Problem issuing / renewing certificates (acme.sh)

I use acme.sh to issue / renew certificates. Until yesterday everything worked fine.

Today I get this:

[Tue Sep 24 10:42:36 EEST 2019] Single domain='coderz.gr'
[Tue Sep 24 10:42:36 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 10:52:39 EEST 2019] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:02:45 EEST 2019] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.

Maybe the issue is related to this?

Please include (and any other posters):

acme.sh --version

acme.sh version is v2.8.2

Finally it worked but check the timestamps, it took 30 minutes.

[Tue Sep 24 10:42:36 EEST 2019] Single domain='coderz.gr'
[Tue Sep 24 10:42:36 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 10:52:39 EEST 2019] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:02:45 EEST 2019] It seems the CA server is busy now, let's wait and retry. Sleeping 1 seconds.
[Tue Sep 24 11:12:49 EEST 2019] Getting webroot for domain='coderz.gr'
[Tue Sep 24 11:12:49 EEST 2019] coderz.gr is already verified, skip http-01.
[Tue Sep 24 11:12:49 EEST 2019] Verify finished, start to sign.
[Tue Sep 24 11:12:49 EEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58140176/1150563175
[Tue Sep 24 11:12:51 EEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04a1f76a49273e0a0d589595e76a7aeba035
[Tue Sep 24 11:12:52 EEST 2019] Cert success.

That’s not good.

“It seems the CA server is busy now” is acme.sh speak for “server rejected our nonce”.

However, v2.8.2 shouldn’t be having that problem …

Speculation:

What if there isn’t actually a nonce issue? (Edit: In this case.)

What if there’s a networking issue like “attempting to connect over IPv6 fails but takes ten minutes to time out and retry over IPv4” and the nonce is failing legitimately?

One way to answer that may be for users who are experiencing issues to modify acme.sh’s curl flags to include e.g. -4 or --http1.1 to test different hypotheses.


My servers don’t support IPv6 so they always connect using IPv4.

What if you run this?

curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce

I'm wondering if you're suffering from the same issue as this other active thread:

Edit: I'm being speculative again. I'm not even sure if you're using curl or wget.

I also recompile curl with IPv6 support disabled to be sure.

I run:

curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce

I get this:

Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.

and then it hangs.

Can you leave it running? I’m curious if it’ll exit after 10 minutes, like seemed to be happening in your acme.sh logs.

Still, it would be better to confirm your acme.sh is even using curl before jumping to conclusions.

I will keep it running and tell you if it exits in 10 minutes.

I also get system calls similar to the other thread:

truss -p 77359
poll({ 3/POLLIN },1,928) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)
poll({ 3/POLLIN },1,1000) = 0 (0x0)
poll({ 3/POLLIN|POLLPRI|POLLRDNORM|POLLRDBAND },1,0) = 0 (0x0)

Hey, is your curl built with HTTP/2 / nghttp2?

curl -V

I believe any version of curl that is built with nghttp2 should not experience this problem.

I confirm that my acme.sh uses curl.

Also it closes after 10 minutes as you said.

time curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the
Warning: way you want. Consider using -I/--head instead.
0.027u 0.000s 10:00.99 0.0% 42+70k 0+0io 0pf+0w

curl -V
curl 7.66.0 (amd64-portbld-freebsd12.0) libcurl/7.66.0 OpenSSL/1.1.1c zlib/1.2.11
Release-Date: 2019-09-11
Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp smtp smtps telnet tftp
Features: alt-svc AsynchDNS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL TLS-SRP UnixSockets

It did for me too.

$ date; curl -X HEAD https://acme-v02.api.letsencrypt.org/acme/new-nonce; date
Tue Sep 24 09:19:52 UTC 2019
Warning: Setting custom HTTP method to HEAD with -X/--request may not work the 
Warning: way you want. Consider using -I/--head instead.
Tue Sep 24 09:29:52 UTC 2019
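The ten-minute hang above is consistent with what curl's own warning hints at: `-X HEAD` sends a HEAD request but still expects a body, while `-I` knows there is none. The following is an added example, not code from the thread or from acme.sh, that models the mechanism with a constructed local stand-in for the new-nonce endpoint. It assumes the server answers HEAD with headers only and no Content-Length and then keeps the connection open (the thread does not show the real response headers), and it uses a 1-second idle timeout in place of the observed 10 minutes.

```python
import socket
import threading
import time

# Constructed stand-in for the CA's new-nonce endpoint: it answers HEAD with
# headers only (no body, no Content-Length), then holds the keep-alive connection
# open for IDLE_TIMEOUT seconds. The 1-second value models the observed 10 minutes.
IDLE_TIMEOUT = 1.0
RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Replay-Nonce: constructed-nonce-value\r\n"  # constructed, not a real nonce
            b"Cache-Control: no-store\r\n\r\n")

def serve_once(listener):
    """Accept one client, answer its HEAD, idle, then close the connection."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        conn.recv(4096)            # the HEAD request; its contents do not matter here
        conn.sendall(RESPONSE)
        time.sleep(IDLE_TIMEOUT)   # keep-alive: stay open until the idle timeout

def head_request(port, expect_body):
    """Send HEAD /acme/new-nonce and return the status line. expect_body=True
    mimics `curl -X HEAD`: not knowing HEAD has no body and seeing no
    Content-Length, it reads until the server closes. False mimics `curl -I`."""
    with socket.create_connection(("127.0.0.1", port), timeout=10) as s:
        s.sendall(b"HEAD /acme/new-nonce HTTP/1.1\r\nHost: localhost\r\n\r\n")
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = s.recv(4096)
            if not chunk:
                raise ConnectionError("server closed before sending headers")
            buf += chunk
        if expect_body:
            while s.recv(4096):    # b"" arrives only when the server closes
                pass
        return buf.split(b"\r\n")[0].decode()

def time_head(expect_body):
    """Run one HEAD against the stand-in server; return (status line, seconds)."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        threading.Thread(target=serve_once, args=(listener,), daemon=True).start()
        start = time.monotonic()
        status = head_request(listener.getsockname()[1], expect_body)
        return status, time.monotonic() - start
```

Running `time_head(False)` returns in milliseconds, while `time_head(True)` only returns once the server's idle timeout closes the socket, the same shape as the `time curl -X HEAD` result shown earlier in the thread.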

The other person with this issue just reported that applying the tiny change from https://github.com/Neilpang/acme.sh/pull/2499 solved their problem - maybe give that a go?


I added the patch and it works. But I get this error too: “Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 2”

[Tue Sep 24 12:48:54 EEST 2019] Single domain='coderz.gr'
[Tue Sep 24 12:48:54 EEST 2019] Getting domain auth token for each domain
[Tue Sep 24 12:48:54 EEST 2019] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 2
[Tue Sep 24 12:48:57 EEST 2019] Getting webroot for domain='coderz.gr'
[Tue Sep 24 12:48:58 EEST 2019] coderz.gr is already verified, skip http-01.
[Tue Sep 24 12:48:58 EEST 2019] Verify finished, start to sign.
[Tue Sep 24 12:48:58 EEST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/58140176/1150990267
[Tue Sep 24 12:48:59 EEST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/04e2587e2f3ffd6e7b7e589c9b0d16f78c16
[Tue Sep 24 12:49:00 EEST 2019] Cert success.

I close this thread to continue discussion in the other thread.
