Certificate renewal error - Namecheap
-
Suddenly one out of my 5 domains getting a renewal error.
The certificate for webmail.domain.tld could not be renewed. The Cloudron will attempt to renew the certificate every 12 hours until the certificate expires (at which point it will switch to using the fallback certificate). See https://docs.cloudron.io/troubleshooting/#certificates to double check if your server is configured correctly to obtain certificates via Let's Encrypt. The error was: ------------------------------------- Failed to register user. Expecting 201, got 429 undefined
Dec 04 12:56:25 box:cert/acme2 getCertificate: attempt 3 Dec 04 12:56:25 box:cert/acme2 getCertificate: start acme flow for webmail.domain.tld from https://acme-v02.api.letsencrypt.org/directory Dec 04 12:56:25 box:cert/acme2 getCertificate: will get wildcard cert for *.domain.de Dec 04 12:56:25 box:cert/acme2 getCertificate: using existing acme account key Dec 04 12:56:25 box:cert/acme2 registerUser: registering user Dec 04 12:56:26 box:cert/acme2 sendSignedRequest: using nonce 0004LVNr4OzGxHIkkFRzKY-b9W8sMfQ9beRZzEJ7ZQ4-OAc for url https://acme-v02.api.letsencrypt.org/acme/new-acct Dec 04 12:56:26 box:cert/acme2 registerUser: user registered keyid: https://acme-v02.api.letsencrypt.org/acme/acct/80399250 Dec 04 12:56:26 box:cert/acme2 updateContact: registrationUri: https://acme-v02.api.letsencrypt.org/acme/acct/80399250 email: mail@domain.tld Dec 04 12:56:27 box:cert/acme2 sendSignedRequest: using nonce 0004M-vJSqTiVZjEzsHA8FnnYaM87Dd2_YkfyH42VD0n3eg for url https://acme-v02.api.letsencrypt.org/acme/acct/80399250 Dec 04 12:56:28 box:cert/acme2 updateContact: contact of user updated to mail@domain.tld Dec 04 12:56:28 box:cert/acme2 newOrder: *.domain.de Dec 04 12:56:28 box:cert/acme2 sendSignedRequest: using nonce 0004hkr5VnBmCZeu6tEzUs_OGX0SSIAfgPcliEBHwOWJkFA for url https://acme-v02.api.letsencrypt.org/acme/new-order Dec 04 12:56:28 box:reverseproxy ensureCertificate: error: Failed to register user. Expecting 201, got 429 undefined cert: null Dec 04 12:56:28 box:reverseproxy isExpiringSync: /home/yellowtent/boxdata/certs/_.domain.de.cert Certificate will not expire 0 Dec 04 12:56:28 box:reverseproxy ensureCertificate: continue using existing bundle since renewal failed
That is quite odd, all my domains run on namecheap, none are expire before 2021.
All other apps and cert renewal work as intended. -
Found the issue. Some LE certs have started using R3 as the intermediary cert - https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/ . This cert has issuer text slightly different.
@BrutalBirdie You can make this one line change - https://git.cloudron.io/cloudron/box/-/commit/3e62f1913ab05750a343c197c519d38bf17d5b3b and then
systemctl restart box
-
Could this be a rate limit problem?
Checking https://crt.sh/?q=*.domain.tld
I can see the following
hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-03 2020-12-03 2021-03-03 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-02 2020-12-02 2021-03-02 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-02 2020-12-02 2021-03-02 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-02 2020-12-02 2021-03-02 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-12-02 2020-12-02 2021-03-02 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=R3 hiddenid 2020-10-03 2020-10-03 2021-01-01 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3 hiddenid 2020-10-03 2020-10-03 2021-01-01 *.domain.tld *.domain.tld C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
6x yesterday and 4x on before that.
Looks fishy -
Indeed the response code indicates a rate-limit issue and also it should probably not request certs at such a high rate, especially those seem to be wildcard certs.
The cron job as such is only triggered once every 12 hours. Is there by any chance some other script running against your Cloudron api or did you hit manual certificate renewal a few times?
-
@brutalbirdie I think this is related to maybe Let's Encrypt being down. Sometimes when a deployment happens, it returns the 429 code. Can you try now? Same error?
-
@brutalbirdie Oh, I just hit the same issue as yours in my test Cloudron. Investigating.
-
Curiously, this only happens in my test installations and none of the production instances.
-
Found the issue. Some LE certs have started using R3 as the intermediary cert - https://scotthelme.co.uk/lets-encrypts-new-root-and-intermediate-certificates/ . This cert has issuer text slightly different.
@BrutalBirdie You can make this one line change - https://git.cloudron.io/cloudron/box/-/commit/3e62f1913ab05750a343c197c519d38bf17d5b3b and then
systemctl restart box