Dehydrated Cron Issues New Certificates and Rate Limit Reached


#1

It appears for some time the cron renewal has not been working, and I only found out when my site certificate timed out.

  1. Is the renewal server down? I’m getting

Processing candy.hoyle.me.uk with alternative names: www.hoyle.me.uk

  • Checking domain name(s) of existing cert… unchanged.
  • Checking expire date of existing cert…
  • Valid till Apr 30 05:26:00 2017 GMT Certificate will expire
    (Less than 30 days). Renewing!
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting challenge for candy.hoyle.me.uk
  • Requesting challenge for www.hoyle.me.uk
  • ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 500)

Details:

Error An error occurred while processing your request.

Reference #179.ae921602.1493577486.27917705

Shouldn’t I be getting email notifications that something has gone wrong before my site goes offline… luckily I only have 1 site on letsencrypt, but if I was running a lot (esp. if they were commercial) it could be catastrophic.


#2

Yes, you should. Are you sure you’ve entered the correct e-mail address at account registration (done through the client you’re using), or have you checked your spam folder?

By the way, looking at the certificates for *hoyle.me.uk, it looks like you’ve renewed a few times already. Like… Every day since the beginning of April!!!

Seems to me your client is broken…


#3

Your server is the one generating the error, and your server is the one not producing the certificate… there’s not much the client can do at that point (which is your client anyway, it’s not like I coded one up myself).

The point remains - I should have been notified, and I wasn’t. I don’t care if it’s the server or the client that does it, but having sites go offline with no warning isn’t good.


#4

I am not affiliated with Let’s Encrypt in any way.

But the fact there are 27 certificates issued for candy.hoyle.me.uk and www.hoyle.me.uk since April 1st says there’s nothing wrong with the issuing of certificates! See the link in my previous post so you can see for yourself.

Which client is it anyway? Because it doesn’t look like certbot, the officially supported client.

Edit:
The output looks like that of the dehydrated ACME client. That is a third party client, not an official one from Let’s Encrypt/EFF.

As I have said in my previous post (please click on the link…): there are MANY certificates issued for your hostnames, so from the perspective of Let’s Encrypt, the certificate is renewed and the system doesn’t need to warn you.

Also, I would suggest lowering the “accusing tone”, because you’re making assumptions which are not correct.

Obviously, the fact your client is getting certificates daily, but doesn’t do anything with them is not the answer to the Status 500 error above. But I would recommend identifying the “getting certs daily without doing anything with them” problem first.

I’m hoping commercial setups don’t rely on some lame expiration e-mail, but implement an error-proof system which warns the sysadmin itself.


#5

Hi there TonyHoyle!
Sorry to hear you’re running into this issue :frowning:
I work on Certbot, so I’m not 100% sure about how dehydrated should be handling it, but it seems the error you’re getting is with your connection to the Let’s Encrypt API.
For Certbot what this means is that you’ve successfully passed the challenge, and then when you go to talk to the Let’s Encrypt CA to actually get your cert from it, you’re getting an error.
So Osiris might be right that you have successfully generated a cert every day (probably for 27 days since your cert entered the expiration window) but Let’s Encrypt hasn’t been able to get the cert onto your server.
It’s possible (and I don’t know where your server is or how it’s managed) that your firewall configuration has changed and now you can’t access the Let’s Encrypt server, even though you previously could.
I’d suggest trying one of two things and posting the results here:
Try to generate a new certificate for a new subdomain, and see if you can successfully get the certificate from the Let’s Encrypt CA
Traceroute or nmap that URL and see what the output is - that should give you more of a sense of where the error is occurring.
I’m really sorry to hear that your cert expired on you :frowning2: also please feel free to join us in #letsencrypt on irc.freenode.net and we can try to provide more hands on help there once you’re ready to try to debug the issue.
My IRC screen name is ‘swartzcr’ or @cpu is ‘ccppuu’ and he can help as well.
Hope to get this resolved soon!


#6

hi @TonyHoyle

Client Selection is your responsibility and selecting a client that meets your requirements is something you should do.

Dehydrated (if this is the client you use) has a list of available commands

There is no command for email alerts so how would the client possibly do this?

There are a few steps you can do to fix this

A) Please let us know what the CRON Command you are using is
B) Have a look at the outputs folder and see if there is a valid certificate there. There should be, so you should be able to use it
C) If you would like to have a discussion on client options we can do :smiley:
D) Think about setting up extra parameters to your CRON jobs to email on failures etc

For example you have this cert which you should be able to configure

Andrei


#7

Email notifications of failure, with any client, would be a matter of how your cron daemon and cron jobs are configured. The Let’s Encrypt servers will warn you if you have certificates approaching expiration, but they didn’t do so because you’ve already renewed the certificate (several times, in fact).
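The wrapper below shows one way to do what posts #6 and #7 describe (make the cron job itself alert on failure) and also folds in the reachability check post #5 suggests. It is an added example, not code from this thread or from the dehydrated project. Everything site-specific is an assumption: the dehydrated path and `-c` invocation, the certificate path, the `mail(1)` transport, the probe host (taken from the hostname in post #1) and the ACME directory URL (the v01 endpoint quoted in the thread has since been retired, so point `ACME_DIR` at whatever your client is configured for).

```shell
#!/bin/sh
# Cron wrapper for an ACME client that alerts on every failure mode seen in
# this thread: the client exits non-zero or prints an ERROR line, the
# certificate on disk is close to expiry, or the web server still serves an
# old certificate although new ones keep being issued.
#
# Added example, not from the thread or the dehydrated project. All paths,
# the alert transport (mail) and the ACME directory URL are assumptions.

ACME_CMD="${ACME_CMD:-/usr/local/bin/dehydrated -c}"          # assumed path
CERT_FILE="${CERT_FILE:-/etc/dehydrated/certs/candy.hoyle.me.uk/fullchain.pem}"
SITE="${SITE:-candy.hoyle.me.uk}"                              # host to probe
MIN_DAYS="${MIN_DAYS:-20}"                                     # alert threshold
ALERT_TO="${ALERT_TO:-root}"
# The v01 URL from the thread is retired; use your client's directory URL.
ACME_DIR="${ACME_DIR:-https://acme-v01.api.letsencrypt.org/directory}"

# Alert transport. ALERT_CMD may name a shell function (the tests do that);
# the default pipes the body into mail(1). The subject also goes to stderr so
# cron's own MAILTO delivery fires even when mail(1) is not configured.
send_mail() { printf '%s\n' "$2" | mail -s "$1" "$ALERT_TO"; }
alert() {
  echo "renew-wrapper: $1" >&2
  "${ALERT_CMD:-send_mail}" "$1" "$2"
}

# Reachability check of the ACME API (post #5's "can you reach the CA at all?").
acme_reachable() { curl -fsS --max-time 15 "$ACME_DIR" >/dev/null 2>&1; }

# Run the client. Keep its output in RENEW_OUTPUT for the alert body and treat
# either a non-zero exit or an "ERROR:" line (dehydrated's failure marker, as in
# the Status 500 line in post #1) as a failure.
run_renewal() {
  RENEW_OUTPUT=$($ACME_CMD 2>&1)
  status=$?
  [ "$status" -eq 0 ] || return 1
  if printf '%s\n' "$RENEW_OUTPUT" | grep -q 'ERROR:'; then
    return 1
  fi
  return 0
}

# Succeeds only if the certificate on disk stays valid for at least $2 days.
# openssl's -checkend is portable across GNU and BSD userlands, unlike date -d.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# Compare the SHA-256 fingerprint the server presents with the one on disk.
# This is the failure in this thread: certificates issued daily but never
# installed, so nothing expires from the CA's point of view while the site
# still goes dark.
deployed_matches_disk() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 2>/dev/null)
  on_disk=$(openssl x509 -noout -fingerprint -sha256 -in "$2" 2>/dev/null)
  [ -n "$served" ] && [ "$served" = "$on_disk" ]
}

main() {
  failed=0
  if ! acme_reachable; then
    alert "ACME directory $ACME_DIR unreachable from $(hostname)" \
          "Check DNS, firewall and outbound HTTPS before looking at the client."
    failed=1
  fi
  if ! run_renewal; then
    alert "ACME renewal failed on $(hostname)" "$RENEW_OUTPUT"
    failed=1
  fi
  if ! cert_valid_for_days "$CERT_FILE" "$MIN_DAYS"; then
    alert "$CERT_FILE expires in under $MIN_DAYS days" \
          "Renewal is not producing a usable certificate; see previous alerts."
    failed=1
  fi
  if ! deployed_matches_disk "$SITE" "$CERT_FILE"; then
    alert "$SITE is not serving $CERT_FILE" \
          "Certificate was issued but not installed; check the deploy hook and web server reload."
    failed=1
  fi
  return "$failed"
}

# Only run when invoked as "renew-wrapper.sh run" (from cron); running it
# without the argument just defines the functions.
case "${1:-}" in
  run) main ;;
esac
```

Install it as, for example, `/usr/local/bin/renew-wrapper.sh` and schedule it with a crontab entry such as `MAILTO=ops@example.com` followed by `17 3 * * * /usr/local/bin/renew-wrapper.sh run` (both values assumed). Two points worth checking on an existing setup: cron mails any stdout/stderr a job produces to `MAILTO` (or the job owner), so a cron line ending in `>/dev/null 2>&1` is the usual reason a failing renewal never produces a notification; and the fingerprint comparison is the check that would have caught the situation in this thread, since a renewal that is issued but never installed looks healthy to the CA and to any expiry-only monitor.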

