[Bitnami Apache Wordpress Google Cloud Platform] SSL auto renew is not working #1777

Open
Owenhenderson opened this issue Feb 4, 2025 · 5 comments
Labels: bncert, tech-issues (The user has a technical issue about an application), triage (Triage is needed), wordpress

Comments

@Owenhenderson

Platform

Google Cloud Platform

bndiagnostic ID

SSL auto renew is not working

bndiagnostic output

No response

bndiagnostic was not useful. Could you please tell us why?

SSL auto renew is not working

Describe your issue as much as you can

Using SSH to create the initial SSL certificate using bncert-tool. However, it appears that no file has been saved into .well-known, which is required for the auto renew of the SSL. When checking file and directory permissions, all seems OK, giving result as drwxrwxr-x (775).
When trying to access https://SERVER-IP/.well-known it is blocked by "403 Forbidden You don't have permission to access this resource".
I have attempted to modify the bitnami.conf file through SSH but no changes suggested by ChatGPT or Gemini work.

@Owenhenderson Owenhenderson added the tech-issues The user has a technical issue about an application label Feb 4, 2025
@github-actions github-actions bot added the triage Triage is needed label Feb 4, 2025
@Owenhenderson
Author

owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache2/conf/bitnami$ sudo mkdir -p /opt/bitnami/apache/htdocs/.well-known/acme-challenge
echo "test" | sudo tee /opt/bitnami/apache/htdocs/.well-known/acme-challenge/test.txt
test
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache2/conf/bitnami$ sudo mkdir -p /opt/bitnami/apache/htdocs/.well-known/acme-challenge
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache2/conf/bitnami$ cd /opt/bitnami/apache/htdocs/.well-known/acme-challenge
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ ls
test.txt
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ sudo chmod -R 755 /opt/bitnami/apache/htdocs/.well-known
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ sudo chown -R bitnami:bitnami /opt/bitnami/apache/htdocs/.well-known
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ sudo /opt/bitnami/ctlscript.sh restart apache
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ sudo /opt/bitnami/ctlscript.sh status
apache already running
mariadb already running
php-fpm already running
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ ls -l /opt/bitnami/apache/htdocs/.well-known/acme-challenge/test.txt
-rwxr-xr-x 1 bitnami bitnami 5 Feb 4 06:36 /opt/bitnami/apache/htdocs/.well-known/acme-challenge/test.txt
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ sudo ls -l /opt/bitnami/apache/htdocs/.well-known/acme-challenge/
total 4
-rwxr-xr-x 1 bitnami bitnami 5 Feb 4 06:36 test.txt
owenhenderson@naturalvanilla-uk-vm:/opt/bitnami/apache/htdocs/.well-known/acme-challenge$ curl -I http://localhost/.well-known/acme-challenge/test.txt
HTTP/1.1 404 Not Found
Date: Tue, 04 Feb 2025 06:48:57 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

@gongomgra
Collaborator

Hi @Owenhenderson

Thanks for using Bitnami and sorry for the delay. Can you provide us with more information on the issue you are facing? Is the bncert-tool failing with errors? Which version of the tool are you using? Default file system permissions and configuration should be fine for the SSL certificate to be properly generated.

@Owenhenderson
Author

Hi, thanks for getting back to me. No matter what we tried, the auto renew would not work. We went through all available information in detail but with no success. The cronjob that was installed by the bncert-tool was running but failed every time to renew the SSL certificate. We were unable to determine the exact reason why, but it seems that no file was being written to .well-known and we also could not access .well-known despite changing file permissions.

We did however manage to get the ssl to auto renew using the alternative approach of setting up a different cronjob and running this script:

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --tls --email="your email address" --domains="yourdomain" --domains="www.yourdomain" --path="/opt/bitnami/letsencrypt" run
sudo /opt/bitnami/ctlscript.sh start apache

As shown in the script the auto renew will only work by stopping Apache and then restarting.


This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

@github-actions github-actions bot added the stale 15 days without activity label Feb 27, 2025
@gongomgra gongomgra removed the stale 15 days without activity label Feb 27, 2025
@gongomgra
Collaborator

gongomgra commented Feb 27, 2025

Hi @Owenhenderson,

I think I have understood your issue now. First of all, notice that the Let's Encrypt directory used to place the challenges is at /opt/bitnami/apps/letsencrypt/.well-known, not under /opt/bitnami/apache/htdocs. There are also two main differences between the renew command and the command in the manual approach guide:

  • The renew command from bncert-tool uses the HTTP challenge, while the manual approach uses the TLS challenge.
  • The HTTP challenge does not require restarting Apache beforehand, just reloading its configuration once the certificate has been recreated.

Apart from that, the renewal process (either of them) places the required challenge in the directory and clears it up once it has finished. Can you restore the original filesystem permissions and give us more information about the error message you are getting from the Lego tool? You can run the renew command available in the crontab in your shell to get more information about the issues it is finding when renewing the SSL certificates.

Additionally, can you run the bndiagnostic tool and share the generated code with us?
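
The directory mismatch described in the comment above can be checked directly. This is an added example, not part of the thread and not Bitnami or lego code: it drops a probe file into the challenge directory under a given root and confirms the web server returns it over plain HTTP. The function name `check_challenge_dir`, the `FETCH_CMD` override and the domain in the usage comment are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify that the directory believed to hold ACME HTTP-01
# challenges is the one the web server serves at /.well-known/acme-challenge/.
# FETCH_CMD is an assumption of this example; override it to use another client.
FETCH_CMD="${FETCH_CMD:-curl -fsS --max-time 10}"

# check_challenge_dir WEBROOT BASE_URL
#   WEBROOT  directory that contains .well-known (the thread names
#            /opt/bitnami/apps/letsencrypt for the Bitnami stack)
#   BASE_URL scheme and host only, e.g. http://yourdomain
# Returns 0 if the probe is served back intact, 1 if it is not served
# (wrong directory, 403/404, rewrite rule), 2 if the probe cannot be written.
check_challenge_dir() {
    webroot=$1
    base_url=$2
    dir="$webroot/.well-known/acme-challenge"
    name="probe-$$-$(date +%s)"      # unique name so nothing real is clobbered
    token="acme-probe-$$"            # constructed content, compared after fetch

    mkdir -p "$dir" 2>/dev/null || return 2
    { printf '%s' "$token" > "$dir/$name"; } 2>/dev/null || return 2

    # Fetch exactly the URL shape an HTTP-01 validator would request.
    body=$($FETCH_CMD "$base_url/.well-known/acme-challenge/$name" 2>/dev/null)
    rc=$?

    # Always remove the probe, as the renewal process does with its challenge.
    rm -f "$dir/$name"

    [ "$rc" -eq 0 ] && [ "$body" = "$token" ]
}

# Usage (run with enough privilege to write into the directory):
#   check_challenge_dir /opt/bitnami/apps/letsencrypt http://yourdomain \
#       && echo "challenge directory is served" \
#       || echo "not served from this directory (exit $?)"
```

A return of 1 for `/opt/bitnami/apache/htdocs` alongside 0 for `/opt/bitnami/apps/letsencrypt` would match the explanation in the comment above.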
