Let's Encrypt fails to renew / verify certificate in UCS 4.4-2 errata-291: traceback error in logfile

Hi,

I have been running UCS 4 on our server for quite a while with a properly working Let’s Encrypt certificate. It was renewed monthly without any issues. We regularly update the UCS server and now run UCS 4.4-2 errata-291. However, we realized that the certificate renewal that should have been performed on September 29, 2019 did not work.

The logfile /var/log/univention/letsencrypt.log reads:

So 29. Sep 16:45:23 CEST 2019
Refreshing certificate for following domains:
<hostname>
Parsing account key...
Parsing CSR...
Found domains: <hostname>
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying <hostname>...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 147, in get_crt
    authorization = _poll_until_not(auth_url, ["pending"], "Error checking challenge status for {0}".format(domain))
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 66, in _poll_until_not
    result, _, _ = _do_request(url, err_msg=err_msg)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error checking challenge status for <hostname>:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11293440
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status

Does anybody have a hint as to how to cope with this error?

Best regards,
Peter

Hi,

Same here (no certificate renewal last night):

Refreshing certificate for following domains:
xxxx.de xxxx.ddns.net xxxx.myfritz.net
Parsing account key...
Parsing CSR...
Found domains: xxxx.de, xxxx.ddns.net, xxxx.myfritz.net
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxxx.ddns.net...
xxxx.ddns.net verified!
Verifying xxxx.myfritz.net...
xxxx.myfritz.net verified!
Verifying xxxx.de...
remote.xxxx.de verified!
Signing certificate...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 155, in get_crt
    _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 51, in _send_signed_request
    new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce']
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: https://acme-v02.api.letsencrypt.org/acme/new-nonce
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status
Module: kopano-cfg
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

I guess this posting “LetsEncrypt certificate error” is also related.

Would be great if someone can have a look.

BR,
Thomas

Hi,

(Re-)running this script fixed it for me (certificates were renewed now):
root@server-name:/usr/share/univention-letsencrypt# ./refresh-cert-cron

… seems there was something wrong on letsencrypt-side last night?!

BR,
Thomas

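Both tracebacks in this thread end in the same "Response Code: None" plus "urlopen error" block, which means the connection dropped before the CA sent any HTTP reply. The following is an added example (not part of the posts above and not Univention's code) that parses such blocks out of letsencrypt.log and separates that case from failures that carry an HTTP status; the verdict names and the sample hostname and authorization ID are assumptions made for illustration.

```python
import re

# Constructed sample in the format shown in the posts above
# (hostname and authz ID are placeholders, not real values).
SAMPLE_LOG = """\
Verifying host.example.org...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError(...)
ValueError: Error checking challenge status for host.example.org:
Url: https://acme-v02.api.letsencrypt.org/acme/authz-v3/0000000000
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status
"""

# One match per five-line ValueError block written by acme_tiny.py.
ERROR_RE = re.compile(
    r"^ValueError: (?P<msg>.*?):?\n"
    r"Url: (?P<url>\S+)\n"
    r"Data: (?P<data>.*)\n"
    r"Response Code: (?P<code>\S+)\n"
    r"Response: (?P<resp>.*)$",
    re.MULTILINE,
)


def classify_failures(log_text):
    """Return one (url, verdict) pair per ValueError block in the log."""
    results = []
    for m in ERROR_RE.finditer(log_text):
        code, resp = m.group("code"), m.group("resp")
        if code == "None" and "urlopen error" in resp:
            verdict = "transient-network"  # no HTTP reply at all: rerun later
        elif code.isdigit() and (code == "429" or code.startswith("5")):
            verdict = "server-side"        # CA overloaded or rate limiting
        else:
            verdict = "needs-attention"    # request rejected, or unknown shape
        results.append((m.group("url"), verdict))
    return results


if __name__ == "__main__":
    for url, verdict in classify_failures(SAMPLE_LOG):
        print(verdict, url)
```

A "transient-network" verdict matches the situation in this thread, where rerunning refresh-cert-cron later succeeded; "needs-attention" is the case where a rerun alone is unlikely to help.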