Failing to renew cert for a subdomain using acmetool

My domain is seek-together.space and I have a few subdomains on it,all of them seem to be doing well with Let’s Encrypt, but a few weeks ago one of them started having problems: diaspora.seek-together.space

I use acmetool to automatically renew my certs. There is a cron job that runs acmetool reconcile, which should automatically renew certs when needed, and I get notified by email from cron when it fails.

It produces this output:

20170715232935 [ERROR] acme.storageops: Target(diaspora.seek-together.space;https://acme-v01.api.letsencrypt.org/directory;0): failed to request certificate: Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 178.17.170.67:53: dial udp 178.17.170.67:53: i/o timeout

20170715232936 [ERROR] acme.storageops: error while processing targets: the following errors occurred: error satisfying Target(diaspora.seek-together.space;https://acme-v01.api.letsencrypt.org/directory;0): Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 178.17.170.67:53: dial udp 178.17.170.67:53: i/o timeout

20170715232936 [ERROR] acme.storageops: failed to reconcile: the following errors occurred: error satisfying Target(diaspora.seek-together.space;https://acme-v01.api.letsencrypt.org/directory;0): Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 178.17.170.67:53: dial udp 178.17.170.67:53: i/o timeout

20170715232936 [CRITICAL] acmetool: fatal: reconcile: the following errors occurred: error satisfying Target(diaspora.seek-together.space;https://acme-v01.api.letsencrypt.org/directory;0): Get https://acme-v01.api.letsencrypt.org/directory: dial tcp: lookup acme-v01.api.letsencrypt.org on 178.17.170.67:53: dial udp 178.17.170.67:53: i/o timeout

My web server is lighttpd and OS is Trisquel 7 GNU/Linux. I can log in as root.

All the other subdomains are fine, just that one subdomain is reported by acmetool status as “needs renewing” and I got an email that says the cert will expire in 9 days.

I checked my web server config, verified that the diaspora subdomain is configured in the same way as the other domains. I just can’t figure out why it acts like that. Any help highly appreciated

The problem appears to be DNS related.
I would try: “nslookup acme-v01.api.letsencrypt.org 178.17.170.67”

I get this:

Server: 178.17.170.67
Address: 178.17.170.67#53
Non-authoritative answer:
acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
e981.dscb.akamaiedge.net canonical name = e981.dscb.akamaiedge.net.0.1.cn.akamaiedge.net.
Name: e981.dscb.akamaiedge.net.0.1.cn.akamaiedge.net
Address: 104.86.244.16

hi @fr33domlover

Be careful making statements like the other domains are fine. I believe your core issue is connectivity to the API from your web server.

I also believe the reason why your other domains aren’t causing issues is because they are not yet due for renewal so the client is not trying to renew them (hence no errors)

image.png965×234 12.9 KB

On your web server try using wget to access https://acme-v01.api.letsencrypt.org/directory you should get and JSON response if that doesn’t work then you can troubleshoot network errrors

If it does work then you can narrow it down to the client having issues. I am not familiar with acmetools but you will probably be able to log an issue on their github

I would also suggest changing the topic to something that has acme tools and the fact it’s not able to reach Lets Encrypt API. This will allow others who are knowledgeable with acmetools or maybe the author themselves to spot the article easier (your current title is easy to skip)

Andrei

Thank you!

The wget works. I guess maybe it’s acmetool having an issue, I’ll ask.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.