Problem with my SSL certificate

craisp · August 2, 2017, 8:49am

Hi there

I have an issue with my SSL Setup.

I’m running a discourse app on a linode, DNS records are alright.

Back when I installed the app I followed this howto:

My ssl certificate expired yesterday, and I don’t know why it hadn’t got renewed.
I tried to rebuild the app, what works without errors, but in the logs I have

nginx: [emerg] PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

The certificate file is not written correctly:

ls -l /var/discourse/shared/standalone/ssl
total 4
-rw-r--r-- 1 root root    0 Aug  2 10:18 MYDOMAIN.cer
-rw-r--r-- 1 root root 3243 Aug  2 10:18 MYDOMAIN.key

In the acme.sh.log is this line:

MYDOMAIN:Verify error:Fetching http://MYDOMAIN/.well-known/acme-challenge/vo77X_i6E6fgkPJ1YwOQijTaE8Uys-5p-O_tn2XYIis: Timeout

Any ideas?

joffreyjaffeux · August 2, 2017, 8:58am

What do you get when you try to directly access http://MYDOMAIN/.well-known/acme-challenge/vo77X_i6E6fgkPJ1YwOQijTaE8Uys-5p-O_tn2XYIis ? watch your logs while doing it, might show something.

craisp · August 2, 2017, 3:40pm

Chrome gives me an ERR_CONNECTION_REFUSED

The nginx error.log gives me the missing .cer-file error every second:

2017/08/02 15:34:01 [emerg] 25058#25058: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:02 [emerg] 25061#25061: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:03 [emerg] 25063#25063: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:04 [emerg] 25065#25065: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:05 [emerg] 25067#25067: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:06 [emerg] 25069#25069: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:07 [emerg] 25071#25071: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
2017/08/02 15:34:08 [emerg] 25073#25073: PEM_read_bio_X509_AUX("/shared/ssl/MYDOMAIN.cer") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)

What other log files should I check?

joffreyjaffeux · August 2, 2017, 3:48pm

Can you try both methods at the end of the first topic (try manual first and delete after if it still doesn’t work) :

craisp · August 2, 2017, 3:53pm

This is the section in my app.yml

templates:
  - "templates/postgres.template.yml"
  - "templates/redis.template.yml"
  - "templates/web.template.yml"
  - "templates/web.ratelimited.template.yml"
## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https

Are you talking about those two lines?

  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

What methods do you mean?

craisp · August 2, 2017, 9:06pm

Ah, sorry, now I get it.

1 Manually reissue:

/usr/sbin/nginx -c /etc/nginx/letsencrypt.conf
[...]
[Wed Aug  2 17:13:52 UTC 2017] GET
[Wed Aug  2 17:13:52 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:52 UTC 2017] timeout
[Wed Aug  2 17:13:52 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:52 UTC 2017] ret='0'
[Wed Aug  2 17:13:52 UTC 2017] Pending
[Wed Aug  2 17:13:52 UTC 2017] sleep 2 secs to verify
[Wed Aug  2 17:13:54 UTC 2017] checking
[Wed Aug  2 17:13:54 UTC 2017] GET
[Wed Aug  2 17:13:54 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:54 UTC 2017] timeout
[Wed Aug  2 17:13:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:55 UTC 2017] ret='0'
[Wed Aug  2 17:13:55 UTC 2017] Pending
[Wed Aug  2 17:13:55 UTC 2017] sleep 2 secs to verify
[Wed Aug  2 17:13:57 UTC 2017] checking
[Wed Aug  2 17:13:57 UTC 2017] GET
[Wed Aug  2 17:13:57 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:57 UTC 2017] timeout
[Wed Aug  2 17:13:57 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:13:58 UTC 2017] ret='0'
[Wed Aug  2 17:13:58 UTC 2017] MYDOMAIN:Verify error:Fetching http://MYDOMAIN/.well-known/acme-challenge/[...]: Timeout
[Wed Aug  2 17:13:58 UTC 2017] Debug: get token url.
[Wed Aug  2 17:13:58 UTC 2017] GET
[Wed Aug  2 17:13:58 UTC 2017] url='http://MYDOMAIN/.well-known/acme-challenge/[...]'
[Wed Aug  2 17:13:58 UTC 2017] timeout='1'
[Wed Aug  2 17:13:58 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header  --connect-timeout 1'
[Wed Aug  2 17:13:59 UTC 2017] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 28
[Wed Aug  2 17:13:59 UTC 2017] ret='28'
[Wed Aug  2 17:13:59 UTC 2017] Debugging, skip removing: /var/www/discourse/public/.well-known
[Wed Aug  2 17:13:59 UTC 2017] pid
[Wed Aug  2 17:13:59 UTC 2017] No need to restore nginx, skip.
[Wed Aug  2 17:13:59 UTC 2017] _clearupdns
[Wed Aug  2 17:13:59 UTC 2017] skip dns.
[Wed Aug  2 17:13:59 UTC 2017] _on_issue_err
[Wed Aug  2 17:13:59 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Wed Aug  2 17:13:59 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:59 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "[...]"}'
[Wed Aug  2 17:13:59 UTC 2017] POST
[Wed Aug  2 17:13:59 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/[...]'
[Wed Aug  2 17:13:59 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Wed Aug  2 17:14:00 UTC 2017] _ret='0'
[Wed Aug  2 17:14:00 UTC 2017] code='400'
[Wed Aug  2 17:14:00 UTC 2017] nc doesn't exists.
[Wed Aug  2 17:14:00 UTC 2017] Diagnosis versions:
openssl:openssl
OpenSSL 1.0.2g  1 Mar 2016
apache:
apache doesn't exists.
nginx:
nginx version: nginx/1.12.1
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2g  1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2 -Wno-deprecated-declarations' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_v2_module --with-http_sub_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/tmp/ngx_brotli
nc:

