Renew certificate OCSP failure

The problem is still the same as in the beginning. This is my first certificate renewal. Something is telling me I will not manage to finish it on time, as the certificate is valid for little more than one day :slight_smile: So I will walk through the chicken-and-egg problem again. Maybe it will show another error which I will be able to cope with...

$ certbot certificates

Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: patera.name
    Serial Number: 4984870b10a1a87b4ef8a0bd8f5dbb33589
    Key Type: ECDSA
    Domains: jiri.patera.name jan.patera.name patera.name
    Expiry Date: 2023-07-13 09:00:21+00:00 (VALID: 1 day)
    Certificate Path: /etc/letsencrypt/live/patera.name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/patera.name/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/patera.name.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Failed to renew certificate patera.name with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f9b0c3400>: Failed to establish a new connection: [Errno -3] Try again'))
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/patera.name/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

See this search result, but it usually shows as:

socket.gaierror: [Errno -3] Temporary failure in name resolution

I am not sure why yours just says "Try again" but the error is likely a DNS resolver issue. I don't know why Certbot / python would fail but your curl requests succeed.

Is there anything unusual with the way Certbot is installed compared to how you run curl?

I am not expert enough in python for debugging such problems. Other volunteers may know better.

My only recommendation is to try using a different ACME client, preferably one not based on Python. Maybe acme.sh, since it's popular and bash-based and should run in the same environment as your curl tests.

5 Likes

What shows?:
host acme-v02.api.letsencrypt.org

4 Likes

I will have a look at acme.sh and also go through results for socket.gaierror "Temporary failure in name resolution".

$ host acme-v02.api.letsencrypt.org

acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

So finally after a lot of struggle and thanks to your support guys! I was able to renew the certificate a couple of hours before it expired :slight_smile:

The problem was in the DNS resolution. I was new to this host environment and MikeMcQ's piece of advice about looking for temporary failure in name resolution and checking anything unusual with the way Certbot is installed on the host got me on the track to the solution.

I found that "certbot renew" is actually executed through a script that uses the "docker compose" subsystem of the host. There was a problem with DNS resolution in the certbot docker container, which I fixed by appending "dns: 8.8.8.8" to the appropriate section of the "docker-compose.yml" file like this:

  certbot:
    image: certbot/certbot
    depends_on:
      - nginx
    volumes:
      - ./certbot/etc/letsencrypt:/etc/letsencrypt:rw
      - ./certbot/var/www/certbot:/var/www/certbot:rw
      - ./certbot/var/log/letsencrypt:/var/log/letsencrypt:rw
    restart: "no"   # quoted: a bare "no" is parsed as a YAML boolean, not the string Compose expects
    dns: 8.8.8.8    # explicit resolver for the container; fixes the name-resolution failure

Then the renewal process finished promptly and without errors:

$ certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/patera.name.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for jiri.patera.name and 2 more domains
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/patera.name/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

$ certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: patera.name
    Serial Number: 39c5b8ac1f0ed78894e93fcf0b30e1d5c6a
    Key Type: ECDSA
    Domains: jiri.patera.name jan.patera.name patera.name
    Expiry Date: 2023-10-10 06:09:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/patera.name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/patera.name/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

I have no idea why this problem did not occur during the certificate creation three months ago, though.

I appreciate all your effort! Thank you very much for saving my ass! I did not expect such extensive and fast support from the community here!

4 Likes
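The failure above was a resolver problem inside the certbot container, not an ACME or network problem. As an added example (not from the thread or from Certbot), here is a small preflight check that reads the container's resolv.conf, resolves the ACME directory host, and maps the `socket.gaierror` codes to the symptom seen here (`[Errno -3] Try again` is `EAI_AGAIN`). The fake resolvers and the sample resolv.conf body are constructed so the checks run offline.

```python
"""Preflight for `certbot renew` in a container: separate resolver trouble
from ACME trouble before certbot runs (added example, not Certbot code)."""
import socket
from typing import Callable, List, Tuple

ACME_HOST = "acme-v02.api.letsencrypt.org"  # host certbot contacts for /directory

# Constructed sample: a resolv.conf body as generated after `dns: 8.8.8.8`.
SAMPLE_RESOLV_CONF = "search example.invalid\nnameserver 8.8.8.8\n"

def nameservers(resolv_conf_text: str) -> List[str]:
    """Return the nameserver entries of a resolv.conf body (comments ignored)."""
    out = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            out.append(parts[1])
    return out

def classify_resolution(host: str, resolver: Callable = socket.getaddrinfo) -> Tuple[str, List[str]]:
    """Resolve `host`; EAI_AGAIN ("Try again" / "Temporary failure in name
    resolution") means the resolver itself was unreachable, i.e. DNS plumbing."""
    try:
        infos = resolver(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        if exc.errno == socket.EAI_AGAIN:
            return ("resolver-unreachable", [])
        if exc.errno == socket.EAI_NONAME:
            return ("name-not-found", [])
        return ("dns-error", [])
    return ("ok", sorted({info[4][0] for info in infos}))

def preflight(resolv_conf_text: str, resolver: Callable = socket.getaddrinfo) -> str:
    """One-line verdict a renewal script can log before invoking certbot."""
    ns = nameservers(resolv_conf_text)
    if not ns:
        return "no nameserver configured: set dns: on the compose service"
    status, addrs = classify_resolution(ACME_HOST, resolver)
    if status == "ok":
        return "ok: %s -> %s" % (ACME_HOST, ", ".join(addrs))
    if status == "resolver-unreachable":
        return "nameserver(s) %s not reachable from this container" % ", ".join(ns)
    return status

# Constructed stand-ins for socket.getaddrinfo so the checks run offline.
def fake_resolver_eai_again(*_a, **_k):
    raise socket.gaierror(socket.EAI_AGAIN, "Try again")

def fake_resolver_ok(*_a, **_k):
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", ("172.65.32.248", 443))]
```

Run it inside the certbot container with `preflight(open("/etc/resolv.conf").read())` before the renewal step; the default resolver argument performs the real lookup.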

Clearly it had access to DNS [via its default method] then, and that was somehow blocked/broken.

I'm glad you were able to figure it out!
Cheers from Miami :beers:

4 Likes
