Let's Encrypt renewal errors

The Let’s Encrypt cert on our site expired over the weekend, and I’m having trouble getting the site back online.

When I tried to enter the container, it prompted that I needed to upgrade Docker first. I did that, and then rebuilt and was able to get in. I still am unable to get the forum back online.

The logs have a bunch of lines like this:

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/vexforum.cn.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

Relevant parts at the beginning of the log include:

run-parts: executing /etc/runit/1.d/letsencrypt
[Mon Dec 18 18:27:58 UTC 2017] Registering account
[Mon Dec 18 18:28:01 UTC 2017] Registered
[Mon Dec 18 18:28:01 UTC 2017] ACCOUNT_THUMBPRINT='zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:01 UTC 2017] Creating domain key
[Mon Dec 18 18:28:02 UTC 2017] The domain key is here: /shared/letsencrypt/vexforum.cn/vexforum.cn.key
[Mon Dec 18 18:28:02 UTC 2017] Single domain='vexforum.cn'
[Mon Dec 18 18:28:02 UTC 2017] Getting domain auth token for each domain
[Mon Dec 18 18:28:02 UTC 2017] Getting webroot for domain='vexforum.cn'
[Mon Dec 18 18:28:02 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Mon Dec 18 18:28:06 UTC 2017] The new-authz request is ok.
[Mon Dec 18 18:28:06 UTC 2017] Verifying:vexforum.cn
[Mon Dec 18 18:28:11 UTC 2017] vexforum.cn:Verify error:Invalid response from .well-known/acme-challenge/iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA:
[Mon Dec 18 18:28:11 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
Error loading file ca.cer
140313005983384:error:02001002:system library:fopen:No such file or directory:bss_file.c:175:fopen('ca.cer','r')
140313005983384:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:178:
140313005983384:error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system lib:by_file.c:253:
usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check] [-no_alt_chains] [-attime timestamp] [-engine e] cert1 cert2 ...
recognized usages:
        sslclient       SSL client
        sslserver       SSL server
        nssslserver     Netscape SSL server
        smimesign       S/MIME signing
        smimeencrypt    S/MIME encryption
        crlsign         CRL signing
        any             Any Purpose
        ocsphelper      OCSP helper
        timestampsign   Time Stamp signing
[Mon Dec 18 18:28:14 UTC 2017] Single domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] Getting domain auth token for each domain
[Mon Dec 18 18:28:14 UTC 2017] Getting webroot for domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Mon Dec 18 18:28:17 UTC 2017] The new-authz request is ok.
[Mon Dec 18 18:28:17 UTC 2017] Verifying:vexforum.cn
[Mon Dec 18 18:28:24 UTC 2017] vexforum.cn:Verify error:Invalid response from vexforum.cn/.well-known/acme-challenge/PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU:
[Mon Dec 18 18:28:24 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Mon Dec 18 18:28:27 UTC 2017] Installing key to:/shared/ssl/vexforum.cn.key
[Mon Dec 18 18:28:27 UTC 2017] Installing full chain to:/shared/ssl/vexforum.cn.cer
cat: /shared/letsencrypt/vexforum.cn/fullchain.cer: No such file or directory
[Mon Dec 18 18:28:27 UTC 2017] Run reload cmd: sv reload nginx

I saw other discussions about ipv6 causing trouble, but I’ve got no AAAA records on vexforum.cn

Am I missing something? Other things to try?

That would be port o’ call #1. That path is relative to the container; its equivalent on the host is /var/discourse/shared/app/letsencrypt/acme.sh.log.

[Mon Dec 18 18:28:11 UTC 2017] vexforum.cn:Verify error:Invalid response from vexforum.cn/.well-known/acme-challenge/iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA:

Here is the full log … looks like a similar error.
(replaced ‘https://’ with ‘LINK::’ and changed ‘http://vexforum.cn’ to just ‘vexforum.cn’ to get around my new account limitations)

[Mon Dec 18 18:26:34 UTC 2017] Lets find script dir.
[Mon Dec 18 18:26:34 UTC 2017] _SCRIPT_='./acme.sh'
[Mon Dec 18 18:26:34 UTC 2017] _script='/root/acme.sh/acme.sh'
[Mon Dec 18 18:26:34 UTC 2017] _script_home='/root/acme.sh'
[Mon Dec 18 18:26:34 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Mon Dec 18 18:26:34 UTC 2017] We use nc for standalone server if you use standalone mode.
[Mon Dec 18 18:26:34 UTC 2017] If you don't use standalone mode, just ignore this warning.
[Mon Dec 18 18:26:34 UTC 2017] Installing to /shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Mon Dec 18 18:26:34 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] Using sed  -i
[Mon Dec 18 18:26:34 UTC 2017] Found profile: /root/.profile
[Mon Dec 18 18:26:34 UTC 2017] Installing alias to '/root/.profile'
[Mon Dec 18 18:26:34 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Mon Dec 18 18:26:34 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] Installing cron job
[Mon Dec 18 18:26:34 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Mon Dec 18 18:26:34 UTC 2017] OK
[Mon Dec 18 18:26:34 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:34 UTC 2017] Installing from online archive.
[Mon Dec 18 18:26:34 UTC 2017] Downloading LINK::github.com/Neilpang/acme.sh/archive/master.tar.gz
[Mon Dec 18 18:26:34 UTC 2017] GET
[Mon Dec 18 18:26:34 UTC 2017] url='LINK::github.com/Neilpang/acme.sh/archive/master.tar.gz'
[Mon Dec 18 18:26:34 UTC 2017] timeout
[Mon Dec 18 18:26:34 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:26:38 UTC 2017] ret='0'
[Mon Dec 18 18:26:38 UTC 2017] Extracting master.tar.gz
[Mon Dec 18 18:26:38 UTC 2017] Skip install cron job
[Mon Dec 18 18:26:38 UTC 2017] Installing to /shared/letsencrypt
[Mon Dec 18 18:26:38 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Mon Dec 18 18:26:38 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:26:38 UTC 2017] Using sed  -i
[Mon Dec 18 18:26:38 UTC 2017] Found profile: /root/.profile
[Mon Dec 18 18:26:38 UTC 2017] Installing alias to '/root/.profile'
[Mon Dec 18 18:26:38 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Mon Dec 18 18:26:38 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Mon Dec 18 18:26:38 UTC 2017] OK
[Mon Dec 18 18:26:38 UTC 2017] Install success!
[Mon Dec 18 18:26:38 UTC 2017] Upgrade success!
[Mon Dec 18 18:27:56 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:27:56 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/vexforum.cn'
[Mon Dec 18 18:27:56 UTC 2017] Using ACME_DIRECTORY: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:27:56 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:27:56 UTC 2017] GET
[Mon Dec 18 18:27:56 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Mon Dec 18 18:27:56 UTC 2017] timeout
[Mon Dec 18 18:27:56 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:27:57 UTC 2017] ret='0'
[Mon Dec 18 18:27:57 UTC 2017] ACME_KEY_CHANGE='LINK::acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Dec 18 18:27:57 UTC 2017] ACME_NEW_AUTHZ='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:27:57 UTC 2017] ACME_NEW_ORDER='LINK::acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Dec 18 18:27:57 UTC 2017] ACME_NEW_ACCOUNT='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 18 18:27:57 UTC 2017] ACME_REVOKE_CERT='LINK::acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Dec 18 18:27:57 UTC 2017] ACME_AGREEMENT='LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Dec 18 18:27:57 UTC 2017] _on_before_issue
[Mon Dec 18 18:27:57 UTC 2017] Le_LocalAddress
[Mon Dec 18 18:27:57 UTC 2017] Check for domain='vexforum.cn'
[Mon Dec 18 18:27:57 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:27:57 UTC 2017] config file is empty, can not read CA_KEY_HASH
[Mon Dec 18 18:27:57 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:27:57 UTC 2017] Use default length 2048
[Mon Dec 18 18:27:57 UTC 2017] length='2048'
[Mon Dec 18 18:27:57 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:27:57 UTC 2017] Use length 2048
[Mon Dec 18 18:27:57 UTC 2017] Using RSA: 2048
[Mon Dec 18 18:27:58 UTC 2017] RSA key
[Mon Dec 18 18:27:58 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:27:58 UTC 2017] Registering account
[Mon Dec 18 18:27:58 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 18 18:27:58 UTC 2017] payload='{"resource": "new-reg", "terms-of-service-agreed": true, "agreement": "LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"}'
[Mon Dec 18 18:27:58 UTC 2017] GET
[Mon Dec 18 18:27:58 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Mon Dec 18 18:27:58 UTC 2017] timeout
[Mon Dec 18 18:27:58 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:27:59 UTC 2017] ret='0'
[Mon Dec 18 18:27:59 UTC 2017] POST
[Mon Dec 18 18:27:59 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 18 18:27:59 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:01 UTC 2017] _ret='0'
[Mon Dec 18 18:28:01 UTC 2017] code='201'
[Mon Dec 18 18:28:01 UTC 2017] Registered
[Mon Dec 18 18:28:01 UTC 2017] _accUri='LINK::acme-v01.api.letsencrypt.org/acme/reg/26102130'
[Mon Dec 18 18:28:01 UTC 2017] Calc CA_KEY_HASH='Ee75JDztYSt7aMjNCAz0mbpr0lgfvXYHXS09KsiuJl0='
[Mon Dec 18 18:28:01 UTC 2017] ACCOUNT_THUMBPRINT='zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:01 UTC 2017] Read key length:
[Mon Dec 18 18:28:01 UTC 2017] Creating domain key
[Mon Dec 18 18:28:01 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:28:01 UTC 2017] Use length 4096
[Mon Dec 18 18:28:01 UTC 2017] Using RSA: 4096
[Mon Dec 18 18:28:02 UTC 2017] The domain key is here: /shared/letsencrypt/vexforum.cn/vexforum.cn.key
[Mon Dec 18 18:28:02 UTC 2017] _createcsr
[Mon Dec 18 18:28:02 UTC 2017] Single domain='vexforum.cn'
[Mon Dec 18 18:28:02 UTC 2017] Getting domain auth token for each domain
[Mon Dec 18 18:28:02 UTC 2017] Getting webroot for domain='vexforum.cn'
[Mon Dec 18 18:28:02 UTC 2017] _w='/var/www/discourse/public'
[Mon Dec 18 18:28:02 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:28:02 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Mon Dec 18 18:28:02 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:28:02 UTC 2017] Try new-authz for the 0 time.
[Mon Dec 18 18:28:02 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:28:02 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "vexforum.cn"}}'
[Mon Dec 18 18:28:02 UTC 2017] POST
[Mon Dec 18 18:28:02 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:28:02 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:06 UTC 2017] _ret='0'
[Mon Dec 18 18:28:06 UTC 2017] code='201'
[Mon Dec 18 18:28:06 UTC 2017] The new-authz request is ok.
[Mon Dec 18 18:28:06 UTC 2017] entry='"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557","token":"iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA"'
[Mon Dec 18 18:28:06 UTC 2017] token='iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA'
[Mon Dec 18 18:28:06 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:06 UTC 2017] keyauthorization='iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:06 UTC 2017] dvlist='vexforum.cn#iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557#http-01#/var/www/discourse/public'
[Mon Dec 18 18:28:06 UTC 2017] vlist='vexforum.cn#iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557#http-01#/var/www/discourse/public,'
[Mon Dec 18 18:28:06 UTC 2017] ok, let's start to verify
[Mon Dec 18 18:28:06 UTC 2017] Verifying:vexforum.cn
[Mon Dec 18 18:28:06 UTC 2017] d='vexforum.cn'
[Mon Dec 18 18:28:06 UTC 2017] keyauthorization='iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:06 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:06 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:28:06 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Mon Dec 18 18:28:06 UTC 2017] writing token:iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA to /var/www/discourse/public/.well-known/acme-challenge/iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA
[Mon Dec 18 18:28:06 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Mon Dec 18 18:28:06 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:06 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Mon Dec 18 18:28:06 UTC 2017] POST
[Mon Dec 18 18:28:06 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:06 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:08 UTC 2017] _ret='0'
[Mon Dec 18 18:28:08 UTC 2017] code='202'
[Mon Dec 18 18:28:08 UTC 2017] sleep 2 secs to verify
[Mon Dec 18 18:28:10 UTC 2017] checking
[Mon Dec 18 18:28:10 UTC 2017] GET
[Mon Dec 18 18:28:10 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:10 UTC 2017] timeout
[Mon Dec 18 18:28:10 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:11 UTC 2017] ret='0'
[Mon Dec 18 18:28:11 UTC 2017] vexforum.cn:Verify error:Invalid response from vexforum.cn/.well-known/acme-challenge/iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA:
[Mon Dec 18 18:28:11 UTC 2017] pid
[Mon Dec 18 18:28:11 UTC 2017] No need to restore nginx, skip.
[Mon Dec 18 18:28:11 UTC 2017] _clearupdns
[Mon Dec 18 18:28:11 UTC 2017] skip dns.
[Mon Dec 18 18:28:11 UTC 2017] _on_issue_err
[Mon Dec 18 18:28:11 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Mon Dec 18 18:28:11 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:11 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "iCC19XTIly-mShsL9NtjFyTin5AGXZ_BUVdCCE8HOpA.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Mon Dec 18 18:28:11 UTC 2017] POST
[Mon Dec 18 18:28:11 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/HVWPi7kvO1i9OzfwoNy0Rn2QWBgMrbAYL3CvnSITDW0/2786891557'
[Mon Dec 18 18:28:11 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:13 UTC 2017] _ret='0'
[Mon Dec 18 18:28:13 UTC 2017] code='400'
[Mon Dec 18 18:28:13 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:28:13 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/vexforum.cn'
[Mon Dec 18 18:28:13 UTC 2017] Using ACME_DIRECTORY: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:28:13 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:28:13 UTC 2017] GET
[Mon Dec 18 18:28:13 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Mon Dec 18 18:28:13 UTC 2017] timeout
[Mon Dec 18 18:28:13 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:14 UTC 2017] ret='0'
[Mon Dec 18 18:28:14 UTC 2017] ACME_KEY_CHANGE='LINK::acme-v01.api.letsencrypt.org/acme/key-change'
[Mon Dec 18 18:28:14 UTC 2017] ACME_NEW_AUTHZ='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:28:14 UTC 2017] ACME_NEW_ORDER='LINK::acme-v01.api.letsencrypt.org/acme/new-cert'
[Mon Dec 18 18:28:14 UTC 2017] ACME_NEW_ACCOUNT='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Mon Dec 18 18:28:14 UTC 2017] ACME_REVOKE_CERT='LINK::acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Mon Dec 18 18:28:14 UTC 2017] ACME_AGREEMENT='LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Mon Dec 18 18:28:14 UTC 2017] Le_NextRenewTime
[Mon Dec 18 18:28:14 UTC 2017] _on_before_issue
[Mon Dec 18 18:28:14 UTC 2017] Le_LocalAddress
[Mon Dec 18 18:28:14 UTC 2017] Check for domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:28:14 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Mon Dec 18 18:28:14 UTC 2017] Read key length:4096
[Mon Dec 18 18:28:14 UTC 2017] _createcsr
[Mon Dec 18 18:28:14 UTC 2017] Single domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] Getting domain auth token for each domain
[Mon Dec 18 18:28:14 UTC 2017] Getting webroot for domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] _w='/var/www/discourse/public'
[Mon Dec 18 18:28:14 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:28:14 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Mon Dec 18 18:28:14 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Mon Dec 18 18:28:14 UTC 2017] Try new-authz for the 0 time.
[Mon Dec 18 18:28:14 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:28:14 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "vexforum.cn"}}'
[Mon Dec 18 18:28:14 UTC 2017] RSA key
[Mon Dec 18 18:28:14 UTC 2017] GET
[Mon Dec 18 18:28:14 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Mon Dec 18 18:28:14 UTC 2017] timeout
[Mon Dec 18 18:28:14 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:15 UTC 2017] ret='0'
[Mon Dec 18 18:28:15 UTC 2017] POST
[Mon Dec 18 18:28:15 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Mon Dec 18 18:28:15 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:17 UTC 2017] _ret='0'
[Mon Dec 18 18:28:17 UTC 2017] code='201'
[Mon Dec 18 18:28:17 UTC 2017] The new-authz request is ok.
[Mon Dec 18 18:28:17 UTC 2017] entry='"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092","token":"PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU"'
[Mon Dec 18 18:28:17 UTC 2017] token='PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU'
[Mon Dec 18 18:28:17 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:17 UTC 2017] keyauthorization='PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:17 UTC 2017] dvlist='vexforum.cn#PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092#http-01#/var/www/discourse/public'
[Mon Dec 18 18:28:17 UTC 2017] vlist='vexforum.cn#PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092#http-01#/var/www/discourse/public,'
[Mon Dec 18 18:28:17 UTC 2017] ok, let's start to verify
[Mon Dec 18 18:28:17 UTC 2017] Verifying:vexforum.cn
[Mon Dec 18 18:28:17 UTC 2017] d='vexforum.cn'
[Mon Dec 18 18:28:17 UTC 2017] keyauthorization='PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Mon Dec 18 18:28:17 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:17 UTC 2017] _currentRoot='/var/www/discourse/public'
[Mon Dec 18 18:28:17 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Mon Dec 18 18:28:17 UTC 2017] writing token:PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU to /var/www/discourse/public/.well-known/acme-challenge/PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU
[Mon Dec 18 18:28:17 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Mon Dec 18 18:28:17 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:17 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Mon Dec 18 18:28:17 UTC 2017] POST
[Mon Dec 18 18:28:17 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:17 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:20 UTC 2017] _ret='0'
[Mon Dec 18 18:28:20 UTC 2017] code='202'
[Mon Dec 18 18:28:20 UTC 2017] sleep 2 secs to verify
[Mon Dec 18 18:28:22 UTC 2017] checking
[Mon Dec 18 18:28:22 UTC 2017] GET
[Mon Dec 18 18:28:22 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:22 UTC 2017] timeout
[Mon Dec 18 18:28:22 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:24 UTC 2017] ret='0'
[Mon Dec 18 18:28:24 UTC 2017] vexforum.cn:Verify error:Invalid response from vexforum.cn/.well-known/acme-challenge/PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU:
[Mon Dec 18 18:28:24 UTC 2017] pid
[Mon Dec 18 18:28:24 UTC 2017] No need to restore nginx, skip.
[Mon Dec 18 18:28:24 UTC 2017] _clearupdns
[Mon Dec 18 18:28:24 UTC 2017] skip dns.
[Mon Dec 18 18:28:24 UTC 2017] _on_issue_err
[Mon Dec 18 18:28:24 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Mon Dec 18 18:28:24 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:24 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "PUsMqe1mjPwhnyGnNALAh4R-Wsx83Rz8F_1MLqgI_jU.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Mon Dec 18 18:28:24 UTC 2017] POST
[Mon Dec 18 18:28:24 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/y0f3ArvAQq927JC3_AS2kjVjcwIKDhNOLMDh41m251g/2786893092'
[Mon Dec 18 18:28:24 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Mon Dec 18 18:28:27 UTC 2017] _ret='0'
[Mon Dec 18 18:28:27 UTC 2017] code='400'
[Mon Dec 18 18:28:27 UTC 2017] Using config home:/shared/letsencrypt
[Mon Dec 18 18:28:27 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/vexforum.cn'
[Mon Dec 18 18:28:27 UTC 2017] Installing key to:/shared/ssl/vexforum.cn.key
[Mon Dec 18 18:28:27 UTC 2017] Installing full chain to:/shared/ssl/vexforum.cn.cer
[Mon Dec 18 18:28:27 UTC 2017] Run reload cmd: sv reload nginx
[Mon Dec 18 18:28:27 UTC 2017] Reload error for :

Well, that log wasn’t as useful as one might hope. Given the presence of timeout, and the observation that the site appears to be hosted in mainland China, I’m giving some serious side-eye to the GFoC. While you say this is a renewal, so it was working at some point, the thing is changing so often you might have been caught up in some block or another.

Beyond that, I think I’m going to have to defer to @tgxworld, who Knows Things about acme.sh, for further analysis.

4 Likes

@BrandonIFI Can you run this manually and PM me the output?

LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --issue -d vexforum.cn -k 4096 -w /var/www/discourse/public --debug

3 Likes

Here is the output (same substitutions above for https and http in the links):

# LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --issue -d vexforum.cn -k 4096 -w /var/www/discourse/public --debug
[Tue Dec 19 01:43:22 UTC 2017] Lets find script dir.
[Tue Dec 19 01:43:22 UTC 2017] _SCRIPT_='/shared/letsencrypt/acme.sh'
[Tue Dec 19 01:43:22 UTC 2017] _script='/shared/letsencrypt/acme.sh'
[Tue Dec 19 01:43:22 UTC 2017] _script_home='/shared/letsencrypt'
[Tue Dec 19 01:43:22 UTC 2017] Using config home:/shared/letsencrypt
LINK::github.com/Neilpang/acme.sh
v2.7.6
[Tue Dec 19 01:43:22 UTC 2017] Using config home:/shared/letsencrypt
[Tue Dec 19 01:43:22 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/vexforum.cn'
[Tue Dec 19 01:43:22 UTC 2017] Using ACME_DIRECTORY: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 01:43:22 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 01:43:22 UTC 2017] GET
[Tue Dec 19 01:43:22 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 01:43:22 UTC 2017] timeout
[Tue Dec 19 01:43:22 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:22 UTC 2017] ret='0'
[Tue Dec 19 01:43:23 UTC 2017] ACME_KEY_CHANGE='LINK::acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Dec 19 01:43:23 UTC 2017] ACME_NEW_AUTHZ='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 01:43:23 UTC 2017] ACME_NEW_ORDER='LINK::acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Dec 19 01:43:23 UTC 2017] ACME_NEW_ACCOUNT='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Dec 19 01:43:23 UTC 2017] ACME_REVOKE_CERT='LINK::acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Dec 19 01:43:23 UTC 2017] ACME_AGREEMENT='LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Dec 19 01:43:23 UTC 2017] Le_NextRenewTime
[Tue Dec 19 01:43:23 UTC 2017] _on_before_issue
[Tue Dec 19 01:43:23 UTC 2017] Le_LocalAddress
[Tue Dec 19 01:43:23 UTC 2017] Check for domain='vexforum.cn'
[Tue Dec 19 01:43:23 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 01:43:23 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Dec 19 01:43:23 UTC 2017] Read key length:4096
[Tue Dec 19 01:43:23 UTC 2017] _createcsr
[Tue Dec 19 01:43:23 UTC 2017] Single domain='vexforum.cn'
[Tue Dec 19 01:43:23 UTC 2017] Getting domain auth token for each domain
[Tue Dec 19 01:43:23 UTC 2017] Getting webroot for domain='vexforum.cn'
[Tue Dec 19 01:43:23 UTC 2017] _w='/var/www/discourse/public'
[Tue Dec 19 01:43:23 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 01:43:23 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Tue Dec 19 01:43:23 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 01:43:23 UTC 2017] Try new-authz for the 0 time.
[Tue Dec 19 01:43:23 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 01:43:23 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "vexforum.cn"}}'
[Tue Dec 19 01:43:23 UTC 2017] RSA key
[Tue Dec 19 01:43:23 UTC 2017] GET
[Tue Dec 19 01:43:23 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 01:43:23 UTC 2017] timeout
[Tue Dec 19 01:43:23 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:25 UTC 2017] ret='0'
[Tue Dec 19 01:43:25 UTC 2017] POST
[Tue Dec 19 01:43:25 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 01:43:25 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:26 UTC 2017] _ret='0'
[Tue Dec 19 01:43:26 UTC 2017] code='201'
[Tue Dec 19 01:43:26 UTC 2017] The new-authz request is ok.
[Tue Dec 19 01:43:26 UTC 2017] entry='"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064","token":"w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw"'
[Tue Dec 19 01:43:26 UTC 2017] token='w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw'
[Tue Dec 19 01:43:26 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:26 UTC 2017] keyauthorization='w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 01:43:26 UTC 2017] dvlist='vexforum.cn#w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064#http-01#/var/www/discourse/public'
[Tue Dec 19 01:43:26 UTC 2017] vlist='vexforum.cn#w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064#http-01#/var/www/discourse/public,'
[Tue Dec 19 01:43:26 UTC 2017] ok, let's start to verify
[Tue Dec 19 01:43:26 UTC 2017] Verifying:vexforum.cn
[Tue Dec 19 01:43:26 UTC 2017] d='vexforum.cn'
[Tue Dec 19 01:43:26 UTC 2017] keyauthorization='w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 01:43:26 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:26 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 01:43:26 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Dec 19 01:43:26 UTC 2017] writing token:w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw to /var/www/discourse/public/.well-known/acme-challenge/w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw
[Tue Dec 19 01:43:26 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Dec 19 01:43:26 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:26 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Tue Dec 19 01:43:26 UTC 2017] POST
[Tue Dec 19 01:43:26 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:26 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:28 UTC 2017] _ret='0'
[Tue Dec 19 01:43:28 UTC 2017] code='202'
[Tue Dec 19 01:43:28 UTC 2017] sleep 2 secs to verify
[Tue Dec 19 01:43:30 UTC 2017] checking
[Tue Dec 19 01:43:30 UTC 2017] GET
[Tue Dec 19 01:43:30 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:30 UTC 2017] timeout
[Tue Dec 19 01:43:30 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:31 UTC 2017] ret='0'
[Tue Dec 19 01:43:31 UTC 2017] vexforum.cn:Verify error:Fetching vexforum.cn/.well-known/acme-challenge/w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw: Connection refused
[Tue Dec 19 01:43:31 UTC 2017] Debug: get token url.
[Tue Dec 19 01:43:31 UTC 2017] GET
[Tue Dec 19 01:43:31 UTC 2017] url='vexforum.cn/.well-known/acme-challenge/w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw'
[Tue Dec 19 01:43:31 UTC 2017] timeout='1'
[Tue Dec 19 01:43:31 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --connect-timeout 1'
[Tue Dec 19 01:43:31 UTC 2017] Please refer to LINK::curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Tue Dec 19 01:43:31 UTC 2017] ret='7'
[Tue Dec 19 01:43:31 UTC 2017] Debugging, skip removing: /var/www/discourse/public/.well-known
[Tue Dec 19 01:43:31 UTC 2017] pid
[Tue Dec 19 01:43:31 UTC 2017] No need to restore nginx, skip.
[Tue Dec 19 01:43:31 UTC 2017] _clearupdns
[Tue Dec 19 01:43:31 UTC 2017] skip dns.
[Tue Dec 19 01:43:31 UTC 2017] _on_issue_err
[Tue Dec 19 01:43:31 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Dec 19 01:43:31 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:31 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "w4Eg1TuGsWFe0hGJ9-QyyHcRyAZQWZo5tx2c70rOyJw.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Tue Dec 19 01:43:31 UTC 2017] POST
[Tue Dec 19 01:43:31 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/NHzFRdO49zY19jUkiIqaUVbg1O5WnjqD8jiejkvhYJs/2790690064'
[Tue Dec 19 01:43:31 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Dec 19 01:43:34 UTC 2017] _ret='0'
[Tue Dec 19 01:43:34 UTC 2017] code='400'
[Tue Dec 19 01:43:34 UTC 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/tmp/ngx_brotli
socat:
socat by Gerhard Rieger - see www.dest-unreach.org

@tgxworld I wasn’t able to DM (maybe because of this being a new account?). If there is anything above that should be removed, let me know. Thanks for your help!

Sorry, it should be --debug 2

LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --issue -d vexforum.cn -k 4096 -w /var/www/discourse/public --debug 2

2 Likes
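
With --debug 2, acme.sh logs the CA's challenge object as a single-line response='...' JSON entry, which records the address and port the validator actually tried. The following is an added example (not part of the thread and not acme.sh code) that extracts failed challenges from such a log and separates a refused TCP connection from a wrong-content answer; the sample log, host name, address and function names are constructed for illustration.

```python
import json
import re

# Constructed sample in the acme.sh "--debug 2" layout seen in this thread.
# Host name, address and token are placeholders (reserved example ranges).
SAMPLE_LOG = (
    "[Tue Dec 19 02:30:29 UTC 2017] code='202'\n"
    "[Tue Dec 19 02:30:32 UTC 2017] response='"
    '{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection",'
    '"detail":"Fetching http://forum.example.test/.well-known/acme-challenge/TOKEN-A: '
    'Connection refused","status": 400},"token":"TOKEN-A","validationRecord":[{"url":'
    '"http://forum.example.test/.well-known/acme-challenge/TOKEN-A","hostname":'
    '"forum.example.test","port":"80","addressesResolved":["192.0.2.10"],'
    '"addressUsed":"192.0.2.10","addressesTried":[]}]}'
    "'\n"
    "[Tue Dec 19 02:30:35 UTC 2017] response='"
    '{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: '
    'The challenge is not pending.","status": 400}'
    "'\n"
)

# One log entry whose whole JSON body sits on the same line as the timestamp.
RESPONSE_LINE = re.compile(r"^\[[^\]]+\] response='(\{.*\})'$")

HINTS = {
    "tcp-refused": "Nothing accepted the connection, so the webroot file was never "
                   "requested. Check that the web server is running and that the "
                   "port is published and allowed through the firewall.",
    "tcp-unreachable": "The validator could not complete a connection. Check DNS, "
                       "routing and packet filtering for the address it used.",
    "wrong-content": "Something answered, but not with the key authorization. Check "
                     "which server or proxy handles /.well-known/acme-challenge/.",
    "other": "Read the detail field; the failure is not a reachability problem.",
}


def classify(error):
    """Map an ACME error object to a coarse failure class."""
    etype = error.get("type", "")
    detail = error.get("detail", "")
    if etype.endswith(":connection"):
        return "tcp-refused" if "Connection refused" in detail else "tcp-unreachable"
    if detail.startswith("Invalid response"):
        return "wrong-content"
    return "other"


def failed_challenges(log_text):
    """Return one finding per challenge the CA marked invalid."""
    findings = []
    for line in log_text.splitlines():
        match = RESPONSE_LINE.match(line)
        if not match:
            continue
        try:
            obj = json.loads(match.group(1))
        except json.JSONDecodeError:
            continue  # truncated or multi-line payloads are skipped
        if not isinstance(obj, dict):
            continue
        # A response is either a challenge itself or an authz that lists challenges.
        for ch in [obj] + list(obj.get("challenges", [])):
            if not isinstance(ch, dict) or ch.get("status") != "invalid":
                continue
            error = ch.get("error") or {}
            # The last validation record is the hop the validator ended on.
            record = (ch.get("validationRecord") or [{}])[-1]
            kind = classify(error)
            findings.append({
                "challenge": ch.get("type"),
                "kind": kind,
                "hostname": record.get("hostname"),
                "port": record.get("port"),
                "address": record.get("addressUsed"),
                "detail": error.get("detail", ""),
                "hint": HINTS[kind],
            })
    return findings


if __name__ == "__main__":
    for f in failed_challenges(SAMPLE_LOG):
        print(f"{f['challenge']} {f['kind']}: {f['hostname']} -> "
              f"{f['address']}:{f['port']}")
        print("  " + f["hint"])
```

The address in the validation record is what the CA resolved for the domain, so it is also worth confirming that it matches the server you expect.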

Looks like they’re getting connection refused from my server. Should I try to disable SSL / Let’s Encrypt, get Discourse running on just 80/http, and then rebuild with SSL, so it can do the validation? Or is there a better way?

# LE_WORKING_DIR=/shared/letsencrypt /shared/letsencrypt/acme.sh --issue -d vexforum.cn -k 4096 -w /var/www/discourse/public --debug 2
[Tue Dec 19 02:30:21 UTC 2017] Lets find script dir.
[Tue Dec 19 02:30:21 UTC 2017] _SCRIPT_='/shared/letsencrypt/acme.sh'
[Tue Dec 19 02:30:21 UTC 2017] _script='/shared/letsencrypt/acme.sh'
[Tue Dec 19 02:30:21 UTC 2017] _script_home='/shared/letsencrypt'
[Tue Dec 19 02:30:21 UTC 2017] Using config home:/shared/letsencrypt
[Tue Dec 19 02:30:21 UTC 2017] LE_WORKING_DIR='/shared/letsencrypt'
LINK::github.com/Neilpang/acme.sh
v2.7.6
[Tue Dec 19 02:30:21 UTC 2017] Using config home:/shared/letsencrypt
[Tue Dec 19 02:30:21 UTC 2017] ACME_DIRECTORY='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 02:30:21 UTC 2017] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
[Tue Dec 19 02:30:21 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/vexforum.cn'
[Tue Dec 19 02:30:21 UTC 2017] Using ACME_DIRECTORY: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 02:30:21 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 02:30:21 UTC 2017] GET
[Tue Dec 19 02:30:21 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 02:30:21 UTC 2017] timeout
[Tue Dec 19 02:30:21 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.hxIwvh0yYJ '
[Tue Dec 19 02:30:23 UTC 2017] ret='0'
[Tue Dec 19 02:30:23 UTC 2017] response='{
  "5M9vkAy2ETI": "LINK::community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "key-change": "LINK::acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
  },
  "new-authz": "LINK::acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "LINK::acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "LINK::acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "LINK::acme-v01.api.letsencrypt.org/acme/revoke-cert"
}'
[Tue Dec 19 02:30:23 UTC 2017] ACME_KEY_CHANGE='LINK::acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Dec 19 02:30:23 UTC 2017] ACME_NEW_AUTHZ='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 02:30:23 UTC 2017] ACME_NEW_ORDER='LINK::acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Dec 19 02:30:23 UTC 2017] ACME_NEW_ACCOUNT='LINK::acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Dec 19 02:30:23 UTC 2017] ACME_REVOKE_CERT='LINK::acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Dec 19 02:30:23 UTC 2017] ACME_AGREEMENT='LINK::letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
[Tue Dec 19 02:30:23 UTC 2017] Le_NextRenewTime
[Tue Dec 19 02:30:23 UTC 2017] _on_before_issue
[Tue Dec 19 02:30:23 UTC 2017] '/var/www/discourse/public' does not contain 'no'
[Tue Dec 19 02:30:23 UTC 2017] Le_LocalAddress
[Tue Dec 19 02:30:23 UTC 2017] Check for domain='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 02:30:23 UTC 2017] '/var/www/discourse/public' does not contain 'apache'
[Tue Dec 19 02:30:23 UTC 2017] _saved_account_key_hash='Ee75JDztYSt7aMjNCAz0mbpr0lgfvXYHXS09KsiuJl0='
[Tue Dec 19 02:30:23 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Dec 19 02:30:23 UTC 2017] Read key length:4096
[Tue Dec 19 02:30:23 UTC 2017] _createcsr
[Tue Dec 19 02:30:23 UTC 2017] domain='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] domainlist
[Tue Dec 19 02:30:23 UTC 2017] csrkey='/shared/letsencrypt/vexforum.cn/vexforum.cn.key'
[Tue Dec 19 02:30:23 UTC 2017] csr='/shared/letsencrypt/vexforum.cn/vexforum.cn.csr'
[Tue Dec 19 02:30:23 UTC 2017] csrconf='/shared/letsencrypt/vexforum.cn/vexforum.cn.csr.conf'
[Tue Dec 19 02:30:23 UTC 2017] Single domain='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _is_idn_d='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _idn_temp
[Tue Dec 19 02:30:23 UTC 2017] _csr_cn='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] Getting domain auth token for each domain
[Tue Dec 19 02:30:23 UTC 2017] Getting webroot for domain='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _w='/var/www/discourse/public'
[Tue Dec 19 02:30:23 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 02:30:23 UTC 2017] Getting new-authz for domain='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _init api for server: LINK::acme-v01.api.letsencrypt.org/directory
[Tue Dec 19 02:30:23 UTC 2017] Try new-authz for the 0 time.
[Tue Dec 19 02:30:23 UTC 2017] _is_idn_d='vexforum.cn'
[Tue Dec 19 02:30:23 UTC 2017] _idn_temp
[Tue Dec 19 02:30:23 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 02:30:23 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "vexforum.cn"}}'
[Tue Dec 19 02:30:23 UTC 2017] RSA key
[Tue Dec 19 02:30:23 UTC 2017] Get nonce. ACME_DIRECTORY='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 02:30:23 UTC 2017] GET
[Tue Dec 19 02:30:23 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/directory'
[Tue Dec 19 02:30:23 UTC 2017] timeout
[Tue Dec 19 02:30:23 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.alEkVVujJy '
[Tue Dec 19 02:30:24 UTC 2017] ret='0'
[Tue Dec 19 02:30:24 UTC 2017] _headers='HTTP/1.1 200 OK
Server: nginx
Content-Type: application/json
Content-Length: 562
Replay-Nonce: zmke2PE-VkXf6c3XGvkmuzWxlwtfQ-WT7UNsaEv2A-M
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 19 Dec 2017 02:30:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Dec 2017 02:30:24 GMT
Connection: keep-alive
'
[Tue Dec 19 02:30:24 UTC 2017] _CACHED_NONCE='zmke2PE-VkXf6c3XGvkmuzWxlwtfQ-WT7UNsaEv2A-M'
[Tue Dec 19 02:30:24 UTC 2017] nonce='zmke2PE-VkXf6c3XGvkmuzWxlwtfQ-WT7UNsaEv2A-M'
[Tue Dec 19 02:30:24 UTC 2017] POST
[Tue Dec 19 02:30:24 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Dec 19 02:30:24 UTC 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "zr3rjOCyHlBK0IXSIgE0G2U-lVa9UiexU_ZHwgA65eMzYLtFK0PLErGRIP1QKBh2SQWtnvVI9mmZw2BZEsqqAKcNtTYkax7ghNYxL3d8kDpqMupISo5lh1HpR67yE2QsFcLRfFy9pYj5Fr83-Li0bPzn8RI9qczv2suPv4DGl3-gEiXY_qzpXiOmLHMSADSr4RZ0pY6ccRWYUM-lH49Omogmc_PpfVCzggblnefuIhgH2cls0krowF_i5Mr8HquDpLzTiHDpvnvLahMVwZbf63Y2v3gRt_R5f9Lil_rpaxtb_104wBF8CgCGomrojUbry9qcjOqo2_TnxCWh-nkHRw"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJuZXctYXV0aHoiLCAiaWRlbnRpZmllciI6IHsidHlwZSI6ICJkbnMiLCAidmFsdWUiOiAidmV4Zm9ydW0uY24ifX0", "signature": "IqI_4ra91TgUDD3E4VNh423nKTnXbBtVhYpBcXELVDHKebBsjNRn04fONKm6MAAs8fRfWeiA5y9YrNy_l5qO6A0QxqmFYxxOs1eF8PxnAhuyGtTbnYLcx7r35oRuQdAAm3a0hOh_YfRcZ7Nfm0fp73HJXn5B-64G4_z5T3IV87l5O19L4EPsLdsO8HmiPj_MqpFbv___3Gps0F3QuN5iYFzw8z0-KtixjrHPNVTAMelK_PC6f9WUwYyZS5BiF1LitLeXiZTc5Rrs4vvEc5piHJQEpPhuOZPum25_drSal71ce0h9TD_jwV4A4UPWfrVLyC27JRdlFWCX6Au0Lhe82g"}'
[Tue Dec 19 02:30:24 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.FRjxbCi4fK '
[Tue Dec 19 02:30:26 UTC 2017] _ret='0'
[Tue Dec 19 02:30:26 UTC 2017] original='{
  "identifier": {
    "type": "dns",
    "value": "vexforum.cn"
  },
  "status": "pending",
  "expires": "2017-12-26T02:30:26.156185791Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "uri": "LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984",
      "token": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107987",
      "token": "J_6tJhRzX0XgH6W1C-uDCb_2uScLfscusDY-ZumfICs"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107989",
      "token": "xLKwjrRhS5Q_7i4cda-0D4bG8D93T2d1jVoYvlZ6AWk"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}'
[Tue Dec 19 02:30:26 UTC 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 19 Dec 2017 02:30:25 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 201 Created
Server: nginx
Content-Type: application/json
Content-Length: 999
Boulder-Requester: 26102130
Link: <LINK::acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: LINK::acme-v01.api.letsencrypt.org/acme/authz/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ
Replay-Nonce: obf3cY0caLEc0y7H-fXbAtQffqIIekaMU2RygxlNcvc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 19 Dec 2017 02:30:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Dec 2017 02:30:26 GMT
Connection: keep-alive
'
[Tue Dec 19 02:30:26 UTC 2017] response='{"identifier":{"type":"dns","value":"vexforum.cn"},"status":"pending","expires":"2017-12-26T02:30:26.156185791Z","challenges":[{"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984","token":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM"},{"type":"tls-sni-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107987","token":"J_6tJhRzX0XgH6W1C-uDCb_2uScLfscusDY-ZumfICs"},{"type":"dns-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107989","token":"xLKwjrRhS5Q_7i4cda-0D4bG8D93T2d1jVoYvlZ6AWk"}],"combinations":[[2],[1],[0]]}'
[Tue Dec 19 02:30:26 UTC 2017] code='201'
[Tue Dec 19 02:30:26 UTC 2017] The new-authz request is ok.
[Tue Dec 19 02:30:26 UTC 2017] entry='"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984","token":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM"'
[Tue Dec 19 02:30:26 UTC 2017] token='OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM'
[Tue Dec 19 02:30:26 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:26 UTC 2017] keyauthorization='OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 02:30:26 UTC 2017] dvlist='vexforum.cn#OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984#http-01#/var/www/discourse/public'
[Tue Dec 19 02:30:26 UTC 2017] vlist='vexforum.cn#OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984#http-01#/var/www/discourse/public,'
[Tue Dec 19 02:30:26 UTC 2017] ok, let's start to verify
[Tue Dec 19 02:30:26 UTC 2017] Verifying:vexforum.cn
[Tue Dec 19 02:30:26 UTC 2017] d='vexforum.cn'
[Tue Dec 19 02:30:26 UTC 2017] keyauthorization='OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 02:30:26 UTC 2017] uri='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:26 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Dec 19 02:30:26 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Dec 19 02:30:26 UTC 2017] writing token:OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM to /var/www/discourse/public/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM
[Tue Dec 19 02:30:26 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Dec 19 02:30:26 UTC 2017] tigger domain validation.
[Tue Dec 19 02:30:26 UTC 2017] _t_url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:26 UTC 2017] _t_key_authz='OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 02:30:26 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:26 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Tue Dec 19 02:30:26 UTC 2017] Use cached jwk for file: /shared/letsencrypt/ca/acme-v01.api.letsencrypt.org/account.key
[Tue Dec 19 02:30:26 UTC 2017] Use _CACHED_NONCE='obf3cY0caLEc0y7H-fXbAtQffqIIekaMU2RygxlNcvc'
[Tue Dec 19 02:30:26 UTC 2017] nonce='obf3cY0caLEc0y7H-fXbAtQffqIIekaMU2RygxlNcvc'
[Tue Dec 19 02:30:26 UTC 2017] POST
[Tue Dec 19 02:30:26 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:26 UTC 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "zr3rjOCyHlBK0IXSIgE0G2U-lVa9UiexU_ZHwgA65eMzYLtFK0PLErGRIP1QKBh2SQWtnvVI9mmZw2BZEsqqAKcNtTYkax7ghNYxL3d8kDpqMupISo5lh1HpR67yE2QsFcLRfFy9pYj5Fr83-Li0bPzn8RI9qczv2suPv4DGl3-gEiXY_qzpXiOmLHMSADSr4RZ0pY6ccRWYUM-lH49Omogmc_PpfVCzggblnefuIhgH2cls0krowF_i5Mr8HquDpLzTiHDpvnvLahMVwZbf63Y2v3gRt_R5f9Lil_rpaxtb_104wBF8CgCGomrojUbry9qcjOqo2_TnxCWh-nkHRw"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJPUUhuRGQtdko4RDJCQ0VrbzMyZkV6Tmp6dl9raTVvbm9DdzF3dlRFcEFNLnpHS3dJMjY1aGEwSjd2SWxUeUp4X29Yb21pUmFDRl9wS1BleDR6YVdzUWMifQ", "signature": "NeDZtap9RrccympppCTKBnEYPFULT8YKOL5TGsXhD8HRQhdX-_-AcRKYjqgFzhwlM-DVGoProABHEUVyOaBgfHSWbEZNobKSL4QFUFGAtew6Ih6zBiZmyM2gk-hNUCCjKv_H_InykNgnTLfpA-n0CBtSBykJJzMcOiYr5VD6tQ_RscA_IRyx6VuHrwTbNvN-m0dVLGvwKSVJNlUCf8rzxON2TBNDVDfc_IDXqGuZxMpjSQ5jN6w58C7X3g6APdwBMpb7_Bol4XaRequ1qd9qriOMdfK_ICP2uvDc07rlezS-_7vEgF_nGE8zYjVdO0G368fkAl7vcfr8Yqjj6ALDyA"}'
[Tue Dec 19 02:30:26 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.cr232emB08 '
[Tue Dec 19 02:30:29 UTC 2017] _ret='0'
[Tue Dec 19 02:30:29 UTC 2017] original='{
  "type": "http-01",
  "status": "pending",
  "uri": "LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984",
  "token": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM",
  "keyAuthorization": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"
}'
[Tue Dec 19 02:30:29 UTC 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 19 Dec 2017 02:30:28 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 202 Accepted
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 26102130
Link: <LINK::acme-v01.api.letsencrypt.org/acme/authz/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ>;rel="up"
Location: LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984
Replay-Nonce: 3n_RZ1IARdPPlskkijym0zspv7UGYvPUlGRp2tAufNs
Expires: Tue, 19 Dec 2017 02:30:29 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Dec 2017 02:30:29 GMT
Connection: keep-alive
'
[Tue Dec 19 02:30:29 UTC 2017] response='{"type":"http-01","status":"pending","uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984","token":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM","keyAuthorization":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Tue Dec 19 02:30:29 UTC 2017] code='202'
[Tue Dec 19 02:30:29 UTC 2017] sleep 2 secs to verify
[Tue Dec 19 02:30:31 UTC 2017] checking
[Tue Dec 19 02:30:31 UTC 2017] GET
[Tue Dec 19 02:30:31 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:31 UTC 2017] timeout
[Tue Dec 19 02:30:31 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.AM14otdNZY '
[Tue Dec 19 02:30:32 UTC 2017] ret='0'
[Tue Dec 19 02:30:32 UTC 2017] original='{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM: Connection refused",
    "status": 400
  },
  "uri": "LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984",
  "token": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM",
  "keyAuthorization": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc",
  "validationRecord": [
    {
      "url": "vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM",
      "hostname": "vexforum.cn",
      "port": "80",
      "addressesResolved": [
        "119.254.168.222"
      ],
      "addressUsed": "119.254.168.222",
      "addressesTried": []
    }
  ]
}'
[Tue Dec 19 02:30:32 UTC 2017] response='{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:connection","detail":"Fetching vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM: Connection refused","status": 400},"uri":"LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984","token":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM","keyAuthorization":"OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc","validationRecord":[{"url":"vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM","hostname":"vexforum.cn","port":"80","addressesResolved":["119.254.168.222"],"addressUsed":"119.254.168.222","addressesTried":[]}]}'
[Tue Dec 19 02:30:32 UTC 2017] error='"error":{"type":"urn:acme:error:connection","detail":"Fetching vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM: Connection refused","status": 400'
[Tue Dec 19 02:30:32 UTC 2017] errordetail='Fetching vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM: Connection refused'
[Tue Dec 19 02:30:32 UTC 2017] vexforum.cn:Verify error:Fetching vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM: Connection refused
[Tue Dec 19 02:30:32 UTC 2017] Debug: get token url.
[Tue Dec 19 02:30:32 UTC 2017] GET
[Tue Dec 19 02:30:32 UTC 2017] url='vexforum.cn/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM'
[Tue Dec 19 02:30:32 UTC 2017] timeout='1'
[Tue Dec 19 02:30:32 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.tJSPoiEI8Q  --connect-timeout 1'
[Tue Dec 19 02:30:32 UTC 2017] Please refer to LINK::curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 7
[Tue Dec 19 02:30:32 UTC 2017] Here is the curl dump log:
[Tue Dec 19 02:30:32 UTC 2017] == Info:   Trying 119.254.168.222...
== Info: connect to 119.254.168.222 port 80 failed: Connection refused
== Info: Failed to connect to vexforum.cn port 80: Connection refused
== Info: Closing connection 0
[Tue Dec 19 02:30:32 UTC 2017] ret='7'
[Tue Dec 19 02:30:32 UTC 2017] Debugging, skip removing: /var/www/discourse/public/.well-known/acme-challenge/OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM
[Tue Dec 19 02:30:32 UTC 2017] pid
[Tue Dec 19 02:30:32 UTC 2017] No need to restore nginx, skip.
[Tue Dec 19 02:30:32 UTC 2017] _clearupdns
[Tue Dec 19 02:30:32 UTC 2017] skip dns.
[Tue Dec 19 02:30:32 UTC 2017] _on_issue_err
[Tue Dec 19 02:30:32 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Dec 19 02:30:32 UTC 2017] _chk_vlist='vexforum.cn#OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc#LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984#http-01#/var/www/discourse/public,'
[Tue Dec 19 02:30:32 UTC 2017] start to deactivate authz
[Tue Dec 19 02:30:32 UTC 2017] tigger domain validation.
[Tue Dec 19 02:30:32 UTC 2017] _t_url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:32 UTC 2017] _t_key_authz='OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc'
[Tue Dec 19 02:30:32 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:32 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "OQHnDd-vJ8D2BCEko32fEzNjzv_ki5onoCw1wvTEpAM.zGKwI265ha0J7vIlTyJx_oXomiRaCF_pKPex4zaWsQc"}'
[Tue Dec 19 02:30:32 UTC 2017] Use cached jwk for file: /shared/letsencrypt/ca/acme-v01.api.letsencrypt.org/account.key
[Tue Dec 19 02:30:32 UTC 2017] Use _CACHED_NONCE='3n_RZ1IARdPPlskkijym0zspv7UGYvPUlGRp2tAufNs'
[Tue Dec 19 02:30:32 UTC 2017] nonce='3n_RZ1IARdPPlskkijym0zspv7UGYvPUlGRp2tAufNs'
[Tue Dec 19 02:30:32 UTC 2017] POST
[Tue Dec 19 02:30:32 UTC 2017] url='LINK::acme-v01.api.letsencrypt.org/acme/challenge/CabiJ5Af2EQuHP22vwpoyK_h_lzKiGkWNKc8kSqH2xQ/2791107984'
[Tue Dec 19 02:30:32 UTC 2017] body='{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "zr3rjOCyHlBK0IXSIgE0G2U-lVa9UiexU_ZHwgA65eMzYLtFK0PLErGRIP1QKBh2SQWtnvVI9mmZw2BZEsqqAKcNtTYkax7ghNYxL3d8kDpqMupISo5lh1HpR67yE2QsFcLRfFy9pYj5Fr83-Li0bPzn8RI9qczv2suPv4DGl3-gEiXY_qzpXiOmLHMSADSr4RZ0pY6ccRWYUM-lH49Omogmc_PpfVCzggblnefuIhgH2cls0krowF_i5Mr8HquDpLzTiHDpvnvLahMVwZbf63Y2v3gRt_R5f9Lil_rpaxtb_104wBF8CgCGomrojUbry9qcjOqo2_TnxCWh-nkHRw"}}, "protected": "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", "payload": "eyJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLCAia2V5QXV0aG9yaXphdGlvbiI6ICJPUUhuRGQtdko4RDJCQ0VrbzMyZkV6Tmp6dl9raTVvbm9DdzF3dlRFcEFNLnpHS3dJMjY1aGEwSjd2SWxUeUp4X29Yb21pUmFDRl9wS1BleDR6YVdzUWMifQ", "signature": "S3NRSTxxi_8mHulF52d3RGRLwGKovjHsZYKdVFGqByW3tyeEMYT3icgEF65MmHIQBHLoWYTWPw7XI5P7Ou0qcK4JFOmwa0oN5BUdA8vV1zqYh1F83RSNE9rTBoBfHBzIdFEAxLRxgv3L-B9Asauc-hnjxYwSvMEWQwv1PrY8-r5VGyLWLdimf5uBwfrHQ3E3lIa0Jss8K2UOL6iCO8qGM5IOMK5MFcP5OOVBFInJ0B2d0lu-IvaTKbO1Q83gzoYMWhopfZjd-sAnKInpMC9V1BODnIqYZE6s_4vxRwwd5LBzWnvsjNpzJ7Utf_42MYLAf9DYWX5jDmp45m836J70sA"}'
[Tue Dec 19 02:30:32 UTC 2017] Http already initialized.
[Tue Dec 19 02:30:32 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --trace-ascii /tmp/tmp.tJSPoiEI8Q '
[Tue Dec 19 02:30:35 UTC 2017] _ret='0'
[Tue Dec 19 02:30:35 UTC 2017] original='{
  "type": "urn:acme:error:malformed",
  "detail": "Unable to update challenge :: The challenge is not pending.",
  "status": 400
}'
[Tue Dec 19 02:30:35 UTC 2017] responseHeaders='HTTP/1.1 100 Continue
Expires: Tue, 19 Dec 2017 02:30:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 132
Boulder-Requester: 26102130
Replay-Nonce: -xiRq8BiqWLaXbWt9dGn_KBRP5e8e2wIbH8XAnsBM7A
Expires: Tue, 19 Dec 2017 02:30:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Dec 2017 02:30:35 GMT
Connection: close
'
[Tue Dec 19 02:30:35 UTC 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
[Tue Dec 19 02:30:35 UTC 2017] code='400'
[Tue Dec 19 02:30:35 UTC 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.5)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/tmp/ngx_brotli
socat:
socat by Gerhard Rieger - see www.dest-unreach.org

We followed up privately; the domain’s traffic was being blocked by the Chinese government.

6 Likes
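An added example, not part of the original thread and not acme.sh code: a small triage pass over acme.sh debug output that separates the transport failure on port 80 from the ACME problem document returned during the cleanup that follows `_on_issue_err`. The sample log is constructed in the shape of the lines above with a placeholder IP, and the names `triage` and `CURL_EXIT` are hypothetical.

```python
import json
import re

# Constructed sample in the shape of the acme.sh debug lines in the post
# (203.0.113.10 is a documentation placeholder address).
SAMPLE_LOG = """\
[Tue Dec 19 02:30:32 UTC 2017] == Info:   Trying 203.0.113.10...
== Info: connect to 203.0.113.10 port 80 failed: Connection refused
[Tue Dec 19 02:30:32 UTC 2017] ret='7'
[Tue Dec 19 02:30:32 UTC 2017] _on_issue_err
[Tue Dec 19 02:30:32 UTC 2017] start to deactivate authz
[Tue Dec 19 02:30:35 UTC 2017] response='{"type":"urn:acme:error:malformed","detail":"Unable to update challenge :: The challenge is not pending.","status": 400}'
[Tue Dec 19 02:30:35 UTC 2017] code='400'
"""

CONNECT_RE = re.compile(r"connect to (\S+) port (\d+) failed: (.+)")
CURL_RET_RE = re.compile(r"\bret='(\d+)'")        # \b skips acme.sh's _ret='0'
RESPONSE_RE = re.compile(r"response='(\{.*\})'")  # single-line problem document

# A few curl exit codes that matter for an http-01 self-check.
CURL_EXIT = {"6": "could not resolve host",
             "7": "failed to connect to host",
             "28": "operation timed out"}


def triage(log_text):
    """Return findings in log order; ACME errors seen after _on_issue_err
    are tagged 'cleanup' so they are not mistaken for the root cause."""
    findings, phase = [], "issue"
    for line in log_text.splitlines():
        if "_on_issue_err" in line:
            phase = "cleanup"
        m = CONNECT_RE.search(line)
        if m:
            findings.append({"kind": "connect_failed", "ip": m.group(1),
                             "port": int(m.group(2)), "reason": m.group(3).strip()})
        m = CURL_RET_RE.search(line)
        if m and m.group(1) != "0":
            findings.append({"kind": "curl_exit", "code": m.group(1),
                             "meaning": CURL_EXIT.get(m.group(1), "unknown")})
        m = RESPONSE_RE.search(line)
        if m:
            problem = json.loads(m.group(1))
            findings.append({"kind": "acme_problem", "phase": phase,
                             "type": problem.get("type"),
                             "status": problem.get("status"),
                             "detail": problem.get("detail")})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
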