Unable to renew Letsencrypt, did not match the challenge & limit issue

Hello everyone!

One of my subdomains, which is connected to the server, has expired and I am not planning to renew it. I think it could cause an issue with renewal, though I am not sure. I even already removed that domain from the list.

The main domain spareleash.com.cn cannot renew. Please advise how it can be fixed. I checked all the threads but could not find the related answer. Big thanks!

My domain is:

spareleash.com.cn

I ran this command:
dokku letsencrypt:enable spareleash

It produced this output:

I ran this command:
curl -iL http://spareleash.com.cn/.well-known/acme-challenge/0KWcFQEUGnUmAE55Xdb1qAmZLp9HvBYV_5nsqV1Efhc.0goXOH9AzZyp0DoENiMn7lHEBaJxEvxo6qOj217QomQ

It produced this output:
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Thu, 30 Dec 2021 07:24:36 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://spareleash.com.cn:443/.well-known/acme-challenge/0KWcFQEUGnUmAE55Xdb1qAmZLp9HvBYV_5nsqV1Efhc.0goXOH9AzZyp0DoENiMn7lHEBaJxEvxo6qOj217QomQ
Strict-Transport-Security: max-age=15724800; includeSubdomains

curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

My web server is (include version):
Ubuntu 16.04 64-bit

The operating system my web server runs on is (include version):
rails

My hosting provider, if applicable, is:
aliyun

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
not using

Then it showed me that:

Is there a way still to enable letsencrypt? Or does it mean the server will be down for a week?

My advice would be to file an issue with Dokku. There seems to be sooooo much wrong with that Dokku thing, I wouldn't dare to start debugging it here, sorry.

Why the (#*&$)# would Dokku register a new account every time it runs? That just doesn't make any sense and due to that idiotic behaviour, you're now rate limited and can't generate a new account at the moment. Dokku should only register one account (per system/per site/whatever) and save it for future use. Not try to register a new one every time Dokku tries to get a new cert. That's just wasteful and as you can see now, leads to rate limits.

Also note that it's not possible to reset rate limits. The current rate limit you're hitting is a maximum of 10 accounts per IP address per 3 hours.

2 Likes
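
The failure mode the reply describes (a client that registers a new ACME account on every run versus one that saves its account and reuses it), as an added example that is not part of the thread and is not Dokku's or Let's Encrypt's code. The sliding-window limiter is a simplified model of the limit quoted above, and the account file, IP address and retry interval are constructed for illustration.

```python
import json, os, tempfile
from collections import deque

WINDOW_S = 3 * 3600     # 3 hours, as quoted in the reply above
MAX_NEW_ACCOUNTS = 10   # new accounts per IP address, as quoted in the reply above

class NewAccountLimiter:
    """Simplified sliding-window model of a per-IP new-account limit (assumption)."""
    def __init__(self):
        self.seen = {}  # ip -> deque of registration timestamps (seconds)

    def register(self, ip, now):
        q = self.seen.setdefault(ip, deque())
        while q and now - q[0] >= WINDOW_S:
            q.popleft()           # forget registrations older than the window
        if len(q) >= MAX_NEW_ACCOUNTS:
            return False          # rate limited: the client can only wait
        q.append(now)
        return True

def run_client(limiter, ip, now, account_file=None):
    """One issuance attempt: returns 'reused', 'registered' or 'rate-limited'."""
    if account_file and os.path.exists(account_file):
        return "reused"           # saved account found, no new-account request sent
    if not limiter.register(ip, now):
        return "rate-limited"
    if account_file:
        with open(account_file, "w") as f:
            json.dump({"registered_at": now}, f)  # stands in for the real account key
    return "registered"

def simulate(persist, attempts=12, interval_s=600, ip="203.0.113.7"):
    """Retry every interval_s seconds and return the outcome of each attempt."""
    limiter = NewAccountLimiter()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "account.json") if persist else None
        return [run_client(limiter, ip, i * interval_s, path) for i in range(attempts)]

if __name__ == "__main__":
    print("new account per run:", simulate(persist=False))
    print("saved account      :", simulate(persist=True))
```

With retries every ten minutes, the per-run client is blocked from the eleventh attempt until its first registration ages out of the window, while the client with a saved account sends a single registration.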
