Acme.sh --renew timeout


#1

I issued a cert before, but it is now expired, and I can’t renew it. I copied the log below.
Thanks for the help!

My domain is: afoxcloud.tplinkdns.com

I ran this command: acme.sh --renew -d afoxcloud.tplinkdns.com -w <where is my root directory>

It produced this output:

[Fri Jan 11 00:07:54 CET 2019] The new-authz request is ok.
[Fri Jan 11 00:07:54 CET 2019] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057","token":"81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E"'
[Fri Jan 11 00:07:54 CET 2019] token='81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E'
[Fri Jan 11 00:07:54 CET 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:54 CET 2019] keyauthorization='81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI'
[Fri Jan 11 00:07:54 CET 2019] dvlist='afoxcloud.tplinkdns.com#81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI#https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057#http-01#/usr/local/www/apache24/data/nextcloud'
[Fri Jan 11 00:07:54 CET 2019] vlist='afoxcloud.tplinkdns.com#81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI#https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057#http-01#/usr/local/www/apache24/data/nextcloud,'
[Fri Jan 11 00:07:54 CET 2019] d='afoxcloud.tplinkdns.com'
[Fri Jan 11 00:07:54 CET 2019] ok, let's start to verify
[Fri Jan 11 00:07:54 CET 2019] Verifying:afoxcloud.tplinkdns.com
[Fri Jan 11 00:07:54 CET 2019] d='afoxcloud.tplinkdns.com'
[Fri Jan 11 00:07:54 CET 2019] keyauthorization='81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI'
[Fri Jan 11 00:07:54 CET 2019] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:54 CET 2019] _currentRoot='/usr/local/www/apache24/data/nextcloud'
[Fri Jan 11 00:07:54 CET 2019] wellknown_path='/usr/local/www/apache24/data/nextcloud/.well-known/acme-challenge'
[Fri Jan 11 00:07:54 CET 2019] writing token:81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E to /usr/local/www/apache24/data/nextcloud/.well-known/acme-challenge/81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E
[Fri Jan 11 00:07:54 CET 2019] Changing owner/group of .well-known to www:www
[Fri Jan 11 00:07:54 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:54 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI"}'
[Fri Jan 11 00:07:54 CET 2019] POST
[Fri Jan 11 00:07:54 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:54 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:07:55 CET 2019] _ret='0'
[Fri Jan 11 00:07:55 CET 2019] code='202'
[Fri Jan 11 00:07:55 CET 2019] sleep 2 secs to verify
[Fri Jan 11 00:07:57 CET 2019] checking
[Fri Jan 11 00:07:57 CET 2019] GET
[Fri Jan 11 00:07:57 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:57 CET 2019] timeout=
[Fri Jan 11 00:07:57 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:07:57 CET 2019] ret='0'
[Fri Jan 11 00:07:57 CET 2019] Pending
[Fri Jan 11 00:07:57 CET 2019] sleep 2 secs to verify
[Fri Jan 11 00:07:59 CET 2019] checking
[Fri Jan 11 00:07:59 CET 2019] GET
[Fri Jan 11 00:07:59 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:07:59 CET 2019] timeout=
[Fri Jan 11 00:07:59 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:07:59 CET 2019] ret='0'
[Fri Jan 11 00:07:59 CET 2019] Pending
[Fri Jan 11 00:07:59 CET 2019] sleep 2 secs to verify
[Fri Jan 11 00:08:01 CET 2019] checking
[Fri Jan 11 00:08:01 CET 2019] GET
[Fri Jan 11 00:08:01 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:08:01 CET 2019] timeout=
[Fri Jan 11 00:08:01 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:08:02 CET 2019] ret='0'
[Fri Jan 11 00:08:02 CET 2019] Pending
[Fri Jan 11 00:08:02 CET 2019] sleep 2 secs to verify
[Fri Jan 11 00:08:04 CET 2019] checking
[Fri Jan 11 00:08:04 CET 2019] GET
[Fri Jan 11 00:08:04 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:08:04 CET 2019] timeout=
[Fri Jan 11 00:08:04 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:08:04 CET 2019] ret='0'
[Fri Jan 11 00:08:04 CET 2019] Pending
[Fri Jan 11 00:08:04 CET 2019] sleep 2 secs to verify
[Fri Jan 11 00:08:06 CET 2019] checking
[Fri Jan 11 00:08:06 CET 2019] GET
[Fri Jan 11 00:08:06 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:08:06 CET 2019] timeout=
[Fri Jan 11 00:08:06 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:08:06 CET 2019] ret='0'
[Fri Jan 11 00:08:06 CET 2019] afoxcloud.tplinkdns.com:Verify error:Fetching http://afoxcloud.tplinkdns.com/.well-known/acme-challenge/81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E: Timeout during connect (likely firewall problem)
[Fri Jan 11 00:08:06 CET 2019] pid
[Fri Jan 11 00:08:06 CET 2019] No need to restore nginx, skip.
[Fri Jan 11 00:08:06 CET 2019] _clearupdns
[Fri Jan 11 00:08:06 CET 2019] skip dns.
[Fri Jan 11 00:08:06 CET 2019] _on_issue_err
[Fri Jan 11 00:08:06 CET 2019] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Fri Jan 11 00:08:06 CET 2019] url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:08:06 CET 2019] payload='{"resource": "challenge", "keyAuthorization": "81qJ0eGxq54-EuTStXSjuf0ap7IvFgGFuLCzSFT9G9E.5I3-nnqkVw_JJjAtNl1sXt89dLft5eJPbC_rYfDZ_lI"}'
[Fri Jan 11 00:08:06 CET 2019] POST
[Fri Jan 11 00:08:06 CET 2019] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/E49dXHfAqGNdxeCR8sWzSAClTX6MCeoFvRW7cqrYLeo/11318814057'
[Fri Jan 11 00:08:06 CET 2019] _CURL='curl -L --silent --dump-header /root/.acme.sh/http.header -g '
[Fri Jan 11 00:08:07 CET 2019] _ret='0'
[Fri Jan 11 00:08:07 CET 2019] code='400'

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): FreeBSD 11.2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

http://afoxcloud.tplinkdns.com/ times out for me too.

I can connect to https://afoxcloud.tplinkdns.com/ (getting the expired certificate).

Are you sure your firewall and port forwarding settings for port 80 are correct?

Maybe your ISP has started blocking port 80?


#3

Hi @Szloby

tplinkdns.com has terrible name servers.

Domain          DNSSEC   Nameserver
tplinkdns.com   no       U ns1.tplinkdns.com
                         U ns2.tplinkdns.com
com             yes      a.gtld-servers.net

com says these nameservers are authoritative, but checking them directly, there is no IP address.

So the IP address of your domain is only non-authoritative, and CAA queries fail.


#5

The authoritative glue records exist as:

nslookup -q=ns tplinkdns.com a.gtld-servers.net
tplinkdns.com nameserver = ns1.tplinkdns.com
tplinkdns.com nameserver = ns2.tplinkdns.com
ns1.tplinkdns.com internet address = 52.204.177.89
ns2.tplinkdns.com internet address = 54.87.217.253

But the authoritative nameservers fail to return themselves as authoritative for that domain:

nslookup -q=ns tplinkdns.com ns1.tplinkdns.com
Server: ns1.tplinkdns.com
Address: 52.204.177.89#53
*** Can't find tplinkdns.com: No answer

nslookup -q=ns tplinkdns.com ns2.tplinkdns.com
Server: ns2.tplinkdns.com
Address: 54.87.217.253#53
*** Can't find tplinkdns.com: No answer


#6

I solved the problem based on your replies.

  1. On my router somehow port forwarding for port 80 was turned off
  2. On my server in httpd.conf Listen was set to only 443

So, if I understand correctly, I need port 80 to renew a cert, but for running the website I need 443.
HTTPS is just new to me; this is the first time I have used a certificate for a website, and this was my first attempt to renew it.

Thanks for all of your replies!


#7

You still have DNS issues: http://dnsviz.net/d/afoxcloud.tplinkdns.com/dnssec/
[or whoever controls tplinkdns.com]


#8

Yes, you need port 80 to use http-01 validation.

If you use dns-01 validation, then you don’t need an open port or a running web server.

But if you have a website, you should always have port 80 open with correct http -> https redirects.
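
A pre-flight check for what this thread turned on, as an added example that is neither acme.sh's code nor from the thread: it writes a constructed token under the webroot and repeats the plain-HTTP fetch the validator makes on port 80, so a missing Listen 80, a closed port forward or a stale token file shows up before a renewal is attempted. It assumes Python 3.7+ and, for its self-test, a local http.server standing in for Apache on a loopback port.

```python
# Added example (not acme.sh code): pre-flight an http-01 renewal by repeating the CA's port-80 fetch. Host, token and key authorization values are constructed.
import functools, http.server, os, socket, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def write_challenge(webroot, token, keyauth):
    """Put <keyauth> at <webroot>/.well-known/acme-challenge/<token>, as acme.sh -w does."""
    d = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, token), "w") as f:
        f.write(keyauth)

def fetch_challenge(host, token, port=80, timeout=10):
    """Plain HTTP GET of the token, as the validator does. Returns (status, body) or (None, reason)."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.reason            # e.g. 404: wrong webroot or .well-known not served
    except (urllib.error.URLError, socket.timeout, OSError) as exc:
        # acme.sh's "Timeout during connect" lands here: nothing answered on port 80.
        return None, f"connect failed: {exc}"

def http01_ready(host, webroot, token, keyauth, port=80):
    """True only if the CA would read the exact key authorization back over port 80."""
    write_challenge(webroot, token, keyauth)
    status, body = fetch_challenge(host, token, port)
    return status == 200 and body == keyauth

def serve_webroot(webroot):
    """Stand-in for Apache: serve <webroot> on an ephemeral loopback port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def self_test(on_disk="tok.thumb", expected="tok.thumb"):
    """Run the check against a temp webroot; on_disk != expected simulates a stale token file."""
    with tempfile.TemporaryDirectory() as webroot:
        srv = serve_webroot(webroot)
        try:
            write_challenge(webroot, "tok", on_disk)
            status, body = fetch_challenge("127.0.0.1", "tok", port=srv.server_address[1])
            return status == 200 and body == expected
        finally:
            srv.shutdown(); srv.server_close()
```

For the real check, call http01_ready with the public hostname and the same webroot you pass to acme.sh -w, from a host outside your network, since a fetch from the server itself cannot see a router that has stopped forwarding port 80.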

