Issue with renewal of multiple certificates


#1

I run a daily cron across multiple servers to check cert expiry and automatic renewal. However, for some of my servers this is not working, and i can only assume some sort of rate limiting is in place. I have multiple domain names, but this only appears to be an issue with this one domain name. When the cert check is run in cron, the response is - Pending. Can someone help?

user@hk1:~/.acme.sh/hk1.zennodes.space$ sudo “/home/user/.acme.sh”/acme.sh --cron --home “/home/user/.acme.sh”
[Wed 14 Mar 10:07:33 UTC 2018] ===Starting cron===
[Wed 14 Mar 10:07:33 UTC 2018] Renew: ‘hk1.zennodes.space’
[Wed 14 Mar 10:07:33 UTC 2018] Standalone mode.
[Wed 14 Mar 10:07:33 UTC 2018] Single domain=‘hk1.zennodes.space’
[Wed 14 Mar 10:07:33 UTC 2018] Getting domain auth token for each domain
[Wed 14 Mar 10:07:33 UTC 2018] Getting webroot for domain=‘hk1.zennodes.space’
[Wed 14 Mar 10:07:33 UTC 2018] Getting new-authz for domain=‘hk1.zennodes.space’
[Wed 14 Mar 10:07:34 UTC 2018] The new-authz request is ok.
[Wed 14 Mar 10:07:34 UTC 2018] Verifying:hk1.zennodes.space
[Wed 14 Mar 10:07:34 UTC 2018] Standalone mode server
[Wed 14 Mar 10:07:39 UTC 2018] Pending
[Wed 14 Mar 10:07:41 UTC 2018] Pending
[Wed 14 Mar 10:07:43 UTC 2018] Pending
[Wed 14 Mar 10:07:46 UTC 2018] Pending
[Wed 14 Mar 10:07:48 UTC 2018] hk1.zennodes.space:Verify error:Fetching http://hk1.zennodes.space/.well-known/acme-challenge/553qhbqDSlzv9fh-sTNXrCEOl42u8ICznsKE6YLi7WY: Timeout
[Wed 14 Mar 10:07:48 UTC 2018] Please add ‘–debug’ or ‘–log’ to check more details.
[Wed 14 Mar 10:07:48 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed 14 Mar 10:07:49 UTC 2018] Error renew hk1.zennodes.space.
[Wed 14 Mar 10:07:49 UTC 2018] ===End cron===

Please bear in mind that i have other domains that work in exactly the same way as this one (with around 20 certs per domain) and these appear to work fine.
I have also randomized the cron job, so all servers crons does not run at the same time.
Help…!! :slight_smile:


#2

Well, the issue is exactly as advertised. The server to which the domain points just times out - it doesn’t respond to connections on tcp/80.

If you have any firewalling or network access controls in place, they may be interfering with the renewal process.


#3

Are you sure this is the issue? All servers are set up with automation in exactly the same way. Why do the others work?

The servers do allow port 80 - i have a rule in ufw… BUT…nothing runs on port 80. And never did. This cannot be the issue…


#4
[Wed 14 Mar 10:26:00 UTC 2018] GET
[Wed 14 Mar 10:26:00 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/77nym1vaXti--rp_FdyOAg8IOUymeSQJ9WiSk94Khyo/3813185908'
[Wed 14 Mar 10:26:00 UTC 2018] timeout
[Wed 14 Mar 10:26:00 UTC 2018] _CURL='curl -L --silent --dump-header /home/user/.acme.sh/http.header '
[Wed 14 Mar 10:26:01 UTC 2018] ret='0'
[Wed 14 Mar 10:26:01 UTC 2018] Pending 

The timeout occurs when something on the acme servers are checked. Am i being rate limited? If so, why and how can i get around this??


#5

This is the response from the remote letsencrypt server

HTTP/1.1 100 Continue
Expires: Wed, 14 Mar 2018 10:26:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Requester: 25159346
Replay-Nonce: 2slQ69cnks86zV6mctt5SVYoraWhrg69BkQnm-JV4TU
Expires: Wed, 14 Mar 2018 10:26:10 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 14 Mar 2018 10:26:10 GMT
Connection: close

So it seems this domain is blacklisted or something? Anyone knows differently??


#6

So how did you setup Let’s Encrypt validation for the others?

If you use DNS validation, then you probably just forgot to tell acme.sh to use DNS validation for that individual domain. nevermind.

[Wed 14 Mar 10:07:34 UTC 2018] Standalone mode server

So, you are using standalone mode with acme.sh. That should be fine and not result in a timeout - acme.sh listens on port 80 for you, for the duration of the validation process.

“Timeout” does not indicate any sort of rate limit issue. It means what it says, that the validation server tried to connect but failed.

Are you able to temporarily spin up a web server on your server so we can see if it accessible via port 80?

e.g. maybe with

sudo sh -c 'mkdir -p /tmp/empty; cd /tmp/empty && python -m SimpleHTTPServer 80'

#7

OK. Looks like this could be an issue (firewall on the vps provider side). I am going to test this by allowing a rule for http on the VPS provider. Seems a bit odd though as I am renewing and not setting up for the first time. I will update the progress.


#8

Ok…the test was successful after opening the http port at the VPS provider. All servers are set up the same with configuration management software. I guess what caught me out is that they use different VPS providers, and some of them will have a firewall in by default - so traffic is denied unless you allow it.
Thanks for the help :slight_smile: :slight_smile:


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.