441e9b1b2d62061efd9b5/c9d4d64eed124993bde76030aa8e2863.key'
  acme_domain = "vpn.prod.******.io"
[vpn.prod.*****.io][2023-11-30 14:09:06,101][ERROR] Failed to get LetsEncrypt cert
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/handlers/settings.py", line 905, in settings_put
    acme.update_acme_cert()
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 67, in update_acme_cert
    csr = utils.generate_csr(private_key, settings.app.acme_domain)
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/utils/cert.py", line 72, in generate_csr
    with open(private_key_path, 'w') as private_key_file:
IOError: [Errno 2] No such file or directory: u'/tmp/pritunl_893fcc63e28441e9b1b2d62061efd9b5/9fa0d37ec2d6403a8379302bfd466cc4.key'
  acme_domain = "vpn.prod.*****.io"

That is likely an SELinux error. What Linux distribution is used and what repository is used in /etc/yum.repos.d/pritunl.repo?

@zach
Repo used: https://repo.pritunl.com/stable/yum/amazonlinux/2/

Linux: Amazon Linux 2. Also, SELinux is disabled.

It may have been an issue fixed in an update. The logs show a v1.29 Python 2 release; there have been a lot of updates since that release.