500 when running dehydrated under cron

For a long time, my domains on all the hosts I handle (here I’m just picking one) have reliably failed at automatic renewal when using dehydrated under cron. At the same time, it always works fine when run by hand.

I also noticed it doesn’t happen when using the API v1 endpoint.

I contacted the developer of dehydrated, checking if he had ever seen such an error, but he didn’t recognize it and suggested I ask support directly here.

Thank you in advance.

My domain is:

mentors.debian.net

I ran this command:

chronic dehydrated -c

It produced this output:

# INFO: Using main config file /etc/dehydrated/config
# INFO: Using additional config file /etc/dehydrated/conf.d/local_conf.sh
Processing mentors.debian.net
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct  4 23:00:19 2019 GMT Certificate will expire
(Less than 30 days). Renewing!
 + Signing domains...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for mentors.debian.net
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for mentors.debian.net authorization...
  + ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/240758281/7dPHGg (Status 500)

Details:
HTTP/1.1 100 Continue
Expires: Sun, 08 Sep 2019 00:00:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 500 Internal Server Error
Server: nginx
Content-Type: application/problem+json
Content-Length: 119
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0001AYMAOW9DT981iF-WbZXsWWoomiWANf6zTo9ZtU8Ir98
Expires: Sun, 08 Sep 2019 00:00:15 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sun, 08 Sep 2019 00:00:15 GMT
Connection: close

{
  "type": "urn:ietf:params:acme:error:serverInternal",
  "detail": "Problem getting authorization",
  "status": 500
}

My web server is (include version):

apache2 2.4.38

The operating system my web server runs on is (include version):

Debian 10

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

dehydrated 0.6.2-2+deb10u1 (but the latest 0.6.5-1 that doesn’t have any debian patch also shows the same behaviour).

Looks like an issue at the CA. Or at least, there is something wrong with the request when it’s generated via cron, but the true cause is downcast into “internal error” - not too helpful. @lestaff

In the meantime, you could try temporarily renaming your dehydrated account directory (accounts/<ID>/) to something else, and registering another account:

dehydrated register --accept-terms

This would have the effect of abandoning any bugged out orders/authorizations, perhaps allowing your renewal cron to succeed.
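For unattended runs, the "Details:" dump quoted in the question can be triaged automatically. The following is an added example, not code from the thread or from dehydrated: it skips the interim `100 Continue` response, reads the final status and the problem document, and maps the ACME error type to an action. The function names, the sample text and the action policy are assumptions of this example.

```python
import json
import re
# Constructed sample: the "Details:" block from the question, shortened.
SAMPLE = """HTTP/1.1 100 Continue

HTTP/1.1 500 Internal Server Error
Content-Type: application/problem+json

{"type": "urn:ietf:params:acme:error:serverInternal",
 "detail": "Problem getting authorization",
 "status": 500}
"""
STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)? (\d{3})")
ACME_PREFIX = "urn:ietf:params:acme:error:"
# Error types are from RFC 8555; the action mapping is this example's own policy.
ACTIONS = {"serverInternal": "retry-later", "badNonce": "retry-now",
           "rateLimited": "back-off", "unauthorized": "fix-client", "malformed": "fix-client"}

def parse_acme_failure(details):
    lines = details.splitlines()
    # Interim responses ("100 Continue") come first; only the last status line counts.
    starts = [i for i, l in enumerate(lines) if STATUS_RE.match(l)]
    if not starts:
        raise ValueError("no HTTP status line found")
    final = lines[starts[-1]:]
    status = int(STATUS_RE.match(final[0]).group(1))
    headers, body_at = {}, len(final)
    for i, line in enumerate(final[1:], start=1):
        if not line.strip():          # blank line ends the header block
            body_at = i + 1
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    problem = {}
    if headers.get("content-type", "").startswith("application/problem+json"):
        try:
            problem = json.loads("\n".join(final[body_at:]))
        except ValueError:            # truncated or non-JSON body: keep problem empty
            pass
    return status, headers, problem

def triage(details):
    status, _, problem = parse_acme_failure(details)
    kind = problem.get("type", "")
    short = kind[len(ACME_PREFIX):] if kind.startswith(ACME_PREFIX) else None
    default = "retry-later" if status >= 500 else "fix-client"
    return {"status": status, "error": short, "detail": problem.get("detail"),
            "action": ACTIONS.get(short, default)}
```

A `serverInternal` result carries no client-fixable cause, so a cron wrapper built on this can only retry later and alert if the failure persists across runs, as it did here.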

> Looks like an issue at the CA. Or at least, there is something wrong with the request when it’s generated via cron, but the true cause is downcast into “internal error” - not too helpful. @lestaff

Is @lestaff valid? It doesn’t seem to resolve to a known user.

Thank you for your answer, I’ll try on a machine to register a new account and see if cron works there.

lestaff is a user group, but the bit about it not being highlighted has been reported before and seems to just be a visual glitch…