Let's Encrypt cert renewals (suddenly) failing

A simple test we usually use is to create a file named 1234 (with no extension) containing “5678” in the directory from where nginx serves the challenge file. If you can access that file from a browser on your phone (using your wireless service, not your own Wi-Fi), typically the Let’s Encrypt authentication servers (one primary and three secondary) can too.

1 Like

I should add, though, that a second box with the same static IP address situation, that doesn’t run Discourse but does run Apache for other sites (I think now with certbot, I’d have to look), has been routinely renewing certs without difficulty.

2 Likes

That’s a good sign in terms of the external infrastructure. In terms of the onion, it means we’re hunting from the route to the Discourse box inwards to the acme.sh container. The fact that this had been working for a while and suddenly failed suggests either an update of some sort or a configuration change is the likely cause.

3 Likes

Let me know once you’ve tried the manual file creation and access test. That’s usually a very reliable litmus test.

1 Like

We also like to use this tool to check response:

The address should be like this:

http://yourdomain.com/.well-known/acme-challenge/1234

If testing the manual file 1234 from your phone and https://redirect-checker.org/ both work, that’s a pretty clear indication that the script/parameters being used for the ACME client process is the source of your woes.

2 Likes
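The “1234 / 5678” probe from the two posts above, as an added example script that is not from the thread. It assumes `WEBROOT` is the directory nginx serves for `/.well-known/acme-challenge/`, `DOMAIN` is the forum’s hostname, and curl is installed; besides status and body it records fetch time, since a slow link can be “reachable” yet still fail validation.

```shell
#!/bin/sh
# Added example (not from the thread): write the probe file, fetch it the way
# the CA does (plain HTTP on port 80, redirects followed), and grade the result.
# Assumptions: WEBROOT = nginx webroot for /.well-known/acme-challenge/,
#              DOMAIN  = the hostname on the certificate, curl available.

TOKEN=1234
EXPECTED=5678

# Write <webroot>/.well-known/acme-challenge/1234 containing "5678".
make_probe() {
  dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir" && printf '%s' "$EXPECTED" > "$dir/$TOKEN"
}

# Grade a fetch: args are HTTP status, body, total seconds, time limit (default 5).
# Returns 0 = OK, 1 = wrong status, 2 = wrong body, 3 = correct but too slow.
judge_probe() {
  status="$1"; body="$2"; secs="$3"; limit="${4:-5}"
  [ "$status" = "200" ] || return 1
  [ "$body" = "$EXPECTED" ] || return 2
  # awk does the float comparison; plain sh arithmetic is integer-only
  awk -v t="$secs" -v l="$limit" 'BEGIN { if (t+0 > l+0) exit 1 }' || return 3
  return 0
}

# Fetch the probe and hand status/body/timing to judge_probe (4 = no connection).
# Run this from OUTSIDE your own network, e.g. a phone hotspot, as advised above.
fetch_probe() {
  url="http://$1/.well-known/acme-challenge/$TOKEN"
  out=$(curl -sS -L --max-redirs 10 --max-time 30 \
          -w '\n%{http_code} %{time_total}' "$url") || return 4
  body=$(printf '%s\n' "$out" | sed '$d')      # everything but the last line
  meta=$(printf '%s\n' "$out" | tail -n 1)     # "<status> <seconds>"
  judge_probe "${meta% *}" "$body" "${meta#* }"
}

# Only runs when DOMAIN is set, so the functions can also be sourced elsewhere.
if [ -n "${DOMAIN:-}" ]; then
  [ -n "${WEBROOT:-}" ] && make_probe "$WEBROOT"
  fetch_probe "$DOMAIN"; rc=$?
  case $rc in
    0) echo "OK: probe reachable, body correct, fast enough" ;;
    1) echo "FAIL: non-200 status (check nginx location or redirect)" ;;
    2) echo "FAIL: wrong body (a different webroot is being served)" ;;
    3) echo "FAIL: reachable but slow (link or tunnel performance)" ;;
    *) echo "FAIL: no connection or timeout from this vantage point" ;;
  esac
  exit $rc
fi
```

Invoke as `WEBROOT=/var/www/letsencrypt DOMAIN=yourdomain.com sh probe.sh` from the external vantage point; a result of 3 is the pattern seen in this thread, where the site answered but too slowly for renewals to complete.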

Bingo! This problem is solved. The underlying issue was poor connectivity through a tunnel providing a single IP address associated with the Discourse forum. While tests via other sites, including external ones, had not shown this, your recommended test via mobile (which I should have thought of, but with all the other tests I’d done I just didn’t think of it this time) did show the performance problem, which apparently was bad enough to prevent certificate renewals from completing (via the route that Let’s Encrypt was using). This was straightforward to solve once the tunnel was indicated as the culprit, and a rebuild of the Discourse app immediately pulled in renewed certs, so back to full operation. Thanks Jonathan and all! Have a great upcoming New Year!

3 Likes

Wonderful!

🥳

Glad it was resolved so quickly!

Have a very happy new year!

2022

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.