

UNSOLVED Can't renew SSL certificate



  • When trying to renew Let's Encrypt certificates via Cloudron's Domains page, I press Renew All Certs, and no error message is printed in the browser when the process seems complete, but when checking logs it seems the update has failed.

    Sep 22 16:17:59 box:shell startMail (stderr):
    Sep 22 16:17:59 box:reverseproxy ensureCertificate: renewal of my.arj.rocks failed. using fallback certificates for arj.rocks
    Sep 22 16:17:59 box:tasks 791: {"percent":34,"message":"Renewing certs of nextcloud.arj.rocks"}
    Sep 22 16:17:59 box:reverseproxy ensureCertificate: nextcloud.arj.rocks certificate already exists at /home/yellowtent/boxdata/certs/_.arj.rocks.key
    Sep 22 16:17:59 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.arj.rocks.cert Certificate will expire 1
    Sep 22 16:17:59 box:reverseproxy ensureCertificate: nextcloud.arj.rocks cert require renewal
    Sep 22 16:17:59 box:reverseproxy ensureCertificate: getting certificate for nextcloud.arj.rocks with options {"prod":true,"performHttpAuthorization":false,"wildcard":true,"email":"[redacted]@gmail.com"}
    Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 1
    Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory
    Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks
    Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 2
    Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory
    Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks
    Sep 22 16:17:59 box:cert/acme2 getCertificate: attempt 3
    Sep 22 16:17:59 box:cert/acme2 getCertificate: start acme flow for nextcloud.arj.rocks from https://acme-v02.api.letsencrypt.org/directory
    Sep 22 16:17:59 box:cert/acme2 getCertificate: will get wildcard cert for *.arj.rocks
    Sep 22 16:17:59 box:reverseproxy ensureCertificate: error: Network error getting directory: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org:443 cert: null
    

    I've checked my firewall settings and ports 443 and 80 are open. I also tried again after disabling the firewall; the error is replicated.

    Any ideas what I need to do to renew certs?

    Many thanks


  • Staff

    @andrewj720 said in Can't renew SSL certificate:

    Sep 22 16:17:59 box:reverseproxy ensureCertificate: error: Network error getting directory: getaddrinfo EAI_AGAIN acme-v02.api.letsencrypt.org acme-v02.api.letsencrypt.org:443 cert: null

    It seems there is some DNS error. Do you have any special DNS setup? Does the following command work on your server?

    host acme-v02.api.letsencrypt.org 127.0.0.1
    

    If not, you can try restarting unbound using sudo systemctl restart unbound and try the command again.



  • @girish No success unfortunately. I get:

    root@cloudron:~# host acme-v02.api.letsencrypt.org 127.0.0.1
    ;; connection timed out; no servers could be reached
    
    

    And the same after running

    sudo systemctl restart unbound
    

  • Staff

    @andrewj720 Looks like DNS is not working on your server. You can also try host cloudron.io etc. I guess none of it is working?

    Can you check if your cloud firewall allows outbound port 53 UDP? I think there was a post on this forum some time ago that someone had it blocked in an AWS security group by mistake, for example.
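The two checks suggested in this thread (is the local resolver on 127.0.0.1 answering, and is outbound UDP/53 allowed) can be separated with a small probe that speaks DNS directly over UDP instead of going through getaddrinfo(). The script below is an added example for this thread, not Cloudron's code: it builds a raw A query, sends it to a server, and classifies what comes back. A timeout means packets are being dropped (filtered or dead host), while an ICMP port-unreachable means the host is up but nothing listens on :53. The resolver addresses are assumptions: 127.0.0.1 for the local unbound, and a public resolver (1.1.1.1) used only as a way to prove outbound UDP/53 is reachable; Cloudron's unbound resolves recursively, so it needs UDP/53 outbound to arbitrary authoritative servers, not to that one address. The `resolve_via_libc` check reproduces the getaddrinfo() path that produced the `EAI_AGAIN` in the log.

```python
"""Resolver probe (added example, not Cloudron's code).

Sends a raw DNS query over UDP/53 to a given server so we can tell
"the local resolver is dead" apart from "outbound UDP/53 is blocked".
Resolver addresses are assumptions for illustration.
"""
import random
import socket
import struct

LOCAL_RESOLVER = "127.0.0.1"   # the local unbound a Cloudron host resolves through (assumption)
UPSTREAM_RESOLVER = "1.1.1.1"  # any public resolver; used only to test outbound UDP/53
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def build_query(name, txid=None, qtype=1):
    """Build a single-question DNS query with RD set; qtype 1 = A record."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) name at `offset`."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # compression pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data, txid):
    """Parse a DNS reply; return its rcode and any A-record addresses."""
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError(f"transaction id mismatch: {rid:#06x} != {txid:#06x}")
    if not flags & 0x8000:
        raise ValueError("packet is a query, not a response")
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4      # skip QTYPE/QCLASS
    addresses = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0x0F, "addresses": addresses}


def probe_resolver(server, name, timeout=3.0):
    """Query `server` directly over UDP/53, bypassing the libc stub resolver."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            data, _ = sock.recvfrom(4096)
        except socket.timeout:                 # nothing came back: filtered or dead
            return {"server": server, "status": "timeout"}
        except ConnectionRefusedError:         # ICMP port unreachable: host up, no resolver
            return {"server": server, "status": "port-unreachable"}
    reply = parse_response(data, txid)
    rcode = reply["rcode"]
    status = "ok" if rcode == 0 else RCODE_NAMES.get(rcode, f"rcode{rcode}")
    return {"server": server, "status": status, "addresses": reply["addresses"]}


def resolve_via_libc(name):
    """The path Node's dns.lookup (hence box:cert/acme2) takes: getaddrinfo()."""
    try:
        socket.getaddrinfo(name, 443, type=socket.SOCK_STREAM)
        return "ok"
    except socket.gaierror as exc:
        # EAI_AGAIN = "temporary failure": the configured resolver never answered
        return "EAI_AGAIN" if exc.errno == socket.EAI_AGAIN else str(exc)


def interpret(local_status, upstream_status):
    """Heuristic verdict from the two probes (local resolver vs. public resolver)."""
    if local_status == "ok":
        return "local resolver answers; the failure is elsewhere (rate limits, IPv6, search domains)"
    if local_status == "port-unreachable":
        return "nothing listens on 127.0.0.1:53: the local resolver (unbound) is not running"
    if upstream_status == "ok":
        return "outbound UDP/53 works but the local resolver is silent: restart/inspect unbound"
    if upstream_status == "timeout":
        return "no DNS server answers over UDP/53: check the cloud firewall / security group for outbound UDP 53"
    return "inconclusive: inspect the raw probe results"


if __name__ == "__main__":
    target = "acme-v02.api.letsencrypt.org"
    local = probe_resolver(LOCAL_RESOLVER, target)
    upstream = probe_resolver(UPSTREAM_RESOLVER, target)
    print("getaddrinfo :", resolve_via_libc(target))
    print("local probe :", local)
    print("public probe:", upstream)
    print("verdict     :", interpret(local["status"], upstream["status"]))
```

Run it as root on the affected host. If the local probe times out while the public probe answers, unbound is the problem (the `systemctl restart unbound` advice above applies); if both time out, the packets never leave the machine or the cloud network, which is the outbound UDP/53 firewall case. On hosts where unbound forwards instead of recursing, point `UPSTREAM_RESOLVER` at that forwarder address.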