Let's Encrypt always needs second try

  • #16
    Hi John,

    you are on the right track with the IP. The second error is related to one of the alternate domains (mail.domain.com) pointing to another IP on some of our servers. That one is my mistake. IW Jenna found (and fixed) this for me.

    So when LE looks up the domain names, it encounters 2 IPs for the DNS entries and throws an error. But this error was happening today only. My original problem (Temporary failure in name resolution) still persists. But tracking that down will be hard, as it only happens once per account and then works on the second try, so I can't point to an account where it happens and IW can troubleshoot.

    I will keep an eye out for this and see if it happens more often than before. If not, I will simply have to live with it. As I also wrote Jenna, it is more of a nuisance than a real problem anyway...
    Last edited by mdeinhardt; 05-23-2017, 10:09 AM.


    • #17
      Hi Michael

      Many thanks, IW guys rock.

      Glad it's resolved, but if you could update once you think you may have found the LE issue you originally posted over.

      Please shout or post if you want anything testing or ideas.

      Many thanks, going to try to enjoy our 1 day of summer here in the UK haha

      John


      • #18
        Hi John,

        yes, IW Jenna did find the issue behind the original problem. It was an outdated LE installation. It seems I installed LE on a few of our servers before there was an auto-update function built in, so those early versions never got updated. Jenna found this and also showed me how to upgrade.

        If anyone else is experiencing similar problems, first verify the general date of your installation via
        ls -la ~iworx/lib/letsencrypt/
        Some of my files were from January 2016.

        You can update LE via
        cd ~iworx/lib/letsencrypt/
        git pull
        On two installations this resulted in
        error: Your local changes to the following files would be overwritten by merge: letsencrypt-auto
        Please, commit your changes or stash them before you can merge.
        Aborting
        so I ran
        git stash
        and then
        git pull
        Thanks to Jenna all is fine now :)


        • #19
          I have a similar but new issue, maybe someone can shed some light on this:

          I get this error when trying to create a new certificate:
          ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
          An unexpected error occurred:
          ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
          I updated the LE installation according to my post above, but the error remains. I then tried to do

          nslookup acme-v01.api.letsencrypt.org
          but get
          [root@srv04 letsencrypt]# nslookup acme-v01.api.letsencrypt.org
          ;; connection timed out; trying next origin
          ;; connection timed out; no servers could be reached
          nslookup works though, e.g.
          [root@srv04 letsencrypt]# nslookup letsencrypt.org
          Server: 127.0.0.1
          Address: 127.0.0.1#53

          Non-authoritative answer:
          Name: letsencrypt.org
          Address: 184.31.91.55
          I see elsewhere
          acme-v01.api.letsencrypt.org. CNAME IN 7200 106ms api.letsencrypt.org.edgekey.net.
          So why is the name resolution for acme-v01.api.letsencrypt.org not working? Because it's a CNAME? And is the failing name resolution the reason for my above error? Or am I misinterpreting this?

          Thanks in advance for any pointers or help.
          Michael
          Last edited by mdeinhardt; 12-19-2017, 07:37 AM. Reason: typos


          • #20
            Hi Michael

            I hope you're well and looking forward to Christmas.

            You're correct, I believe, in that it is a DNS failure to resolve.

            I suspect it is most likely at LE DNS, either malfunctioning DNS or perhaps even a DDoS.

            Is it working now?

            If not, have you checked the LE status page for known issues? Although I'm on the LE status notification email and there was a notification yesterday I think, from memory, which was corrected.

            Many thanks

            John


            • #21
              Hi John,

              yeah, I'm fine and I am indeed looking forward to Christmas - to get some internal administrative work done ;-) I work much more relaxed, knowing nobody will call :D

              And you, are the grandchildren visiting?

              I tried creating the LE cert again, but still get
              ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
              An unexpected error occurred:
              ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
              nslookup of acme-v01.api.letsencrypt.org works on my windows machine. And nslookup of acme-v01.api.letsencrypt.org works on the machine in question, if I use another DNS, e.g.
              [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org 8.8.8.8
              Server: 8.8.8.8
              Address: 8.8.8.8#53

              Non-authoritative answer:
              acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
              api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
              Name: e981.dscb.akamaiedge.net
              Address: 23.77.231.123
              So only the local resolver fails at it
              [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org
              ;; connection timed out; trying next origin
              ;; connection timed out; no servers could be reached
              but works at anything else
              [root@srv04 ~]# nslookup forums.interworx.com
              Server: 127.0.0.1
              Address: 127.0.0.1#53

              Non-authoritative answer:
              Name: forums.interworx.com
              Address: 173.249.157.163
              nslookup acme-v01.api.letsencrypt.org fails on some of our machines. Could there be some kind of host file or some redirect of this URL somewhere on those machines? I cannot think of any reason why only that URL fails and only on those machines.


              • #22
                Hi Michael

                Sorry for the small delay. Under pressure to finish a lot of work before close of business Friday (most UK companies close then until the 3 Jan).

                I think it is your resolver, as you have it set to localhost, and therefore just rounds in circles as it were.

                If you try as follows:
                SSH into server
                vi /etc/resolv.conf
                nameserver 8.8.8.8
                nameserver 8.8.4.4
                save

                As a test, here is mine:
                nslookup acme-v01.api.letsencrypt.org
                Server: 8.8.8.8
                Address: 8.8.8.8#53
                Non-authoritative answer:
                acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
                api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
                Name: e981.dscb.akamaiedge.net
                Address: 23.214.84.32

                I hope that helps a little

                Many thanks
                John


                • #23
                  Hi John,

                  no worries, I am simply glad and thankful that you always take the time to answer.

                  Using Google's NS would help, but this defeats the purpose of the local resolver, i.e. the name resolution of internal domains, especially those just created.

                  The 127.0.0.1 is iworx default, so it should work. And all this does not explain why the local resolver answers at letsencrypt.org but not at acme-v01.api.letsencrypt.org.

                  Cheers
                  Michael


                  • #24
                    So I was on the right track and you too, John. Nathan helped me and wrote "We've seen this before when only the local cache nameserver is in /etc/resolv.conf". He simply added an external name server to /etc/resolv.conf, same as you suggested John.

                    I had two knots in my head, the first being that I can simply leave the local resolver in there, i.e.

                    nameserver 8.8.8.8
                    nameserver 127.0.0.1

                    And the second knot was, I had it somehow fixed in my head never to edit /etc/resolv.conf directly, but naturally this is only the case on servers that use DHCP. And now I also know why some machines work and some don't. Those working use DHCP and I prepend my own name servers via /etc/dhcp/dhclient-eth0.conf, which of course can't work on machines with static IPs.

                    So, note to myself and others who might need it:

                    If the server uses DHCP (i.e. BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers via /etc/dhcp/dhclient-eth0.conf like this
                    prepend domain-name-servers 8.8.8.8;
                    prepend domain-name-servers 8.8.4.4;

                    prepend domain-name-servers 127.0.0.1;
                    Attention: They will be added to resolv.conf in reverse order after a reboot or after
                    service network restart
                    If the server uses a static IP (e.g. BOOTPROTO=none in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers directly via /etc/resolv.conf like John described above

                    nameserver 8.8.8.8
                    nameserver 8.8.4.4
                    nameserver 127.0.0.1
                    Thanks all for your help and I wish you, your loved ones, the whole IW team and everybody who reads this in time a very merry Christmas and a happy new year!

                    Michael
                    Last edited by mdeinhardt; 12-21-2017, 10:48 AM.
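An added example, not part of the thread or of InterWorx: a small POSIX shell script that checks whether a resolv.conf lists only loopback nameservers (the condition Nathan described in post #24) and predicts the resolv.conf order that the dhclient "prepend" lines from the same post produce, using the reverse ordering the post observed. The sample files are constructed for the demo; the real paths are /etc/resolv.conf and /etc/dhcp/dhclient-eth0.conf.

```shell
#!/bin/sh
# Example added for this thread; assumes GNU/BSD awk and grep -E.

# Print the nameserver addresses from a resolv.conf-style file, one per line.
list_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Exit 0 if at least one nameserver is not loopback (127.x.x.x or ::1), else 1.
# A file with only 127.0.0.1 is the configuration post #24 reports as failing.
has_external_nameserver() {
    list_nameservers "$1" | grep -qvE '^(127\.|::1$)'
}

# Predict the nameserver lines dhclient writes from "prepend domain-name-servers X;"
# statements. Post #24 observed they land in reverse file order, so the last
# prepend line ends up first; this models exactly that behaviour.
dhclient_prepend_order() {
    awk '$1 == "prepend" && $2 == "domain-name-servers" { sub(/;$/, "", $3); print $3 }' "$1" |
        awk '{ a[NR] = $0 } END { for (i = NR; i > 0; i--) print "nameserver " a[i] }'
}

# Constructed sample files standing in for the real configs.
resolv=$(mktemp); dhcp=$(mktemp)
printf 'nameserver 127.0.0.1\n' > "$resolv"
printf 'prepend domain-name-servers 8.8.8.8;\nprepend domain-name-servers 8.8.4.4;\nprepend domain-name-servers 127.0.0.1;\n' > "$dhcp"

if has_external_nameserver "$resolv"; then
    echo "OK: $resolv has a non-loopback nameserver"
else
    echo "WARN: $resolv lists only the local cache nameserver (see post #24)"
fi
echo "dhclient would write, in this order:"
dhclient_prepend_order "$dhcp"
rm -f "$resolv" "$dhcp"
```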


                    • #25
                      Hi Michael
                      Wow, Kudos to you and IW
                      Glad it's now resolved and I hope you and your loved ones have a merry Christmas and a very happy new year
                      Many thanks
                      John
