Issuing new certificate failed: dehydrated failure


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portal.admm.co

I ran this command: with openresty issued

It produced this output:

2018/09/12 18:21:34 [error] 16#16: *1 [lua] file.lua:25: setup_worker(): auto-ssl: failed to set storage directory permissions: Executing command failed: chmod 700 /etc/resty-auto-ssl/storage/file: chmod: /etc/resty-auto-ssl/storage/file: Operation not permitted

, context: init_worker_by_lua*

2018/09/12 18:21:47 [error] 16#16: *11 [lua] hook.lua:15: server(): auto-ssl: failed to parse POST args: request body in temp file not supported, client: 127.0.0.1, server: , request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:8999"

2018/09/12 18:21:47 [error] 16#16: *3 [lua] lets_encrypt.lua:41: issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=redacted HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated --cron --accept-terms --no-lock --domain portal.admm.co --challenge http-01 --config /etc/resty-auto-ssl/letsencrypt/config --hook /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks status: 256 out: # INFO: Using main config file /etc/resty-auto-ssl/letsencrypt/config

+ Generating account key...

+ Registering account key with ACME server...

Processing portal.admm.co

 + Signing domains...

 + Creating new directory /etc/resty-auto-ssl/letsencrypt/certs/portal.admm.co ...

 + Creating chain cache directory /etc/resty-auto-ssl/letsencrypt/chains

 + Generating private key...

 + Generating signing request...

 + Requesting authorization for portal.admm.co...

 + 1 pending challenge(s)

 + Deploying challenge tokens...

 + Responding to challenge for portal.admm.co authorization...

 + Challenge is valid!

 + Requesting certificate...

 + Checking certificate...

 + Done!

 + Creating fullchain.pem...

 + Walking chain...

failed to get the expiry date

 err: date: invalid date 'Dec 11 17:22:20 2018 GMT'

curl: (22) The requested URL returned error: 500 Internal Server Error

hook request (deploy_cert) failed

, context: ssl_certificate_by_lua*, client: 42.72.0.184, server: 0.0.0.0:443

2018/09/12 18:21:47 [error] 16#16: *3 [lua] ssl_certificate.lua:97: issue_cert(): auto-ssl: issuing new certificate failed: dehydrated failure, context: ssl_certificate_by_lua*, client: 42.72.0.184, server: 0.0.0.0:443

2018/09/12 18:21:47 [error] 16#16: *3 [lua] ssl_certificate.lua:286: auto-ssl: could not get certificate for portal.admm.co - using fallback - failed to get or issue certificate, context: ssl_certificate_by_lua*, client: 42.72.0.184, server: 0.0.0.0:443

2018/09/12 18:21:48 [error] 16#16: *14 [lua] hook.lua:15: server(): auto-ssl: failed to parse POST args: request body in temp file not supported, client: 127.0.0.1, server: , request: "POST /deploy-cert HTTP/1.1", host: "127.0.0.1:8999"

2018/09/12 18:21:48 [error] 16#16: *6 [lua] lets_encrypt.lua:74: issue_cert(): auto-ssl: dehydrated manual hook.sh failed: env HOOK_SECRET=redacted HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/letsencrypt_hooks deploy_cert portal.admm.co /etc/resty-auto-ssl/letsencrypt/certs/portal.admm.co/privkey.pem /etc/resty-auto-ssl/letsencrypt/certs/portal.admm.co/cert.pem /etc/resty-auto-ssl/letsencrypt/certs/portal.admm.co/fullchain.pem /etc/resty-auto-ssl/letsencrypt/certs/portal.admm.co/chain.pem 1536776508 status: 256 out: failed to get the expiry date

 err: date: invalid date 'Dec 11 17:22:20 2018 GMT'

My web server is (include version): openresty

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi.

I redacted the HOOK_SECRET variable(s) from your post, if that’s okay. My understanding is that the OpenResty API endpoint it protects shouldn’t be publicly accessible anyway, and search engines have probably already archived this post, but still.

Credit to @jmorahan for pointing it out.

As for the reason you posted, I don’t know, sorry. :grimacing:
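
The hand redaction described in this post can be scripted so a log is scrubbed before it is pasted. This is an added example, not part of the thread or of the auto-ssl code; the name pattern and the sample secret value are assumptions.

```python
import re

# Variable names that suggest a credential. This list is an assumption of the
# example; extend it for your own environment.
SENSITIVE_NAME = re.compile(r"(SECRET|TOKEN|PASSWORD|PASSWD|API_?KEY|PRIVATE)", re.I)

# NAME=value, where value is a quoted string or a run of non-space characters.
ASSIGNMENT = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S+)")


def redact(text):
    """Return (scrubbed_text, sorted names whose values were replaced)."""
    found = set()

    def scrub(match):
        name, value = match.group(1), match.group(2)
        # Leave non-sensitive variables and already-redacted values untouched.
        if not SENSITIVE_NAME.search(name) or value == "redacted":
            return match.group(0)
        found.add(name)
        return name + "=redacted"

    return ASSIGNMENT.sub(scrub, text), sorted(found)


# Constructed sample in the shape of the dehydrated command line logged in
# post #1; the secret value is made up.
SAMPLE = (
    "2018/09/12 18:21:47 [error] 16#16: *3 [lua] lets_encrypt.lua:41: "
    "issue_cert(): auto-ssl: dehydrated failed: env HOOK_SECRET=0123abcd "
    "HOOK_SERVER_PORT=8999 /usr/local/openresty/luajit/bin/resty-auto-ssl/dehydrated "
    "--cron --domain portal.admm.co"
)

if __name__ == "__main__":
    clean, names = redact(SAMPLE)
    print(clean)
    print("redacted:", ", ".join(names))
```

The returned list of names tells you which values were present in the original text, which matters if an unscrubbed copy has already been shared.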


#3

chmod 700 /etc/resty-auto-ssl/storage/file: chmod: /etc/resty-auto-ssl/storage/file: Operation not permitted

This seems like it might be the root cause: You appear to have incorrect ownership or incorrect permission on some of the files associated with openresty. Or maybe openresty expects to run as root but is not running as root?


#4

Yes, it might be the root cause.
But my openresty is running as a container, so it will be the root user.
But the worker is running as the nobody user; that’s weird and I don’t know how to change it.

user root; is not supported on the openresty container lol
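
The ownership mismatch discussed in posts #3 and #4 can be checked directly: chmod succeeds only for the file's owner or a privileged process, so a worker running as nobody cannot chmod a directory owned by root. This is an added example, not code from the thread or from auto-ssl; the function names are hypothetical, the config text is constructed, and "nobody" as the fallback is nginx's documented default for the `user` directive.

```python
import os
import re
import stat
import tempfile

# nginx's documented default when no `user` directive is present (assumed to
# hold for the OpenResty build in use).
DEFAULT_WORKER_USER = "nobody"


def worker_user(conf_text):
    """Return the user named by the `user` directive, or the default."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"user\s+([^\s;]+)", line)
        if m:
            return m.group(1)
    return DEFAULT_WORKER_USER


def chmod_allowed(path, uid):
    """True if uid owns path or is root (capability handling is left out)."""
    return uid == 0 or uid == os.stat(path).st_uid


def diagnose(path, uid):
    """Explain whether a process running as uid can chmod path."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if chmod_allowed(path, uid):
        return "ok: uid %d may chmod %s (mode %o)" % (uid, path, mode)
    return ("mismatch: %s is owned by uid %d, worker runs as uid %d; "
            "chmod fails with 'Operation not permitted'" % (path, st.st_uid, uid))


if __name__ == "__main__":
    conf = "worker_processes 1;\nevents {}\n"  # constructed: no user directive
    print("worker user:", worker_user(conf))
    with tempfile.TemporaryDirectory() as d:  # stands in for the storage dir
        owner = os.stat(d).st_uid
        print(diagnose(d, owner))      # worker owns the directory
        print(diagnose(d, owner + 1))  # worker is some other non-root user
```

On a real host, pass the storage path from the log and the numeric uid of the worker process instead of the temporary directory.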


#5

What do the openresty docs have to say about file ownership and permissions?

