18.7 Legacy Series / LetsEncrypt Renewal fails due to DNS(?) error
« on: August 28, 2018, 04:40:18 pm »
Hello,
I just got a reminder email from Let's Encrypt that the certificate used for my OPNsense will expire in a few days. So I checked the OPNsense to see why the automatic renewal failed.
Code:
[Tue Aug 28 16:34:21 CEST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:21 CEST 2018] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Aug 28 16:34:21 CEST 2018] DOMAIN_PATH='/var/etc/acme-client/home/yyy.xxxxxx.zz'
[Tue Aug 28 16:34:21 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'dns'
[Tue Aug 28 16:34:21 CEST 2018] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:21 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:21 CEST 2018] GET
[Tue Aug 28 16:34:21 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:21 CEST 2018] timeout=
[Tue Aug 28 16:34:21 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Aug 28 16:34:39 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:39 CEST 2018] ret='6'
[Tue Aug 28 16:34:39 CEST 2018] response
[Tue Aug 28 16:34:39 CEST 2018] Can not init api.
[Tue Aug 28 16:34:39 CEST 2018] Le_NextRenewTime='1534496697'
[Tue Aug 28 16:34:39 CEST 2018] _on_before_issue
[Tue Aug 28 16:34:39 CEST 2018] _chk_main_domain='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] _chk_alt_domains='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'no'
[Tue Aug 28 16:34:39 CEST 2018] Le_LocalAddress
[Tue Aug 28 16:34:39 CEST 2018] d='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] Check for domain='yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Tue Aug 28 16:34:39 CEST 2018] d='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:39 CEST 2018] Check for domain='thor.yyy.xxxxxx.zz'
[Tue Aug 28 16:34:40 CEST 2018] _currentRoot='/var/etc/acme-client/challenges'
[Tue Aug 28 16:34:40 CEST 2018] d
[Tue Aug 28 16:34:40 CEST 2018] '/var/etc/acme-client/challenges' does not contain 'apache'
[Tue Aug 28 16:34:40 CEST 2018] config file is empty, can not read CA_KEY_HASH
[Tue Aug 28 16:34:40 CEST 2018] _saved_account_key_hash
[Tue Aug 28 16:34:40 CEST 2018] Using config home:/var/etc/acme-client/home
[Tue Aug 28 16:34:40 CEST 2018] ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:40 CEST 2018] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Aug 28 16:34:40 CEST 2018] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug 28 16:34:40 CEST 2018] GET
[Tue Aug 28 16:34:40 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:40 CEST 2018] timeout=
[Tue Aug 28 16:34:40 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Aug 28 16:34:40 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:40 CEST 2018] ret='6'
[Tue Aug 28 16:34:40 CEST 2018] response
[Tue Aug 28 16:34:40 CEST 2018] Can not init api.
[Tue Aug 28 16:34:40 CEST 2018] RSA key
[Tue Aug 28 16:34:40 CEST 2018] _URGLY_PRINTF='1'
[Tue Aug 28 16:34:40 CEST 2018] _URGLY_PRINTF='1'
[Tue Aug 28 16:34:41 CEST 2018] Registering account
[Tue Aug 28 16:34:41 CEST 2018] url
[Tue Aug 28 16:34:41 CEST 2018] payload='{"resource": "", "contact": ["mailto: my@email.tld"], "terms-of-service-agreed": true, "agreement": ""}'
[Tue Aug 28 16:34:41 CEST 2018] Use cached jwk for file: /var/etc/acme-client/accounts/59d40271aaf3c9.74162669/account.key
[Tue Aug 28 16:34:41 CEST 2018] Get nonce. ACME_DIRECTORY='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:41 CEST 2018] GET
[Tue Aug 28 16:34:41 CEST 2018] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug 28 16:34:41 CEST 2018] timeout=
[Tue Aug 28 16:34:41 CEST 2018] _CURL='curl -L --silent --dump-header /var/etc/acme-client/home/http.header -g '
[Tue Aug 28 16:34:41 CEST 2018] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 6
[Tue Aug 28 16:34:41 CEST 2018] ret='6'
[Tue Aug 28 16:34:41 CEST 2018] Can not connect to https://acme-v01.api.letsencrypt.org/directory to get nonce.
[Tue Aug 28 16:34:41 CEST 2018] Register account Error:
[Tue Aug 28 16:34:41 CEST 2018] _on_issue_err
[Tue Aug 28 16:34:41 CEST 2018] Please check log file for more details: /var/log/acme.sh.log
[Tue Aug 28 16:34:41 CEST 2018] _chk_vlist
curl error 6 would be "CURLE_COULDNT_RESOLVE_HOST - Couldn't resolve host. The given remote host was not resolved." But DNS is working from the local console and the network, and curl works, too.
Code:
root@opnsense:~ # nslookup acme-v01.api.letsencrypt.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net canonical name = e14990.dscx.akamaiedge.net.
Name: e14990.dscx.akamaiedge.net
Address: 95.101.64.58
Name: e14990.dscx.akamaiedge.net
Address: 2a02:26f0:12:392::3a8e
Name: e14990.dscx.akamaiedge.net
Address: 2a02:26f0:12:384::3a8e
root@opnsense:~ # curl https://acme-v01.api.letsencrypt.org/directory
{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "xcqQXvXm2Sk": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
I tried everything I could think of, like rebooting the machine, updating acme.sh to the latest version, and so on...
Any ideas?
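An added shell check (mine, not from the post, acme.sh or OPNsense) that repeats the curl invocation acme.sh logged above (-L --silent --dump-header -g) against the same directory URL, once forced to IPv4 and once to IPv6, and names the curl exit code, so a scripted error 6 can be compared with the interactive curl that works. The error-code table, the `run` argument and the 20-second timeout are my assumptions.

```shell
#!/bin/sh
# Hypothetical pre-renewal connectivity check; not part of acme.sh or OPNsense.
# It reproduces the curl call from the acme.sh log, splits it by address family,
# and reports the libcurl error name for the exit status.

ACME_DIR_URL="https://acme-v01.api.letsencrypt.org/directory"

# Map a curl exit status to its libcurl error name (subset relevant here).
curl_errname() {
    case "$1" in
        0)  echo "CURLE_OK" ;;
        6)  echo "CURLE_COULDNT_RESOLVE_HOST" ;;
        7)  echo "CURLE_COULDNT_CONNECT" ;;
        28) echo "CURLE_OPERATION_TIMEDOUT" ;;
        35) echo "CURLE_SSL_CONNECT_ERROR" ;;
        60) echo "CURLE_PEER_FAILED_VERIFICATION" ;;
        *)  echo "CURLE_UNKNOWN_$1" ;;
    esac
}

# Extract the host part of a URL (the value acme.sh logs as _ACME_SERVER_HOST).
url_host() {
    printf '%s\n' "$1" | sed -e 's#^[a-z]*://##' -e 's#[/:].*$##'
}

# Run the acme.sh-style fetch restricted to one address family ("-4" or "-6").
# --max-time makes a stalled lookup surface as code 28 instead of a hang.
# Prints "<family> <exit-code> <error-name>".
probe_directory() {
    family="$1"
    hdr="$(mktemp)"
    if curl -L --silent -g "$family" --max-time 20 \
            --dump-header "$hdr" -o /dev/null "$ACME_DIR_URL"; then
        rc=0
    else
        rc=$?
    fi
    rm -f "$hdr"
    echo "$family $rc $(curl_errname "$rc")"
}

# Only touch the network when invoked as: sh acme-probe.sh run
if [ "${1:-}" = "run" ]; then
    host="$(url_host "$ACME_DIR_URL")"
    echo "== resolver view of $host (the same lookup as in the post) =="
    nslookup "$host" 2>&1 | grep -E 'Address|canonical' || echo "nslookup failed"
    echo "== what curl itself sees, per address family =="
    probe_directory -4
    probe_directory -6
fi
```

If the -4 probe returns 0 while the -6 probe returns 6 (or the reverse), the resolver answer shown by nslookup and the path curl actually takes disagree for that family, which is where to look next.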