
[Issue has resolved itself] LetsEncrypt: An 'unexpected' certificate renewal failure (anybody else, or is it just me)?

Edit: The issue resolved itself overnight (see post after this).

Hi Folks

I hope everybody here is keeping well and not under too much stress in these uncertain times.

I've been using UTM for about 4 years, so my settings are by now quite 'matured' and thus these days I don't often need to change DNAT or firewall rules. I've also been using the LetsEncrypt feature since not long after it was added to UTM and up until now, it's been working flawlessly. This morning, I noted a certificate renewal failure e-mail in my inbox, so I undertook the following steps to see if I could manually renew it.

1. Checked nothing silly in my DNAT rules (all okay)

2. Toggled off country blocking (I'm in UK and USA wasn't blocked, so that shouldn't have mattered, but I disabled all country blocking just to be sure)

3. Toggled off the virtual web servers in the WAF (one was set with http->https redirection, so I was pondering whether that might be upsetting things)

I cannot think what else might be causing the below 'challenge is invalid' and 'timeout' problem (I am double-NAT, but the outer router has both ports 80 and 443 opened to the UTM; prior to toggling off the virtual web servers, I also tested that http://mydomain redirected to https://mydomain and showed the web page from the real server, which is Apache running on a Raspberry Pi), so I was just wondering if anybody else is having any LE renewal problems (or new certificate generation problems; I did try generating a fresh certificate, but that yielded identical failure results in the log files). Or does anybody else have a cool idea about what I might try? (I still believe it's likely my doing, but I have run out of ideas on what to check next.)

Kind regards, 

Briain

2020:04:11-11:48:03 hadrian letsencrypt[14112]: I Renew certificate: handling CSR REF_CaCsrMyDomainNameLeCert for domain set [MyDomainName.uk,www.MyDomainName.uk]
2020:04:11-11:48:03 hadrian letsencrypt[14112]: I Renew certificate: running command: /var/storage/chroot-reverseproxy/usr/dehydrated/bin/dehydrated -x -f /var/storage/chroot-reverseproxy/usr/dehydrated/conf/config -c --accept-terms --domain MyDomainName.uk --domain www.MyDomainName.uk
2020:04:11-11:48:38 hadrian letsencrypt[14112]: I Renew certificate: command completed with exit code 256
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "error": {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     "type": "urn:ietf:params:acme:error:connection",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     "detail": "Fetching MyDomainName.uk/.../N6euNRl12BJYeF954aWAZg3BL4rgb4e9pgPwlnj11eA: Timeout during connect (likely firewall problem)",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     "status": 400
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   },
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "url": "acme-v02.api.letsencrypt.org/.../TkIHWg",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "token": "N6euNRl12BJYeF954aWAZg3BL4rgb4e9pgPwlnj11eA",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "url": "MyDomainName.uk/.../N6euNRl12BJYeF954aWAZg3BL4rgb4e9pgPwlnj11eA",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "hostname": "MyDomainName.uk",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "addressesResolved": [
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:         "111.222.333.444"
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       ],
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "111.222.333.444"
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     }
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   ]
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED: })
2020:04:11-11:48:38 hadrian letsencrypt[14112]: I Renew certificate: sending notification WARN-603
2020:04:11-11:48:38 hadrian letsencrypt[14112]: [WARN-603] Let's Encrypt certificate renewal failed accessing Let's Encrypt service
2020:04:11-11:48:38 hadrian letsencrypt[14112]: I Renew certificate: execution completed (CSRs renewed: 0, failed: 1)

NB I was getting tempted to just purchase a really cheap certificate, but it would be better to understand what's causing the above failure. :-)
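As an added example (not code from the post, from Sophos or from the dehydrated project), the following Python reassembles the ACME challenge object that dehydrated's error message leaves split across the UTM letsencrypt log lines above and pulls out the fields that decide where to look; the sample log is constructed from the quoted output, with the poster's own placeholders for domain, address and token.

```python
import json
import re

# Constructed sample: the log quoted in the post, trimmed to the fields that matter
# (domain, address and token are the poster's own placeholders).
SAMPLE_LOG = """\
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED: ERROR: Challenge is invalid! (returned: invalid) (result: {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "type": "http-01",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "status": "invalid",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "error": {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     "type": "urn:ietf:params:acme:error:connection",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     "detail": "Fetching MyDomainName.uk/.../N6euNRl12BJYeF954aWAZg3BL4rgb4e9pgPwlnj11eA: Timeout during connect (likely firewall problem)"
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   },
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   "validationRecord": [
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     {
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "hostname": "MyDomainName.uk",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "port": "80",
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:       "addressUsed": "111.222.333.444"
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:     }
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED:   ]
2020:04:11-11:48:38 hadrian letsencrypt[14112]: E Renew certificate: COMMAND_FAILED: })
2020:04:11-11:48:38 hadrian letsencrypt[14112]: I Renew certificate: sending notification WARN-603
"""

# Only the "E ... COMMAND_FAILED: " lines of the UTM letsencrypt log carry the JSON fragments.
FRAGMENT = re.compile(r"letsencrypt\[\d+\]: E Renew certificate: COMMAND_FAILED: (.*)$")

def parse_challenge_failure(log_text):
    """Reassemble the ACME challenge object that dehydrated's error splits across log lines."""
    parts = [m.group(1) for m in map(FRAGMENT.search, log_text.splitlines()) if m]
    blob = "\n".join(parts)
    start = blob.find("(result: ")
    if start < 0:
        return None
    blob = blob[start + len("(result: "):]
    rec = json.loads(blob[: blob.rfind("}") + 1])  # cut the ")" that closes "(result: ...)"
    err = rec.get("error", {})
    vr = (rec.get("validationRecord") or [{}])[0]
    return {
        "challenge": rec.get("type"),
        "status": rec.get("status"),
        "error_type": err.get("type"),
        "detail": err.get("detail"),
        "target": f"{vr.get('hostname')}:{vr.get('port')} ({vr.get('addressUsed')})",
        # ":connection" means the validator's TCP connect to port 80 never completed, so the
        # inbound path (router NAT, UTM DNAT/firewall, WAF) is the first thing to check.
        "inbound_path_suspect": err.get("type", "").endswith(":connection"),
    }

if __name__ == "__main__":
    print(parse_challenge_failure(SAMPLE_LOG))
```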


