Yet another "Failed to renew SSL" issue #1482
Comments
Yeah, unfortunately certbot does have a number of issues which we can't do anything about, except to switch to a different tool to generate certificates, which is planned for v3. Concerning some of the questions you asked:
The certbot output in the normal docker log is usually very limited and does not provide much useful information. The letsencrypt logs contain much more information, which would be useful to find the source of the problem. See #1271 (comment) on how to access these logs.
@chaptergy firstly, thanks a bunch for your detailed writeup, really appreciated.
How close are we to this? We're at 2.9.9, so must be close? :D
Thanks. I noted this one. Fixing it usually still leads to timeout.
Yeah, this makes sense. The https still works without error on browser side, but it's just all wrong in the Web UI.
I know this is a DNS issue, sometimes even on the client side, but I've triple checked to make sure internet access is connected. Without the Cloudflare proxy, my external IP ports are all forwarded correctly and the associated domains can be reached thanks to Nginx Proxy Manager. I've had the Cloudflare proxy turned on in production and it didn't have issues with DNS previously. I turned it off to troubleshoot this.
Here they are: letsencrypt.log
Unfortunately v3 is still a while away I think, there is no official timeline yet. Hm, but the logs also only contain the error that it fails to connect to acme-v02.api.letsencrypt.org, or rather it fails to resolve the domain. But you said you are able to ping it? So you have installed ping within the npm container and are able to ping the domain? Are you also able to run
Hrmm, now that you mention doing this, I'm not even able to Because of that, couldn't even install ping Any ideas? I could ping just fine from the host machine. I've also recreated this container several times. The only thing that persisted was the volumes.
It seems this is actually an issue with your installation of docker. As this could be caused by many things and has nothing to do with npm, I will close this issue. Depending on what OS you used, how you installed docker, etc., you should be able to find articles and questions with similar issues which will help you with your issue. Some links to get started:
Hi there, I'm using the official docker image, version 2.9.7
I've looked for many other similar instances of SSL certbot not working correctly, but haven't come across a solution for my case yet. Please do point out the right issue # if I've missed them.
So, I've been using this for a while now, so am not new to the project, and I've always had problems with certbot renewing.
Ports are correctly forwarded externally, so no issue there. I've also been using Cloudflare as an additional layer to anonymise my IP + DDoS protection. I use Cloudflare's DNS service and also DDNS (where I use another service to automatically update my external IP address at Cloudflare).
I think Cloudflare would have been the problem when renewing certs, so I have disabled them temporarily to test renewing, but it still fails with the following logs.
The only approach I haven't tested is deleting all the certs and recreating them, because I have so many! A feature to do this in bulk would be much appreciated, but that's beside the point :)
So, back to the logs, what is immediately obvious?
I'd thought that "Temporary failure in name resolution" meant it's not reaching acme-v02.api.letsencrypt.org, but this is not true, since I am able to ping it successfully from the machine hosting Nginx Proxy Manager. Any thoughts?
On other occasions, I'd get internal errors or timeouts too. I can't make any further changes, so I would docker-compose down and docker-compose up -d again to "reset" the app. Generally, I can't renew a cert without error, and it is only by luck that it gets renewed successfully.
Most of the certs are shown as expired in the web UI, but https still works on the underlying reverse-proxied application.
What can I do about this and what is a good practice to prevent this from happening?
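The thread above turns on a point that is easy to miss: a successful ping from the host says nothing about whether the npm container itself can resolve acme-v02.api.letsencrypt.org. The following added diagnostic (my own, not part of the issue or of the Nginx Proxy Manager project) runs the same lookup on the host and inside the container and tells the two failure modes apart; it assumes a container named `npm` (a placeholder) and `getent` in both environments.

```shell
#!/bin/sh
# Added diagnostic, not from the issue thread or the npm project.
# Compares name resolution on the Docker host with resolution inside
# the npm container, for the ACME endpoint certbot failed to resolve.

ACME_HOST="acme-v02.api.letsencrypt.org"

# resolve_with PREFIX HOST
#   PREFIX is empty for the host shell, or "docker exec <container>" to
#   run the lookup inside a container. Returns 0 when HOST resolves.
resolve_with() {
    prefix="$1"
    host="$2"
    $prefix getent hosts "$host" >/dev/null 2>&1
}

# classify_resolution HOST_RC CONTAINER_RC
#   Maps the two lookup results to a verdict:
#     ok            both resolve; certbot's failure is not name resolution
#     container-dns host resolves, container does not: Docker DNS/network
#                   configuration (the situation described in this issue)
#     host-dns      the host itself cannot resolve: upstream resolver or
#                   connectivity problem, not the container
classify_resolution() {
    host_rc="$1"
    ctr_rc="$2"
    if [ "$host_rc" -ne 0 ]; then
        echo "host-dns"
    elif [ "$ctr_rc" -ne 0 ]; then
        echo "container-dns"
    else
        echo "ok"
    fi
}

# diagnose [CONTAINER]  -- prints the verdict and each side's resolv.conf
diagnose() {
    container="${1:-npm}"   # placeholder container name; adjust to yours
    if resolve_with "" "$ACME_HOST"; then h=0; else h=1; fi
    if resolve_with "docker exec $container" "$ACME_HOST"; then c=0; else c=1; fi
    verdict=$(classify_resolution "$h" "$c")
    echo "verdict: $verdict (host=$h container=$c)"
    echo "--- host /etc/resolv.conf"; cat /etc/resolv.conf 2>/dev/null
    echo "--- container /etc/resolv.conf"
    docker exec "$container" cat /etc/resolv.conf 2>/dev/null
    echo "$verdict"
}
```

Run `diagnose npm` on the Docker host; a `container-dns` verdict means the certbot error is a resolver problem inside the container, so fixing it lies in Docker's DNS settings (the daemon's `dns` option or the container network) rather than in the certificate configuration.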