Certificates not renewed when using custom ACME Endpoint

[steilerDev]

Bug description

For my internal network (where I cannot get letsencrypt certificates) I've set up a step-ca server exposing an ACME endpoint. This works flawlessly, until the certificates expire and the companion would need to refresh them. This does not happen automatically and I need to run the force_renew script manually (which works 100% of the time).

Maybe I am missing some parameter, but could not find anything in the docs. Looking for advice on how I'll be able to automate the cert refreshing.

Thanks!

acme-companion image version

Info: running acme-companion version v2.1.0-16-g027c3cf

nginx-proxy's Docker configuration

version: '2'
services:
  nginx-proxy:
    image: nginxproxy/nginx-proxy
    container_name: nginx-proxy
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    environment:
      DEFAULT_HOST: pihole.steilergroup.net
    volumes:
      - /var/run/docker.sock:/tmp/docker.sock:ro
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/conf:/etc/nginx/conf.d
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/vhost:/etc/nginx/vhost.d
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/html:/usr/share/nginx/html
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/dhparam:/etc/nginx/dhparam
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/certs:/etc/nginx/certs
  nginx-acme:
    image: nginxproxy/acme-companion
    container_name: nginx-proxy-acme
    restart: unless-stopped
    environment:
      DEFAULT_EMAIL: [email protected]
      ACME_CA_URI: https://hs.steilergroup.net:9000/acme/acme/directory
      CA_BUNDLE: /opt/acme-certs/root_ca.crt
      NGINX_PROXY_CONTAINER: nginx-proxy
    volumes_from:
      - nginx-proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /opt/steilerGroup-Docker/step-ca/volumes/config/certs:/opt/acme-certs
      - /opt/steilerGroup-Docker/nginx-proxy/volumes/acme:/etc/acme.sh
networks:
  default:
    external:
      name: steilerGroup

Containers logs

The acme-companion logs (this is repeated hundreds of times)

Creating/renewal home.steilergroup.net certificates... (home.steilergroup.net)
[Sat Aug 14 14:33:59 UTC 2021] Domains not changed.
[Sat Aug 14 14:33:59 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:03 UTC 2021
[Sat Aug 14 14:33:59 UTC 2021] Add '--force' to force to renew.
Creating/renewal log.home.steilergroup.net certificates... (log.home.steilergroup.net)
[Sat Aug 14 14:33:59 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:00 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:08 UTC 2021
[Sat Aug 14 14:34:00 UTC 2021] Add '--force' to force to renew.
Creating/renewal mail.steilergroup.net certificates... (mail.steilergroup.net)
[Sat Aug 14 14:34:00 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:00 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:12 UTC 2021
[Sat Aug 14 14:34:00 UTC 2021] Add '--force' to force to renew.
Creating/renewal paperless.steilergroup.net certificates... (paperless.steilergroup.net)
[Sat Aug 14 14:34:00 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:00 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:17 UTC 2021
[Sat Aug 14 14:34:00 UTC 2021] Add '--force' to force to renew.
Creating/renewal pihole.steilergroup.net certificates... (pihole.steilergroup.net)
[Sat Aug 14 14:34:01 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:01 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:22 UTC 2021
[Sat Aug 14 14:34:01 UTC 2021] Add '--force' to force to renew.
Creating/renewal premiumizer.steilergroup.net certificates... (premiumizer.steilergroup.net)
[Sat Aug 14 14:34:01 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:01 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:27 UTC 2021
[Sat Aug 14 14:34:01 UTC 2021] Add '--force' to force to renew.
Creating/renewal wiki.steilergroup.net certificates... (wiki.steilergroup.net)
[Sat Aug 14 14:34:02 UTC 2021] Domains not changed.
[Sat Aug 14 14:34:02 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:32 UTC 2021
[Sat Aug 14 14:34:02 UTC 2021] Add '--force' to force to renew.
Sleep for 3600s

Not sure if the nginx-proxy logs are of any use:

