Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum

    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved LetsEncrypt Failing

    Support
    certificates domains
    2
    5
    326
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • A
      adrw last edited by girish

      My server hasn't been able to renew certificates for any subdomains for my primary one. All fail with the following error for over a week. I thought that by this time any rate limiting on LetsEncrypt side would have resolved so wondering if something else might be wrong.

      Failed to new certs of sub.domain.com: Failed to register user. Expecting 201, got 429 undefined. Renewal will be retried in 12 hours
      
      1 Reply Last reply Reply Quote 0
      • girish
        girish Staff last edited by

        There was recently an announcement about a change in Let's Encrypt - https://community.letsencrypt.org/t/acme-v1-v2-validating-challenges-from-multiple-network-vantage-points/112253 .

        429 error does mean too many certs/rate limit. Are you using wild card certs or normal domain certs? If you use Cloudron DNS integration you will be using wildcard certs and you shouldn't be hitting this limit.

        @adrw If you go to domains -> Renew all certs, can you send us the logs after it's done ? (support@cloudron.io)

        1 Reply Last reply Reply Quote 0
        • A
          adrw last edited by

          Thanks @girish , just emailed the logs! Very much appreciate your help!

          1 Reply Last reply Reply Quote 0
          • girish
            girish Staff last edited by girish

            The error seen from the logs is CAA record for *.domain.com prevents issuance. A CAA record is a special DNS record which authorizes CAs to issue certs for the domain.

            In your case, your top level domain.com has a CNAME record to xx.github.io which it turns has CAA records. Try this:

            $ host -t CAA domain.com
            domain.com is an alias for domain.github.io.
            domain.github.io has CAA record 0 issue "letsencrypt.org"
            domain.github.io has CAA record 0 issue "digicert.com"
            domain.github.io has CAA record 0 issuewild "digicert.com"
            

            So, issuing wildcard certs for letsencrypt is disabled. This is why it doesn't renew (maybe you didn't have this CNAME record when you setup cloudron).

            Finally, having a CNAME at the top level domain is not a good practice. It essentially aliases the full domain to something else. Which means that subdomain like foo.domain.com may not resolve properly. Please see - https://www.freecodecamp.org/news/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c/. Maybe you can alias/CNAME www.domain.com instead to github.

            1 Reply Last reply Reply Quote 1
            • A
              adrw last edited by

              Thanks for the thorough reply @girish , I've updated my DNS accordingly and the certificates renewed! I'll figure something out with the Github Pages (or self host on Cloudron!)

              1 Reply Last reply Reply Quote 1
              • First post
                Last post
              Powered by NodeBB