2 Removing cert files and rebuilding succeeds without errors, but doesn’t solve my ssl problem. Result is the same like before. Only the .key-file has content and the nginx emergency error comes every second.

craisp · August 3, 2017, 8:09am

This is the output from rebuilding after compressing js:

I, [2017-08-03T08:00:24.170845 #13]  INFO -- : File > /usr/local/bin/discourse  chmod: +x
I, [2017-08-03T08:00:24.174861 #13]  INFO -- : File > /usr/local/bin/rails  chmod: +x
I, [2017-08-03T08:00:24.178919 #13]  INFO -- : File > /usr/local/bin/rake  chmod: +x
I, [2017-08-03T08:00:24.189588 #13]  INFO -- : File > /etc/update-motd.d/10-web  chmod: +x
I, [2017-08-03T08:00:24.192880 #13]  INFO -- : File > /etc/logrotate.d/rails  chmod:
I, [2017-08-03T08:00:24.194993 #13]  INFO -- : File > /etc/logrotate.d/nginx  chmod:
I, [2017-08-03T08:00:24.205514 #13]  INFO -- : File > /etc/runit/1.d/00-ensure-links  chmod: +x
I, [2017-08-03T08:00:24.209356 #13]  INFO -- : File > /root/.bash_profile  chmod: 644
I, [2017-08-03T08:00:24.212819 #13]  INFO -- : Replacing (?-mix:server.+{) with limit_req_zone $binary_remote_addr zone=flood:10m rate=$reqs_per_secondr/s;
limit_req_zone $binary_remote_addr zone=bot:10m rate=$reqs_per_minuter/m;
limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=connperip:10m;
limit_conn_status 429;
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.214330 #13]  INFO -- : Replacing (?-mix:location @discourse {) with location @discourse {
  limit_conn connperip $conn_per_ip;
  limit_req zone=flood burst=$burst_per_second nodelay;
  limit_req zone=bot burst=$burst_per_minute nodelay; in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.223811 #13]  INFO -- : > mkdir -p /shared/ssl/
I, [2017-08-03T08:00:24.226421 #13]  INFO -- :
I, [2017-08-03T08:00:24.227093 #13]  INFO -- : Replacing (?-mix:server.+{) with server {
  listen 80;
  return 301 https://$$ENV_DISCOURSE_HOSTNAME$request_uri;
}
server {
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.227989 #13]  INFO -- : Replacing (?m-ix:listen 80;\s+gzip on;) with listen 443 ssl http2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;

ssl_certificate /shared/ssl/ssl.crt;
ssl_certificate_key /shared/ssl/ssl.key;

ssl_session_tickets off;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:1m;

gzip on;

