Renew not working


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ytc1.dyndns.org

I ran this command:
acme.sh --cron --home /var/www/acme/.acme.sh --debug

It produced this output:
/var/www/acme/.acme.sh/acme.sh --cron --home /var/www/acme/.acme.sh --debug

[Sunday, 11 November 2018 10:30:32 GMT] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:32 GMT] _currentRoot='apache'
[Sunday, 11 November 2018 10:30:32 GMT] wellknown_path='/tmp/.acme'
[Sunday, 11 November 2018 10:30:32 GMT] writing token:EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4 to /tmp/.acme/EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4
[Sunday, 11 November 2018 10:30:32 GMT] url='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:32 GMT] payload='{"resource": "challenge", "keyAuthorization": "EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4.AUo46_xio-XG2FTGH6P3KWBQdP126xeFQlpNt14bBt4"}'
[Sunday, 11 November 2018 10:30:32 GMT] POST
[Sunday, 11 November 2018 10:30:32 GMT] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:32 GMT] _WGET='wget -q --content-on-error '
[Sunday, 11 November 2018 10:30:32 GMT] Using sed -i
[Sunday, 11 November 2018 10:30:32 GMT] _ret='0'
[Sunday, 11 November 2018 10:30:32 GMT] code='202'
[Sunday, 11 November 2018 10:30:32 GMT] sleep 2 secs to verify
[Sunday, 11 November 2018 10:30:34 GMT] checking
[Sunday, 11 November 2018 10:30:34 GMT] GET
[Sunday, 11 November 2018 10:30:34 GMT] url='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:34 GMT] timeout=
[Sunday, 11 November 2018 10:30:34 GMT] _WGET='wget -q --content-on-error '
[Sunday, 11 November 2018 10:30:35 GMT] ret='0'
[Sunday, 11 November 2018 10:30:35 GMT] ytc1-cloud.dyndns.org:Verify error:Invalid response from http://ytc1-cloud.dyndns.org/.well-known/acme-challenge/EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4:
[Sunday, 11 November 2018 10:30:35 GMT] Debug: get token url.
[Sunday, 11 November 2018 10:30:35 GMT] GET
[Sunday, 11 November 2018 10:30:35 GMT] url='http://ytc1-cloud.dyndns.org/.well-known/acme-challenge/EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4'
[Sunday, 11 November 2018 10:30:35 GMT] timeout=1
[Sunday, 11 November 2018 10:30:35 GMT] _WGET='wget -q --content-on-error --timeout=1'
[Sunday, 11 November 2018 10:30:35 GMT] Please refer to https://www.gnu.org/software/wget/manual/html_node/Exit-Status.html for error code: 5
[Sunday, 11 November 2018 10:30:35 GMT] ret='5'
[Sunday, 11 November 2018 10:30:35 GMT] Skip for removelevel:
[Sunday, 11 November 2018 10:30:35 GMT] pid
[Sunday, 11 November 2018 10:30:35 GMT] Using config home:/var/www/acme/.acme.sh
[Sunday, 11 November 2018 10:30:35 GMT] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Sunday, 11 November 2018 10:30:35 GMT] httpdconfname='/etc/apache2/2.4/httpd.conf'
[Sunday, 11 November 2018 10:30:35 GMT] httpdconf='/etc/apache2/2.4/httpd.conf'
[Sunday, 11 November 2018 10:30:35 GMT] httpdconfname='httpd.conf'
[Sunday, 11 November 2018 10:30:35 GMT] Restored: /etc/apache2/2.4/httpd.conf.
[Sunday, 11 November 2018 10:30:35 GMT] Restored successfully.
[Sunday, 11 November 2018 10:30:35 GMT] No need to restore nginx, skip.
[Sunday, 11 November 2018 10:30:35 GMT] _clearupdns
[Sunday, 11 November 2018 10:30:35 GMT] skip dns.
[Sunday, 11 November 2018 10:30:35 GMT] _on_issue_err
[Sunday, 11 November 2018 10:30:35 GMT] Please check log file for more details: /var/www/acme/.acme.sh/acme.sh.log
[Sunday, 11 November 2018 10:30:35 GMT] url='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:35 GMT] payload='{"resource": "challenge", "keyAuthorization": "EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4.AUo46_xio-XG2FTGH6P3KWBQdP126xeFQlpNt14bBt4"}'
[Sunday, 11 November 2018 10:30:35 GMT] POST
[Sunday, 11 November 2018 10:30:35 GMT] _post_url='https://acme-v01.api.letsencrypt.org/acme/challenge/zVu_xsgc7kU5uqR9zVX8smMKSTyvWWzd_ovg04mdfLc/9181551186'
[Sunday, 11 November 2018 10:30:35 GMT] _WGET='wget -q --content-on-error '
[Sunday, 11 November 2018 10:30:36 GMT] wget returns 8, the server returns a 'Bad request' response, lets process the response later.
[Sunday, 11 November 2018 10:30:36 GMT] Using sed -i
[Sunday, 11 November 2018 10:30:36 GMT] _ret='0'
[Sunday, 11 November 2018 10:30:36 GMT] code='400'
[Sunday, 11 November 2018 10:30:36 GMT] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2o 27 Mar 2018
apache:
Server version: Apache/2.4.33 (Unix)
Server built: Apr 17 2018 04:45:27
Server's Module Magic Number: 20120211:76
Server loaded: APR 1.5.1, APR-UTIL 1.5.4
Compiled using: APR 1.5.1, APR-UTIL 1.5.4
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with...
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/usr/apache2/2.4"
-D SUEXEC_BIN="/usr/apache2/2.4/bin/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2/2.4/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="/etc/apache2/2.4/mime.types"
-D SERVER_CONFIG_FILE="/etc/apache2/2.4/httpd.conf"
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
Usage:
socat [options]
options:
-V print version and feature information to stdout, and exit
-h|-? print a help text describing command line options and addresses
-hh like -h, plus a list of all common address option names
-hhh like -hh, plus a list of all available address option names
-d increase verbosity (use up to 4 times; 2 are recommended)
-D analyze file descriptors before loop
-ly[facility] log to syslog, using facility (default is daemon)
-lf log to file
-ls log to stderr (default if no other log)
-lm[facility] mixed log mode (stderr during initialization, then syslog)
-lp set the program name used for logging
-lu use microseconds for logging timestamps
-lh add hostname to log messages
-v verbose data traffic, text
-x verbose data traffic, hexadecimal
-b<size_t> set data buffer size (8192)
-s sloppy (continue on error)
-t wait seconds before closing second channel
-T total inactivity timeout in seconds
-u unidirectional mode (left to right)
-U unidirectional mode (right to left)
-g do not check option groups
-L try to obtain lock, or fail
-W try to obtain lock, or wait
-4 prefer IPv4 if version is not explicitly specified
-6 prefer IPv6 if version is not explicitly specified
bi-address:
pipe[,] groups=FD,FIFO
!!

single-address:
[,]
address-head:
create: groups=FD,REG,NAMED
exec: groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
fd: groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
gopen: groups=FD,FIFO,CHR,BLK,REG,SOCKET,NAMED,OPEN,TERMIOS,UNIX
interface: groups=FD,SOCKET
ip-datagram:: groups=FD,SOCKET,RANGE,IP4,IP6
ip-recv: groups=FD,SOCKET,RANGE,IP4,IP6
ip-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4,IP6
ip-sendto:: groups=FD,SOCKET,IP4,IP6
ip4-datagram:: groups=FD,SOCKET,RANGE,IP4
ip4-recv: groups=FD,SOCKET,RANGE,IP4
ip4-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4
ip4-sendto:: groups=FD,SOCKET,IP4
ip6-datagram:: groups=FD,SOCKET,RANGE,IP6
ip6-recv: groups=FD,SOCKET,RANGE,IP6
ip6-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP6
ip6-sendto:: groups=FD,SOCKET,IP6
open: groups=FD,FIFO,CHR,BLK,REG,NAMED,OPEN,TERMIOS
openssl:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,OPENSSL
openssl-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP,OPENSSL
pipe: groups=FD,FIFO,NAMED,OPEN
proxy::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,HTTP
pty groups=FD,NAMED,TERMIOS,PTY
readline groups=FD,READLINE,TERMIOS
sctp-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,SCTP
sctp-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,SCTP
sctp4-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,SCTP
sctp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,SCTP
sctp6-connect:: groups=FD,SOCKET,CHILD,RETRY,IP6,SCTP
sctp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,SCTP
socket-connect::: groups=FD,SOCKET,CHILD,RETRY
socket-datagram:::: groups=FD,SOCKET,RANGE
socket-listen::: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE
socket-recv:::: groups=FD,SOCKET,RANGE
socket-recvfrom:::: groups=FD,SOCKET,CHILD,RANGE
socket-sendto:::: groups=FD,SOCKET
socks4::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
socks4a::: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP,SOCKS4
stderr groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdin groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdio groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
stdout groups=FD,FIFO,CHR,BLK,REG,SOCKET,TERMIOS,UNIX,IP4,IP6,UDP,TCP,SCTP
system: groups=FD,FIFO,SOCKET,EXEC,FORK,TERMIOS,PTY,PARENT,UNIX
tcp-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,IP6,TCP
tcp-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,IP6,TCP
tcp4-connect:: groups=FD,SOCKET,CHILD,RETRY,IP4,TCP
tcp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP4,TCP
tcp6-connect:: groups=FD,SOCKET,CHILD,RETRY,IP6,TCP
tcp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RETRY,RANGE,IP6,TCP
udp-connect:: groups=FD,SOCKET,IP4,IP6,UDP
udp-datagram:: groups=FD,SOCKET,RANGE,IP4,IP6,UDP
udp-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,IP6,UDP
udp-recv: groups=FD,SOCKET,RANGE,IP4,IP6,UDP
udp-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP4,IP6,UDP
udp-sendto:: groups=FD,SOCKET,IP4,IP6,UDP
udp4-connect:: groups=FD,SOCKET,IP4,UDP
udp4-datagram:: groups=FD,SOCKET,RANGE,IP4,UDP
udp4-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP4,UDP
udp4-recv: groups=FD,SOCKET,RANGE,IP4,UDP
udp4-recvfrom:: groups=FD,SOCKET,CHILD,RANGE,IP4,UDP
udp4-sendto:: groups=FD,SOCKET,IP4,UDP
udp6-connect:: groups=FD,SOCKET,IP6,UDP
udp6-datagram:: groups=FD,SOCKET,RANGE,IP6,UDP
udp6-listen: groups=FD,SOCKET,LISTEN,CHILD,RANGE,IP6,UDP
udp6-recv: groups=FD,SOCKET,RANGE,IP6,UDP
udp6-recvfrom: groups=FD,SOCKET,CHILD,RANGE,IP6,UDP
udp6-sendto:: groups=FD,SOCKET,IP6,UDP
unix-client: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-connect: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-listen: groups=FD,SOCKET,NAMED,LISTEN,CHILD,RETRY,UNIX
unix-recv: groups=FD,SOCKET,NAMED,RETRY,UNIX
unix-recvfrom: groups=FD,SOCKET,NAMED,CHILD,RETRY,UNIX
unix-sendto: groups=FD,SOCKET,NAMED,RETRY,UNIX
[Sunday, 11 November 2018 10:30:36 GMT] Return code: 1
[Sunday, 11 November 2018 10:30:36 GMT] Error renew ytc1-cloud.dyndns.org.
[Sunday, 11 November 2018 10:30:36 GMT] ===End cron===

My web server is (include version):
apache 2.4
The operating system my web server runs on is (include version):
Solaris 11.3
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi @YTC1

I don't use acme.sh, but it looks like acme.sh creates a redirect rule and saves the validation file under

/tmp/.acme/EnWc9UX3RjrOQwEyzF_kWPTcw00ea4Ae1z3CllmuHq4

But you have a redirect http -> https, so Letsencrypt may not find this file.

So remove your redirect, or don't apply it if the GET starts with /.well-known/acme-challenge/.
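
The exemption described in this reply, written out as an Apache 2.4 vhost fragment. This is an added example, not configuration from the thread or from acme.sh. It assumes the challenge files are written to /tmp/.acme (the wellknown_path from the log in #1) and uses the host name from the thread; both are placeholders for your own layout. The commented-out block is the blanket redirect that breaks HTTP-01 validation; the live block serves the challenge directory over plain HTTP and redirects everything else.

```apache
# Weak form: every plain-HTTP request, including the validator's GET for
# /.well-known/acme-challenge/<token>, is bounced to https. If the https
# site does not serve the same file, the challenge fails with
# "Invalid response from http://.../.well-known/acme-challenge/...".
#<VirtualHost *:80>
#    ServerName ytc1-cloud.dyndns.org
#    Redirect permanent / https://ytc1-cloud.dyndns.org/
#</VirtualHost>

# Corrected form: answer the challenge path directly on port 80, then
# redirect the rest. The Alias target must exist and be readable by the
# httpd user; /tmp/.acme is the path acme.sh was configured with here.
<VirtualHost *:80>
    ServerName ytc1-cloud.dyndns.org

    Alias /.well-known/acme-challenge/ /tmp/.acme/
    <Directory /tmp/.acme>
        Options None
        AllowOverride None
        Require all granted
    </Directory>

    # mod_rewrite instead of Redirect, so the exemption is a single
    # condition that is evaluated before the redirect fires.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After reloading httpd, a request for http://ytc1-cloud.dyndns.org/.well-known/acme-challenge/test.txt should return 200 with the file's contents and no Location header, while any other path still receives the 301 to https.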


#3

Hi Juergan,
I use acme because I run my stuff on Solaris 11 and it was the easiest way to get letsencrypt up and running.

The choice of /tmp/.acme/ is down to me, that can be changed in acme configs.
I have my OS security settings set to make my zone run as “immutable” and /etc/dirs are not writeable.
I’ll experiment and try with taking the security off (and resetting the path to standard).

If that works, then I will look to placing my apache dir under /var/www, which is writeable.


#4

Try with a simple test.txt file at:
http://ytc1-cloud.dyndns.org/.well-known/acme-challenge/test.txt
/tmp/.acme/test.txt


#5

Right, the basic issue is that I blocked port 80 to that zone on my router :-). I’d forgotten that letsencrypt uses that to link in.

Now I will have to remember this in Feb, along with remembering to relocate apache to /var/www in the meantime :)
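
The test-file check from #4 and the blocked-port finding from #5, combined into one pre-flight script that can be run before a renewal. This is an added example, not part of the thread or of acme.sh. It assumes curl is installed on the machine it runs from and that the acme.sh webroot is /tmp/.acme as in the log in #1; the host name and paths are the thread's values and are placeholders. The fetch deliberately does not follow redirects, so an http -> https redirect is reported as its own diagnosis rather than being masked by the https site answering 200.

```shell
#!/bin/sh
# Pre-flight check for the HTTP-01 challenge path (added example, not acme.sh code).
# Writes a throwaway token under the webroot, fetches it over plain HTTP exactly as
# the validator would (port 80, no redirect following), and names the failure mode.

# classify_response STATUS LOCATION BODY EXPECTED
# Pure function: maps what the fetch returned to a one-word diagnosis.
classify_response() {
  status=$1; location=$2; body=$3; expected=$4
  case "$status" in
    000)
      # curl could not complete a connection: port 80 filtered or host down (#5).
      echo "unreachable" ;;
    301|302|307|308)
      case "$location" in
        https://*) echo "redirected-to-https" ;;   # the http -> https redirect from #2
        *)         echo "redirected" ;;
      esac ;;
    200)
      # Reached the server; make sure it is our file and not a default page.
      if [ "$body" = "$expected" ]; then echo "ok"; else echo "wrong-content"; fi ;;
    404)
      echo "not-found" ;;                          # Alias/webroot mismatch
    *)
      echo "http-$status" ;;
  esac
}

# probe_challenge HOST WEBROOT
# Live check: places the token, fetches it, cleans up, returns 0 only on "ok".
probe_challenge() {
  host=$1; webroot=$2
  token="preflight-$$-$(date +%s)"
  expected="preflight-check"
  if ! mkdir -p "$webroot" || ! printf '%s' "$expected" > "$webroot/$token"; then
    echo "$webroot -> webroot-unwritable"
    return 1
  fi
  url="http://$host/.well-known/acme-challenge/$token"
  hdr=$(mktemp); bodyfile=$(mktemp)
  # -s quiet, -m 5 overall timeout, -o body, -D headers, -w prints only the status code.
  # No -L: a redirect must be visible, not followed.
  status=$(curl -s -m 5 -o "$bodyfile" -D "$hdr" -w '%{http_code}' "$url" 2>/dev/null) || status=000
  location=$(sed -n 's/^[Ll]ocation: *//p' "$hdr" | tr -d '\r' | head -n 1)
  body=$(cat "$bodyfile")
  rm -f "$webroot/$token" "$hdr" "$bodyfile"
  result=$(classify_response "$status" "$location" "$body" "$expected")
  echo "$url -> $result"
  [ "$result" = "ok" ]
}

# Usage: sh preflight.sh ytc1-cloud.dyndns.org /tmp/.acme
if [ $# -eq 2 ]; then
  probe_challenge "$1" "$2"
fi
```

Run it from a host outside your own network: from inside the LAN the router's port filter is not on the path, so the "unreachable" case from #5 would not show up. "redirected-to-https" is the case from #2; "not-found" usually means the Alias or webroot in httpd.conf does not point at the directory acme.sh writes to.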