Cannot renew mail cert anymore

I’m running a docker mail server whose certificates were created with these commands:
export DV=/var/lib/mail/letsencrypt domain=home.werner.cologne;
sudo mkdir -p $DV/{log,etc};
sudo docker run --rm -ti -v $DV/log/:/var/log/letsencrypt/ -v $DV/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 deliverous/certbot certonly --standalone -d mail.${domain},smtp.${domain},imap.${domain},${domain}

If the certificates expire I renew them with
export DV=/var/lib/mail/letsencrypt domain=home.werner.cologne;
sudo mkdir -p $DV/{log,etc};
sudo docker run --rm -ti -v $DV/log/:/var/log/letsencrypt/ -v $DV/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 deliverous/certbot certonly --standalone -d mail.${domain},smtp.${domain},imap.${domain},${domain}

That worked for some years without problems, but now all I get is the error below.

My domain is: home.werner.cologne mail.home.werner.cologne smtp.home.werner.cologne imap.home.werner.cologne

I ran this command: export DV=/var/lib/mail/letsencrypt;
sudo docker run --rm -ti -v $DV/log/:/var/log/letsencrypt/ -v $DV/etc/:/etc/letsencrypt/ -p 80:80 -p 443:443 deliverous/certbot renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The file contains:
2020-08-04 13:05:13,196:DEBUG:certbot.main:certbot version: 0.28.0.dev0
2020-08-04 13:05:13,197:DEBUG:certbot.main:Arguments:
2020-08-04 13:05:13,197:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-08-04 13:05:13,216:DEBUG:certbot.log:Root logging level set at 20
2020-08-04 13:05:13,216:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-08-04 13:05:13,254:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f4802a88690> and installer <certbot.cli._Default object at 0x7f4802a88690>
2020-08-04 13:05:13,288:DEBUG:certbot.storage:Should renew, less than 30 days before certificate expiry 2020-08-01 12:56:44 UTC.
2020-08-04 13:05:13,288:INFO:certbot.renewal:Cert is due for renewal, auto-renewing…
2020-08-04 13:05:13,288:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2020-08-04 13:05:13,369:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f4802a6d490>
Prep: True
2020-08-04 13:05:13,370:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f4802a6d490> and installer None
2020-08-04 13:05:13,370:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2020-08-04 13:05:13,373:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/39865432', new_authzr_uri=None, terms_of_service=None), b52620b5ab0b319668fda5b6c69ca81d, Meta(creation_host=u'f40174f1bdf9', creation_dt=datetime.datetime(2018, 8, 8, 16, 26, 53, tzinfo=)))>
2020-08-04 13:05:13,375:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2020-08-04 13:05:13,376:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2020-08-04 13:05:18,385:WARNING:certbot.renewal:Attempting to renew cert (mail.home.werner.cologne) from /etc/letsencrypt/renewal/mail.home.werner.cologne.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4802a88210>: Failed to establish a new connection: [Errno -3] Try again',)). Skipping.
2020-08-04 13:05:18,395:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/opt/certbot/src/certbot/renewal.py", line 430, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/src/certbot/main.py", line 1165, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/main.py", line 611, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/opt/certbot/src/certbot/client.py", line 248, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/opt/certbot/src/certbot/client.py", line 51, in acme_from_config_key
    return acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/opt/certbot/src/acme/acme/client.py", line 761, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/opt/certbot/src/acme/acme/client.py", line 1095, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/src/acme/acme/client.py", line 1044, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 512, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/sessions.py", line 622, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python2.7/site-packages/requests/adapters.py", line 513, in send
    raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4802a88210>: Failed to establish a new connection: [Errno -3] Try again',))

2020-08-04 13:05:18,395:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-08-04 13:05:18,395:ERROR:certbot.renewal: /etc/letsencrypt/live/mail.home.werner.cologne/fullchain.pem (failure)
2020-08-04 13:05:18,396:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 11, in <module>
    load_entry_point('certbot', 'console_scripts', 'certbot')()
  File "/opt/certbot/src/certbot/main.py", line 1339, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/main.py", line 1246, in renew
    renewal.handle_renewal_request(config)


Processing /etc/letsencrypt/renewal/mail.home.werner.cologne.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Attempting to renew cert (mail.home.werner.cologne) from /etc/letsencrypt/renewal/mail.home.werner.cologne.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4802a88210>: Failed to establish a new connection: [Errno -3] Try again',)). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.home.werner.cologne/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.home.werner.cologne/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):

The operating system my web server runs on is (include version): Linux on Docker

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.28.0.dev0
I meanwhile upgraded the docker image and am now using certbot 0.31.0.dev0, with the same result.

Hi @einnordlicht

Read your output: your program can’t connect to Let’s Encrypt. It may be a wrong DNS configuration, a firewall or a network error.

Try to check traceroute acme-v02.api.letsencrypt.org from that process / running instance.


Thanks Juergen. Docker seems to work fine; I also checked with curl that I am able to reach it.

curl -v https://acme-v02.api.letsencrypt.org/directory

*   Trying 172.65.32.248...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (172.65.32.248) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
    CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=acme-v01.api.letsencrypt.org
*  start date: Jul 10 19:29:06 2020 GMT
*  expire date: Oct  8 19:29:06 2020 GMT
*  subjectAltName: host "acme-v02.api.letsencrypt.org" matched cert's "acme-v02.api.letsencrypt.org"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55a2fd9da580)
> GET /directory HTTP/2
> Host: acme-v02.api.letsencrypt.org
> User-Agent: curl/7.58.0
> Accept: */*

Good hint. I replaced the primary entry in the Docker host’s resolv.conf with a different DNS provider (the SOHO router). Now the certificate got renewed, so it seems to be indeed a DNS issue! Thanks for the rapid help and the valuable hint.

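The connectivity check suggested above and the DNS cause found in the reply, as an added example that is not from this thread: a small POSIX sh script that first maps the `[Errno N]` carried inside certbot's NewConnectionError to its cause (the `-3` in the log above is glibc's EAI_AGAIN, a temporary name-resolution failure, which is a resolver problem rather than a TLS or firewall one) and then probes name resolution and the ACME directory from wherever it is run. Because a container gets its own /etc/resolv.conf, running the probe inside the certbot container rather than on the host is what shows the difference. The function names, the sample line (copied from the output above) and the errno table are my own; nothing here is shipped by certbot.

```shell
#!/bin/sh
# Added example, not certbot's own tooling: triage a certbot connection error
# and probe DNS plus the ACME directory from the current network namespace.

ACME_HOST="acme-v02.api.letsencrypt.org"

# Sample line, constructed from the certbot log quoted in this thread.
SAMPLE_LINE="Failed to establish a new connection: [Errno -3] Try again"

# Map the errno inside urllib3's NewConnectionError to a probable cause.
# Negative values are getaddrinfo() (EAI_*) codes on glibc, so they mean
# the name never resolved; positive values are socket errors after a
# successful lookup.
classify_acme_error() {
    errno=$(printf '%s\n' "$1" | sed -n 's/.*\[Errno \(-\{0,1\}[0-9]\{1,\}\)\].*/\1/p')
    case "$errno" in
        -2)  echo "dns-noname" ;;       # EAI_NONAME: name does not exist (typo, search domain)
        -3)  echo "dns-temporary" ;;    # EAI_AGAIN: resolver unreachable or timing out
        -4)  echo "dns-failure" ;;      # EAI_FAIL: resolver returned a permanent failure
        101) echo "net-unreachable" ;;  # ENETUNREACH: no route (missing default route/VPN)
        110) echo "tcp-timeout" ;;      # ETIMEDOUT: packets silently dropped, usually a firewall
        111) echo "tcp-refused" ;;      # ECONNREFUSED: host reached, nothing listening (proxy?)
        "")  echo "no-errno" ;;         # line carries no [Errno N] at all
        *)   echo "other:$errno" ;;
    esac
}

# Probe the same two steps certbot performs before anything else:
# resolve the ACME host, then fetch the directory document over HTTPS.
# Returns 0 only when both succeed.
probe_acme() {
    host="${1:-$ACME_HOST}"
    echo "resolver config (non-comment lines of /etc/resolv.conf):"
    grep -v '^#' /etc/resolv.conf 2>/dev/null || echo "  (no /etc/resolv.conf)"
    if getent hosts "$host" >/dev/null 2>&1; then
        echo "resolve: ok -> $(getent hosts "$host" | awk '{print $1}' | head -n 1)"
    else
        echo "resolve: FAILED (this is what certbot's [Errno -2]/[Errno -3] reports)"
        return 1
    fi
    # -sS: quiet except for errors; --max-time: never hang; -o /dev/null: body irrelevant
    code=$(curl -sS --max-time 15 -o /dev/null -w '%{http_code}' "https://$host/directory") || return 1
    echo "directory: HTTP $code"
    [ "$code" = "200" ]
}

echo "sample line classified as: $(classify_acme_error "$SAMPLE_LINE")"

# Run the live probe only when asked, so the classifier can be used offline.
if [ "${1:-}" = "--probe" ]; then
    probe_acme "${2:-$ACME_HOST}"
fi
```

To run the probe where certbot actually runs, start a shell in the same image instead of certbot itself, for example `docker run --rm -ti --entrypoint sh deliverous/certbot` (assuming the image contains sh, getent and curl), paste the script and call `probe_acme`; if resolution fails there but succeeds on the host, the container's resolv.conf (derived from the host's) is the place to look, which is exactly what fixed the renewal in this thread.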