add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain

if ($http_host != $$ENV_DISCOURSE_HOSTNAME) {
   rewrite (.*) https://$$ENV_DISCOURSE_HOSTNAME$1 permanent;
}
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:24.237532 #13]  INFO -- : > if [ -z "$LETSENCRYPT_ACCOUNT_EMAIL" ]; then echo "LETSENCRYPT_ACCOUNT_EMAIL ENV variable is required and has not been set."; exit 1; fi
I, [2017-08-03T08:00:24.246883 #13]  INFO -- :
I, [2017-08-03T08:00:24.247389 #13]  INFO -- : > /bin/bash -c "if [[ ! \"$LETSENCRYPT_ACCOUNT_EMAIL\" =~ ([^@]+)@([^\.]+) ]]; then echo \"LETSENCRYPT_ACCOUNT_EMAIL is not a valid email address\"; exit 1; fi"
I, [2017-08-03T08:00:24.260839 #13]  INFO -- :
I, [2017-08-03T08:00:24.261971 #13]  INFO -- : > cd /root && git clone https://github.com/Neilpang/acme.sh.git && cd /root/acme.sh && git reset --hard e5244cf3c04a5cad274d5a0be31ce80c336be388
Cloning into 'acme.sh'...
I, [2017-08-03T08:00:26.199630 #13]  INFO -- : HEAD is now at e5244cf Merge pull request #941 from Neilpang/dev

I, [2017-08-03T08:00:26.200280 #13]  INFO -- : > touch /var/spool/cron/crontabs/root
I, [2017-08-03T08:00:26.212850 #13]  INFO -- :
I, [2017-08-03T08:00:26.213674 #13]  INFO -- : > install -d -m 0755 -g root -o root $LETSENCRYPT_DIR
I, [2017-08-03T08:00:26.223667 #13]  INFO -- :
I, [2017-08-03T08:00:26.224307 #13]  INFO -- : > cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --install --log "${LETSENCRYPT_DIR}/acme.sh.log"
[Thu Aug  3 08:00:26 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thu Aug  3 08:00:26 UTC 2017] We use nc for standalone server if you use standalone mode.
[Thu Aug  3 08:00:26 UTC 2017] If you don't use standalone mode, just ignore this warning.
I, [2017-08-03T08:00:26.490394 #13]  INFO -- : [Thu Aug  3 08:00:26 UTC 2017] Installing to /shared/letsencrypt
[Thu Aug  3 08:00:26 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Thu Aug  3 08:00:26 UTC 2017] Installing alias to '/root/.profile'
[Thu Aug  3 08:00:26 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug  3 08:00:26 UTC 2017] Installing cron job
[Thu Aug  3 08:00:26 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug  3 08:00:26 UTC 2017] OK

I, [2017-08-03T08:00:26.491153 #13]  INFO -- : > cd /root/acme.sh && LE_WORKING_DIR="${LETSENCRYPT_DIR}" ./acme.sh --upgrade --auto-upgrade
[Thu Aug  3 08:00:28 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Thu Aug  3 08:00:28 UTC 2017] We use nc for standalone server if you use standalone mode.
[Thu Aug  3 08:00:28 UTC 2017] If you don't use standalone mode, just ignore this warning.
I, [2017-08-03T08:00:28.306935 #13]  INFO -- : [Thu Aug  3 08:00:26 UTC 2017] Installing from online archive.
[Thu Aug  3 08:00:26 UTC 2017] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Thu Aug  3 08:00:28 UTC 2017] Extracting master.tar.gz
[Thu Aug  3 08:00:28 UTC 2017] Installing to /shared/letsencrypt
[Thu Aug  3 08:00:28 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Thu Aug  3 08:00:28 UTC 2017] Installing alias to '/root/.profile'
[Thu Aug  3 08:00:28 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Thu Aug  3 08:00:28 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Thu Aug  3 08:00:28 UTC 2017] OK
[Thu Aug  3 08:00:28 UTC 2017] Install success!
[Thu Aug  3 08:00:28 UTC 2017] Upgrade success!

