Problem with my SSL certificate


#1

Hi there

I have an issue with my SSL Setup.

I’m running a Discourse app on a Linode, DNS records are alright.

Back when I installed the app I followed this howto:

My ssl certificate expired yesterday, and I don’t know why it hadn’t got renewed.
I tried to rebuild the app, which works without errors, but in the logs I have

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

The certificate file is not written correctly:

ls -l /var/discourse/shared/standalone/ssl
total 4
-rw-r--r-- 1 root root    0 Aug  2 10:18 MYDOMAIN.cer
-rw-r--r-- 1 root root 3243 Aug  2 10:18 MYDOMAIN.key

In the acme.sh.log is this line:

MYDOMAIN:Verify error:Fetching http://MYDOMAIN/.well-known/acme-challenge/vo77X_i6E6fgkPJ1YwOQijTaE8Uys-5p-O_tn2XYIis: Timeout

Any ideas?
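
An offline triage of the two symptoms reported above (the 0-byte `.cer` that nginx rejects with "no start line", and the acme.sh "Verify error" line), added here as an example and not part of the original post. The function names, the `TOKEN` placeholder and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify certificate files and pull
# failed-validation lines out of an acme.sh log, without touching the network.

# cert_status FILE -> prints one of: missing | empty | not-pem | pem
cert_status() {
    if [ ! -e "$1" ]; then
        echo missing
    elif [ ! -s "$1" ]; then
        echo empty        # the 0-byte MYDOMAIN.cer case from the ls output
    elif grep -q -e '-----BEGIN CERTIFICATE-----' \
                 -e '-----BEGIN TRUSTED CERTIFICATE-----' "$1"; then
        echo pem          # has the "start line" the nginx error says is absent
    else
        echo not-pem
    fi
}

# acme_verify_errors LOG -> one line per failed validation: "DOMAIN URL REASON"
# Accepts the line with or without the leading [timestamp].
acme_verify_errors() {
    sed -n 's/^\(\[[^]]*\] \)\{0,1\}\([^: ]*\):Verify error:Fetching \(http[^ ]*\): \(.*\)$/\2 \3 \4/p' "$1"
}

# triage SSL_DIR ACME_LOG -> prints a report; returns 1 if anything is wrong
triage() {
    bad=0
    for f in "$1"/*.cer; do
        [ -e "$f" ] || { echo "cert: none found in $1"; bad=1; break; }
        s=$(cert_status "$f")
        echo "cert: $(basename "$f") $s"
        [ "$s" = pem ] || bad=1
    done
    errs=""
    if [ -r "$2" ]; then
        errs=$(acme_verify_errors "$2")
    fi
    if [ -n "$errs" ]; then
        echo "$errs" | sort -u | sed 's/^/acme: /'
        bad=1
    fi
    return "$bad"
}

# Constructed sample reproducing the state described in the post: an empty
# .cer and a log holding the Verify error (token replaced by a placeholder).
make_sample() {
    mkdir -p "$1/ssl" "$1/letsencrypt"
    : > "$1/ssl/MYDOMAIN.cer"
    cat > "$1/letsencrypt/acme.sh.log" <<'EOF'
[Wed Aug  2 17:13:57 UTC 2017] Pending
[Wed Aug  2 17:13:58 UTC 2017] MYDOMAIN:Verify error:Fetching http://MYDOMAIN/.well-known/acme-challenge/TOKEN: Timeout
[Wed Aug  2 17:13:59 UTC 2017] ret='28'
EOF
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
triage "$demo_dir/ssl" "$demo_dir/letsencrypt/acme.sh.log" || echo "=> problems found"
rm -rf "$demo_dir"
```

On the host from the post, the equivalent call would be `triage /var/discourse/shared/standalone/ssl /var/discourse/shared/standalone/letsencrypt/acme.sh.log`.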


(Joffrey Jaffeux) #2

What do you get when you try to directly access http://MYDOMAIN/.well-known/acme-challenge/vo77X_i6E6fgkPJ1YwOQijTaE8Uys-5p-O_tn2XYIis ? Watch your logs while doing it, might show something.


#3

Chrome gives me an ERR_CONNECTION_REFUSED

The nginx error.log gives me the missing .cer-file error every second:

2017/08/02 15:34:01 [emerg] 25058#25058: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:02 [emerg] 25061#25061: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:03 [emerg] 25063#25063: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:04 [emerg] 25065#25065: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:05 [emerg] 25067#25067: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:06 [emerg] 25069#25069: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:07 [emerg] 25071#25071: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:08 [emerg] 25073#25073: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

What other log files should I check?


(Joffrey Jaffeux) #4

Can you try both methods at the end of the first topic (try manual first and delete after if it still doesn’t work):


#5

This is the section in my app.yml

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https

Are you talking about those two lines?

  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

What methods do you mean?


#6

Ah, sorry, now I get it.

1. Manually reissue:

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
[...]
[Wed Aug  2 17:13:52 UTC 2017] GET
[Wed Aug  2 17:13:52 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:52 UTC 2017] timeout
[Wed Aug  2 17:13:52 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:52 UTC 2017] ret='0'
[Wed Aug  2 17:13:52 UTC 2017] Pending
[Wed Aug  2 17:13:52 UTC 2017] sleep 2 secs to verify
[Wed Aug  2 17:13:54 UTC 2017] checking
[Wed Aug  2 17:13:54 UTC 2017] GET
[Wed Aug  2 17:13:54 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:54 UTC 2017] timeout
[Wed Aug  2 17:13:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:55 UTC 2017] ret='0'
[Wed Aug  2 17:13:55 UTC 2017] Pending
[Wed Aug  2 17:13:55 UTC 2017] sleep 2 secs to verify
[Wed Aug  2 17:13:57 UTC 2017] checking
[Wed Aug  2 17:13:57 UTC 2017] GET
[Wed Aug  2 17:13:57 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:57 UTC 2017] timeout
[Wed Aug  2 17:13:57 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:58 UTC 2017] ret='0'
[Wed Aug  2 17:13:58 UTC 2017] MYDOMAIN:Verify error:Fetching http://MYDOMAIN/.well-known/acme-challenge/[...]: Timeout
[Wed Aug  2 17:13:58 UTC 2017] Debug: get token url.
[Wed Aug  2 17:13:58 UTC 2017] GET
[Wed Aug  2 17:13:58 UTC 2017] url='http://MYDOMAIN/.well-known/acme-challenge/[...]'
[Wed Aug  2 17:13:58 UTC 2017] timeout='1'
[Wed Aug  2 17:13:58 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --connect-timeout 1'
[Wed Aug  2 17:13:59 UTC 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Wed Aug  2 17:13:59 UTC 2017] ret='28'
[Wed Aug  2 17:13:59 UTC 2017] Debugging, skip removing: /var/www/discourse/public/.well-known
[Wed Aug  2 17:13:59 UTC 2017] pid
[Wed Aug  2 17:13:59 UTC 2017] No need to restore nginx, skip.
[Wed Aug  2 17:13:59 UTC 2017] _clearupdns
[Wed Aug  2 17:13:59 UTC 2017] skip dns.
[Wed Aug  2 17:13:59 UTC 2017] _on_issue_err
[Wed Aug  2 17:13:59 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Wed Aug  2 17:13:59 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:59 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "[...]"}'
[Wed Aug  2 17:13:59 UTC 2017] POST
[Wed Aug  2 17:13:59 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:59 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:14:00 UTC 2017] _ret='0'
[Wed Aug  2 17:14:00 UTC 2017] code='400'
[Wed Aug  2 17:14:00 UTC 2017] nc doesn't exists.
[Wed Aug  2 17:14:00 UTC 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/tmp/ngx_brotli
nc:

2. Removing cert files and rebuilding succeeds without errors, but doesn’t solve my SSL problem. The result is the same as before. Only the .key file has content, and the nginx emergency error comes every second.


#7

This is the output from rebuilding after compressing js:

I, [2017-08-03T08:00:24.170845 #13]  INFO -- : File > /usr/local/bin/discourse  chmod: +x
I, [2017-08-03T08:00:24.174861 #13]  INFO -- : File > /usr/local/bin/rails  chmod: +x
I, [2017-08-03T08:00:24.178919 #13]  INFO -- : File > /usr/local/bin/rake  chmod: +x
I, [2017-08-03T08:00:24.189588 #13]  INFO -- : File > /etc/update-motd.d/10-web  chmod: +x
I, [2017-08-03T08:00:24.192880 #13]  INFO -- : File > /etc/logrotate.d/rails  chmod:
I, [2017-08-03T08:00:24.194993 #13]  INFO -- : File > /etc/logrotate.d/nginx  chmod:
I, [2017-08-03T08:00:24.205514 #13]  INFO -- : File > /etc/runit/1.d/00-ensure-links  chmod: +x
I, [2017-08-03T08:00:24.209356 #13]  INFO -- : File > /root/.bash_profile  chmod: 644
I, [2017-08-03T08:00:24.212819 #13]  INFO -- : Replacing (?-mix:server.+{) with limit_req_zone $binary_remote_addr zone=flood:10m rate=$reqs_per_secondr/s;
limit_req_zone $binary_remote_addr zone=bot:10m rate=$reqs_per_minuter/m;
limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=connperip:10m;
limit_conn_status 429;
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.214330 #13]  INFO -- : Replacing (?-mix:location @discourse {) with location @discourse {
  limit_conn connperip $conn_per_ip;
  limit_req zone=flood burst=$burst_per_second nodelay;
  limit_req zone=bot burst=$burst_per_minute nodelay; in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.223811 #13]  INFO -- : > mkdir -p /shared/ssl/
I, [2017-08-03T08:00:24.226421 #13]  INFO -- :
I, [2017-08-03T08:00:24.227093 #13]  INFO -- : Replacing (?-mix:server.+{) with server {
  listen 80;
  return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
}
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.227989 #13]  INFO -- : Replacing (?m-ix:listen 80;\s+gzip on;) with listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key;

ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;

gzip on;

add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain

if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
   rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
}
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.237532 #13]  INFO -- : > if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
I, [2017-08-03T08:00:24.246883 #13]  INFO -- :
I, [2017-08-03T08:00:24.247389 #13]  INFO -- : > /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
I, [2017-08-03T08:00:24.260839 #13]  INFO -- :
I, [2017-08-03T08:00:24.261971 #13]  INFO -- : > cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard e5244cf3c04a5cad274d5a0be31ce80c336be388
Cloning into 'acme.sh'...
I, [2017-08-03T08:00:26.199630 #13]  INFO -- : HEAD is now at e5244cf Merge pull request #941 from Neilpang/dev

I, [2017-08-03T08:00:26.200280 #13]  INFO -- : > touch /var/spool/cron/crontabs/root
I, [2017-08-03T08:00:26.212850 #13]  INFO -- :
I, [2017-08-03T08:00:26.213674 #13]  INFO -- : > install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
I, [2017-08-03T08:00:26.223667 #13]  INFO -- :
I, [2017-08-03T08:00:26.224307 #13]  INFO -- : > cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
[Thu Aug  3 08:00:26 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thu Aug  3 08:00:26 UTC 2017] We use nc for standalone server if you use standalone mode.
[Thu Aug  3 08:00:26 UTC 2017] If you don't use standalone mode, just ignore this warning.
I, [2017-08-03T08:00:26.490394 #13]  INFO -- : [Thu Aug  3 08:00:26 UTC 2017] Installing to /shared/letsencrypt
[Thu Aug  3 08:00:26 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Thu Aug  3 08:00:26 UTC 2017] Installing alias to '/root/.profile'
[Thu Aug  3 08:00:26 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug  3 08:00:26 UTC 2017] Installing cron job
[Thu Aug  3 08:00:26 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug  3 08:00:26 UTC 2017] OK

I, [2017-08-03T08:00:26.491153 #13]  INFO -- : > cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
[Thu Aug  3 08:00:28 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thu Aug  3 08:00:28 UTC 2017] We use nc for standalone server if you use standalone mode.
[Thu Aug  3 08:00:28 UTC 2017] If you don't use standalone mode, just ignore this warning.
I, [2017-08-03T08:00:28.306935 #13]  INFO -- : [Thu Aug  3 08:00:26 UTC 2017] Installing from online archive.
[Thu Aug  3 08:00:26 UTC 2017] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Thu Aug  3 08:00:28 UTC 2017] Extracting master.tar.gz
[Thu Aug  3 08:00:28 UTC 2017] Installing to /shared/letsencrypt
[Thu Aug  3 08:00:28 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Thu Aug  3 08:00:28 UTC 2017] Installing alias to '/root/.profile'
[Thu Aug  3 08:00:28 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug  3 08:00:28 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug  3 08:00:28 UTC 2017] OK
[Thu Aug  3 08:00:28 UTC 2017] Install success!
[Thu Aug  3 08:00:28 UTC 2017] Upgrade success!

I, [2017-08-03T08:00:28.309898 #13]  INFO -- : File > /etc/nginx/letsencrypt.conf  chmod:
I, [2017-08-03T08:00:28.313627 #13]  INFO -- : File > /etc/runit/1.d/letsencrypt  chmod: +x
I, [2017-08-03T08:00:28.314561 #13]  INFO -- : Replacing (?-mix:ssl_certificate.+) with ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.315451 #13]  INFO -- : Replacing (?-mix:#?ACCOUNT_EMAIL=.+) with ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
 in /shared/letsencrypt/account.conf
I, [2017-08-03T08:00:28.316079 #13]  INFO -- : Replacing (?-mix:ssl_certificate_key.+) with ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.325646 #13]  INFO -- : Replacing (?-mix:add_header.+) with add_header Strict-Transport-Security 'max-age=63072000'; in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.326892 #13]  INFO -- : Replacing (?m-ix:add_header Referrer-Policy 'no-referrer-when-downgrade';) with add_header Referrer-Policy 'no-referrer-when-downgrade';
add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.335859 #13]  INFO -- : > echo "Beginning of custom commands"
I, [2017-08-03T08:00:28.338375 #13]  INFO -- : Beginning of custom commands

I, [2017-08-03T08:00:28.339136 #13]  INFO -- : > echo "End of custom commands"
I, [2017-08-03T08:00:28.340810 #13]  INFO -- : End of custom commands

I, [2017-08-03T08:00:28.342105 #13]  INFO -- : Terminating async processes
I, [2017-08-03T08:00:28.342847 #13]  INFO -- : Sending INT to HOME=/var/lib/postgresql USER=postgres exec chpst -u postgres:postgres:ssl-cert -U postgres:postgres:ssl-cert /usr/lib/postgresql/9.5/bin/postmaster -D /etc/postgresql/9.5/main pid: 42
I, [2017-08-03T08:00:28.343668 #13]  INFO -- : Sending TERM to exec chpst -u redis -U redis /usr/bin/redis-server /etc/redis/redis.conf pid: 155
155:signal-handler (1501747228) Received SIGTERM scheduling shutdown...
2017-08-03 08:00:28.354 UTC [42] LOG:  received fast shutdown request
2017-08-03 08:00:28.355 UTC [42] LOG:  aborting any active transactions
2017-08-03 08:00:28.375 UTC [49] LOG:  autovacuum launcher shutting down
2017-08-03 08:00:28.381 UTC [46] LOG:  shutting down
2017-08-03 08:00:28.390 UTC [46] LOG:  database system is shut down
155:M 03 Aug 08:00:28.395 # User requested shutdown...
155:M 03 Aug 08:00:28.395 * Saving the final RDB snapshot before exiting.
155:M 03 Aug 08:00:28.748 * DB saved on disk
155:M 03 Aug 08:00:28.748 # Redis is now ready to exit, bye bye...
sha256:8611ebd87e64130667d8fa4277a30e8a9797c8690fc0b1a7c5473d6afaa40a7f
f5d3534badbe4f4474e5dd3dfa9b6a341eafed019fde000b92e97c1d77df282e
Removing old container
+ /usr/bin/docker rm app
app

+ /usr/bin/docker run -d --restart=always -e LANG=de_DE.UTF-8 -e RAILS_ENV=production -e UNICORN_WORKERS=2 -e UNICORN_SIDEKIQS=1 -e RUBY_GLOBAL_METHOD_CACHE_SIZE=131072 -e RUBY_GC_HEAP_GROWTH_MAX_SLOTS=40000 -e RUBY_GC_HEAP_INIT_SLOTS=400000 -e RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR=1.5 -e DISCOURSE_DB_SOCKET=/var/run/postgresql -e DISCOURSE_DB_HOST= -e DISCOURSE_DB_PORT= -e LETSENCRYPT_DIR=/shared/letsencrypt -e DISCOURSE_HOSTNAME=forum.solawi-dortmund.org -e DISCOURSE_DEVELOPER_EMAILS=webmaster@forum.solawi-dortmund.de -e DISCOURSE_SMTP_ADDRESS=smtp.sparkpostmail.com -e DISCOURSE_SMTP_PORT=587 -e DISCOURSE_SMTP_USER_NAME=SMTP_Injection -e DISCOURSE_SMTP_PASSWORD=4db38f16bc4794fa6578f3a6e3a6437879451c1c -e LETSENCRYPT_ACCOUNT_EMAIL=crispin.mueller@posteo.de -h solawiforum-app -e DOCKER_HOST_IP=172.17.0.1 --name app -t -p 80:80 -p 443:443 -v /var/discourse/shared/standalone:/shared -v /var/discourse/shared/standalone/log/var-log:/var/log --mac-address 02:54:b8:04:dc:67 local_discourse/app /sbin/boot

What about that netcat-warning? I use standalone mode.


#8

Does anyone have an idea, please?

I just tried again:

rm -rf /var/discourse/shared/standalone/ssl
rm -rf /var/discourse/shared/standalone/letsencrypt
./launcher rebuild app

This is the output of the acme.sh.log

$ cat shared/standalone/letsencrypt/acme.sh.log
[Tue Aug  8 13:30:43 UTC 2017] Lets find script dir.
[Tue Aug  8 13:30:43 UTC 2017] _SCRIPT_='./acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] _script='/root/acme.sh/acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] _script_home='/root/acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Tue Aug  8 13:30:43 UTC 2017] We use nc for standalone server if you use standalone mode.
[Tue Aug  8 13:30:43 UTC 2017] If you don't use standalone mode, just ignore this warning.
[Tue Aug  8 13:30:43 UTC 2017] Installing to /shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Using sed  -i
[Tue Aug  8 13:30:43 UTC 2017] Found profile: /root/.profile
[Tue Aug  8 13:30:43 UTC 2017] Installing alias to '/root/.profile'
[Tue Aug  8 13:30:43 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Installing cron job
[Tue Aug  8 13:30:43 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug  8 13:30:44 UTC 2017] OK
[Tue Aug  8 13:30:44 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:44 UTC 2017] Installing from online archive.
[Tue Aug  8 13:30:44 UTC 2017] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Tue Aug  8 13:30:44 UTC 2017] GET
[Tue Aug  8 13:30:44 UTC 2017] url='https://github.com/Neilpang/acme.sh/archive/master.tar.gz'
[Tue Aug  8 13:30:44 UTC 2017] timeout
[Tue Aug  8 13:30:44 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:30:46 UTC 2017] ret='0'
[Tue Aug  8 13:30:46 UTC 2017] Extracting master.tar.gz
[Tue Aug  8 13:30:46 UTC 2017] Skip install cron job
[Tue Aug  8 13:30:46 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Tue Aug  8 13:30:46 UTC 2017] We use nc for standalone server if you use standalone mode.
[Tue Aug  8 13:30:46 UTC 2017] If you don't use standalone mode, just ignore this warning.
[Tue Aug  8 13:30:46 UTC 2017] Installing to /shared/letsencrypt
[Tue Aug  8 13:30:46 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Tue Aug  8 13:30:46 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:46 UTC 2017] Using sed  -i
[Tue Aug  8 13:30:46 UTC 2017] Found profile: /root/.profile
[Tue Aug  8 13:30:46 UTC 2017] Installing alias to '/root/.profile'
[Tue Aug  8 13:30:46 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug  8 13:30:46 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug  8 13:30:46 UTC 2017] OK
[Tue Aug  8 13:30:46 UTC 2017] Install success!
[Tue Aug  8 13:30:46 UTC 2017] Upgrade success!
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:33 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:33 UTC 2017] _on_before_issue
[Tue Aug  8 13:31:33 UTC 2017] Le_LocalAddress
[Tue Aug  8 13:31:33 UTC 2017] Check for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:33 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:33 UTC 2017] config file is empty, can not read CA_KEY_HASH
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] Use default length 2048
[Tue Aug  8 13:31:33 UTC 2017] length='2048'
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] Use length 2048
[Tue Aug  8 13:31:33 UTC 2017] Using RSA: 2048
[Tue Aug  8 13:31:33 UTC 2017] RSA key
[Tue Aug  8 13:31:33 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:33 UTC 2017] AGREEMENT
[Tue Aug  8 13:31:33 UTC 2017] Registering account
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] payload='{"resource": "new-reg", "agreement": ""}'
[Tue Aug  8 13:31:33 UTC 2017] GET
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug  8 13:31:33 UTC 2017] timeout
[Tue Aug  8 13:31:33 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:33 UTC 2017] ret='0'
[Tue Aug  8 13:31:33 UTC 2017] POST
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:34 UTC 2017] _ret='0'
[Tue Aug  8 13:31:34 UTC 2017] code='201'
[Tue Aug  8 13:31:34 UTC 2017] Registered
[Tue Aug  8 13:31:34 UTC 2017] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] _tos='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Tue Aug  8 13:31:34 UTC 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Tue Aug  8 13:31:34 UTC 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
[Tue Aug  8 13:31:34 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] payload='{"resource": "reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
[Tue Aug  8 13:31:34 UTC 2017] POST
[Tue Aug  8 13:31:34 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:35 UTC 2017] _ret='0'
[Tue Aug  8 13:31:35 UTC 2017] code='202'
[Tue Aug  8 13:31:35 UTC 2017] Update account tos info success.
[Tue Aug  8 13:31:35 UTC 2017] Calc CA_KEY_HASH='TPAKOQuzF4DEwvO08enXxxtGMaZd+pMzlBJKdSPWjtI='
[Tue Aug  8 13:31:35 UTC 2017] ACCOUNT_THUMBPRINT='JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:35 UTC 2017] Read key length:
[Tue Aug  8 13:31:35 UTC 2017] Creating domain key
[Tue Aug  8 13:31:35 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:35 UTC 2017] Use length 4096
[Tue Aug  8 13:31:35 UTC 2017] Using RSA: 4096
[Tue Aug  8 13:31:35 UTC 2017] The domain key is here: /shared/letsencrypt/forum.solawi-dortmund.org/forum.solawi-dortmund.org.key
[Tue Aug  8 13:31:35 UTC 2017] _createcsr
[Tue Aug  8 13:31:35 UTC 2017] Single domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] Getting domain auth token for each domain
[Tue Aug  8 13:31:35 UTC 2017] Getting webroot for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] _w='/var/www/discourse/public'
[Tue Aug  8 13:31:35 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:35 UTC 2017] Getting new-authz for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:35 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:35 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:35 UTC 2017] Try new-authz for the 0 time.
[Tue Aug  8 13:31:35 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:35 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "forum.solawi-dortmund.org"}}'
[Tue Aug  8 13:31:36 UTC 2017] POST
[Tue Aug  8 13:31:36 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:36 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:36 UTC 2017] _ret='0'
[Tue Aug  8 13:31:36 UTC 2017] code='201'
[Tue Aug  8 13:31:36 UTC 2017] The new-authz request is ok.
[Tue Aug  8 13:31:36 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741","token":"pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M"'
[Tue Aug  8 13:31:36 UTC 2017] token='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M'
[Tue Aug  8 13:31:36 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:36 UTC 2017] keyauthorization='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:36 UTC 2017] dvlist='forum.solawi-dortmund.org#pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741#http-01#/var/www/discourse/public'
[Tue Aug  8 13:31:36 UTC 2017] vlist='forum.solawi-dortmund.org#pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741#http-01#/var/www/discourse/public,'
[Tue Aug  8 13:31:36 UTC 2017] ok, let's start to verify
[Tue Aug  8 13:31:36 UTC 2017] Verifying:forum.solawi-dortmund.org
[Tue Aug  8 13:31:36 UTC 2017] d='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:36 UTC 2017] keyauthorization='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:36 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:36 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:36 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Aug  8 13:31:36 UTC 2017] writing token:pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M to /var/www/discourse/public/.well-known/acme-challenge/pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M
[Tue Aug  8 13:31:36 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Aug  8 13:31:37 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:37 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:37 UTC 2017] POST
[Tue Aug  8 13:31:37 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:37 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:37 UTC 2017] _ret='0'
[Tue Aug  8 13:31:37 UTC 2017] code='202'
[Tue Aug  8 13:31:37 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:39 UTC 2017] checking
[Tue Aug  8 13:31:39 UTC 2017] GET
[Tue Aug  8 13:31:39 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:39 UTC 2017] timeout
[Tue Aug  8 13:31:39 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:40 UTC 2017] ret='0'
[Tue Aug  8 13:31:40 UTC 2017] Pending
[Tue Aug  8 13:31:40 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:42 UTC 2017] checking
[Tue Aug  8 13:31:42 UTC 2017] GET
[Tue Aug  8 13:31:42 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:42 UTC 2017] timeout
[Tue Aug  8 13:31:42 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:42 UTC 2017] ret='0'
[Tue Aug  8 13:31:42 UTC 2017] Pending
[Tue Aug  8 13:31:42 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:44 UTC 2017] checking
[Tue Aug  8 13:31:44 UTC 2017] GET
[Tue Aug  8 13:31:44 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:44 UTC 2017] timeout
[Tue Aug  8 13:31:44 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:45 UTC 2017] ret='0'
[Tue Aug  8 13:31:45 UTC 2017] forum.solawi-dortmund.org:Verify error:Fetching http://forum.solawi-dortmund.org/.well-known/acme-challenge/pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M: Timeout
[Tue Aug  8 13:31:45 UTC 2017] pid
[Tue Aug  8 13:31:45 UTC 2017] No need to restore nginx, skip.
[Tue Aug  8 13:31:45 UTC 2017] _clearupdns
[Tue Aug  8 13:31:45 UTC 2017] skip dns.
[Tue Aug  8 13:31:45 UTC 2017] _on_issue_err
[Tue Aug  8 13:31:45 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Aug  8 13:31:45 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:45 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:45 UTC 2017] POST
[Tue Aug  8 13:31:45 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:45 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:46 UTC 2017] _ret='0'
[Tue Aug  8 13:31:46 UTC 2017] code='400'
[Tue Aug  8 13:31:46 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:46 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:46 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:46 UTC 2017] Le_NextRenewTime
[Tue Aug  8 13:31:46 UTC 2017] _on_before_issue
[Tue Aug  8 13:31:46 UTC 2017] Le_LocalAddress
[Tue Aug  8 13:31:46 UTC 2017] Check for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Aug  8 13:31:46 UTC 2017] Read key length:4096
[Tue Aug  8 13:31:46 UTC 2017] _createcsr
[Tue Aug  8 13:31:46 UTC 2017] Single domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] Getting domain auth token for each domain
[Tue Aug  8 13:31:46 UTC 2017] Getting webroot for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _w='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] Getting new-authz for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:46 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:46 UTC 2017] Try new-authz for the 0 time.
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "forum.solawi-dortmund.org"}}'
[Tue Aug  8 13:31:46 UTC 2017] RSA key
[Tue Aug  8 13:31:46 UTC 2017] GET
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug  8 13:31:46 UTC 2017] timeout
[Tue Aug  8 13:31:46 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:46 UTC 2017] ret='0'
[Tue Aug  8 13:31:46 UTC 2017] POST
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:47 UTC 2017] _ret='0'
[Tue Aug  8 13:31:47 UTC 2017] code='201'
[Tue Aug  8 13:31:47 UTC 2017] The new-authz request is ok.
[Tue Aug  8 13:31:47 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486","token":"Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A"'
[Tue Aug  8 13:31:47 UTC 2017] token='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A'
[Tue Aug  8 13:31:47 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] keyauthorization='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:47 UTC 2017] dvlist='forum.solawi-dortmund.org#Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486#http-01#/var/www/discourse/public'
[Tue Aug  8 13:31:47 UTC 2017] vlist='forum.solawi-dortmund.org#Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486#http-01#/var/www/discourse/public,'
[Tue Aug  8 13:31:47 UTC 2017] ok, let's start to verify
[Tue Aug  8 13:31:47 UTC 2017] Verifying:forum.solawi-dortmund.org
[Tue Aug  8 13:31:47 UTC 2017] d='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:47 UTC 2017] keyauthorization='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:47 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:47 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Aug  8 13:31:47 UTC 2017] writing token:Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A to /var/www/discourse/public/.well-known/acme-challenge/Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A
[Tue Aug  8 13:31:47 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Aug  8 13:31:47 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:47 UTC 2017] POST
[Tue Aug  8 13:31:47 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:48 UTC 2017] _ret='0'
[Tue Aug  8 13:31:48 UTC 2017] code='202'
[Tue Aug  8 13:31:48 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:50 UTC 2017] checking
[Tue Aug  8 13:31:50 UTC 2017] GET
[Tue Aug  8 13:31:50 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:50 UTC 2017] timeout
[Tue Aug  8 13:31:50 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:50 UTC 2017] ret='0'
[Tue Aug  8 13:31:50 UTC 2017] Pending
[Tue Aug  8 13:31:51 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:53 UTC 2017] checking
[Tue Aug  8 13:31:53 UTC 2017] GET
[Tue Aug  8 13:31:53 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:53 UTC 2017] timeout
[Tue Aug  8 13:31:53 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:53 UTC 2017] ret='0'
[Tue Aug  8 13:31:53 UTC 2017] Pending
[Tue Aug  8 13:31:53 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:55 UTC 2017] checking
[Tue Aug  8 13:31:55 UTC 2017] GET
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] timeout
[Tue Aug  8 13:31:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:55 UTC 2017] ret='0'
[Tue Aug  8 13:31:55 UTC 2017] forum.solawi-dortmund.org:Verify error:Fetching http://forum.solawi-dortmund.org/.well-known/acme-challenge/Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A: Timeout
[Tue Aug  8 13:31:55 UTC 2017] pid
[Tue Aug  8 13:31:55 UTC 2017] No need to restore nginx, skip.
[Tue Aug  8 13:31:55 UTC 2017] _clearupdns
[Tue Aug  8 13:31:55 UTC 2017] skip dns.
[Tue Aug  8 13:31:55 UTC 2017] _on_issue_err
[Tue Aug  8 13:31:55 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:55 UTC 2017] POST
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:56 UTC 2017] _ret='0'
[Tue Aug  8 13:31:56 UTC 2017] code='400'
[Tue Aug  8 13:31:56 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:56 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:56 UTC 2017] Installing key to:/shared/ssl/forum.solawi-dortmund.org.key
[Tue Aug  8 13:31:56 UTC 2017] Installing full chain to:/shared/ssl/forum.solawi-dortmund.org.cer
[Tue Aug  8 13:31:56 UTC 2017] Run reload cmd: sv reload nginx
[Tue Aug  8 13:31:56 UTC 2017] Reload error for :

(Alan Tan) #9

Is your domain’s IPv6 address configured correctly? We had a similar issue previously.


#10

Thanks for your answer :heart_eyes: !

That was indeed also my problem.

End of last week I deactivated the IPv6 entry for my site and then it worked again.
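The failure resolved in this thread can be checked before a renewal runs. This is an added example, not code from any poster, Discourse or acme.sh: it requests the http-01 challenge path over IPv4 and IPv6 separately, so a published AAAA record that nothing answers on shows up on its own. The names `fetch_over`, `probe_http01`, `diagnose` and the dummy token are assumptions made for the illustration.

```python
import http.client
import socket

def fetch_over(sockaddr, family, host, path, timeout=5.0):
    """GET path from one specific address, keeping the real Host header."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.sock = sock  # reuse the socket pinned to this address family
        conn.request("GET", path)
        return conn.getresponse().status
    finally:
        sock.close()

def probe_http01(host, token, resolve=socket.getaddrinfo, fetch=fetch_over):
    """Return {'IPv4': ..., 'IPv6': ...} for the challenge URL on port 80."""
    path = "/.well-known/acme-challenge/" + token
    results = {}
    for label, family in (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6)):
        try:
            infos = resolve(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            results[label] = "no record"  # nothing published for this family
            continue
        try:
            # Any HTTP status, even 404 for a dummy token, proves reachability.
            status = fetch(infos[0][4], family, host, path)
            results[label] = "HTTP %d" % status
        except (OSError, http.client.HTTPException) as exc:
            results[label] = "unreachable (%s)" % type(exc).__name__
    return results

def diagnose(results):
    """Name the address families that are published but do not answer."""
    dead = [k for k, v in results.items() if v.startswith("unreachable")]
    if not dead:
        return "each published address family answers on port 80"
    return "published but not answering on port 80: " + ", ".join(dead)

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py HOSTNAME")
    outcome = probe_http01(sys.argv[1], "preflight-dummy-token")
    print(outcome)
    print(diagnose(outcome))
```

Run it from a machine that itself has working IPv6 connectivity; otherwise the IPv6 probe fails locally and says nothing about the server.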