Certificate renewing failed

Hi,

I have trouble renewing the Let’s Encrypt certificate. Here is the output of the command sudo yunohost domain cert-renew --debug:

165  DEBUG loading actions map namespace 'yunohost'
232  DEBUG extra parameter classes loaded: ['ask', 'password', 'required', 'pattern']
234  DEBUG initializing base actions map parser for cli
238  DEBUG registering new callback action 'yunohost.utils.packages.ynh_packages_version' to ['-v', '--version']
486  DEBUG initialize authenticator 'ldap-anonymous' with: uri='ldap://localhost:389', base_dn='dc=yunohost,dc=org', user_rdn='None'
490  DEBUG lock has been acquired
841  INFO processing action [3431.1]: yunohost.domain.cert-renew with args={'no_checks': False, 'force': False, 'domain_list': [], 'auth': <moulinette.authenticators.ldap.Authenticator object at 0x7665a8d0>, 'staging': False, 'email': False}
2155 INFO Starting new HTTP connection (1): 80.201.150.87
2186 DEBUG "HEAD / HTTP/1.1" 302 0
2190 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2192 INFO Now attempting renewing of certificate for domain manuc66.nohost.me !
2452 INFO Starting new HTTP connection (1): 80.201.150.87
2469 DEBUG "HEAD / HTTP/1.1" 302 0
2472 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2473 DEBUG Making sure tmp folders exists...
2475 INFO Prepare key and certificate signing request (CSR) for manuc66.nohost.me...
16706 INFO Saving to /tmp/acme-challenge-private/manuc66.nohost.me.csr.
16708 INFO Now using ACME Tiny to sign the certificate...
16709 INFO Parsing account key...
16743 INFO Parsing CSR...
16772 INFO Registering account...
17555 INFO Already registered!
17556 INFO Verifying manuc66.nohost.me...
29291 ERROR manuc66.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'80.201.150.87', u'2a02:a03f:a5f:0:c30:3f69:b861:4598'], u'url': u'http://manuc66.nohost.me/.well-known/acme-challenge/pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg', u'hostname': u'manuc66.nohost.me', u'addressesTried': [], u'addressUsed': u'2a02:a03f:a5f:0:c30:3f69:b861:4598', u'port': u'80'}], u'keyAuthorization': u'pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg.5-vf9j2C_pmYxASIb7omHE0som41D0Fmu788z28ojhg', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Y81bmdxMuuEGJ_xhQjlhiOemSC_BPI6XIDDyOWHs9R4/1703576335', u'token': u'pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching http://manuc66.nohost.me/.well-known/acme-challenge/pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg: Timeout'}, u'type': u'http-01'}
29296 ERROR Certificate renewing for manuc66.nohost.me failed !
29298 ERROR Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 564, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed

29302 ERROR [Errno 22] Signing the new certificate failed
29304 DEBUG action [3431.1] ended after 28.462s
29306 DEBUG lock has been released

Does someone have an idea how to solve the issue?

Thanks

Not sure, but to me it looks like it’s trying to renew the certificate through IPv6. Can you confirm that 2a02:a03f:a5f:0:c30:3f69:b861:4598 is the IPv6 address of your server? (And also 80.201.150.87 should be your IPv4.)

You can check that by running the following commands on your server:

curl ip6.yunohost.org
curl ip.yunohost.org

I think you should either make sure your IPv6 setup is working, or disable IPv6 to fall back to IPv4 :s
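The diagnosis above (the CA picked the AAAA address and timed out, while the A address works) can be automated from the challenge dict that acme-tiny prints. This is an added example, not YunoHost or acme-tiny code; the sample dict is constructed from the error in the log above, and server_v4/server_v6 are assumed to be what `curl ip.yunohost.org` / `curl ip6.yunohost.org` return on the host.

```python
"""Diagnose a failed ACME http-01 validation record (added example, not YunoHost code)."""
import ipaddress

# Constructed from the error dict in the log above; only the fields this check reads.
SAMPLE_CHALLENGE = {
    "status": "invalid",
    "type": "http-01",
    "validationRecord": [{
        "hostname": "manuc66.nohost.me",
        "addressesResolved": ["80.201.150.87", "2a02:a03f:a5f:0:c30:3f69:b861:4598"],
        "addressUsed": "2a02:a03f:a5f:0:c30:3f69:b861:4598",
        "port": "80",
    }],
    "error": {"type": "urn:acme:error:connection",
              "detail": "Fetching http://manuc66.nohost.me/.well-known/acme-challenge/...: Timeout"},
}


def diagnose(challenge, server_v4=None, server_v6=None):
    """Return human-readable findings for a failed http-01 challenge.

    server_v4 / server_v6 (assumed inputs): the public addresses the host really
    answers on, so a DNS record pointing elsewhere can be spotted.
    """
    findings = []
    if challenge.get("status") != "invalid":
        return findings
    err = challenge.get("error", {})
    if err.get("type") == "urn:acme:error:connection":
        findings.append("CA could not connect to the challenge URL: " + err.get("detail", ""))
    for rec in challenge.get("validationRecord", []):
        used = ipaddress.ip_address(rec["addressUsed"])
        resolved = [ipaddress.ip_address(a) for a in rec.get("addressesResolved", [])]
        family = "IPv6" if used.version == 6 else "IPv4"
        findings.append(f"CA validated over {family} ({used}); DNS publishes {len(resolved)} address(es)")
        # Compare the address the CA used with the address the host itself reports.
        expected = server_v6 if used.version == 6 else server_v4
        if expected is not None and used != ipaddress.ip_address(expected):
            findings.append(f"{family} DNS record {used} does not match the host's own address {expected}")
        # An A record exists but the CA chose the AAAA one: port 80 must answer over IPv6,
        # or the AAAA record should be removed until it does.
        if used.version == 6 and any(a.version == 4 for a in resolved):
            findings.append("AAAA record was preferred over A: fix IPv6 reachability on port 80 or drop AAAA")
    return findings
```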

Thanks, here are the command results:

$ curl ip.yunohost.org
80.201.150.87
$ curl ip6.yunohost.org
2a02:a03f:a5f:0:c30:3f69:b861:4598

Do you know how to simply disable IPv6?

Apparently you should do something like:

sysctl -w net.ipv6.conf.all.disable_ipv6=1
sysctl -w net.ipv6.conf.default.disable_ipv6=1

And to re-enable:

sysctl -w net.ipv6.conf.all.disable_ipv6=0
sysctl -w net.ipv6.conf.default.disable_ipv6=0

It’s still the same:

$ curl ip6.yunohost.org
curl: (7) Couldn't connect to server
$ sudo yunohost domain cert-renew --debug
163  DEBUG loading actions map namespace 'yunohost'
230  DEBUG extra parameter classes loaded: ['ask', 'password', 'required', 'pattern']
231  DEBUG initializing base actions map parser for cli
234  DEBUG registering new callback action 'yunohost.utils.packages.ynh_packages_version' to ['-v', '--version']
515  DEBUG initialize authenticator 'ldap-anonymous' with: uri='ldap://localhost:389', base_dn='dc=yunohost,dc=org', user_rdn='None'
519  DEBUG lock has been acquired
863  INFO processing action [2312.1]: yunohost.domain.cert-renew with args={'no_checks': False, 'force': False, 'domain_list': [], 'auth': <moulinette.authenticators.ldap.Authenticator object at 0x7663d8d0>, 'staging': False, 'email': False}
2229 INFO Starting new HTTP connection (1): 80.201.150.87
2248 DEBUG "HEAD / HTTP/1.1" 302 0
2251 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2252 INFO Now attempting renewing of certificate for domain manuc66.nohost.me !
2519 INFO Starting new HTTP connection (1): 80.201.150.87
2539 DEBUG "HEAD / HTTP/1.1" 302 0
2541 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2542 DEBUG Making sure tmp folders exists...
2543 INFO Prepare key and certificate signing request (CSR) for manuc66.nohost.me...
12736 INFO Saving to /tmp/acme-challenge-private/manuc66.nohost.me.csr.
12737 INFO Now using ACME Tiny to sign the certificate...
12738 INFO Parsing account key...
12773 INFO Parsing CSR...
12800 INFO Registering account...
13743 INFO Already registered!
13745 INFO Verifying manuc66.nohost.me...
22804 ERROR manuc66.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'80.201.150.87', u'2a02:a03f:a5f:0:c30:3f69:b861:4598'], u'url': u'http://manuc66.nohost.me/.well-known/acme-challenge/66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo', u'hostname': u'manuc66.nohost.me', u'addressesTried': [], u'addressUsed': u'2a02:a03f:a5f:0:c30:3f69:b861:4598', u'port': u'80'}], u'keyAuthorization': u'66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo.5-vf9j2C_pmYxASIb7omHE0som41D0Fmu788z28ojhg', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/92mEUR2V1MUB-OI5lrmmZkLU2HKAgRxdWajAiqOJ2OQ/1704225321', u'token': u'66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching http://manuc66.nohost.me/.well-known/acme-challenge/66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo: Timeout'}, u'type': u'http-01'}
22812 ERROR Certificate renewing for manuc66.nohost.me failed !
22814 ERROR Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 564, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed

22815 ERROR [Errno 22] Signing the new certificate failed
22816 DEBUG action [2312.1] ended after 21.952s
22817 DEBUG lock has been released

Can you do a yunohost dyndns update and try again?

Here is what I get:

$ sudo yunohost dyndns update
Error: ip route cmd error : Not a valid ip route get line

Damn :confused: Well I think you should re-enable IPv6 then…

Maybe you can try to add the following to your /etc/hosts:

80.201.150.87 manuc66.nohost.me

(though it’s not gonna be dynamically updated…)

And retry again :stuck_out_tongue:

I will try to, but in between I made another attempt and I now have to wait an hour because of Let’s Encrypt’s rate limiting policy…

Eh :confused: Sorry 'bout dat

@CaptainSqrt2 you don’t have to be sorry, it’s really kind of you to help me!

:wink: :smile:

SUCCESS Successfully renewed Let's Encrypt certificate for domain manuc66.nohost.me!

Thank you very much!

I will remove the /etc/hosts entry since I’m behind a dynamic IP. Do you know if there is something wrong in my setup that pushed me to this issue?

Well I’m guessing somehow your IPv6 is not working properly… But not sure why, I’m far from understanding how to properly set up IPv6. You probably need to configure some gateway or something on your server :confused:

With that said, it’d be nice if the Let’s Encrypt install automatically fell back to IPv4 if there’s something wrong with IPv6. Currently we do not do that many checks about IPv6, for instance.