I, [2017-08-03T08:00:28.309898 #13]  INFO -- : File > /etc/nginx/letsencrypt.conf  chmod:
I, [2017-08-03T08:00:28.313627 #13]  INFO -- : File > /etc/runit/1.d/letsencrypt  chmod: +x
I, [2017-08-03T08:00:28.314561 #13]  INFO -- : Replacing (?-mix:ssl_certificate.+) with ssl_certificate /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.cer;
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.315451 #13]  INFO -- : Replacing (?-mix:#?ACCOUNT_EMAIL=.+) with ACCOUNT_EMAIL=$$ENV_LETSENCRYPT_ACCOUNT_EMAIL
 in /shared/letsencrypt/account.conf
I, [2017-08-03T08:00:28.316079 #13]  INFO -- : Replacing (?-mix:ssl_certificate_key.+) with ssl_certificate_key /shared/ssl/$$ENV_DISCOURSE_HOSTNAME.key;
 in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.325646 #13]  INFO -- : Replacing (?-mix:add_header.+) with add_header Strict-Transport-Security 'max-age=63072000'; in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.326892 #13]  INFO -- : Replacing (?m-ix:add_header Referrer-Policy 'no-referrer-when-downgrade';) with add_header Referrer-Policy 'no-referrer-when-downgrade';
add_header Strict-Transport-Security 'max-age=31536000'; # remember the certificate for a year and automatically connect to HTTPS for this domain in /etc/nginx/conf.d/discourse.conf
I, [2017-08-03T08:00:28.335859 #13]  INFO -- : > echo "Beginning of custom commands"
I, [2017-08-03T08:00:28.338375 #13]  INFO -- : Beginning of custom commands

I, [2017-08-03T08:00:28.339136 #13]  INFO -- : > echo "End of custom commands"
I, [2017-08-03T08:00:28.340810 #13]  INFO -- : End of custom commands

I, [2017-08-03T08:00:28.342105 #13]  INFO -- : Terminating async processes
I, [2017-08-03T08:00:28.342847 #13]  INFO -- : Sending INT to HOME=/var/lib/postgresql USER=postgres exec chpst -u postgres:postgres:ssl-cert -U postgres:postgres:ssl-cert /usr/lib/postgresql/9.5/bin/postmaster -D /etc/postgresql/9.5/main pid: 42
I, [2017-08-03T08:00:28.343668 #13]  INFO -- : Sending TERM to exec chpst -u redis -U redis /usr/bin/redis-server /etc/redis/redis.conf pid: 155
155:signal-handler (1501747228) Received SIGTERM scheduling shutdown...
2017-08-03 08:00:28.354 UTC [42] LOG:  received fast shutdown request
2017-08-03 08:00:28.355 UTC [42] LOG:  aborting any active transactions
2017-08-03 08:00:28.375 UTC [49] LOG:  autovacuum launcher shutting down
2017-08-03 08:00:28.381 UTC [46] LOG:  shutting down
2017-08-03 08:00:28.390 UTC [46] LOG:  database system is shut down
155:M 03 Aug 08:00:28.395 # User requested shutdown...
155:M 03 Aug 08:00:28.395 * Saving the final RDB snapshot before exiting.
155:M 03 Aug 08:00:28.748 * DB saved on disk
155:M 03 Aug 08:00:28.748 # Redis is now ready to exit, bye bye...
sha256:8611ebd87e64130667d8fa4277a30e8a9797c8690fc0b1a7c5473d6afaa40a7f
f5d3534badbe4f4474e5dd3dfa9b6a341eafed019fde000b92e97c1d77df282e
Removing old container
+ /usr/bin/docker rm app
app

+ /usr/bin/docker run -d --restart=always -e LANG=de_DE.UTF-8 -e RAILS_ENV=production -e UNICORN_WORKERS=2 -e UNICORN_SIDEKIQS=1 -e RUBY_GLOBAL_METHOD_CACHE_SIZE=131072 -e RUBY_GC_HEAP_GROWTH_MAX_SLOTS=40000 -e RUBY_GC_HEAP_INIT_SLOTS=400000 -e RUBY_GC_HEAP_OLDOBJECT_LIMIT_FACTOR=1.5 -e DISCOURSE_DB_SOCKET=/var/run/postgresql -e DISCOURSE_DB_HOST= -e DISCOURSE_DB_PORT= -e LETSENCRYPT_DIR=/shared/letsencrypt -e DISCOURSE_HOSTNAME=forum.solawi-dortmund.org -e DISCOURSE_DEVELOPER_EMAILS=webmaster@forum.solawi-dortmund.de -e DISCOURSE_SMTP_ADDRESS=smtp.sparkpostmail.com -e DISCOURSE_SMTP_PORT=587 -e DISCOURSE_SMTP_USER_NAME=SMTP_Injection -e DISCOURSE_SMTP_PASSWORD=4db38f16bc4794fa6578f3a6e3a6437879451c1c -e LETSENCRYPT_ACCOUNT_EMAIL=crispin.mueller@posteo.de -h solawiforum-app -e DOCKER_HOST_IP=172.17.0.1 --name app -t -p 80:80 -p 443:443 -v /var/discourse/shared/standalone:/shared -v /var/discourse/shared/standalone/log/var-log:/var/log --mac-address 02:54:b8:04:dc:67 local_discourse/app /sbin/boot

What about that netcat-warning? I use standalone mode.

craisp · August 8, 2017, 1:44pm

Does anyone have an idea, please?

