Cert renewing failing

cpa

Hi there,

I'm using cloudron 7.4.3 and I cannot renew my certs.

I'm using digitalocean. Given the logs, the issue does not seem to come from the API connection.

What's weird is this line, given that the challenges are actually matching.
Feb 23 16:02:27 box:dns/waitfordns isChangeSynced: _acme-challenge.domain.fun (TXT) was resolved to "JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY" at NS ns2.digitalocean.com (173.245.59.41). Expecting JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY. Match false

I get this:

Feb 23 16:02:26 box:cert/acme2 prepareDnsChallenge: update _acme-challenge with JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY
Feb 23 16:02:26 box:dns upsertDNSRecord: location _acme-challenge on domain domain.fun of type TXT with values ["\"JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY\""]
Feb 23 16:02:26 box:dns/digitalocean upsert: _acme-challenge for zone domain.fun of type TXT with values ["\"JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY\""]
Feb 23 16:02:26 box:dns/digitalocean getInternal: getting dns records of domain.fun with _acme-challenge and type TXT
Feb 23 16:02:26 box:dns/digitalocean upsert: completed with recordIds:[null]
Feb 23 16:02:26 box:dns/waitfordns waitForDns: waiting for _acme-challenge.domain.fun to be JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY in zone domain.fun
Feb 23 16:02:27 box:dns/waitfordns waitForDns: nameservers are ["ns2.digitalocean.com","ns3.digitalocean.com","ns1.digitalocean.com"]
Feb 23 16:02:27 box:dns/waitfordns isChangeSynced: _acme-challenge.domain.fun (TXT) was resolved to "JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY" at NS ns2.digitalocean.com (173.245.59.41). Expecting JD5vLWoK0g0EkM5_OJV51UHXDzUUJFbpwIxVCfxWQQY. Match false
Feb 23 16:02:27 box:dns/waitfordns waitForDns: _acme-challenge.domain.fun at ns ns2.digitalocean.com: not done
Feb 23 16:02:27 box:dns/waitfordns Attempt 1 failed. Will retry: ETRYAGAIN
[later attempts fail the same way]

Any ideas?

girish

@cpa the issue is already fixed in 7.6. Any reason why you are still on an old version?

girish

https://git.cloudron.io/cloudron/box/-/commit/0dfadc59228978f82ae3aa2ba4be2b421e785e02 was the fix . You can always apply it locally in /home/yellowtent/box/src/dns/digitalocean.js . Then. systemctl restart box and renew all certs.

cpa

Thanks! I was able to renew certs. I'm backing up stuff and will be updating afterwards. It's a cloudron instance that pertains to my former team, but I'm the only one that has the technical knowledge to do admin stuff. You can guess how well that works
I have another instance (with a subscription) that runs very smoothly.

visuex

@girish said in Cert renewing failing:

Any reason why you are still on an old version?

because the Cloudron auto-update stopped at this version for some reason. I assume there is a bug somewhere because this is the exact same Cloudron version I am on with the same cert issue.

Edit: I performed the change manually for the digitalocean.js TXT and the cert renewed successfully. Still on 7.4.3 though. I will test that update soon.

Edit 2: every time I try to update inside of the my.cloudron-domain.tld it fails but I do not get any errors. It just shows the "Update Available" button on in endless loop of never updating. Could it be because of the version of Ubuntu it is running on?

girish

@visuex are you the same as @cpa ? What is the context of this comment? The original thread was about certs not renewing but in your comment you said it's renewing just fine. Can you open a new thread please if you have some problem?

netrocket

Hello!!

I have the same problem, but the certificate is still not updated....Although the DNS in Digitalocean entry is already written without quotation marks

My logs:

Aug 30 21:33:12 box:dns upsertDNSRecord: location _acme-challenge on domain domain.my of type TXT with values ["\"3hB9LTo81PLLIPQCwgC-rt14NcD-pIOLLYIVyZznfuk\""]
Aug 30 21:33:12 box:dns/digitalocean upsert: _acme-challenge for zone domain.my of type TXT with values ["\"3hB9LTo81PLLIPQCwgC-rt14NcD-pIOLLYIVyZznfuk\""]
Aug 30 21:33:12 box:dns/digitalocean getInternal: getting dns records of domain.my with _acme-challenge and type TXT
Aug 30 21:33:13 box:dns/digitalocean getInternal: null []
Aug 30 21:33:13 box:dns/digitalocean upsert: completed with recordIds:[1750905219]
Aug 30 21:33:13 box:dns/waitfordns waitForDns: hostname _acme-challenge.domain.my to be 3hB9LTo81PLLIPQCwgC-rt14NcD-pIOLLYIVyZznfuk in zone domain.my.

joseph

@netrocket which version of Cloudron are you on? This bug is long fixed

netrocket

@joseph v7.0.4 (Ubuntu 16.04.7 LTS) and we can't update Ubuntu (

nebulon

oh that is indeed quite old and 16.04 does not even receive security updates anymore. What is the reason that you cannot upgrade ubuntu itself?

joseph

See https://forum.cloudron.io/topic/11171/cert-renewing-failing/3 . You have to apply patch manually. However, I have to tell you that neither Cloudron 7.0.4 nor Ubuntu 16 are supported by now. These are very old software versions. I think Cloudron 7.04 was released almost 3 years ago.

netrocket

@joseph I changed the code in the digitalocean.js file, but the error stay. It turns out that the DNS record is being created without quotes, but the validation is still being done with quotes.

joseph

@netrocket strange, that is exactly what that line fixes. We have applied that patch to many servers by hand and it should work. Maybe you can write to us at support@cloudron.io ?

netrocket

I updated server to Ubuntu 18.04.
I'll try to do everything right )

Thanks for your help
if there are any questions - I will write to you

cpa

@girish said in Cert renewing failing:

@visuex are you the same as @cpa ?

Nope, not me!