Let's Encrypt always needs second try


  • mdeinhardt
    started a topic Let's Encrypt always needs second try

    Is anybody else experiencing this? Whenever I click "Generate all with Let's Encrypt" it generates an error on the first try, the gist of it being "Temporary failure in name resolution".
    Only on the second try the whole process goes through.

    Just want to confirm this is "normal" behaviour....

    Cheers, Michael

  • d2d4j
    replied
    Hi Michael
    Wow, kudos to you and IW
    Glad it's now resolved and I hope you and your loved ones have a merry Christmas and a very happy new year
    Many thanks
    John


  • mdeinhardt
    replied
    So I was on the right track and you too, John. Nathan helped me and wrote "We've seen this before when only the local cache nameserver is in /etc/resolv.conf". He simply added an external name server to /etc/resolv.conf, same as you suggested John.

    I had two knots in my head, the first being that I can simply leave the local resolver in there, i.e.

    nameserver 8.8.8.8
    nameserver 127.0.0.1

    And the second knot was, I had it somehow fixed in my head never to edit /etc/resolv.conf directly, but naturally this is only the case on servers that use DHCP. And now I also know why some machines work and some don't. Those working use DHCP and I prepend my own name servers via /etc/dhcp/dhclient-eth0.conf, which of course can't work on machines with static IPs.

    So, note to myself and others who might need it:

    If the server uses DHCP (i.e. BOOTPROTO=dhcp in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers via /etc/dhcp/dhclient-eth0.conf like this:
    prepend domain-name-servers 8.8.8.8;
    prepend domain-name-servers 8.8.4.4;
    prepend domain-name-servers 127.0.0.1;
    Attention: they will be added to resolv.conf in reverse order after a reboot or after "service network restart".
    If the server uses a static IP (e.g. BOOTPROTO=none in /etc/sysconfig/network-scripts/ifcfg-eth0) you can add additional name servers directly via /etc/resolv.conf like John described above:

    nameserver 8.8.8.8
    nameserver 8.8.4.4
    nameserver 127.0.0.1
    Thanks all for your help and I wish you, your loved ones, the whole IW team and everybody who reads this in time a very merry Christmas and a happy new year!

    Michael
    Last edited by mdeinhardt; 12-21-2017, 10:48 AM.
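    A small diagnostic for the resolv.conf situation worked out in this post, added here as an example; it is not part of the thread or of InterWorx. The function names are hypothetical, the sample resolv.conf text at the bottom is constructed, and probe_resolvers needs network access (the ACME hostname is the one from this thread).

```shell
#!/bin/sh
# Detect the configuration that caused the failures in this thread:
# /etc/resolv.conf listing only the local caching nameserver (127.0.0.1),
# so a lookup that times out there has no other resolver to fall back to.

# Print the nameserver addresses from resolv.conf-formatted text on stdin.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# Succeed (exit 0) when every listed nameserver is a loopback address
# (127.x.x.x or ::1). An empty list also counts: with no nameserver line,
# glibc defaults to the resolver on the local machine.
only_loopback_resolvers() {
    [ "$(resolv_nameservers | grep -c -v -E '^(127\.|::1$)')" -eq 0 ]
}

# Live check (needs network): try the given name through each resolver
# configured on this host, so a resolver that fails exactly this name, as
# 127.0.0.1 did above, is visible next to the ones that work.
probe_resolvers() {
    name=${1:-acme-v01.api.letsencrypt.org}
    resolv_nameservers < /etc/resolv.conf | while read -r ns; do
        if nslookup "$name" "$ns" >/dev/null 2>&1; then
            echo "$ns: resolves $name"
        else
            echo "$ns: FAILED to resolve $name"
        fi
    done
}

# Constructed sample: the pre-fix resolv.conf from the thread (only the local cache).
sample_resolv_conf='nameserver 127.0.0.1'
if printf '%s\n' "$sample_resolv_conf" | only_loopback_resolvers; then
    echo "WARNING: only loopback resolvers configured; add an external nameserver"
fi
```

    Run "probe_resolvers" on the affected host to see which configured resolver times out on the ACME endpoint.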


  • mdeinhardt
    replied
    Hi John,

    no worries, I am simply glad and thankful that you always take the time to answer.

    Using Google's NS would help, but this defeats the purpose of the local resolver, i.e. the name resolution of internal domains, especially those just created.

    The 127.0.0.1 is iworx default, so it should work. And all this does not explain why the local resolver answers at letsencrypt.org but not at acme-v01.api.letsencrypt.org.

    Cheers
    Michael


  • d2d4j
    replied
    Hi Michael
    Sorry for the small delay. Under pressure to finish a lot of work before close of business Friday (most UK companies close then until the 3 Jan).
    I think it is your resolver, as you have it set to localhost, and therefore it just goes round in circles as it were.
    If you try as follows:
    SSH into server
    vi /etc/resolv.conf
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    save
    As a test, here is mine:
    nslookup acme-v01.api.letsencrypt.org
    Server: 8.8.8.8
    Address: 8.8.8.8#53
    Non-authoritative answer:
    acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
    api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
    Name: e981.dscb.akamaiedge.net
    Address: 23.214.84.32
    I hope that helps a little
    Many thanks
    John


  • mdeinhardt
    replied
    Hi John,

    yeah, I'm fine and I am indeed looking forward to Christmas - to get some internal administrative work done ;-) I work much more relaxed, knowing nobody will call :D

    And you, are the grandchildren visiting?

    I tried creating the LE cert again, but still get
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    An unexpected error occurred:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7fcd0a00e890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    nslookup of acme-v01.api.letsencrypt.org works on my windows machine. And nslookup of acme-v01.api.letsencrypt.org works on the machine in question, if I use another DNS, e.g.
    [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org 8.8.8.8
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    acme-v01.api.letsencrypt.org canonical name = api.letsencrypt.org.edgekey.net.
    api.letsencrypt.org.edgekey.net canonical name = e981.dscb.akamaiedge.net.
    Name: e981.dscb.akamaiedge.net
    Address: 23.77.231.123
    So only the local resolver fails at it
    [root@srv04 ~]# nslookup acme-v01.api.letsencrypt.org
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    but works at anything else
    [root@srv04 ~]# nslookup forums.interworx.com
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: forums.interworx.com
    Address: 173.249.157.163
    nslookup acme-v01.api.letsencrypt.org fails on some of our machines. Could there be some kind of host file or some redirect of this URL somewhere on those machines? I cannot think of any reason why only that URL fails and only on those machines.


  • d2d4j
    replied
    Hi Michael

    I hope you're well and looking forward to Christmas

    You're correct I believe in that it is a dns failure to resolve

    I suspect it is most likely at LE DNS, either malfunctioning dns or perhaps even a ddos

    Is it working now

    If not, have you checked LE status page for known issues, although I'm on LE status notification email and there was a notification yesterday I think from memory, which was corrected

    Many thanks

    John


  • mdeinhardt
    replied
    I have a similar but new issue, maybe someone can shed some light on this:

    I get this error when trying to create a new certificate:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    An unexpected error occurred:
    ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f88886b4890>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
    I updated the LE installation according to my post above, but the error remains. I then tried to do

    nslookup acme-v01.api.letsencrypt.org
    but get
    [root@srv04 letsencrypt]# nslookup acme-v01.api.letsencrypt.org
    ;; connection timed out; trying next origin
    ;; connection timed out; no servers could be reached
    nslookup works though, e.g.
    [root@srv04 letsencrypt]# nslookup letsencrypt.org
    Server: 127.0.0.1
    Address: 127.0.0.1#53

    Non-authoritative answer:
    Name: letsencrypt.org
    Address: 184.31.91.55
    I see elsewhere
    acme-v01.api.letsencrypt.org. CNAME IN 7200 106ms api.letsencrypt.org.edgekey.net.
    So why is the name resolution for acme-v01.api.letsencrypt.org not working? Because it's a CNAME? And is the failing name resolution the reason for my above error? Or am I misinterpreting this?

    Thanks in advance for any pointers or help.
    Michael
    Last edited by mdeinhardt; 12-19-2017, 07:37 AM. Reason: typos


  • mdeinhardt
    replied
    Hi John,

    yes, IW Jenna did find the issue behind the original problem. It was an outdated LE installation. It seems I installed LE on a few of our servers before there was an auto-update function built in, so those early versions never got updated. Jenna found this and also showed me how to upgrade.

    If anyone else is experiencing similar problems, first verify the general date of your installation via
    ls -la ~iworx/lib/letsencrypt/
    Some of my files were from January 2016.

    You can update LE via
    cd ~iworx/lib/letsencrypt/
    git pull
    On two installations this resulted in
    error: Your local changes to the following files would be overwritten by merge: letsencrypt-auto
    Please, commit your changes or stash them before you can merge.
    Aborting
    so I ran
    git stash
    and then
    git pull
    Thanks to Jenna all is fine now :)


  • d2d4j
    replied
    Hi Michael

    Many thanks, Iw guys rock

    Glad it's resolved but if you could update once you think you may have found the LE issue you originally posted over

    Please shout or post if you want anything testing or ideas

    Many thanks, going to try to enjoy our 1 day of summer here in uk haha

    John


  • mdeinhardt
    replied
    Hi John,

    you are on the right track with the IP. The second error is related to one of the alternate domains (mail.domain.com) pointing to another IP on some of our servers. That one is my mistake. IW Jenna found (and fixed) this for me.

    So when LE looks up the domain names, it encounters 2 IPs for the DNS entries and throws an error. But this error was happening today only. My original problem (Temporary failure in name resolution) still persists. But tracking that down will be hard, as it only happens once per account and then works on the second try, so I can't point to an account where it happens and IW can troubleshoot.

    I will keep an eye out for this and see if it happens more often than before. If not, I will simply have to live with it. As I also wrote Jenna, it is more of a nuisance than a real problem anyway...
    Last edited by mdeinhardt; 05-23-2017, 10:09 AM.


  • d2d4j
    replied
    Hi Michael

    Just a thought, as I think it's vps Iw.

    On the Iw server you took the log extract on, i.e. Max retries exceeded, is there more than 1 IP address it could use?

    I'm thinking (seen it before), the original outgoing request may be on 1 ip but subsequently change its outgoing ip to a different ip, thereby exceeding tries on new connection.

    It's just a thought

    Many thanks

    John


  • d2d4j
    replied
    Hi Michael

    Ahh yes, haha but just seems to happen to me sorry

    I thought before replying I had better test, so enabled the domain and LE worked lovely, so disabled the account.

    IW-Jenna did ask if you were still having the issue, to open a support ticket so IW could have a look to see what's happening.

    I do believe it is connected with dns though, as your earlier post showed domain resolution failed but guess I need a holiday to recharge my aging batteries

    Many thanks

    John


  • mdeinhardt
    replied
    Hi John,
    hehe, these things happen, no worries...

    But nope, the domains are active and as written above I sometimes have the issue when adding a new domain, but also when I want to exchange the certificate (e.g. in order to add a subdomain) on a domain, that has been online for months or years. I cannot find any common denominator, only that it doesn't work on the first try quite often.

    The new issue of today, where I get this error
    Installing SSL Certificate failed!
    <p"
    seems to be unrelated and only happened on one server so far.

    I'm gonna restart the relevant server tonight and if the problem persists, I might need some help from IW.


  • d2d4j
    replied
    Hi Michael

    I'll hang my head in shame sorry :(

    The domain I tested on Saturday by repointing to test server, which worked lovely Saturday and repointed back, was... a disabled domain on live server, which is why I forgot about it sorry

    It was IW-Jenna who looked into it and told me. Kudos to IW

    Is your domain same as mine, disabled in IW

    I hope that helps

    Many thanks

    John