I just tried again:

rm -rf /var/discourse/shared/standalone/ssl
rm -rf /var/discourse/shared/standalone/letsencrypt
./launcher rebuild app

This is the output of the acme.sh.log

$ cat shared/standalone/letsencrypt/acme.sh.log
[Tue Aug  8 13:30:43 UTC 2017] Lets find script dir.
[Tue Aug  8 13:30:43 UTC 2017] _SCRIPT_='./acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] _script='/root/acme.sh/acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] _script_home='/root/acme.sh'
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Tue Aug  8 13:30:43 UTC 2017] We use nc for standalone server if you use standalone mode.
[Tue Aug  8 13:30:43 UTC 2017] If you don't use standalone mode, just ignore this warning.
[Tue Aug  8 13:30:43 UTC 2017] Installing to /shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Using sed  -i
[Tue Aug  8 13:30:43 UTC 2017] Found profile: /root/.profile
[Tue Aug  8 13:30:43 UTC 2017] Installing alias to '/root/.profile'
[Tue Aug  8 13:30:43 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:43 UTC 2017] Installing cron job
[Tue Aug  8 13:30:43 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug  8 13:30:44 UTC 2017] OK
[Tue Aug  8 13:30:44 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:44 UTC 2017] Installing from online archive.
[Tue Aug  8 13:30:44 UTC 2017] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz
[Tue Aug  8 13:30:44 UTC 2017] GET
[Tue Aug  8 13:30:44 UTC 2017] url='https://github.com/Neilpang/acme.sh/archive/master.tar.gz'
[Tue Aug  8 13:30:44 UTC 2017] timeout
[Tue Aug  8 13:30:44 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:30:46 UTC 2017] ret='0'
[Tue Aug  8 13:30:46 UTC 2017] Extracting master.tar.gz
[Tue Aug  8 13:30:46 UTC 2017] Skip install cron job
[Tue Aug  8 13:30:46 UTC 2017] It is recommended to install nc first, try to install 'nc' or 'netcat'.
[Tue Aug  8 13:30:46 UTC 2017] We use nc for standalone server if you use standalone mode.
[Tue Aug  8 13:30:46 UTC 2017] If you don't use standalone mode, just ignore this warning.
[Tue Aug  8 13:30:46 UTC 2017] Installing to /shared/letsencrypt
[Tue Aug  8 13:30:46 UTC 2017] Installed to /shared/letsencrypt/acme.sh
[Tue Aug  8 13:30:46 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:30:46 UTC 2017] Using sed  -i
[Tue Aug  8 13:30:46 UTC 2017] Found profile: /root/.profile
[Tue Aug  8 13:30:46 UTC 2017] Installing alias to '/root/.profile'
[Tue Aug  8 13:30:46 UTC 2017] OK, Close and reopen your terminal to start using acme.sh
[Tue Aug  8 13:30:46 UTC 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Tue Aug  8 13:30:46 UTC 2017] OK
[Tue Aug  8 13:30:46 UTC 2017] Install success!
[Tue Aug  8 13:30:46 UTC 2017] Upgrade success!
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:33 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:33 UTC 2017] _on_before_issue
[Tue Aug  8 13:31:33 UTC 2017] Le_LocalAddress
[Tue Aug  8 13:31:33 UTC 2017] Check for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:33 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:33 UTC 2017] config file is empty, can not read CA_KEY_HASH
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] Use default length 2048
[Tue Aug  8 13:31:33 UTC 2017] length='2048'
[Tue Aug  8 13:31:33 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:33 UTC 2017] Use length 2048
[Tue Aug  8 13:31:33 UTC 2017] Using RSA: 2048
[Tue Aug  8 13:31:33 UTC 2017] RSA key
[Tue Aug  8 13:31:33 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:33 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:33 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:33 UTC 2017] AGREEMENT
[Tue Aug  8 13:31:33 UTC 2017] Registering account
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] payload='{"resource": "new-reg", "agreement": ""}'
[Tue Aug  8 13:31:33 UTC 2017] GET
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug  8 13:31:33 UTC 2017] timeout
[Tue Aug  8 13:31:33 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:33 UTC 2017] ret='0'
[Tue Aug  8 13:31:33 UTC 2017] POST
[Tue Aug  8 13:31:33 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:33 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:34 UTC 2017] _ret='0'
[Tue Aug  8 13:31:34 UTC 2017] code='201'
[Tue Aug  8 13:31:34 UTC 2017] Registered
