Can’t renew licenses due to ConnectionError (Resolved, thanks)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domains are:

loskill.net
matterloskill.ch
baristamuenchen.de
baristamuenchen.com
loskill.studio
loskill.ch

I ran this command:
sudo certbot --apache -d loskill.net -d www.loskill.net -d matterloskill.ch -d www.matterloskill.ch -d baristamuenchen.de -d www.baristamuenchen.de -d baristamuenchen.com -d www.baristamuenchen.com -d loskill.studio -d www.loskill.studio -d loskill.ch -d www.loskill.ch

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f3f3d2716f0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution'))

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2022-06-14T12:30:21

The operating system my web server runs on is (include version):

|Distributor ID:|Ubuntu|
|---|---|
|Description:|Ubuntu 22.04.1 LTS|
|Release:|22.04|
|Codename:|jammy|

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0

Please fix your DNS connectivity and try again.

Also, usually one would just run sudo certbot renew to renew a certificate (not called a "license") instead of using the full command used initially.


Hi Osiris.
Thanks for the quick reply, sorry for mislabeling the process – I’m a n00b.

Here it looks as if there are no issues: DNS Checker - DNS Check Propagation Tool
How and where could you produce the DNS error?

Edit: Sorry, now it produces errors on my side, too. Checking.
Edit2: Misread the interface, seems to resolve fine to IP 207.154.215.7

Any hint where I can find/resolve the error?

The error is for DNS on your server checking names outbound. Not checking the public DNS for your domain name.

These should work on your server (but do not seem to be):

nslookup acme-v02.api.letsencrypt.org
nslookup amazon.com

Ah, I see.
Yes, indeed, lookup fails for
acme-v02.api.letsencrypt.org
as well as
amazon.com (or any other common domain)

Thank you, Mike McQ.
I'm googling for a solution, but if you know what to look for off the top of your head, I'd be glad if you pointed me in a certain direction.


There are expert DNS volunteers here. Sadly, I know just enough to point out the error.

These answers might help them:
Are you in a container? (like docker)
Any key system changes since your July30 cert?


Yes, there was a key system change: new Ubuntu version.
Install crashed due to not enough memory. Could’ve corrupted something.

I’m asking in the DigitalOcean community first.
Obviously something’s broken in that part of the stack, don’t want to bother you guys here too much.

But really thank you for pointing out what’s wrong – in words I could understand.


What are the DNS servers being used?
cat /etc/resolv.conf


cat /etc/resolv.conf shows:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
# 127.0.0.53 is the systemd-resolved stub resolver.
# run "systemd-resolve --status" to see details about the actual nameservers.

nameserver 127.0.0.53
search DOMAINS

I did check the firewall as well.
ufw status verbose shows:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp (OpenSSH)           ALLOW IN    Anywhere                  
80,443/tcp (Apache Full)   ALLOW IN    Anywhere                  
22/tcp (OpenSSH (v6))      ALLOW IN    Anywhere (v6)             
80,443/tcp (Apache Full (v6)) ALLOW IN    Anywhere (v6)

Running systemd-resolve --status doesn’t work, by the way.
Shows:

Command 'systemd-resolve' not found, but can be installed with:
sudo apt install systemd

Installing it then yields:

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
systemd is already the newest version (249.11-0ubuntu3.4).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

¯\_(ツ)_/¯

What about resolvectl status


resolvectl status yields:

Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
      DNS Domain: DOMAINS

Link 2 (eth0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    DNS Domain: DOMAINS

And found that systemd-analyze cat-config systemd/resolved.conf works. It shows:

# /etc/systemd/resolved.conf
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it under the
# terms of the GNU Lesser General Public License as published by the Free
# Software Foundation; either version 2.1 of the License, or (at your option)
# any later version.
#
# Entries in this file show the compile time defaults. Local configuration
# should be created by either modifying this file, or by creating "drop-ins" in
# the resolved.conf.d/ subdirectory. The latter is generally recommended.
# Defaults can be restored by simply deleting this file and all drop-ins.
#
# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
#
# See resolved.conf(5) for details.

[Resolve]
# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
#DNS=
#FallbackDNS=
#Domains=
#DNSSEC=no
#DNSOverTLS=no
#MulticastDNS=no
#LLMNR=no
#Cache=no-negative
#CacheFromLocalhost=no
#DNSStubListener=yes
#DNSStubListenerExtra=
#ReadEtcHosts=yes
#ResolveUnicastSingleLabel=no

So, uncommenting DNS= and entering the Cloudflare DNS servers into /etc/systemd/resolved.conf did it.
Thanks for all your effort and replies!

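The diagnosis and the fix from this thread, as an added shell example that is not part of the original posts. It reproduces, offline, what the replies walked through: /etc/resolv.conf points at the 127.0.0.53 stub, but `resolvectl status` lists no DNS servers for the global scope or for eth0 ("Current Scopes: none"), so every outbound lookup, including acme-v02.api.letsencrypt.org, fails with "Temporary failure in name resolution" while the public DNS for the poster's own domains is fine. The fix is written as a drop-in under /etc/systemd/resolved.conf.d/, which the header of resolved.conf itself recommends over editing the file in place. The function names `diagnose` and `write_dropin`, the drop-in file name `dns.conf`, the `DROPIN_DIR` variable and the Quad9 fallback are this example's own choices; the sample inputs are constructed from the output the poster showed.

```shell
#!/bin/sh
# Added example, not from the original thread. Runs offline against
# constructed input; on a real host replace the samples with
#   cat /etc/resolv.conf   and   resolvectl status
# and set DROPIN_DIR=/etc/systemd/resolved.conf.d (as root).

# Classify the resolver state.
#   $1 = contents of /etc/resolv.conf
#   $2 = output of `resolvectl status`
# Prints NOT_STUB   when resolv.conf does not point at the systemd stub,
#        OK         when resolved reports at least one upstream server,
#        NO_UPSTREAM when the stub is in place but has nowhere to forward.
diagnose() {
    rc="$1"; st="$2"
    if ! printf '%s\n' "$rc" | grep -Eq '^nameserver[[:space:]]+127\.0\.0\.53'; then
        echo NOT_STUB; return 0
    fi
    # resolvectl prints "DNS Servers: ..." (global/link) or "Current DNS Server: ..."
    # only when upstreams are configured; the poster's output had neither line.
    if printf '%s\n' "$st" | grep -Eq '^[[:space:]]*(Current )?DNS Server(s)?:[[:space:]]*[0-9a-fA-F.:]'; then
        echo OK
    else
        echo NO_UPSTREAM
    fi
}

# Write the fix as a drop-in instead of editing /etc/systemd/resolved.conf.
#   $1 = drop-in directory, $2 = DNS= value, $3 = FallbackDNS= value
# Prints the path of the file written.
write_dropin() {
    dir="$1"; dns="$2"; fb="$3"
    mkdir -p "$dir"
    printf '[Resolve]\nDNS=%s\nFallbackDNS=%s\n' "$dns" "$fb" > "$dir/dns.conf"
    chmod 0644 "$dir/dns.conf"
    echo "$dir/dns.conf"
}

# Constructed samples, taken from what the poster pasted.
SAMPLE_RESOLV='nameserver 127.0.0.53
search DOMAINS'
SAMPLE_STATUS='Global
       Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: foreign
      DNS Domain: DOMAINS

Link 2 (eth0)
Current Scopes: none
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
    DNS Domain: DOMAINS'

case "$(diagnose "$SAMPLE_RESOLV" "$SAMPLE_STATUS")" in
  NO_UPSTREAM)
    echo "stub resolver has no upstream servers; writing drop-in"
    # Scratch directory by default so the example never touches /etc.
    f=$(write_dropin "${DROPIN_DIR:-$(mktemp -d)}" \
        "1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com" \
        "9.9.9.9#dns.quad9.net")
    echo "wrote $f"
    echo "next: sudo systemctl restart systemd-resolved && resolvectl query acme-v02.api.letsencrypt.org"
    ;;
  NOT_STUB)
    echo "resolv.conf does not use the systemd stub; check its nameserver lines directly"
    ;;
  *)
    echo "resolver has upstream servers; the ConnectionError has another cause"
    ;;
esac
```

After writing the real drop-in, restart the service (`sudo systemctl restart systemd-resolved`) and confirm that `resolvectl status` now lists DNS Servers and that `resolvectl query acme-v02.api.letsencrypt.org` answers before rerunning `certbot renew`. A global DNS= entry restores service, but eth0 showing "Current Scopes: none" means the link never received its resolvers from the provider's DHCP/netplan configuration; that is worth checking separately if the failed upgrade is suspected of damaging the network config, since the static entry only covers the symptom.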
