Again problem with letsencrypt updating certificate

After the update of the letsencrypt certificate of my well-working UCS (4.4-7 errata945) with Kopano and NextCloud, I got this mail:

Refreshing certificate for following domains:
server.mydomain.de
Parsing account key...
Parsing CSR...
Found domains: server.mydomain.de
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying server.mydomain.de
Traceback (most recent call last):
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
main(sys.argv[1:])
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, dir$
File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for server.mydomain.de: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'val$
Setting letsencrypt/status
Module: kopano-cfg
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

What will be the solution?

Heiko

see here: Let's Encrypt fails to renew / verify certificate in UCS 4.4-2 errata-291: traceback error in logfile

In short (always works for me):
cd /usr/share/univention-letsencrypt
./refresh-cert-cron

Thank you very much for this solution.

Happy Easter

Heiko

I am also experiencing this certificate renewal problem. Today I once again had the issue that the certificate was invalid.

That happens if the automatic renewal process fails three times in a row. For me it seems the monthly update by the cron script is always failing, but I can't figure out why.

A while ago, someone from the Univention staff told me that it might be caused by the time at which the script / renewal is executed. If the LE server is very busy at this time, or something else causes a lag in communication, the renewal request runs into a timeout. Unfortunately, the script doesn't try again to renew the certificate if it fails. It will only run again after one month.

To work around this problem, it was suggested to change the time the cron job is executed. To do so, you can modify the file /etc/cron.d/univention-letsencrypt

Or, much better, directly change the template in /etc/univention/templates/files/etc/cron.d
Otherwise your configuration might be overwritten by an update or a change to the UCR.

If you change "30 3 1 * *" to "44 4 1 * *", the script will no longer run on the 1st of the month at 3:30 am, but at 4:44 am.

I also copied the line and added execution times for the 2nd and 3rd of the month. I think it shouldn't matter how often you try to renew the certificates; one successful attempt will be enough, even if it is followed by failed attempts.

In three months I will report whether this workaround is working.

Cheers, Thorger


A good explanation of the background. Problem recognized, problem banned, hopefully.

Heiko

I can give some first feedback -> this is working for me on a server where I have changed the cron time.
Thank you @Thorger

Best, Bernd

It is a good idea not to change the original Univention template but to make a new cron job with an additional date or time so that the system diagnostic doesn't cry.
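As an added example that is not part of this thread or of Univention's own tooling: a small POSIX shell wrapper that adds the retry the posts above say the monthly cron job lacks, meant to be run from a separate cron entry as the last post suggests rather than by editing the template. It assumes that refresh-cert-cron exits non-zero when a challenge fails and that the certificate lives at the path shown (both assumptions; the script name, the cron entry and the LE_* variables are invented for this example).

```shell
#!/bin/sh
# le-renew-retry.sh (example, not Univention code): renew only when the
# certificate is close to expiry and retry the UCS renewal script with backoff,
# so a single timeout against the Let's Encrypt API does not cost a whole month.
# Intended for its own cron entry (constructed), e.g. /etc/cron.d/letsencrypt-retry:
#   44 4 2,3 * * root /usr/local/sbin/le-renew-retry.sh

# Exit 0 when the certificate in $1 expires within $2 days. An unreadable file
# also yields 0, so a missing certificate is treated as "renew now".
cert_expires_within() {
    ! openssl x509 -checkend "$(( $2 * 86400 ))" -noout -in "$1" >/dev/null 2>&1
}
# retry_with_backoff MAX DELAY CMD [ARGS...]: run CMD up to MAX times, sleeping
# DELAY seconds after a failure and doubling the delay each time. CMD runs in
# the current shell; returns 0 on the first success, 1 if every attempt failed.
retry_with_backoff() {
    max="$1"; delay="$2"; shift 2
    attempt=1
    while [ "$attempt" -le "$max" ]; do
        if "$@"; then
            return 0
        fi
        echo "attempt $attempt of $max failed: $*" >&2
        if [ "$attempt" -lt "$max" ]; then
            sleep "$delay"
            delay=$((delay * 2))
        fi
        attempt=$((attempt + 1))
    done
    return 1
}
main() {
    # Certificate path is an assumption; check where your UCS stores it.
    cert="${LE_CERT_FILE:-/etc/univention/letsencrypt/signed_chain.crt}"
    refresh="${LE_REFRESH_CMD:-/usr/share/univention-letsencrypt/refresh-cert-cron}"
    if cert_expires_within "$cert" 30; then
        # three attempts: immediately, after 5 minutes, then after 10 more
        if retry_with_backoff 3 300 "$refresh"; then
            echo "renewal succeeded"
        else
            echo "renewal still failing after retries; check letsencrypt/status" >&2
            exit 1
        fi
    else
        echo "certificate valid for more than 30 days, nothing to do"
    fi
}
# Run main only when executed under the script name, not when sourced.
if [ "${0##*/}" = "le-renew-retry.sh" ]; then main "$@"; fi
```

If refresh-cert-cron does not propagate a failing exit status (the mail above shows it carrying on to "Setting letsencrypt/status" after the traceback), read the UCR variable letsencrypt/status after each attempt instead of relying on the exit code.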