[Tue Aug  8 13:31:34 UTC 2017] _accUri='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] _tos='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Tue Aug  8 13:31:34 UTC 2017] AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'
[Tue Aug  8 13:31:34 UTC 2017] Update tos: https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
[Tue Aug  8 13:31:34 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] payload='{"resource": "reg", "agreement": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"}'
[Tue Aug  8 13:31:34 UTC 2017] POST
[Tue Aug  8 13:31:34 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/reg/19708985'
[Tue Aug  8 13:31:34 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:35 UTC 2017] _ret='0'
[Tue Aug  8 13:31:35 UTC 2017] code='202'
[Tue Aug  8 13:31:35 UTC 2017] Update account tos info success.
[Tue Aug  8 13:31:35 UTC 2017] Calc CA_KEY_HASH='TPAKOQuzF4DEwvO08enXxxtGMaZd+pMzlBJKdSPWjtI='
[Tue Aug  8 13:31:35 UTC 2017] ACCOUNT_THUMBPRINT='JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:35 UTC 2017] Read key length:
[Tue Aug  8 13:31:35 UTC 2017] Creating domain key
[Tue Aug  8 13:31:35 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:35 UTC 2017] Use length 4096
[Tue Aug  8 13:31:35 UTC 2017] Using RSA: 4096
[Tue Aug  8 13:31:35 UTC 2017] The domain key is here: /shared/letsencrypt/forum.solawi-dortmund.org/forum.solawi-dortmund.org.key
[Tue Aug  8 13:31:35 UTC 2017] _createcsr
[Tue Aug  8 13:31:35 UTC 2017] Single domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] Getting domain auth token for each domain
[Tue Aug  8 13:31:35 UTC 2017] Getting webroot for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] _w='/var/www/discourse/public'
[Tue Aug  8 13:31:35 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:35 UTC 2017] Getting new-authz for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:35 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:35 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:35 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:35 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:35 UTC 2017] Try new-authz for the 0 time.
[Tue Aug  8 13:31:35 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:35 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "forum.solawi-dortmund.org"}}'
[Tue Aug  8 13:31:36 UTC 2017] POST
[Tue Aug  8 13:31:36 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:36 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:36 UTC 2017] _ret='0'
[Tue Aug  8 13:31:36 UTC 2017] code='201'
[Tue Aug  8 13:31:36 UTC 2017] The new-authz request is ok.
[Tue Aug  8 13:31:36 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741","token":"pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M"'
[Tue Aug  8 13:31:36 UTC 2017] token='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M'
[Tue Aug  8 13:31:36 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:36 UTC 2017] keyauthorization='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:36 UTC 2017] dvlist='forum.solawi-dortmund.org#pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741#http-01#/var/www/discourse/public'
[Tue Aug  8 13:31:36 UTC 2017] vlist='forum.solawi-dortmund.org#pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741#http-01#/var/www/discourse/public,'
[Tue Aug  8 13:31:36 UTC 2017] ok, let's start to verify
[Tue Aug  8 13:31:36 UTC 2017] Verifying:forum.solawi-dortmund.org
[Tue Aug  8 13:31:36 UTC 2017] d='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:36 UTC 2017] keyauthorization='pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:36 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:36 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:36 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Aug  8 13:31:36 UTC 2017] writing token:pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M to /var/www/discourse/public/.well-known/acme-challenge/pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M
[Tue Aug  8 13:31:36 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Aug  8 13:31:37 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:37 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:37 UTC 2017] POST
[Tue Aug  8 13:31:37 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:37 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:37 UTC 2017] _ret='0'