Custom dhparam.pem file found, generation skipped
forego      | starting dockergen.1 on port 5000
forego      | starting nginx.1 on port 5100
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/home.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/log.home.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/log.home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/paperless.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/paperless.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/pihole.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/pihole.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/premiumizer.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/premiumizer.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/wiki.steilergroup.net.crt"
nginx.1     | nginx: [warn] "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/wiki.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: using the "epoll" event method
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: nginx/1.21.1
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: built by gcc 8.3.0 (Debian 8.3.0-6)
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: OS: Linux 4.19.0-17-amd64
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: getrlimit(RLIMIT_NOFILE): 1048576:1048576
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker processes
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 31
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 32
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 33
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 34
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 35
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 36
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 37
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 38
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 39
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 40
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 41
nginx.1     | 2021/08/27 13:22:28 [notice] 26#26: start worker process 42
dockergen.1 | 2021/08/27 13:22:28 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
dockergen.1 | 2021/08/27 13:22:28 Watching docker events
dockergen.1 | 2021/08/27 13:22:28 Error inspecting container: e81eca84e34c96beab807877251f1b7e8d9d8c2608719e3e664ddb24f8924188: No such container: e81eca84e34c96beab807877251f1b7e8d9d8c2608719e3e664ddb24f8924188
dockergen.1 | 2021/08/27 13:22:28 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
dockergen.1 | 2021/08/27 13:22:29 Received event start for container e81eca84e34c
dockergen.1 | 2021/08/27 13:22:29 Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification 'nginx -s reload'
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 1 (SIGHUP) received from 77, reconfiguring
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: reconfiguring
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/log.home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/paperless.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/pihole.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/premiumizer.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/wiki.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: using the "epoll" event method
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker processes
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 78
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 79
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 80
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 81
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 82
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 83
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 84
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 85
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 86
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 87
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 88
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: start worker process 89
nginx.1     | 2021/08/27 13:22:29 [notice] 32#32: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 31#31: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 37#37: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 39#39: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 33#33: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 36#36: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 34#34: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 38#38: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 35#35: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 41#41: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 32#32: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 37#37: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 34#34: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 40#40: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 35#35: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 39#39: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 36#36: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 33#33: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 38#38: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 41#41: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 40#40: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 39#39: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 37#37: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 32#32: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 34#34: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 35#35: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 38#38: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 36#36: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 33#33: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 41#41: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 40#40: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 42#42: gracefully shutting down
nginx.1     | 2021/08/27 13:22:29 [notice] 42#42: exiting
nginx.1     | 2021/08/27 13:22:29 [notice] 42#42: exit
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 34
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 34 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 37 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 40 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 41 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 41
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 42
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 42 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 32
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 32 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 39
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 39 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 38
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 33 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 38 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 36
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 36 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 17 (SIGCHLD) received from 35
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: worker process 35 exited with code 0
nginx.1     | 2021/08/27 13:22:29 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 1 (SIGHUP) received from 116, reconfiguring
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: reconfiguring
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/log.home.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/paperless.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/pihole.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/premiumizer.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [warn] 26#26: "ssl_stapling" ignored, no OCSP responder URL in the certificate "/etc/nginx/certs/wiki.steilergroup.net.crt"
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: using the "epoll" event method
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker processes
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 117
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 118
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 119
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 120
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 121
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 122
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 123
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 124
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 125
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 126
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 127
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: start worker process 128
nginx.1     | 2021/08/27 13:22:30 [notice] 82#82: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 83#83: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 84#84: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 78#78: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 80#80: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 87#87: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 85#85: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 81#81: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 86#86: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 88#88: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 79#79: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 83#83: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 86#86: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 81#81: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 82#82: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 78#78: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 84#84: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 87#87: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 80#80: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 88#88: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 79#79: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 85#85: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 83#83: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 86#86: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 81#81: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 82#82: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 88#88: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 84#84: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 78#78: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 80#80: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 87#87: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 79#79: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 89#89: gracefully shutting down
nginx.1     | 2021/08/27 13:22:30 [notice] 89#89: exiting
nginx.1     | 2021/08/27 13:22:30 [notice] 85#85: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 89#89: exit
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 86
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 80 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 86 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 78
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 78 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 81 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 84 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 85
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 85 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 79
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 79 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 88 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 83
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 83 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 82
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 82 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 89
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 89 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 17 (SIGCHLD) received from 87
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: worker process 87 exited with code 0
nginx.1     | 2021/08/27 13:22:30 [notice] 26#26: signal 29 (SIGIO) received

