Timeout on renew : "http-01","status":"pending" only on 2 subdomains


#1

Hello
I’m self-hosted on Raspbian, and I have used LE since the beginning of 2017.
I have 5 subdomains and I can renew 3 of them without any problems.

Problem solved:
It was just a problem with my fail2ban jail (only some IPs were rejected by iptables).

Sorry for the disturbance.


#2

You’re not stopping your Apache server, are you?

When I try against your domains, I’m correctly getting 404 errors on the authorizations, rather than timeouts.

e.g. https://acme-staging-v02.api.letsencrypt.org/acme/order/5751349/252277

Seems to work fine. Your Apache server needs to be running while acme.sh runs.


#3

Yes, I’m running Apache when I run acme.sh.
This is the same context as when I renew the 3 other subdomains successfully.


#4

I don’t know if you’ve done so already, but have you tried again?

It may have been an intermittent network issue or even a CPU stall on the rpi due to busyness (Let’s Encrypt will only wait 10 seconds for a response). My own repeated attempts against even v1 production ACME server still do not give a timeout.


#5

I’m trying again, but I get the same result/error.

I’ve been trying to renew those two certificates for a week. :worried:


#6

with a --renew and a --debug 2:

/home/pi/acme.sh/acme.sh --renew -d stream.ubiklain.fr -w /var/www/xbmc-video-server/ --certpath /etc/letsencrypt/live/stream.ubiklain.fr/cert.pem --keypath /etc/letsencrypt/live/stream.ubiklain.fr/privkey.pem --fullchainpath /etc/letsencrypt/live/stream.ubiklain.fr/fullchain.pem --force --debug 2


[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Lets find script dir.
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _SCRIPT_='/home/pi/acme.sh/acme.sh'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _script='/home/pi/acme.sh/acme.sh'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _script_home='/home/pi/acme.sh'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Using config home:/usr/local/share/acme.sh
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] LE_WORKING_DIR='/usr/local/share/acme.sh'
https://github.com/Neilpang/acme.sh
v2.7.4
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Using config home:/usr/local/share/acme.sh
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] DOMAIN_PATH='/usr/local/share/acme.sh/stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Renew: 'stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Using config home:/usr/local/share/acme.sh
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[mercredi 4 avril 2018, 00:55:30 (UTC+0200)] Le_NextRenewTime
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _on_before_issue
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] '/var/www/xbmc-video-server/' does not contain 'no'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Le_LocalAddress
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Check for domain='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _currentRoot='/var/www/xbmc-video-server/'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] '/var/www/xbmc-video-server/' does not contain 'apache'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _saved_account_key_hash='WPbROQehKMFVmnRJaVhCI7jdxLO2ZhwvwojUiN34ztM='
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _saved_account_key_hash is not changed, skip register account.
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Read key length:
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _createcsr
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] domain='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] domainlist
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] csrkey='/usr/local/share/acme.sh/stream.ubiklain.fr/stream.ubiklain.fr.key'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] csr='/usr/local/share/acme.sh/stream.ubiklain.fr/stream.ubiklain.fr.csr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] csrconf='/usr/local/share/acme.sh/stream.ubiklain.fr/stream.ubiklain.fr.csr.conf'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Single domain='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _is_idn_d='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _idn_temp
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _csr_cn='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Getting domain auth token for each domain
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] ok, let's start to verify
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] Verifying:stream.ubiklain.fr
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] d='stream.ubiklain.fr'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] keyauthorization='wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _currentRoot='dns'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] tigger domain validation.
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _t_url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] _t_key_authz='wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] payload='{"resource": "challenge", "keyAuthorization": "wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM"}'
[mercredi 4 avril 2018, 00:55:31 (UTC+0200)] RSA key
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] Get nonce. ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] GET
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] url='https://acme-v01.api.letsencrypt.org/directory'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] timeout
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] _CURL='curl -L --silent --dump-header /usr/local/share/acme.sh/http.header  --trace-ascii /tmp/tmp.TbhFQB8d3R '
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] ret='0'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: bnWmI_nuNwILro8eNqETGXq6WdolJos1GD1B1cKWzlE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 03 Apr 2018 22:55:32 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 Apr 2018 22:55:32 GMT
Connection: keep-alive
'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] _CACHED_NONCE='bnWmI_nuNwILro8eNqETGXq6WdolJos1GD1B1cKWzlE'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] nonce='bnWmI_nuNwILro8eNqETGXq6WdolJos1GD1B1cKWzlE'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] POST
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "8r7z2FcmWDwaujOmz4nCDX8e-9D2MpFeNBX2HBFdGsm9Tw8GqGByLyMYrah1QWasDpxqy17NvNsDG5gjZrgbjRrlPjv82rAPRqFjDRRH6haSLcHr8iVFUEbWsZ5BbIenW2OLVRfHSUOp7N6wzGGLEUPCjhYZAgY64OghmtkjZEde_KcigQkset0PgArLbAzlJdqQIhoyjileL4A94x3ZUAQAdeA86pGVM498Hj2_F3JQku8MV8KXkgIm-yUVxkKkbCStUw3jnaEJGRbeo1QE_iJUHUGteIU9IEaQgPpIUcO-Bnya30jA1tJ6dxxWELIxPrZGEhMvee2mXQuKdUwAWw"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJ3UjVpb1FPMzFzZEVFV3FfRW15dXlUSXpjUlJVRnpGemJLX0JnXzNCeUQ4LnFnVng1RG9mbjRHcHRwSlo4dTNvT3VpZ09HQTY5R21TMURiR3BpNnJ0ZE0ifQ", "signature": "FQmliCMe-b0gztWbvAfn4TOlmuYYI4TmzNOxTXdxDFUpHWUwkJoVSq_8jKSs62UtVnhbGJDxIUoLynvvLAkZPoj_j0Hw1-x-ns-uZmv3L0ZqKPYx9TzcD_J5s_R7Si0FxZum-XedSsaQGJzkoDFQp5DTfYL7CThBdKt8HjoGjn4kvWJq97AtzmSu-3BYxgqa-Q3UBevJZf7ydH_Nr3ZEWSTBriAe5FYTmF7OkNJE3NMJK1uPNAzeeQWUkgU33y3rxSJ5-4wx_xLq00qV1b_0_q6H4PWdymatlM-hF20cjbywOCqqWgzwkoOokP61uIedLuHwsDfkHbLytOL8womETQ"}'
[mercredi 4 avril 2018, 00:55:32 (UTC+0200)] _CURL='curl -L --silent --dump-header /usr/local/share/acme.sh/http.header  --trace-ascii /tmp/tmp.8d7lCtYq25 '
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] _ret='0'
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization is not pending",
  "status": 400
}'
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 03 Apr 2018 22:55:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 131
Boulder-Requester: 26523141
Replay-Nonce: GqzCx3oGfSFEXG_z14mm4RZzK1gprLzSl8u3G9OKe_s
Expires: Tue, 03 Apr 2018 22:55:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 Apr 2018 22:55:33 GMT
Connection: close
'
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: authorization is not pending","status": 400}'
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] code='400'
[mercredi 4 avril 2018, 00:55:33 (UTC+0200)] stream.ubiklain.fr:Challenge error: {"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: authorization is not pending","status": 400}
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] Skip for removelevel:
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] pid
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] No need to restore nginx, skip.
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _clearupdns
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] skip dns.
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _on_issue_err
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] Please check log file for more details: /usr/local/share/acme.sh/acme.sh.log
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _chk_vlist='stream.ubiklain.fr#wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM#https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275#dns-01#dns,'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] start to deactivate authz
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] tigger domain validation.
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _t_url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _t_key_authz='wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] payload='{"resource": "challenge", "keyAuthorization": "wR5ioQO31sdEEWq_EmyuyTIzcRRUFzFzbK_Bg_3ByD8.qgVx5Dofn4GptpJZ8u3oOuigOGA69GmS1DbGpi6rtdM"}'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] Use cached jwk for file: /usr/local/share/acme.sh/ca/acme-v01.api.letsencrypt.org/account.key
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] Use _CACHED_NONCE='GqzCx3oGfSFEXG_z14mm4RZzK1gprLzSl8u3G9OKe_s'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] nonce='GqzCx3oGfSFEXG_z14mm4RZzK1gprLzSl8u3G9OKe_s'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] POST
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] url='https://acme-v01.api.letsencrypt.org/acme/challenge/Dh0rQxZ2awn1Cfg2OFoj8iPCvbOMRsKFWmU_JtlIb_A/4063741275'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "8r7z2FcmWDwaujOmz4nCDX8e-9D2MpFeNBX2HBFdGsm9Tw8GqGByLyMYrah1QWasDpxqy17NvNsDG5gjZrgbjRrlPjv82rAPRqFjDRRH6haSLcHr8iVFUEbWsZ5BbIenW2OLVRfHSUOp7N6wzGGLEUPCjhYZAgY64OghmtkjZEde_KcigQkset0PgArLbAzlJdqQIhoyjileL4A94x3ZUAQAdeA86pGVM498Hj2_F3JQku8MV8KXkgIm-yUVxkKkbCStUw3jnaEJGRbeo1QE_iJUHUGteIU9IEaQgPpIUcO-Bnya30jA1tJ6dxxWELIxPrZGEhMvee2mXQuKdUwAWw"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJ3UjVpb1FPMzFzZEVFV3FfRW15dXlUSXpjUlJVRnpGemJLX0JnXzNCeUQ4LnFnVng1RG9mbjRHcHRwSlo4dTNvT3VpZ09HQTY5R21TMURiR3BpNnJ0ZE0ifQ", "signature": "celw4YORAx_prJmpYg6Ffl-7qlxKkX3AW6F2rqWlRlNMcFTGNgHZNoeE_1oIbPjLW8ecvK6Z-fYbqegrsT_fnf6GJNkEUYnlwtp-EUFicTaSCR6cUuX7t78quFX7hqY9ZZpe21N6MkqmO2JRyt4SayP0gDKpZHaiHKl-MbvtFgmZtoAolK5QJuYnhHB7IZgEv5b8lS3gVCZRXyfXmk-_aXDNQX-TjtpnAEu13bhzp0yIllUc8gcnWl0Ku5J_9f9HJGTE_6Qam-fad8BxxHyaRXHGQ-3aaQx_DL5WDKvdaWeParbqVGTf7mBL1N-5gsxdLtab-jgqo0FtnjkLXRNeOg"}'
[mercredi 4 avril 2018, 00:55:34 (UTC+0200)] _CURL='curl -L --silent --dump-header /usr/local/share/acme.sh/http.header  --trace-ascii /tmp/tmp.WItAmSlR7x '
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] _ret='0'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: authorization is not pending",
  "status": 400
}'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 03 Apr 2018 22:55:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 131
Boulder-Requester: 26523141
Replay-Nonce: 62UsJ-vqURGY4tsl_3XHwCfqCIyyHaVFnz9URJjU1bE
Expires: Tue, 03 Apr 2018 22:55:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 03 Apr 2018 22:55:35 GMT
Connection: close
'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: authorization is not pending","status": 400}'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] code='400'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] '/var/www/xbmc-video-server/' does not contain 'dns'
[mercredi 4 avril 2018, 00:55:35 (UTC+0200)] Diagnosis versions: 
openssl:openssl
OpenSSL 1.0.1t  3 May 2016
apache:
apache doesn't exists.
nginx:
nginx doesn't exists.
socat:
socat by Gerhard Rieger - see www.dest-unreach.org

#7

This latest error looks like an acme.sh bug @Neilpang (or potentially an old Boulder bug?).


#8

OK thanks,
FYI, I have the same problem with certbot-auto


#9

Hi @ubiklain,

I’ve tested it a few times from different locations and I’m getting random timeouts too:

$ for i in {1..5};do echo "######## Test $i ########";curl -ikL -m 10 http://stream.ubiklain.fr/.well-known/acme-challenge/test ; echo -e "######## End test $i ########\n";done
######## Test 1 ########
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 23:20:38 GMT
Server: Apache/2.4.10 (Raspbian)
Last-Modified: Sat, 24 Mar 2018 18:04:34 GMT
ETag: "6-5682c5f8caff6"
Accept-Ranges: bytes
Content-Length: 6

test

######## End test 1 ########

######## Test 2 ########
curl: (28) Connection timed out after 10000 milliseconds
######## End test 2 ########

######## Test 3 ########
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 23:20:48 GMT
Server: Apache/2.4.10 (Raspbian)
Last-Modified: Sat, 24 Mar 2018 18:04:34 GMT
ETag: "6-5682c5f8caff6"
Accept-Ranges: bytes
Content-Length: 6

test

######## End test 3 ########

######## Test 4 ########
curl: (28) Connection timed out after 10000 milliseconds
######## End test 4 ########

######## Test 5 ########
HTTP/1.1 200 OK
Date: Tue, 03 Apr 2018 23:20:59 GMT
Server: Apache/2.4.10 (Raspbian)
Last-Modified: Sat, 24 Mar 2018 18:04:34 GMT
ETag: "6-5682c5f8caff6"
Accept-Ranges: bytes
Content-Length: 6

test

######## End test 5 ########

I don’t know whether it is your connection, a CPU issue or a faulty SD card… but the timeouts are real.

Keep trying.

Good luck,
sahsanu


#10

That’s very weird, because I have been trying again and again for a week and I only have the problem on these two domains.
If I run a --renew on another subdomain it works fine on the first try.

My RPi is OK, my filesystem is on an SSD and not on an SD card, and my friends/family can access my vhosts at any time without failure (without SSL for the two with the certificate problem).

Thanks for your advice.


#11

upgrade to the latest acme.sh v2.7.9


#12

Thanks for your reply @Neilpang

I tried to upgrade:

./acme.sh --upgrade
[mercredi 4 avril 2018, 18:30:43 (UTC+0200)] Installing from online archive.
[mercredi 4 avril 2018, 18:30:43 (UTC+0200)] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[mercredi 4 avril 2018, 18:30:44 (UTC+0200)] Extracting master.tar.gz
[mercredi 4 avril 2018, 18:30:44 (UTC+0200)] Installing to /home/pi/.acme.sh
[mercredi 4 avril 2018, 18:30:45 (UTC+0200)] Installed to /home/pi/.acme.sh/acme.sh
[mercredi 4 avril 2018, 18:30:45 (UTC+0200)] Installing alias to '/home/pi/.bashrc'
[mercredi 4 avril 2018, 18:30:45 (UTC+0200)] OK, Close and reopen your terminal to start using acme.sh
[mercredi 4 avril 2018, 18:30:45 (UTC+0200)] Good, bash is found, so change the shebang to use bash as preferred.
[mercredi 4 avril 2018, 18:30:46 (UTC+0200)] OK
[mercredi 4 avril 2018, 18:30:46 (UTC+0200)] Install success!
[mercredi 4 avril 2018, 18:30:46 (UTC+0200)] Upgrade success!
pi@raspberrypi mer. avril 04 18:30:46 ~/acme.sh  
./acme.sh --version
https://github.com/Neilpang/acme.sh
v2.7.4

Still 2.7.4
So I manually pulled origin from GitHub:

git pull origin master

and I’m on 2.7.8 now:
./acme.sh --version
https://github.com/Neilpang/acme.sh
v2.7.8

Where can I find 2.7.9? In another branch?

With 2.7.8, I have the same problems: the 2 subdomains time out, but I can access the acme challenge:
http://stream.ubiklain.fr/.well-known/acme-challenge/2UoGGVjJOWZqaoOjr9Zy4nVG4NjCgRxoZp5Rk7MafZ4

Thank you


#13

please try again with the master now.

Thanks.


#14

It was iptables that had banned some IPs.
Problem solved.
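
The cause found in this thread, a fail2ban jail whose iptables rules rejected some of the validation addresses, can be confirmed by cross-referencing the firewall rules with the web server log. The script below is an added example, not part of the original posts; it assumes `iptables -S` rule syntax and Apache's combined log format, and the function names, jail names, addresses and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list fail2ban-banned addresses that had
# requested an ACME http-01 challenge path, i.e. validators the firewall rejects.

# banned_validators RULES LOG
#   RULES: saved output of `iptables -S`; LOG: Apache access log (combined format).
#   Prints "<ip> <jail>" for each banned source seen on /.well-known/acme-challenge/.
banned_validators() {
    awk '
        # First file (access log): remember clients that fetched a challenge URL.
        FILENAME == ARGV[1] {
            if ($7 ~ /^\/\.well-known\/acme-challenge\//) seen[$1] = 1
            next
        }
        # Second file (rules): per-address rules in fail2ban chains
        # (named f2b-<jail> by current releases, fail2ban-<jail> by older ones).
        $1 == "-A" && $2 ~ /^(f2b|fail2ban)-/ {
            src = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            sub(/\/32$/, "", src)
            jail = $2; sub(/^(f2b|fail2ban)-/, "", jail)
            if ((tgt == "REJECT" || tgt == "DROP") && (src in seen)) print src, jail
        }
    ' "$2" "$1" | LC_ALL=C sort -u
}

# write_samples DIR: create constructed sample inputs (documentation addresses only).
write_samples() {
    cat > "$1/rules.txt" <<'EOF'
-P INPUT ACCEPT
-N f2b-apache-noscript
-N fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j f2b-apache-noscript
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A f2b-apache-noscript -s 198.51.100.23/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-apache-noscript -s 203.0.113.77/32 -j REJECT --reject-with icmp-port-unreachable
-A f2b-apache-noscript -j RETURN
-A fail2ban-apache-404 -s 192.0.2.9/32 -j DROP
-A fail2ban-apache-404 -j RETURN
EOF
    cat > "$1/access.log" <<'EOF'
198.51.100.23 - - [24/Mar/2018:18:04:40 +0000] "GET /.well-known/acme-challenge/CONSTRUCTED-TOKEN-1 HTTP/1.1" 404 512 "-" "constructed-validator"
192.0.2.9 - - [24/Mar/2018:18:04:41 +0000] "GET /.well-known/acme-challenge/CONSTRUCTED-TOKEN-1 HTTP/1.1" 404 512 "-" "constructed-validator"
192.0.2.50 - - [24/Mar/2018:18:04:42 +0000] "GET /.well-known/acme-challenge/CONSTRUCTED-TOKEN-2 HTTP/1.1" 200 87 "-" "constructed-validator"
203.0.113.77 - - [24/Mar/2018:18:05:10 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "constructed-browser"
EOF
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
banned_validators "$demo_dir/rules.txt" "$demo_dir/access.log"
rm -rf "$demo_dir"
```

On a live host, pass the saved output of `iptables -S` and the affected vhost's access log; an address it lists can be released with `fail2ban-client set <jail> unbanip <ip>`.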


#15

report issue on github, and paste the full log with --debug 2.