[Tue Aug  8 13:31:37 UTC 2017] code='202'
[Tue Aug  8 13:31:37 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:39 UTC 2017] checking
[Tue Aug  8 13:31:39 UTC 2017] GET
[Tue Aug  8 13:31:39 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:39 UTC 2017] timeout
[Tue Aug  8 13:31:39 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:40 UTC 2017] ret='0'
[Tue Aug  8 13:31:40 UTC 2017] Pending
[Tue Aug  8 13:31:40 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:42 UTC 2017] checking
[Tue Aug  8 13:31:42 UTC 2017] GET
[Tue Aug  8 13:31:42 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:42 UTC 2017] timeout
[Tue Aug  8 13:31:42 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:42 UTC 2017] ret='0'
[Tue Aug  8 13:31:42 UTC 2017] Pending
[Tue Aug  8 13:31:42 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:44 UTC 2017] checking
[Tue Aug  8 13:31:44 UTC 2017] GET
[Tue Aug  8 13:31:44 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:44 UTC 2017] timeout
[Tue Aug  8 13:31:44 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:45 UTC 2017] ret='0'
[Tue Aug  8 13:31:45 UTC 2017] forum.solawi-dortmund.org:Verify error:Fetching http://forum.solawi-dortmund.org/.well-known/acme-challenge/pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M: Timeout
[Tue Aug  8 13:31:45 UTC 2017] pid
[Tue Aug  8 13:31:45 UTC 2017] No need to restore nginx, skip.
[Tue Aug  8 13:31:45 UTC 2017] _clearupdns
[Tue Aug  8 13:31:45 UTC 2017] skip dns.
[Tue Aug  8 13:31:45 UTC 2017] _on_issue_err
[Tue Aug  8 13:31:45 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Aug  8 13:31:45 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:45 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "pHO2V_3h4vxW0j0ijXIR1b5sMQHJW1eFgJqWq6bQt8M.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:45 UTC 2017] POST
[Tue Aug  8 13:31:45 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/h_7JAg1Dk8DjsLWJBIE03kx6cfqJgoyLzcqtxyyNlFU/1709182741'
[Tue Aug  8 13:31:45 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:46 UTC 2017] _ret='0'
[Tue Aug  8 13:31:46 UTC 2017] code='400'
[Tue Aug  8 13:31:46 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:46 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] Using ACME_DIRECTORY: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:46 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:46 UTC 2017] Le_NextRenewTime
[Tue Aug  8 13:31:46 UTC 2017] _on_before_issue
[Tue Aug  8 13:31:46 UTC 2017] Le_LocalAddress
[Tue Aug  8 13:31:46 UTC 2017] Check for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] _saved_account_key_hash is not changed, skip register account.
[Tue Aug  8 13:31:46 UTC 2017] Read key length:4096
[Tue Aug  8 13:31:46 UTC 2017] _createcsr
[Tue Aug  8 13:31:46 UTC 2017] Single domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] Getting domain auth token for each domain
[Tue Aug  8 13:31:46 UTC 2017] Getting webroot for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _w='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:46 UTC 2017] Getting new-authz for domain='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:46 UTC 2017] _init api for server: https://acme-v01.api.letsencrypt.org/directory
[Tue Aug  8 13:31:46 UTC 2017] ACME_KEY_CHANGE='https://acme-v01.api.letsencrypt.org/acme/key-change'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_AUTHZ='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ORDER='https://acme-v01.api.letsencrypt.org/acme/new-cert'
[Tue Aug  8 13:31:46 UTC 2017] ACME_NEW_ACCOUNT='https://acme-v01.api.letsencrypt.org/acme/new-reg'
[Tue Aug  8 13:31:46 UTC 2017] ACME_REVOKE_CERT='https://acme-v01.api.letsencrypt.org/acme/revoke-cert'
[Tue Aug  8 13:31:46 UTC 2017] Try new-authz for the 0 time.
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "forum.solawi-dortmund.org"}}'
[Tue Aug  8 13:31:46 UTC 2017] RSA key
[Tue Aug  8 13:31:46 UTC 2017] GET
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/directory'
[Tue Aug  8 13:31:46 UTC 2017] timeout
[Tue Aug  8 13:31:46 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:46 UTC 2017] ret='0'
[Tue Aug  8 13:31:46 UTC 2017] POST
[Tue Aug  8 13:31:46 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/new-authz'
[Tue Aug  8 13:31:46 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:47 UTC 2017] _ret='0'
