[BlueOnyx:27260] Re: Letsencrypt update failure

Neil Watson neil at waterend.net
Wed Sep 25 04:02:06 -05 2024
Hi Michael,

Yes I was running firewalld on the server.

I've stopped it and tried again, and get exactly the same result.

Could it be a timeout setting on the LetsEncrypt renewal that they've 
introduced whose default just doesn't work for me?

I'm also surprised that it only seems to try 4 out of what is suggested 
to be 30 times to retrieve the verification file:

[Wed 25 Sep 09:31:03 BST 2024] Pending, The CA is processing your order, 
please just wait. (1/30)
[Wed 25 Sep 09:31:03 BST 2024] sleep 2 secs to verify again
[Wed 25 Sep 09:31:05 BST 2024] checking
[Wed 25 Sep 09:31:05 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:06 BST 2024] payload
[Wed 25 Sep 09:31:06 BST 2024] POST
[Wed 25 Sep 09:31:06 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:06 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:06 BST 2024] _ret='0'
[Wed 25 Sep 09:31:06 BST 2024] code='200'
[Wed 25 Sep 09:31:06 BST 2024] Pending, The CA is processing your order, 
please just wait. (2/30)
[Wed 25 Sep 09:31:06 BST 2024] sleep 2 secs to verify again
[Wed 25 Sep 09:31:08 BST 2024] checking
[Wed 25 Sep 09:31:08 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:08 BST 2024] payload
[Wed 25 Sep 09:31:08 BST 2024] POST
[Wed 25 Sep 09:31:08 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:08 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:09 BST 2024] _ret='0'
[Wed 25 Sep 09:31:09 BST 2024] code='200'
[Wed 25 Sep 09:31:09 BST 2024] Pending, The CA is processing your order, 
please just wait. (3/30)
[Wed 25 Sep 09:31:09 BST 2024] sleep 2 secs to verify again
[Wed 25 Sep 09:31:11 BST 2024] checking
[Wed 25 Sep 09:31:11 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:11 BST 2024] payload
[Wed 25 Sep 09:31:11 BST 2024] POST
[Wed 25 Sep 09:31:11 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:11 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:11 BST 2024] _ret='0'
[Wed 25 Sep 09:31:11 BST 2024] code='200'
[Wed 25 Sep 09:31:11 BST 2024] Pending, The CA is processing your order, 
please just wait. (4/30)
[Wed 25 Sep 09:31:11 BST 2024] sleep 2 secs to verify again
[Wed 25 Sep 09:31:13 BST 2024] checking
[Wed 25 Sep 09:31:13 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:13 BST 2024] payload
[Wed 25 Sep 09:31:13 BST 2024] POST
[Wed 25 Sep 09:31:13 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:13 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:14 BST 2024] _ret='0'
[Wed 25 Sep 09:31:14 BST 2024] code='200'
[Wed 25 Sep 09:31:14 BST 2024] www.<MYSITE>/:Verify error:<MYIP>: 
Fetching 
http://www.<MYSITE>/.well-known/acme-challenge/D6rvIsFhUi-ic-rr7qKKRWLG9xC_Lz0gYVj8qO2fHlM: 
Timeout during connect (likely firewall problem)
[Wed 25 Sep 09:31:14 BST 2024] Debug: get token url.
[Wed 25 Sep 09:31:14 BST 2024] GET
[Wed 25 Sep 09:31:14 BST 2024] 
url='http://www.<MYSITE>//.well-known/acme-challenge/D6rvIsFhUi-ic-rr7qKKRWLG9xC_Lz0gYVj8qO2fHlM'
[Wed 25 Sep 09:31:14 BST 2024] timeout=1
[Wed 25 Sep 09:31:14 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g  --connect-timeout 1'
[Wed 25 Sep 09:31:14 BST 2024] ret='0'

[Wed 25 Sep 09:31:14 BST 2024] Skip for removelevel:
[Wed 25 Sep 09:31:14 BST 2024] pid
[Wed 25 Sep 09:31:14 BST 2024] Using config 
home:/usr/sausalito/acme/data
[Wed 25 Sep 09:31:14 BST 2024] 
ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Wed 25 Sep 09:31:14 BST 2024] httpdconfname='conf/httpd.conf'
[Wed 25 Sep 09:31:14 BST 2024] httpdroot='/etc/httpd'
[Wed 25 Sep 09:31:14 BST 2024] httpdconf='/etc/httpd/conf/httpd.conf'
[Wed 25 Sep 09:31:14 BST 2024] httpdconfname='httpd.conf'
[Wed 25 Sep 09:31:15 BST 2024] Restored: /etc/httpd/conf/httpd.conf.
[Wed 25 Sep 09:31:15 BST 2024] Restored successfully.
[Wed 25 Sep 09:31:15 BST 2024] No need to restore nginx, skip.
[Wed 25 Sep 09:31:15 BST 2024] _clearupdns
[Wed 25 Sep 09:31:15 BST 2024] dns_entries
[Wed 25 Sep 09:31:15 BST 2024] skip dns.
[Wed 25 Sep 09:31:15 BST 2024] _on_issue_err
[Wed 25 Sep 09:31:15 BST 2024] Please check log file for more details: 
/var/log/letsencrypt/letsencrypt.log
[Wed 25 Sep 09:31:15 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:15 BST 2024] payload='{}'
[Wed 25 Sep 09:31:15 BST 2024] POST
[Wed 25 Sep 09:31:15 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023536/uPb9Rw'
[Wed 25 Sep 09:31:15 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:15 BST 2024] _ret='0'
[Wed 25 Sep 09:31:15 BST 2024] code='400'
[Wed 25 Sep 09:31:16 BST 2024] 
url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'
[Wed 25 Sep 09:31:16 BST 2024] payload='{}'
[Wed 25 Sep 09:31:16 BST 2024] POST
[Wed 25 Sep 09:31:16 BST 2024] 
_post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/408160023526/19mPsQ'
[Wed 25 Sep 09:31:16 BST 2024] _CURL='curl --silent --dump-header 
/usr/sausalito/acme/data/http.header  -L  -g '
[Wed 25 Sep 09:31:16 BST 2024] _ret='0'
[Wed 25 Sep 09:31:16 BST 2024] code='200'
[Wed 25 Sep 09:31:16 BST 2024] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1k  FIPS 25 Mar 2021
apache:
Server version: Apache/2.4.37 (AlmaLinux)
Server built:   Aug 12 2024 02:30:19
Server's Module Magic Number: 20120211:83
Server loaded:  APR 1.6.3, APR-UTIL 1.6.1
Compiled using: APR 1.6.3, APR-UTIL 1.6.1
Architecture:   64-bit
Server MPM:     prefork
   threaded:     no
     forked:     yes (variable process count)

....

Any more suggestions / ideas to debug it further?

Kind regards

Neil.

> Hi Neil,
> 
>> According to my httpd/access_log entry:
>> 
>> www.<mysite>.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET
>> /.well-known/acme-challenge/MZivJl3jVnXTJ3a3nWyH-MrAZnBeLFJombDo9Ganb8Q
>> HTTP/1.1" 301 307 "-" "BlueOnyx-ACME-Client"
>> www.<mysite>.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET
>> /.well-known/acme-challenge/MZivJl3jVnXTJ3a3nWyH-MrAZnBeLFJombDo9Ganb8Q
>> HTTP/1.1" 200 87 "-" "BlueOnyx-ACME-Client"
>> 
>> the server DID serve up the "page" (or thought it did) - with the 200 
>> status
> 
> Yeah, from the looks of it the verification file was indeed fetched.
> 
> However: The "likely firewall problem" is perhaps also true. I've seen
> it in the past. If you have APF (or Firewalld) enabled, try to disable
> them and then do another cert request.
> 
> If that then goes through, then please weed out your APF blacklist and
> remove old entries before you restart it.
> 
> --
> With best regards
> 
> Michael Stauber
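
As an added example that is not part of this thread and not BlueOnyx's own code: the access_log lines quoted above show the token fetched from 192.168.2.41 with the "BlueOnyx-ACME-Client" user agent, i.e. from the client itself rather than from a Let's Encrypt validation server, so a 200 there does not show that the CA could reach the host. The Python check below parses such lines and reports whether any fetch from a public address was ever served; the vhost name, the placeholder address 1.2.3.4 and the validator user agent in the sample data are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Apache combined log with a leading virtual-host field, as in the thread's access_log.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
SELF_CHECK_UA = "BlueOnyx-ACME-Client"  # the client's own fetch of the token

@dataclass
class ChallengeHit:
    ip: str
    status: int
    external: bool  # fetched from a public address by something other than the client

def classify(line):
    """Parse one access_log line; return a ChallengeHit for token fetches, else None."""
    m = LOG_RE.match(line.strip())
    if not m or not m.group("path").startswith(CHALLENGE_PREFIX):
        return None
    ip = ipaddress.ip_address(m.group("ip"))
    # A private (RFC 1918/loopback) source or the client's own user agent is the
    # client checking itself; only other sources can be the CA's validator.
    external = not ip.is_private and SELF_CHECK_UA not in m.group("ua")
    return ChallengeHit(str(ip), int(m.group("status")), external)

def diagnose(lines):
    """Say whether any public-address fetch of a token was actually served."""
    hits = [h for h in map(classify, lines) if h]
    ext_ok = [h for h in hits if h.external and h.status == 200]
    if ext_ok:
        return "external validation fetch served with 200 from %s" % ext_ok[0].ip
    if hits:
        return "only self-check fetches seen; no public address reached the token"
    return "no acme-challenge requests logged at all"

# Constructed sample: two lines modelled on the thread's access_log, plus one from placeholder 1.2.3.4.
SELF_CHECK_ONLY = [
    'www.example.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 301 307 "-" "BlueOnyx-ACME-Client"',
    'www.example.co.uk 192.168.2.41 - - [23/Sep/2024:16:54:50 +0100] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 87 "-" "BlueOnyx-ACME-Client"',
]
WITH_CA_FETCH = SELF_CHECK_ONLY + [
    'www.example.co.uk 1.2.3.4 - - [23/Sep/2024:16:54:51 +0100] "GET /.well-known/acme-challenge/TOKEN HTTP/1.1" 200 87 "-" "constructed-validator/1.0"',
]
print(diagnose(SELF_CHECK_ONLY), "|", diagnose(WITH_CA_FETCH))
```

Run it against the real access_log (for example `diagnose(open("/var/log/httpd/access_log"))`) around the time of a renewal attempt: if only self-check hits appear, the problem sits in front of Apache (firewall, NAT or port forwarding) rather than in the vhost.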
