OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: nullinger on August 28, 2018, 04:40:18 pm

Title: LetsEncrypt Renewal fails due to DNS(?) error
Post by: nullinger on August 28, 2018, 04:40:18 pm
Hello,

I just got a reminder email from Let's Encrypt that the certificate used for my OPNsense will expire in a few days, so I checked on the OPNsense box to see why the automatic renewal failed.

[Tue Aug 28 16:34:21 CEST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:21 CEST 2018] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Aug 28 16:34:21 CEST 2018] DOMAIN_PATH='/var/etc/acme-client/home/yyy.xxxxxx.zz'
[Tue Aug 28 16:34:21 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'dns'
[Tue Aug 28 16:34:21 CEST 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:21 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:21 CEST 2018] GET
[Tue Aug 28 16:34:21 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:21 CEST 2018] timeout=
[Tue Aug 28 16:34:21 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Aug 28 16:34:39 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:39 CEST 2018] ret='6'
[Tue Aug 28 16:34:39 CEST 2018] response
[Tue Aug 28 16:34:39 CEST 2018] Can not init api.
[Tue Aug 28 16:34:39 CEST 2018] Le_NextRenewTime='1534496697'
[Tue Aug 28 16:34:39 CEST 2018] _on_before_issue
[Tue Aug 28 16:34:39 CEST 2018] _chk_main_domain='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] _chk_alt_domains='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'no'
[Tue Aug 28 16:34:39 CEST 2018] Le_LocalAddress
[Tue Aug 28 16:34:39 CEST 2018] d='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] Check for domain='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Tue Aug 28 16:34:39 CEST 2018] d='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] Check for domain='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:40 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Tue Aug 28 16:34:40 CEST 2018] d
[Tue Aug 28 16:34:40 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'apache'
[Tue Aug 28 16:34:40 CEST 2018] config file is empty, can not read CA_KEY_HASH
[Tue Aug 28 16:34:40 CEST 2018] _saved_account_key_hash
[Tue Aug 28 16:34:40 CEST 2018] Using config home:/var/etc/acme-client/home
[Tue Aug 28 16:34:40 CEST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:40 CEST 2018] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Aug 28 16:34:40 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:40 CEST 2018] GET
[Tue Aug 28 16:34:40 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:40 CEST 2018] timeout=
[Tue Aug 28 16:34:40 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Aug 28 16:34:40 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:40 CEST 2018] ret='6'
[Tue Aug 28 16:34:40 CEST 2018] response
[Tue Aug 28 16:34:40 CEST 2018] Can not init api.
[Tue Aug 28 16:34:40 CEST 2018] RSA key
[Tue Aug 28 16:34:40 CEST 2018] _URGLY_PRINTF='1'
[Tue Aug 28 16:34:40 CEST 2018] _URGLY_PRINTF='1'
[Tue Aug 28 16:34:41 CEST 2018] Registering account
[Tue Aug 28 16:34:41 CEST 2018] url
[Tue Aug 28 16:34:41 CEST 2018] payload='{"resource": "", "contact": ["mailto: my@email.tld"], "terms-of-service-agreed": true, "agreement": ""}'
[Tue Aug 28 16:34:41 CEST 2018] Use cached jwk for file: /var/etc/acme-client/accounts/59d40271aaf3c9.74162669/account.key
[Tue Aug 28 16:34:41 CEST 2018] Get nonce. ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:41 CEST 2018] GET
[Tue Aug 28 16:34:41 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:41 CEST 2018] timeout=
[Tue Aug 28 16:34:41 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Aug 28 16:34:41 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:41 CEST 2018] ret='6'
[Tue Aug 28 16:34:41 CEST 2018] Can not connect to https://acme-v01.api.letsencrypt.org/directory to get nonce.
[Tue Aug 28 16:34:41 CEST 2018] Register account Error:
[Tue Aug 28 16:34:41 CEST 2018] _on_issue_err
[Tue Aug 28 16:34:41 CEST 2018] Please check log file for more details: /var/log/acme.sh.log
[Tue Aug 28 16:34:41 CEST 2018] _chk_vlist

curl error 6 would be "CURLE_COULDNT_RESOLVE_HOST - Couldn't resolve host. The given remote host was not resolved." But DNS is working from the local console and the network, and curl works, too.

root@opnsense:~ # nslookup acme-v01.api.letsencrypt.org
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
acme-v01.api.letsencrypt.org    canonical name = api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net      canonical name = e14990.dscx.akamaiedge.net.
Name:   e14990.dscx.akamaiedge.net
Address: 95.101.64.58
Name:   e14990.dscx.akamaiedge.net
Address: 2a02:26f0:12:392::3a8e
Name:   e14990.dscx.akamaiedge.net
Address: 2a02:26f0:12:384::3a8e

root@opnsense:~ # curl https://acme-v01.api.letsencrypt.org/directory
{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "xcqQXvXm2Sk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"

I tried everything I could think of, like rebooting the machine, updating acme.sh to the latest version, and so on...

Any ideas?

Title: Re: LetsEncrypt Renewal fails due to DNS(?) error
Post by: nullinger on September 04, 2018, 10:53:29 am
bump... ???
Title: Re: LetsEncrypt Renewal fails due to DNS(?) error
Post by: rkirkpat on November 03, 2018, 11:51:34 pm
Ran into this problem on one out of two routers, same error messages as the original poster. Noticed the working router had 8.8.8.8 for DNS, while the non-working router had the IP of an internal network DNS server (that is running a rather old version of a resolver). Added 8.8.8.8 (and 1.1.1.1) to the list of DNS servers on the non-working router, retried the certificate renewal, and now it worked!

My guess is that somewhere between the acme and curl scripts, they are doing some sort of DNS query that not all DNS servers support. In my case, when the internal DNS server failed to provide the desired answer, it retried with 8.8.8.8, which worked, and all was happy. Hence, try different DNS servers; it worked for me.  :)
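An added diagnostic for the two points raised in this thread (the original post's "curl 6 from acme.sh but nslookup and curl work from the console", and rkirkpat's finding that the outcome depends on which resolver the renewal run actually hits). This is example code written for this page; it is not from the thread, acme.sh or OPNsense. It pulls each libcurl error code and the URL it belongs to out of an acme.sh debug log like the one posted above, names the error, lists the nameservers curl's resolver will use from /etc/resolv.conf, and re-resolves every failing host through the system resolver, separately for A and AAAA, so a resolver that only answers one family (or neither) shows up. The log and resolv.conf text embedded below are constructed samples in the thread's format; run it with the real log path (/var/log/acme.sh.log, as acme.sh reports) for a live check.

```python
"""Diagnose acme.sh 'error code: 6' (CURLE_COULDNT_RESOLVE_HOST) renewals.

Added example for this forum page; not code from acme.sh or OPNsense.
Usage: python3 acme_dns_check.py [/var/log/acme.sh.log]
"""
import re
import socket
import sys
from urllib.parse import urlparse

# Subset of libcurl exit codes, as documented at libcurl-errors.html.
CURL_ERRORS = {
    6: "CURLE_COULDNT_RESOLVE_HOST: the resolver returned no address",
    7: "CURLE_COULDNT_CONNECT: name resolved, TCP connect failed",
    28: "CURLE_OPERATION_TIMEDOUT: no answer within the timeout",
    35: "CURLE_SSL_CONNECT_ERROR: TLS handshake failed",
    60: "CURLE_PEER_FAILED_VERIFICATION: certificate did not verify",
}

# acme.sh logs "url='...'" before each request and the libcurl code after it.
LOG_URL_RE = re.compile(r"\] url='(?P<url>https?://[^']+)'")
LOG_ERR_RE = re.compile(r"for error code: (?P<code>\d+)")

# Constructed sample log lines mirroring the format in the thread above.
SAMPLE_LOG = """\
[Tue Aug 28 16:34:21 CEST 2018] GET
[Tue Aug 28 16:34:21 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:21 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header  -g '
[Tue Aug 28 16:34:39 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:39 CEST 2018] ret='6'
[Tue Aug 28 16:34:39 CEST 2018] Can not init api.
"""

# Constructed resolv.conf: local Unbound first, a public resolver as fallback.
SAMPLE_RESOLV = """\
# Generated by resolvconf (constructed sample)
search xxxxxx.zz
nameserver 127.0.0.1
nameserver 8.8.8.8
"""


def explain(code):
    """Human-readable name for a libcurl exit code."""
    return CURL_ERRORS.get(code, f"libcurl error {code} (see libcurl-errors.html)")


def parse_acme_log(text):
    """Return [(url, curl_code), ...] for every curl failure in the log text.

    The url= line precedes the request; the error line follows it, so the
    most recent url seen is the one the error belongs to.
    """
    failures = []
    current_url = None
    for line in text.splitlines():
        m = LOG_URL_RE.search(line)
        if m:
            current_url = m.group("url")
            continue
        m = LOG_ERR_RE.search(line)
        if m:
            failures.append((current_url, int(m.group("code"))))
    return failures


def hosts_from_failures(failures, code=6):
    """Distinct hostnames behind failures with the given curl code."""
    return sorted({urlparse(u).hostname for u, c in failures if c == code and u})


def parse_resolv_conf(text):
    """Nameserver addresses from resolv.conf-style text, in lookup order."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolve(host, family=socket.AF_UNSPEC):
    """Addresses for host via the system resolver (what curl uses); [] on failure."""
    try:
        infos = socket.getaddrinfo(host, 443, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    log_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    failures = parse_acme_log(log_text)
    for url, code in failures:
        print(f"{url}: curl {code} -> {explain(code)}")
    try:
        nameservers = parse_resolv_conf(open("/etc/resolv.conf").read())
    except OSError:
        nameservers = []
    print("nameservers in /etc/resolv.conf:", nameservers or "(none)")
    for host in hosts_from_failures(failures):
        print(f"{host} A    -> {resolve(host, socket.AF_INET) or 'FAILED'}")
        print(f"{host} AAAA -> {resolve(host, socket.AF_INET6) or 'FAILED'}")
```

If the live section resolves the host fine while the renewal still logs code 6, compare the environment the renewal runs in (cron or the web GUI's backend) with your interactive shell rather than the name itself: both use /etc/resolv.conf, but the set of nameservers listed there at renewal time, and whether the first one answers the CNAME chain to Akamai, is what curl sees. To test one nameserver in isolation on FreeBSD, `drill @<nameserver> <host> A` and `drill @<nameserver> <host> AAAA` from the base system answer the same question per server, which is the experiment rkirkpat's 8.8.8.8 change performed implicitly.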