Can't renew SSL certificate
-
When trying to renew Let's Encrypt certificates via Cloudron's Domains page, I press Renew All Certs, and no error message is printed in the the browser when the process seems complete, but when checking logs it seems the update has failed.
Sep 22 16:17:59 box:shell startMail (stderr): Sep 22 16:17:59 box:reverseproxy ensureCertificate: renewal of my.arj.rocks failed. using fallback certificates for arj.rocks Sep 22 16:17:59 box:tasks 791: {"percent":34,"message":"Renewing certs of nextcloud.arj.rocks"} Sep 22 16:17:59 box:reverseproxy ensureCertificate: nextcloud.arj.rocks certificate already exists at /home/yellowtent/boxdata/certs/_.arj.rocks.key Sep 22 16:17:59 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.arj.rocks.cert Certificate will expire 1 Sep 22 16:17:59 box:reverseproxy ensureCertificate: nextcloud.arj.rocks cert require renewal Sep 22 16:17:59 box:reverseproxy ensureCertificate: getting certificate for nextcloud.arj.rocks with options {"prod":true,"performHttpAuthorization":false,"wildcard":true,"email":"[redacted]@gmail.com"} Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 1 Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 2 Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 3 Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks Sep 22 16:17:59 box:reverseproxy ensureCertificate: error: Network error getting directory: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org:443 cert: nullI've checked my firewall settings and ports 443 and 80 are open. I also tried again after disabling the firewall, the error is replicated.
Any ideas what I need to do to renew certs?
Many thanks
-
@andrewj720 said in Can't renew SSL certificate:
Sep 22 16:17:59 box:reverseproxy ensureCertificate: error: Network error getting directory: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org:443 cert: null
It seems there is some DNS error. Do you have any special DNS setup? Does the following command work on your server?
host acme-v02.api.letsencrypt.org 127.0.0.1If not, you can try restarting unbound using
sudo systemctl restart unboundand try the command again. -
@andrewj720 said in Can't renew SSL certificate:
Sep 22 16:17:59 box:reverseproxy ensureCertificate: error: Network error getting directory: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org:443 cert: null
It seems there is some DNS error. Do you have any special DNS setup? Does the following command work on your server?
host acme-v02.api.letsencrypt.org 127.0.0.1If not, you can try restarting unbound using
sudo systemctl restart unboundand try the command again.@girish No success unfortunately. I get:
root@cloudron:~# host acme-v02.api.letsencrypt.org 127.0.0.1 ;; connection timed out; no servers could be reachedAnd the same after running
sudo systemctl restart unbound -
@andrewj720 Looks like DNS is not working on your server. You can also try
host cloudron.ioetc, I guess none of it working?Can you check if your cloud firewall allows outbound port 53 UDP ? I think there was a post on this forum some time ago that someone had it blocked in AWS security group by mistake, for example.