Docker host

• OS: Debian 10
• Docker version: 20.10.7

[hufhend]

Just today I had trouble renewing the certificate as well. Unfortunately, I run the acme-companion update every day, so I exceeded the maximum number of new requests, I have to wait for the log week.

[buchdag]

@steilerDev is the renewal date given by acme.sh in the acme-companion logs correct or not ?

@hufhend this issue is about using acme-companion with a custom ACME CA, not with Let's Encrypt.

[steilerDev]

Where/When would the date be printed in the logs?

[buchdag]

Those lines in the nginxproxy/acme-companion container logs:

[Sat Aug 14 14:34:00 UTC 2021] Skip, Next renewal time is: Fri Sep 24 20:41:17 UTC 2021

[steilerDev]

@buchdag in that case: no the date reflected in the log is not correct (one example, but this is true for all domains):

Creating/renewal paperless.steilergroup.net certificates... (paperless.steilergroup.net)
[Fri Oct  1 08:44:33 UTC 2021] Domains not changed.
[Fri Oct  1 08:44:33 UTC 2021] Skip, Next renewal time is: Wed Nov 24 06:00:12 UTC 2021
[Fri Oct  1 08:44:33 UTC 2021] Add '--force' to force to renew.

As you see I set the default and max cert duration to 720hrs and it seems that the acme-companion is always a month off.

[steilerDev]

Running /app/cert_status gives me the following output, seeming to read the cert correctly but somehow telling me that the fullchain is expired....

/etc/nginx/certs/paperless.steilergroup.net/fullchain.pem: EXPIRED
Certificate was issued by steilerGroup-CA-v3 Intermediate CA
Certificate was valid until Oct 25 06:00:09 2021 GMT
Subject Name:
- paperless.steilergroup.net
Certificate is used by the following domain(s):
- paperless.steilergroup.net

[buchdag]

I'm starting to suspect that the default acme.sh minimum validity before renewal isn't properly handling certificate issued with a validity < 1 month. Could you try issuing certificates with a validity of let's say 840 hours (35 days) ?

We used to have environment variables to configure this but I had to ditch this feature when moving to acme.sh, if this is what is causing your issue I'll look into adapting it to acme.sh.

[steilerDev]

Changing it to 840 hours gave me the following:

• Cert is valid until 7. November 2021 at 09:01:40 Central European Standard Time
• Logs show Skip, Next renewal time is: Thu Dec 2 08:01:34 UTC 2021

Then I adjusted the time to 90 days (2160 hours), in order to match the default behaviour of letsencrypt:

• Cert is valid until 1. January 2022 at 09:10:22 Central European Standard Time
• Logs show Skip, Next renewal time is: Thu Dec 2 08:10:25 UTC 2021

This still does not match, is this expected? Otherwise I will only be able to report back in 3 months time

[chspnk]

Hey all,
Are there any news regarding this? I think I ran into the same issue and can't figure out why the certificates are not renewed :-(
Or are there any ideas how to fix or workaround this?
Thanks in advance!

[sushifor1]

It looks like acme.sh just defaults to a renewal period of 60 days. This matches the timestamps I'm seeing where the "Skip, Next renewal time" is 60 days out. It also appears to match @steilerDev's logs as well.

I think adding an environment variable back to configure the "--days" argument of acme.sh will allow us to resolve this issue.

[sushifor1]

It looks like someone already made the changes necessary to support the --days parameter for acme.sh and submitted PR #896 and is pending review.

@buchdag Let me know if I can help move this along in any way.