Let's Encrypt renew fail
-
All Let's Encrypt certificates were working for several months, for 2 domains.
I didn't know why they stopped auto-renewing, but I got an email about expiry. The first email was sent on October 9th. So I came into Cloudron today to renew manually.
Saw this in the logs:
So I hit the Renew all cert button. I then got these errors in the full log (where I replaced the domain names with fake ones).
Any idea what's wrong?
2024-10-30T19:09:17.196Z box:taskworker Starting task 2871. Logs are at /home/yellowtent/platformdata/logs/tasks/2871.log
2024-10-30T19:09:17.308Z box:tasks update 2871: {"percent":34,"message":"Ensuring certs of my.first-domain-to-renew.com"}
2024-10-30T19:09:17.354Z box:shell providerMatches execArgs: openssl ["x509","-noout","-subject","-issuer"]
2024-10-30T19:09:17.416Z box:shell getCertificateDates execArgs: openssl ["x509","-startdate","-enddate","-subject","-noout"]
2024-10-30T19:09:17.415Z box:reverseproxy providerMatches: subject=CN = *.first-domain-to-renew.com domain=*.first-domain-to-renew.com issuer=C = US, O = Let's Encrypt, CN = E6 wildcard=true/true prod=true/true issuerMismatch=false wildcardMismatch=false match=true
2024-10-30T19:09:17.437Z box:reverseproxy expiryDate: subject=CN = *.first-domain-to-renew.com notBefore=Aug 14 06:12:10 2024 GMT notAfter=Nov 12 06:12:09 2024 GMT daysLeft=12.460319016203703
2024-10-30T19:09:17.438Z box:reverseproxy needsRenewal: true. force: false
2024-10-30T19:09:17.438Z box:reverseproxy ensureCertificate: my.first-domain-to-renew.com acme cert exists but provider mismatch or needs renewal
2024-10-30T19:09:17.438Z box:reverseproxy ensureCertificate: my.first-domain-to-renew.com needs acme cert
2024-10-30T19:09:17.444Z box:cert/acme2 getCertificate: for fqdn my.first-domain-to-renew.com and domain first-domain-to-renew.com
2024-10-30T19:09:17.446Z box:cert/acme2 Acme2: will get cert for fqdn: my.first-domain-to-renew.com cn: *.first-domain-to-renew.com certName: _.first-domain-to-renew.com wildcard: true http: false
2024-10-30T19:09:17.446Z box:cert/acme2 getCertificate: start acme flow for *.first-domain-to-renew.com from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:09:17.611Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:09:37.637Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:09:57.674Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:09:57.682Z box:cert/acme2 getCertificate: for fqdn my.first-domain-to-renew.com and domain first-domain-to-renew.com
2024-10-30T19:09:57.683Z box:cert/acme2 Acme2: will get cert for fqdn: my.first-domain-to-renew.com cn: *.first-domain-to-renew.com certName: _.first-domain-to-renew.com wildcard: true http: false
2024-10-30T19:09:57.683Z box:cert/acme2 getCertificate: start acme flow for *.first-domain-to-renew.com from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:09:57.688Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:10:17.716Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:10:37.749Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:10:37.751Z box:cert/acme2 getCertificate: for fqdn my.first-domain-to-renew.com and domain first-domain-to-renew.com
2024-10-30T19:10:37.752Z box:cert/acme2 Acme2: will get cert for fqdn: my.first-domain-to-renew.com cn: *.first-domain-to-renew.com certName: _.first-domain-to-renew.com wildcard: true http: false
2024-10-30T19:10:37.752Z box:cert/acme2 getCertificate: start acme flow for *.first-domain-to-renew.com from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:10:37.760Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:10:57.788Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:17.821Z box:reverseproxy ensureCertificate: error: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:17.835Z box:tasks update 2871: {"percent":67,"message":"Ensuring certs of second-domain-to-renew"}
2024-10-30T19:11:17.847Z box:shell providerMatches execArgs: openssl ["x509","-noout","-subject","-issuer"]
2024-10-30T19:11:17.868Z box:reverseproxy providerMatches: subject=CN = second-domain-to-renew domain=second-domain-to-renew issuer=C = US, O = Let's Encrypt, CN = E6 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
2024-10-30T19:11:17.868Z box:shell getCertificateDates execArgs: openssl ["x509","-startdate","-enddate","-subject","-noout"]
2024-10-30T19:11:17.880Z box:reverseproxy expiryDate: subject=CN = second-domain-to-renew notBefore=Jul 31 06:10:28 2024 GMT notAfter=Oct 29 06:10:27 2024 GMT daysLeft=-1.5422555555555555
2024-10-30T19:11:17.880Z box:reverseproxy needsRenewal: true. force: false
2024-10-30T19:11:17.880Z box:reverseproxy ensureCertificate: second-domain-to-renew acme cert exists but provider mismatch or needs renewal
2024-10-30T19:11:17.880Z box:reverseproxy ensureCertificate: second-domain-to-renew needs acme cert
2024-10-30T19:11:17.888Z box:cert/acme2 getCertificate: for fqdn second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:11:17.888Z box:cert/acme2 Acme2: will get cert for fqdn: second-domain-to-renew cn: second-domain-to-renew certName: second-domain-to-renew wildcard: false http: true
2024-10-30T19:11:17.888Z box:cert/acme2 getCertificate: start acme flow for second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:11:17.894Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:37.927Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:57.957Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:57.958Z box:cert/acme2 getCertificate: for fqdn second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:11:57.958Z box:cert/acme2 Acme2: will get cert for fqdn: second-domain-to-renew cn: second-domain-to-renew certName: second-domain-to-renew wildcard: false http: true
2024-10-30T19:11:57.958Z box:cert/acme2 getCertificate: start acme flow for second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:11:57.964Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:12:17.993Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:12:38.023Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:12:38.024Z box:cert/acme2 getCertificate: for fqdn second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:12:38.025Z box:cert/acme2 Acme2: will get cert for fqdn: second-domain-to-renew cn: second-domain-to-renew certName: second-domain-to-renew wildcard: false http: true
2024-10-30T19:12:38.025Z box:cert/acme2 getCertificate: start acme flow for second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:12:38.029Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:12:58.065Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:13:18.097Z box:reverseproxy ensureCertificate: error: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:13:18.105Z box:tasks update 2871: {"percent":100,"message":"Ensuring certs of www.second-domain-to-renew"}
2024-10-30T19:13:18.124Z box:shell providerMatches execArgs: openssl ["x509","-noout","-subject","-issuer"]
2024-10-30T19:13:18.154Z box:reverseproxy providerMatches: subject=CN = www.second-domain-to-renew domain=www.second-domain-to-renew issuer=C = US, O = Let's Encrypt, CN = E6 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
2024-10-30T19:13:18.155Z box:shell getCertificateDates execArgs: openssl ["x509","-startdate","-enddate","-subject","-noout"]
2024-10-30T19:13:18.169Z box:reverseproxy expiryDate: subject=CN = www.second-domain-to-renew notBefore=Aug 14 06:12:34 2024 GMT notAfter=Nov 12 06:12:33 2024 GMT daysLeft=12.457810543981482
2024-10-30T19:13:18.169Z box:reverseproxy needsRenewal: true. force: false
2024-10-30T19:13:18.169Z box:reverseproxy ensureCertificate: www.second-domain-to-renew acme cert exists but provider mismatch or needs renewal
2024-10-30T19:13:18.169Z box:reverseproxy ensureCertificate: www.second-domain-to-renew needs acme cert
2024-10-30T19:13:18.174Z box:cert/acme2 getCertificate: for fqdn www.second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:13:18.174Z box:cert/acme2 Acme2: will get cert for fqdn: www.second-domain-to-renew cn: www.second-domain-to-renew certName: www.second-domain-to-renew wildcard: false http: true
2024-10-30T19:13:18.174Z box:cert/acme2 getCertificate: start acme flow for www.second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:13:18.181Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:13:38.221Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:13:58.259Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:13:58.262Z box:cert/acme2 getCertificate: for fqdn www.second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:13:58.263Z box:cert/acme2 Acme2: will get cert for fqdn: www.second-domain-to-renew cn: www.second-domain-to-renew certName: www.second-domain-to-renew wildcard: false http: true
2024-10-30T19:13:58.263Z box:cert/acme2 getCertificate: start acme flow for www.second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:13:58.269Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:14:18.304Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:14:38.327Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:14:38.328Z box:cert/acme2 getCertificate: for fqdn www.second-domain-to-renew and domain second-domain-to-renew
2024-10-30T19:14:38.329Z box:cert/acme2 Acme2: will get cert for fqdn: www.second-domain-to-renew cn: www.second-domain-to-renew certName: www.second-domain-to-renew wildcard: false http: true
2024-10-30T19:14:38.329Z box:cert/acme2 getCertificate: start acme flow for www.second-domain-to-renew from https://acme-v02.api.letsencrypt.org/directory
2024-10-30T19:14:38.333Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:14:58.362Z box:cert/acme2 Attempt 2 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:15:18.391Z box:reverseproxy ensureCertificate: error: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:15:18.401Z box:tasks update 2871: {"message":"Rebuilding app configs"}
2024-10-30T19:15:18.433Z box:shell isOscpEnabled execArgs: openssl ["x509","-in","/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.cert","-noout","-ocsp_uri"]
2024-10-30T19:15:18.472Z box:reverseproxy writeAppLocationNginxConfig: writing config for "second-domain-to-renew" to /home/yellowtent/platformdata/nginx/applications/e71590ab-cf2c-43de-9160-61d78d11dde1/second-domain-to-renew.conf with options {"sourceDir":"/home/yellowtent/box","vhost":"second-domain-to-renew","hasIPv6":true,"ip":"172.18.17.116","port":80,"endpoint":"app","redirectTo":null,"certFilePath":"/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.cert","keyFilePath":"/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.key","robotsTxtQuoted":null,"cspQuoted":null,"hideHeaders":[],"proxyAuth":{"enabled":false,"id":"e71590ab-cf2c-43de-9160-61d78d11dde1","location":"/"},"upstreamUri":"","ocsp":true,"hstsPreload":false}
2024-10-30T19:15:18.484Z box:shell isOscpEnabled execArgs: openssl ["x509","-in","/home/yellowtent/platformdata/nginx/cert/www.second-domain-to-renew.cert","-noout","-ocsp_uri"]
2024-10-30T19:15:18.509Z box:reverseproxy writeAppLocationNginxConfig: writing config for "www.second-domain-to-renew" to /home/yellowtent/platformdata/nginx/applications/e71590ab-cf2c-43de-9160-61d78d11dde1/www.second-domain-to-renew.conf with options {"sourceDir":"/home/yellowtent/box","vhost":"www.second-domain-to-renew","hasIPv6":true,"ip":null,"port":null,"endpoint":"redirect","redirectTo":"second-domain-to-renew","certFilePath":"/home/yellowtent/platformdata/nginx/cert/www.second-domain-to-renew.cert","keyFilePath":"/home/yellowtent/platformdata/nginx/cert/www.second-domain-to-renew.key","robotsTxtQuoted":null,"cspQuoted":null,"hideHeaders":[],"proxyAuth":{"enabled":false,"id":"e71590ab-cf2c-43de-9160-61d78d11dde1","location":"/"},"upstreamUri":"","ocsp":true,"hstsPreload":false}
2024-10-30T19:15:18.510Z box:shell reload /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/_.first-domain-to-renew.com.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/_.first-domain-to-renew.com.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/www.second-domain-to-renew.cert"
2024-10-30T19:15:18.618Z box:reverseproxy writeDashboardConfig: writing dashboard config for first-domain-to-renew.com
2024-10-30T19:15:18.634Z box:shell isOscpEnabled execArgs: openssl ["x509","-in","/home/yellowtent/platformdata/nginx/cert/_.first-domain-to-renew.com.cert","-noout","-ocsp_uri"]
2024-10-30T19:15:18.651Z box:shell reload /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/_.first-domain-to-renew.com.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/_.first-domain-to-renew.com.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.cert"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/www.second-domain-to-renew.cert"
2024-10-30T19:15:18.789Z box:mailserver checkCertificate: certificate has not changed
2024-10-30T19:15:18.789Z box:shell notifyCertChange /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh box
2024-10-30T19:15:18.964Z box:tasks update 2871: {"message":"Checking expired certs for removal"}
2024-10-30T19:15:18.979Z box:shell getCertificateDates execArgs: openssl ["x509","-startdate","-enddate","-subject","-noout"]
2024-10-30T19:15:18.998Z box:reverseproxy expiryDate: subject=CN = first-domain-to-renew.com notBefore=Mar 1 06:10:36 2024 GMT notAfter=May 30 06:10:35 2024 GMT daysLeft=-153.54495368055555
2024-10-30T19:15:18.998Z box:reverseproxy cleanupCerts: done
2024-10-30T19:15:18.999Z box:taskworker Task took 361.937 seconds
2024-10-30T19:15:18.999Z box:tasks setCompleted - 2871: {"result":null,"error":null}
2024-10-30T19:15:19.000Z box:tasks update 2871: {"percent":100,"result":null,"error":null}
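A triage pass over a task log in this format, added here as an example; it is not part of the original post and not Cloudron's code. The function name `triage` and the `dnsScope` labels are assumptions of this example; it collects each certificate's `daysLeft` and every hostname the server failed to resolve.

```javascript
// Sample lines copied from the task log above (the poster's placeholder domains).
const SAMPLE_LOG = `
2024-10-30T19:09:17.437Z box:reverseproxy expiryDate: subject=CN = *.first-domain-to-renew.com notBefore=Aug 14 06:12:10 2024 GMT notAfter=Nov 12 06:12:09 2024 GMT daysLeft=12.460319016203703
2024-10-30T19:09:17.611Z box:cert/acme2 Attempt 1 failed. Will retry: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:17.821Z box:reverseproxy ensureCertificate: error: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org
2024-10-30T19:11:17.880Z box:reverseproxy expiryDate: subject=CN = second-domain-to-renew notBefore=Jul 31 06:10:28 2024 GMT notAfter=Oct 29 06:10:27 2024 GMT daysLeft=-1.5422555555555555
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "e6.o.lencr.org" in the certificate "/home/yellowtent/platformdata/nginx/cert/second-domain-to-renew.cert"
`;

// Node reports a failed lookup as "getaddrinfo <code> <host>". Both codes mean the
// name was not resolved, so no connection to that host was attempted.
const DNS_FAILURE = /getaddrinfo (EAI_AGAIN|ENOTFOUND) (\S+)/;
// nginx logs its own failed lookup of the OCSP responder named in the certificate.
const OCSP_LOOKUP = /host not found in OCSP responder "([^"]+)"/;
const EXPIRY = /expiryDate: subject=CN = (\S+) .*daysLeft=(-?[\d.]+)/;

function triage(logText) {
  const certs = [];      // one entry per expiryDate line
  const unresolved = {}; // hostname -> number of failed lookups
  const bump = (host) => { unresolved[host] = (unresolved[host] || 0) + 1; };

  for (const line of logText.split('\n')) {
    let m;
    if ((m = EXPIRY.exec(line))) {
      const daysLeft = Number(m[2]);
      certs.push({ subject: m[1], daysLeft, expired: daysLeft < 0 });
    } else if ((m = DNS_FAILURE.exec(line))) {
      bump(m[2]);
    } else if ((m = OCSP_LOOKUP.exec(line))) {
      bump(m[1]);
    }
  }

  // Heuristic (assumption of this example): when several unrelated names fail,
  // check the server's own resolver and outbound DNS before the ACME account.
  const names = Object.keys(unresolved).length;
  const dnsScope = names === 0 ? 'none' : names === 1 ? 'one-name' : 'multiple-names';
  return { certs, unresolved, dnsScope };
}

console.log(JSON.stringify(triage(SAMPLE_LOG), null, 2));
```
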
-
Update:
second-domain-to-renew is configured with Namecheap, wildcard config in Cloudron. I also got this when I try to change the certificate type for it:
And my Namecheap configs look like this. Something must have changed in Cloudron, since the certificate was obtained with Cloudron / Let's Encrypt and was working fine before.
-
-
I now think it's all related to my main domain, which is with Porkbun, but can't sync with Porkbun because Cloudron is not using their new API.
https://forum.cloudron.io/topic/12634/porkbun-critical-api-hostname-update-to-do-in-cloudron/4
-
The Porkbun issue is fixed in 8.1
-
-