Possible Let's Encrypt bug

    creative567145
    wrote on last edited by girish
    #1

    Hello everybody

    The last 2 Cloudron installations on Azure VPS and Contabo VPS, have resulted in the same problem.
    The Let's Encrypt Certificate failed to be issued.

    Here is the Contabo VPS log:

    Oct 27 21:43:28box:taskworker Starting task 3. Logs are at /home/yellowtent/platformdata/logs/tasks/3.log
    Oct 27 21:43:28box:tasks update 3: {"percent":101,"message":"Ensuring certs of my.chat.newtonhealthcore.com"}
    Oct 27 21:43:28box:reverseproxy ensureCertificate: my.chat.newtonhealthcore.com needs acme cert
    Oct 27 21:43:28box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
    Oct 27 21:43:28box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
    Oct 27 21:43:28box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
    Oct 27 21:43:31box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:43:51box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:44:11box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:44:11box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
    Oct 27 21:44:11box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
    Oct 27 21:44:11box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
    Oct 27 21:44:11box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:44:31box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:44:51box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:44:51box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
    Oct 27 21:44:51box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
    Oct 27 21:44:51box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
    Oct 27 21:44:51box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:45:11box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:45:31box:reverseproxy ensureCertificate: error: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
    Oct 27 21:45:31box:tasks update 3: {"message":"Rebuilding app configs"}
    Oct 27 21:45:31box:reverseproxy writeDashboardConfig: writing admin config for chat.newtonhealthcore.com
    Oct 27 21:45:31box:reverseproxy writeCertificate: my.chat.newtonhealthcore.com will use fallback certs because acme is missing
    Oct 27 21:45:31box:shell reload spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
    Oct 27 21:45:31box:mailserver checkCertificate: certificate has not changed
    Oct 27 21:45:31box:shell notifyCertChange spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh box
    Oct 27 21:45:31box:tasks update 3: {"message":"Checking expired certs for removal"}
    Oct 27 21:45:31box:reverseproxy cleanupCerts: done
    Oct 27 21:45:31box:tasks setCompleted - 3: {"result":null,"error":null}
    Oct 27 21:45:31box:tasks update 3: {"percent":100,"result":null,"error":null}
    Oct 27 21:45:31box:taskworker Task took 122.95 seconds
    

    Have any of you found a solution for this? 🙂

      girish
      Staff
      wrote on last edited by
      #2

      @creative567145 said in Possible Let's Encrypt bug:

      Oct 27 21:43:31box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443

      This is actually the Let's Encrypt server address. Looks like your server is unable to connect via IPv6.

      Try these commands on the server:

      • ping6 2604:a880:1:4a::2:7000
      • curl -6 https://ipv6.api.cloudron.io/api/v1/helper/public_ip
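
The diagnosis above reads the failing destination straight out of the log. As an added example (not part of the original posts and not Cloudron's own code), the script below does the same over a whole task log: it splits each `ENETUNREACH` target into address and port, classifies the address family, and reports whether the fallback certificate was used. The function names and the abridged sample log are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: classify the ENETUNREACH failures in a Cloudron task log.

# Constructed sample: four lines abridged from the log quoted in the thread.
SAMPLE_LOG='Oct 27 21:43:28box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
Oct 27 21:43:31box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:43:51box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:45:31box:reverseproxy writeCertificate: my.chat.newtonhealthcore.com will use fallback certs because acme is missing'

# Print "family address port count" for each distinct unreachable destination.
# The log prints the target as address:port, so the last colon-separated
# field is the port and whatever precedes it is the address.
unreachable_destinations() {
    awk '
    {
        for (i = 1; i < NF; i++) {
            if ($i != "ENETUNREACH") continue
            dest = $(i + 1)
            n = split(dest, part, ":")
            if (n < 2) continue
            port = part[n]
            addr = substr(dest, 1, length(dest) - length(port) - 1)
            family = (index(addr, ":") > 0) ? "ipv6" : "ipv4"
            seen[family " " addr " " port]++
        }
    }
    END { for (k in seen) print k, seen[k] }' | sort
}

# Reduce a log on stdin to one verdict:
#   ipv6-only  every unreachable destination is an IPv6 address
#   ipv4-only  every unreachable destination is an IPv4 address
#   both       both families are unreachable
#   none       no ENETUNREACH lines
verdict() {
    unreachable_destinations | awk '
    $1 == "ipv6" { v6++ }
    $1 == "ipv4" { v4++ }
    END {
        if (v6 && v4) print "both"
        else if (v6)  print "ipv6-only"
        else if (v4)  print "ipv4-only"
        else          print "none"
    }'
}

# Succeeds when the reverse proxy fell back to the fallback certificate.
used_fallback_cert() {
    grep -q 'will use fallback certs because acme is missing'
}

printf '%s\n' "$SAMPLE_LOG" | unreachable_destinations
printf 'verdict: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | verdict)"
```

An `ipv6-only` verdict points at the host's IPv6 routing, which is what the `ping6` and `curl -6` checks above test directly.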
        creative567145
        wrote on last edited by
        #3

        @girish Thank you Girish very much for your fast and direct response 🙂

        From this command:
        ping6 2604:a880:1:4a::2:7000
        This was the result:

        From fd43:4f4e:5943:50::a icmp_seq=5 Destination unreachable: No route
        

        .

        And from this command:
        curl -6 https://ipv6.api.cloudron.io/api/v1/helper/public_ip
        This was the result:

        curl: (7) Failed to connect to ipv6.api.cloudron.io port 443 after 1219 ms: Network is unreachable
        

        Your assistance with this problem will be greatly appreciated 🙂

          creative567145
          wrote on last edited by
          #4

          When I enter in the terminal this:
          enable_ipv6

          This is the result:

          ** (generate:57510): WARNING **: 13:03:50.397: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
          ** (generate:57510): WARNING **: 13:03:50.398: `gateway6` has been deprecated, use default routes instead.
          See the 'Default routes' section of the documentation for more details.
          ** (generate:57515): WARNING **: 13:03:50.541: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
          ** (generate:57515): WARNING **: 13:03:50.542: `gateway6` has been deprecated, use default routes instead.
          See the 'Default routes' section of the documentation for more details.
          WARNING:root:Cannot call Open vSwitch: ovsdb-server.service is not running.
          ** (process:57513): WARNING **: 13:03:50.959: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
          ** (process:57513): WARNING **: 13:03:50.960: `gateway6` has been deprecated, use default routes instead.
          See the 'Default routes' section of the documentation for more details.
          ** (process:57513): WARNING **: 13:03:51.254: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
          ** (process:57513): WARNING **: 13:03:51.255: `gateway6` has been deprecated, use default routes instead.
          See the 'Default routes' section of the documentation for more details.
          ** (process:57513): WARNING **: 13:03:51.255: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
          ** (process:57513): WARNING **: 13:03:51.255: `gateway6` has been deprecated, use default routes instead.
          See the 'Default routes' section of the documentation for more details.
          
            girish
            Staff
            wrote on last edited by girish
            #5

            @creative567145 I think the enable_ipv6 command is something provider specific. But as you can see, IPv6 is not working on your server. I think you should reach out to your VPS provider. Another option is to disable IPv6 entirely.

            Something like:

            # 1 disables IPv6 on the interface scope; 0 leaves it enabled
            sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
            sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
            sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
            
              creative567145
              wrote on last edited by
              #6

              @girish Thank you. Your solution did the trick.
              But we needed the ipv6 to be functional.
              So what we did to make it work was > reinstall Ubuntu 22.04 LTS OS and didn't install unbound in advance. All is good now.

              • girishG girish has marked this topic as solved on