    Solved Certificate renewal error - Namecheap

    • BrutalBirdie
      BrutalBirdie Staff last edited by girish

      Suddenly one out of my 5 domains is getting a renewal error.

      The certificate for webmail.domain.tld could not be renewed.
      
      The Cloudron will attempt to renew the certificate every 12 hours
      until the certificate expires (at which point it will switch to
      using the fallback certificate).
      
      See https://docs.cloudron.io/troubleshooting/#certificates to
      double check if your server is configured correctly to obtain certificates
      via Let's Encrypt.
      
      The error was:
      
      -------------------------------------
      
      Failed to register user. Expecting 201, got 429 undefined
      
      Dec 04 12:56:25 box:cert/acme2 getCertificate: attempt 3
      Dec 04 12:56:25 box:cert/acme2 getCertificate: start acme flow for webmail.domain.tld from https://acme-v02.api.letsencrypt.org/directory
      Dec 04 12:56:25 box:cert/acme2 getCertificate: will get wildcard cert for *.domain.de
      Dec 04 12:56:25 box:cert/acme2 getCertificate: using existing acme account key
      Dec 04 12:56:25 box:cert/acme2 registerUser: registering user
      Dec 04 12:56:26 box:cert/acme2 sendSignedRequest: using nonce 0004LVNr4OzGxHIkkFRzKY-b9W8sMfQ9beRZzEJ7ZQ4-OAc for url https://acme-v02.api.letsencrypt.org/acme/new-acct
      Dec 04 12:56:26 box:cert/acme2 registerUser: user registered keyid: https://acme-v02.api.letsencrypt.org/acme/acct/80399250
      Dec 04 12:56:26 box:cert/acme2 updateContact: registrationUri: https://acme-v02.api.letsencrypt.org/acme/acct/80399250 email: mail@domain.tld
      Dec 04 12:56:27 box:cert/acme2 sendSignedRequest: using nonce 0004M-vJSqTiVZjEzsHA8FnnYaM87Dd2_YkfyH42VD0n3eg for url https://acme-v02.api.letsencrypt.org/acme/acct/80399250
      Dec 04 12:56:28 box:cert/acme2 updateContact: contact of user updated to mail@domain.tld
      Dec 04 12:56:28 box:cert/acme2 newOrder: *.domain.de
      Dec 04 12:56:28 box:cert/acme2 sendSignedRequest: using nonce 0004hkr5VnBmCZeu6tEzUs_OGX0SSIAfgPcliEBHwOWJkFA for url https://acme-v02.api.letsencrypt.org/acme/new-order
      Dec 04 12:56:28 box:reverseproxy ensureCertificate: error: Failed to register user. Expecting 201, got 429 undefined cert: null
      Dec 04 12:56:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.domain.de.cert Certificate will not expire 0
      Dec 04 12:56:28 box:reverseproxy ensureCertificate: continue using existing bundle since renewal failed
      

      That is quite odd, all my domains run on Namecheap, none expire before 2021.
      All other apps and cert renewals work as intended.

        • BrutalBirdie
          BrutalBirdie Staff last edited by BrutalBirdie

          Could this be a rate limit problem?

          Checking https://crt.sh/?q=*.domain.tld

          I can see the following

          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-03	2020-12-03	2021-03-03	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-02	2020-12-02	2021-03-02	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-02	2020-12-02	2021-03-02	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-02	2020-12-02	2021-03-02	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-12-02	2020-12-02	2021-03-02	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=R3
          hiddenid	2020-10-03	2020-10-03	2021-01-01	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
          hiddenid	2020-10-03	2020-10-03	2021-01-01	*.domain.tld	*.domain.tld	C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
          

          6x yesterday and 4x the day before that.
          Looks fishy 🐟

          • nebulon
            nebulon Staff last edited by

            Indeed, the response code indicates a rate-limit issue, and it should probably not request certs at such a high rate, especially since those seem to be wildcard certs.

            The cron job as such is only triggered once every 12 hours. Is there by any chance some other script running against your Cloudron API, or did you hit manual certificate renewal a few times?

            • BrutalBirdie
              BrutalBirdie Staff @nebulon last edited by BrutalBirdie

              @nebulon I hit manual today, I think 3 times.
              And no other tools run against the API that could have triggered that.
              But today's date is 04.12.2020; all that happened on 03.12.2020.

              • girish
                girish Staff @BrutalBirdie last edited by

                @brutalbirdie I think this is related to maybe Let's Encrypt being down. Sometimes when a deployment happens, it returns the 429 code. Can you try now? Same error?

                • girish
                  girish Staff @BrutalBirdie last edited by

                  @brutalbirdie Oh, I just hit the same issue as yours in my test Cloudron. Investigating.

                  • girish
                    girish Staff last edited by

                    Curiously, this only happens in my test installations and none of the production instances.

                    • girish
                      girish Staff last edited by

                      Found the issue. Some LE certs have started using R3 as the intermediary cert - https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/ . This cert has slightly different issuer text.

                      @BrutalBirdie You can make this one line change - https://git.cloudron.io/cloudron/box/-/commit/3e62f1913ab05750a343c197c519d38bf17d5b3b and then systemctl restart box
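
An added illustration of the two observations in this thread, the repeated crt.sh entries and the changed R3 issuer text. It is not part of the original posts and not Cloudron's code: the function names and the `maxPerDay` threshold are assumptions, and the rows are constructed from the listing quoted above.

```javascript
// Added example, not Cloudron's code. Rows are constructed from the crt.sh
// listing quoted in the thread: [issuance date, name, issuer DN]. crt.sh can
// list a precertificate and its final certificate as separate rows.
const R3 = "C=US, O=Let's Encrypt, CN=R3";
const X3 = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3";
const ROWS = [
  ...Array(6).fill(['2020-12-03', '*.domain.tld', R3]),
  ...Array(4).fill(['2020-12-02', '*.domain.tld', R3]),
  ...Array(2).fill(['2020-10-03', '*.domain.tld', X3]),
];

// Split an issuer DN into { C, O, CN }. Simplified: assumes no escaped commas.
function parseIssuer(dn) {
  const out = {};
  for (const part of dn.split(/,\s*/)) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Brittle: pins the exact name of one intermediate, so it stops recognising
// certificates as soon as the CA rotates to a new intermediate such as R3.
function isLetsEncryptByCN(dn) {
  return parseIssuer(dn).CN === "Let's Encrypt Authority X3";
}

// Survives intermediate rotation by keying on the issuing organization.
// This only classifies a cert for renewal logic; trust still comes from
// chain validation, never from issuer text.
function isLetsEncryptByOrg(dn) {
  return parseIssuer(dn).O === "Let's Encrypt";
}

// Group rows by day and name, and report groups above maxPerDay (hypothetical
// threshold): a renewal loop shows up as many same-day entries for one name.
function findIssuanceBursts(rows, maxPerDay) {
  const counts = new Map();
  for (const [day, name] of rows) {
    const key = `${day} ${name}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return [...counts].filter(([, n]) => n > maxPerDay).map(([key, n]) => ({ key, n }));
}

console.log('CN match on R3:', isLetsEncryptByCN(R3), '| O match on R3:', isLetsEncryptByOrg(R3));
console.log('bursts:', findIssuanceBursts(ROWS, 2));
```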

                      • BrutalBirdie
                        BrutalBirdie Staff @girish last edited by

                        @girish feeling lazy, will wait for the official update 🙂
