Auto-renewal fails (curl error 52: Empty reply from server, LetsEncrypt Plesk Extension)

My domain is: mtin.de

I ran this command:
plesk lets encrypt plugin, current version (2.4.0), auto renewal (same happens when I manually press renew in plesk)

It produced this output:
[2017-10-22 08:58:42] ERR [extension/letsencrypt] Failed to renew certificate of domain ‘mtin.de’: POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/gJBn[...] failed: cURL error 52: Empty reply from server (see http://curl.haxx.se/libcurl/c/libcurl-errors.html)

My web server is (include version):
Plesk Onyx
Version 17.5.3 Update #25
httpd-2.2.15-60.el6.centos.6.x86_64

The operating system my web server runs on is (include version):
centos 6.9

I can login to a root shell on my machine (yes or no, or I don’t know):
yep

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk

The certificates were running fine for quite a while, there have been some auto renewals according to https://crt.sh/?q=%mtin.de but out of the blue the auto renewal is not working anymore. I did not (knowingly) touch the server configuration so I am a bit lost how to debug this issue. I have checked the LetsEncrypt Plesk plugin GitHub page for issues but could not find any that are related. Any help greatly appreciated!

(the issue is not limited to this one domain, all domains hosted on this server are failing to renew now)

There is some sort of connectivity issue between you and the Let’s Encrypt API server, or possibly your curl is broken somehow.

In a shell on the affected server, try running:

curl https://acme-v01.api.letsencrypt.org/directory

That should return a list of URLs in JSON format corresponding to various services provided by the ACME server. Does that work, or do you get an error?

What if you run:

curl -X POST https://acme-v01.api.letsencrypt.org/acme/new-authz

That should return an error in JSON including “Parse error reading JWS”, since you didn’t send a valid request. Does it return that, or some other error?
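
The two probes from the reply above, wrapped into a small triage script (an added example, not part of the original thread or of the Plesk extension). Function names and verdict strings are hypothetical; the exit-code meanings are curl's documented ones, and the URLs and expected bodies are the ACME v1 ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example: classify the result of each curl probe, then decide whether
# the fault is on the network/curl side or in the ACME client itself.
ACME_BASE="https://acme-v01.api.letsencrypt.org"   # ACME v1 endpoint from the thread

# classify_probe KIND CURL_EXIT BODY   (KIND is "directory" or "post")
classify_probe() {
  local kind="$1" rc="$2" body="$3"
  case "$rc" in
    0)  ;;                                   # transport worked, inspect the body below
    6)  echo "dns: could not resolve host"; return 0 ;;
    7)  echo "connect: could not connect to host"; return 0 ;;
    28) echo "timeout: operation timed out"; return 0 ;;
    35) echo "tls: SSL/TLS handshake failed"; return 0 ;;
    52) echo "empty-reply: connection closed with no response"; return 0 ;;
    60) echo "tls: server certificate not trusted by local CA store"; return 0 ;;
    *)  echo "curl-error: exit code $rc"; return 0 ;;
  esac
  case "$kind:$body" in
    directory:*'"new-authz"'*)        echo "ok: directory lists new-authz" ;;
    post:*'Parse error reading JWS'*) echo "ok: API rejected the unsigned POST as expected" ;;
    *)                                echo "unexpected: reply does not look like the ACME API" ;;
  esac
}

# overall_verdict DIR_RESULT POST_RESULT
overall_verdict() {
  case "$1" in ok:*) ;; *) echo "network: fix the failing probe first"; return 0 ;; esac
  case "$2" in ok:*) ;; *) echo "network: fix the failing probe first"; return 0 ;; esac
  echo "client: path to the API and system curl work; check the ACME client"
}

# probe KIND CURL_ARGS...   (needs network access)
probe() {
  local kind="$1" rc=0 body
  shift
  body=$(curl -sS --max-time 20 "$@") || rc=$?
  classify_probe "$kind" "$rc" "$body"
}

# Only touch the network when asked to: ./triage.sh --live
if [ "${1:-}" = "--live" ]; then
  d=$(probe directory "$ACME_BASE/directory")
  p=$(probe post -X POST "$ACME_BASE/acme/new-authz")
  printf '%s\n%s\n%s\n' "$d" "$p" "$(overall_verdict "$d" "$p")"
fi
```

Run on the affected server itself, as the same probes were in the thread; a result from another machine says nothing about that host's curl or network path.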

[root@v41299 ~]# curl https://acme-v01.api.letsencrypt.org/directory
{
  "ACwgzjBZLkQ": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
}
[root@v41299 ~]# curl -X POST https://acme-v01.api.letsencrypt.org/acme/new-authz
{
  "type": "urn:acme:error:malformed",
  "detail": "Parse error reading JWS",
  "status": 400
}

seems ok to me, right? also checked when curl was last updated, is way before the trouble started so also unlikely? thanks a lot for jumping in on this!

[root@v41299 ~]# rpm -qa --last | grep curl
curl-7.19.7-53.el6_9.x86_64                   Fri 07 Apr 2017 04:27:07 AM PDT
libcurl-7.19.7-53.el6_9.x86_64                Fri 07 Apr 2017 04:25:17 AM PDT

Nothing seems to be wrong with your connectivity to the API server or your system curl. The issue seems to be specific to Plesk’s plugin.

The version of the plugin you have installed was released just 7 days ago, so it could have a bug. You could try downgrading it, if possible.

The plugin is developed by Plesk, so please contact Plesk Support or their forums to report if downgrading it fixes your problem or for further assistance:


good catch! the failed renewal emails started rolling in exactly the day after the plugin was auto-updated. A simple remove and reinstall of the extension apparently fixed it, I could now manually renew the certificates from plesk! thanks a lot!
