Let's Encrypt fails to renew / verify certificate in UCS 4.4-2 errata-291: traceback error in logfile

herrep · September 29, 2019, 3:57pm

Hi,

I run UCS 4 for our server quite a while with a properly working Let’s Encrypt certificate. It was monthly renewed without any issues. We regularly update the UCS server and now run UCS 4.4-2 errata-291. However, we realized that the certificate renewal that should have been performed on September 29, 2019 did not work.

The logfile /var/log/univention/letsencrypt.log reads:

So 29. Sep 16:45:23 CEST 2019
Refreshing certificate for following domains:
<hostname>
Parsing account key...
Parsing CSR...
Found domains: <hostname>
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying <hostname>...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 147, in get_crt
    authorization = _poll_until_not(auth_url, ["pending"], "Error checking challenge status for {0}".format(domain))
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 66, in _poll_until_not
    result, _, _ = _do_request(url, err_msg=err_msg)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error checking challenge status for <hostname>:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/11293440
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status

Does anybody have a hint as how to cope with this error?

Best regards,
Peter

tpfann · October 1, 2019, 6:02am

Hi,

same here (no certificate renewal last night):

Refreshing certificate for following domains:
xxxx.de xxxx.ddns.net xxxx.myfritz.net
Parsing account key...
Parsing CSR...
Found domains: xxxx.de, xxxx.ddns.net, xxxx.myfritz.net
Getting directory...
Directory found!
Registering account...
Already registered!
Creating new order...
Order created!
Verifying xxxx.ddns.net...
xxxx.ddns.net verified!
Verifying xxxx.myfritz.net...
xxxx.myfritz.net verified!
Verifying xxxx.de...
remote.xxxx.de verified!
Signing certificate...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 155, in get_crt
    _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 51, in _send_signed_request
    new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce']
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: https://acme-v02.api.letsencrypt.org/acme/new-nonce
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status
Module: kopano-cfg
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix

I guess also this posting “LetsEncrypt certificate error” is related.

would be great if someone can have a look.

BR,
Thomas

tpfann · October 1, 2019, 3:57pm

Hi,

(re-)runing this script fixed it for me (certificates were renewed now):
root@server-name:/usr/share/univention-letsencrypt# ./refresh-cert-cron

… seems there was something wrong on letsencrypt-side last night?!

BR,
Thomas

adIngo · December 30, 2020, 9:52am

I do have the same error, but can not fix it with the script.
The certificate worked well but is now out of time.
Any sugestion?

Mornsgrans · December 30, 2020, 10:39am

Take a look into the logfile (see first posting above).

adIngo · January 9, 2021, 9:23am

Sorry for the late answer… I was out of office…

I ran /usr/share/univention-letsencrypt# ./refresh-cert-cron
This is the output was:

Sa 9. Jan 10:12:59 CET 2021
Refreshing certificate for following domains:
xxxxxxxxxxxxxxxx
Parsing account key…
Parsing CSR…
Found domains: xxxxxxxxxx
Getting directory…
Directory found!
Registering account…
Already registered!
Creating new order…
Order created!
Traceback (most recent call last):
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 197, in
main(sys.argv[1:])
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 193, in main
signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 125, in get_crt
authorization, _, _ = _do_request(auth_url, err_msg=“Error getting challenges”)
File “/usr/share/univention-letsencrypt/acme_tiny.py”, line 45, in _do_request
raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting challenges:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/187901462
Data: None
Response Code: 405
Response: {
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Method not allowed”,
“status”: 405
}
Setting letsencrypt/status
Module: kopano-cfg

I also checked like your advice the linke to the first posting wich is rerfering to /etc/univention/letsencrypt/domain.csr
This file is filled with data like expected.
I don’t have any idea to solve the problem!

Mornsgrans · January 9, 2021, 10:51am

Maybe there is a problem with Univention Letsencrypt starting 1st of January.

In this thread several users have a problem with validating the certificates:
https://help.univention.com/t/system-diagnostic-suddenly-gives-me-found-invalid-certificate-etc-univention-letsencrypt-signed-chain-crt/16797/29

This may be caused by changes on Letsencrypt-side.

In my opinion, Univention should check for changes, because the Letsencrypt files in folder

/usr/share/univention-letsencrypt

are dated from Jan, 2019
(UCS 4.4-7)

Mornsgrans · January 14, 2021, 3:38pm

If I see it right, Letsencrypt has issued new root and intermediate certificates, but the Letsencrypt app of Univention still is on an old release.