Problem issuing / renewing certificates (acme.sh)

I use acme.sh to issue / renew certificates. Until yesterday everything worked fine.

Today I get this:

[Tue Sep 24 10:42:36 EEST 2019] Single domain=‘coderz.gr’
[Tue Sep 24 10:42:36 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 10:52:39 EEST 2019] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:02:45 EEST 2019] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.

Maybe the issue is related to this?

1 Like

Please include (and any other posters):

acme.sh --version

acme.sh version is v2.8.2

Finally it worked but check the timestamps, it took 30 minutes.

[Tue Sep 24 10:42:36 EEST 2019] Single domain=‘coderz.gr’
[Tue Sep 24 10:42:36 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 10:52:39 EEST 2019] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:02:45 EEST 2019] It seems the CA server is busy now, let’s wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:12:49 EEST 2019] Getting webroot for domain=‘coderz.gr’
[Tue Sep 24 11:12:49 EEST 2019] coderz.gr is already verified, skip http-01.
[Tue Sep 24 11:12:49 EEST 2019] Verify finished, start to sign.
[Tue Sep 24 11:12:49 EEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58140176/1150563175
[Tue Sep 24 11:12:51 EEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04a1f76a49273e0a0d589595e76a7aeba035
[Tue Sep 24 11:12:52 EEST 2019] Cert success.

That’s not good.

“It seems the CA server is busy now” is acme.sh speak for “server rejected our nonce”.

However, v2.8.2 shouldn’t be having that problem …

Speculation:

What if there isn’t actually a nonce issue? (Edit: In this case.)

What if there’s a networking issue like “attempting to connect over IPv6 fails but takes ten minutes to time out and retry over IPv4” and the nonce is failing legitimately?

One way to answer that may be for users who are experiencing issues to modify acme.sh’s curl flags to include e.g. -4 or --http1.1 to test different hypotheses.

1 Like

My servers don’t support IPv6 so they always connect using IPv4.

What if you run this?

curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce

I’m wondering if you’re suffering from the same issue as this other active thread:

Edit: I’m being speculative again. I’m not even sure if you’re using curl or wget.

I also recompile curl with IPv6 support disabled to be sure.

I run:

curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce

I get this:

Warning: Setting custom HTTP method to HEAD with -X/–request may not work the
Warning: way you want. Consider using -I/–head instead.

and then it hangs.

Can you leave it running? I’m curious if it’ll exit after 10 minutes, like seemed to be happening in your acme.sh logs.

Still, it would be better to confirm your acme.sh is even using curl before jumping to conclusions.

I will keep it running and tell you if it exits in 10 minutes.

I also get similar system calls like the other thread:

truss -p 77359
poll({ 3/POLLIN },1,928) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)

Hey, is your curl built with HTTP/2 / nghttp2?

curl -V

I believe any version of curl that is built with nghttp2 should not experience this problem.

I confirm that it that my acme.sh uses curl.

Also it closes after 10 minutes as you said.

time curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
Warning: Setting custom HTTP method to HEAD with -X/–request may not work the
Warning: way you want. Consider using -I/–head instead.
0.027u 0.000s 10:00.99 0.0% 42+70k 0+0io 0pf+0w

curl -V
curl 7.66.0 (amd64-portbld-freebsd12.0) libcurl/7.66.0 OpenSSL/1.1.1c zlib/1.2.11
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

:smiley: It did for me too.

$ date; curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce; date
Tue Sep 24 09:19:52 UTC 2019
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the 
Warning: way you want. Consider using -I/--head instead.
Tue Sep 24 09:29:52 UTC 2019

The other person with this issue just reported that applying the tiny change from https://github.com/Neilpang/acme.sh/pull/2499 solved their problem - maybe give that a go?

1 Like

I add the patch and it works. But I get this error too “Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 2”

[Tue Sep 24 12:48:54 EEST 2019] Single domain=‘coderz.gr’
[Tue Sep 24 12:48:54 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 12:48:54 EEST 2019] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 2
[Tue Sep 24 12:48:57 EEST 2019] Getting webroot for domain=‘coderz.gr’
[Tue Sep 24 12:48:58 EEST 2019] coderz.gr is already verified, skip http-01.
[Tue Sep 24 12:48:58 EEST 2019] Verify finished, start to sign.
[Tue Sep 24 12:48:58 EEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58140176/1150990267
[Tue Sep 24 12:48:59 EEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04e2587e2f3ffd6e7b7e589c9b0d16f78c16
[Tue Sep 24 12:49:00 EEST 2019] Cert success.

I close this thread to continue discussion in the other thread.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.