Problem renewing SSL

Problem Description

I can’t get letsencrypt renewals on a server on my LAN

Any Error Messages

Failed: Failed to open TCP connection to acme-v02.api.letsencrypt.org:443 (getaddrinfo: Name or service not known)
$ ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=58 time=16.5 ms

Environment

  • Sympl Version [10.0]:
  • Sympl Testing Version? [No]
  • Debian Version [Buster]:
  • Hardware Type? [/Pi]
  • Hosted On? [local lan]

This is behind a proxy that combines connections, running through OpenMPTCPRouter - which is probably where the problem is rooted, but what is the problem?

It used to work, but now it doesn’t

This sounds like it may be a DNS resolution issue or similar - what happens when you run wget -O - https://acme-v02.api.letsencrypt.org/directory?

It ought not be related (to facebook being down), but I saw quite a few DNS lookups failing at around 5pm.

Perhaps try again?

Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)… 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443… connected.
HTTP request sent, awaiting response… 200 OK

then

Fetching a new certificate from LetsEncrypt.
!! Failed: Failed to open TCP connection to acme-v02.api.letsencrypt.org:443 (getaddrinfo: Name or service not known)

Yes, lots of stuff is broken, but I don’t think that’s it, because the same command works just fine from my other servers.

Still baffled!

If wget -O - https://acme-v02.api.letsencrypt.org/directory

produces this:

--2021-10-05 14:56:11-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)… 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443… connected.
HTTP request sent, awaiting response… 200 OK

Why does an update get

!! Failed: Failed to open TCP connection to acme-v02.api.letsencrypt.org:443 (getaddrinfo: Name or service not known)

It’s as if the request is somehow wrong.

Does the wget result include the usual directory info you see when you browse to it? It’s acting a bit like cloudflare don’t like your connection for some reason…

With a web browser on my laptop:
https://acme-v02.api.letsencrypt.org/directory gets me:

{
  "95zRh_spveY": "Adding random entries to the directory - API Announcements - Let's Encrypt Community Support",
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}

$ wget -O- https://acme-v02.api.letsencrypt.org/directory on the sympl server

gets me:

--2021-10-05 21:58:19-- https://acme-v02.api.letsencrypt.org/directory
Resolving acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)… 172.65.32.248, 2606:4700:60:0:f53d:5624:85c7:3a2c
Connecting to acme-v02.api.letsencrypt.org (acme-v02.api.letsencrypt.org)|172.65.32.248|:443… connected.
HTTP request sent, awaiting response… 200 OK
Length: 658 [application/json]
Saving to: ‘STDOUT’

Which looks more or less the same to me. But I don’t pretend to understand how Letsencrypt works.

Both are using the same internet connection, which goes via a VPN/Proxy on a server in London.

Okay, check the hosts file on the server for any LE entries and remove them, and check config/ssl/letsencrypt for a file called endpoint and remove it if it exists.

Finally, ensure the ca-certificates package is up to date on the server.

In /etc/hosts:

;; global options: +cmd^Lacme-v02.api.letsencrypt.org # sympl-ssl workaround
;; global options: +cmd^Lacme-v02.api.letsencrypt.org # sympl-ssl workaround
;; global options: +cmd^Lacme-v02.api.letsencrypt.org # sympl-ssl workaround

but I thought that the ;; was to disable them. But it didn’t! I prefixed those three lines with a # and the problem went away!

No file called /srv/whatever/config/ssl/letsencrypt/endpoint

ca-certificates is already the newest version (20200601~deb10u2).
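The root cause in this thread was stale "sympl-ssl workaround" lines in /etc/hosts that start with ";;" (dig output syntax), which is not a comment marker in /etc/hosts; only "#" is. The following is an added example, not code from the thread or from Sympl, that audits an /etc/hosts file for lines that are neither comments nor well-formed address/hostname entries and applies the same fix the poster used (prefixing them with "#"). The sample hosts file content is constructed to resemble the one described above.

```python
import ipaddress
import re

# Constructed sample resembling the /etc/hosts described in the thread.
# The ";;" line is dig-output syntax, not an /etc/hosts comment: only "#" is.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# 198.51.100.7 old-box.example   <- a real comment, ignored by the resolver
;; global options: +cmd acme-v02.api.letsencrypt.org # sympl-ssl workaround
172.65.32.248 acme-v02.api.letsencrypt.org # sympl-ssl workaround
"""

HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]+")

def classify_hosts_line(line):
    """Return 'blank', 'comment', 'entry' or 'malformed' for one /etc/hosts line."""
    stripped = line.strip()
    if not stripped:
        return "blank"
    if stripped.startswith("#"):
        return "comment"
    # Drop any trailing "# ..." comment, then split into address + hostnames.
    fields = stripped.split("#", 1)[0].split()
    if len(fields) < 2:
        return "malformed"
    try:
        ipaddress.ip_address(fields[0])  # first field must be an IPv4/IPv6 literal
    except ValueError:
        return "malformed"
    if not all(HOSTNAME_RE.fullmatch(name) for name in fields[1:]):
        return "malformed"
    return "entry"

def audit_hosts(text):
    """Return (line_number, line) for every line that the resolver would misparse."""
    return [(n, line) for n, line in enumerate(text.splitlines(), 1)
            if classify_hosts_line(line) == "malformed"]

def comment_out_malformed(text):
    """Apply the fix from the thread: turn each malformed line into a '#' comment."""
    fixed = ["# " + line if classify_hosts_line(line) == "malformed" else line
             for line in text.splitlines()]
    return "\n".join(fixed) + "\n"

if __name__ == "__main__":
    for n, line in audit_hosts(SAMPLE_HOSTS):
        print(f"line {n}: malformed: {line}")
```

To check a live system, read /etc/hosts into `audit_hosts` and review what it reports before editing the file.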