[Tue Aug  8 13:31:47 UTC 2017] code='201'
[Tue Aug  8 13:31:47 UTC 2017] The new-authz request is ok.
[Tue Aug  8 13:31:47 UTC 2017] entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486","token":"Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A"'
[Tue Aug  8 13:31:47 UTC 2017] token='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A'
[Tue Aug  8 13:31:47 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] keyauthorization='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:47 UTC 2017] dvlist='forum.solawi-dortmund.org#Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486#http-01#/var/www/discourse/public'
[Tue Aug  8 13:31:47 UTC 2017] vlist='forum.solawi-dortmund.org#Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4#https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486#http-01#/var/www/discourse/public,'
[Tue Aug  8 13:31:47 UTC 2017] ok, let's start to verify
[Tue Aug  8 13:31:47 UTC 2017] Verifying:forum.solawi-dortmund.org
[Tue Aug  8 13:31:47 UTC 2017] d='forum.solawi-dortmund.org'
[Tue Aug  8 13:31:47 UTC 2017] keyauthorization='Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4'
[Tue Aug  8 13:31:47 UTC 2017] uri='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] _currentRoot='/var/www/discourse/public'
[Tue Aug  8 13:31:47 UTC 2017] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge'
[Tue Aug  8 13:31:47 UTC 2017] writing token:Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A to /var/www/discourse/public/.well-known/acme-challenge/Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A
[Tue Aug  8 13:31:47 UTC 2017] Changing owner/group of .well-known to discourse:discourse
[Tue Aug  8 13:31:47 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:47 UTC 2017] POST
[Tue Aug  8 13:31:47 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:47 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:48 UTC 2017] _ret='0'
[Tue Aug  8 13:31:48 UTC 2017] code='202'
[Tue Aug  8 13:31:48 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:50 UTC 2017] checking
[Tue Aug  8 13:31:50 UTC 2017] GET
[Tue Aug  8 13:31:50 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:50 UTC 2017] timeout
[Tue Aug  8 13:31:50 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:50 UTC 2017] ret='0'
[Tue Aug  8 13:31:50 UTC 2017] Pending
[Tue Aug  8 13:31:51 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:53 UTC 2017] checking
[Tue Aug  8 13:31:53 UTC 2017] GET
[Tue Aug  8 13:31:53 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:53 UTC 2017] timeout
[Tue Aug  8 13:31:53 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:53 UTC 2017] ret='0'
[Tue Aug  8 13:31:53 UTC 2017] Pending
[Tue Aug  8 13:31:53 UTC 2017] sleep 2 secs to verify
[Tue Aug  8 13:31:55 UTC 2017] checking
[Tue Aug  8 13:31:55 UTC 2017] GET
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] timeout
[Tue Aug  8 13:31:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:55 UTC 2017] ret='0'
[Tue Aug  8 13:31:55 UTC 2017] forum.solawi-dortmund.org:Verify error:Fetching http://forum.solawi-dortmund.org/.well-known/acme-challenge/Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A: Timeout
[Tue Aug  8 13:31:55 UTC 2017] pid
[Tue Aug  8 13:31:55 UTC 2017] No need to restore nginx, skip.
[Tue Aug  8 13:31:55 UTC 2017] _clearupdns
[Tue Aug  8 13:31:55 UTC 2017] skip dns.
[Tue Aug  8 13:31:55 UTC 2017] _on_issue_err
[Tue Aug  8 13:31:55 UTC 2017] Please check log file for more details: /shared/letsencrypt/acme.sh.log
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] payload='{"resource": "challenge", "keyAuthorization": "Q2bhAzm_Xse9hq25jeEMpApI8iRwERAXpJuFZTzIV0A.JVB0unwxG8pbbxFWKgB0A6czKZAc51kTBTE-hi3YGt4"}'
[Tue Aug  8 13:31:55 UTC 2017] POST
[Tue Aug  8 13:31:55 UTC 2017] url='https://acme-v01.api.letsencrypt.org/acme/challenge/hIfdrk5kRW6FlrDkNyDQhvaTIH7nadenCItJtI-SUCM/1709183486'
[Tue Aug  8 13:31:55 UTC 2017] _CURL='curl -L --silent --dump-header /shared/letsencrypt/http.header '
[Tue Aug  8 13:31:56 UTC 2017] _ret='0'
[Tue Aug  8 13:31:56 UTC 2017] code='400'
[Tue Aug  8 13:31:56 UTC 2017] Using config home:/shared/letsencrypt
[Tue Aug  8 13:31:56 UTC 2017] DOMAIN_PATH='/shared/letsencrypt/forum.solawi-dortmund.org'
[Tue Aug  8 13:31:56 UTC 2017] Installing key to:/shared/ssl/forum.solawi-dortmund.org.key
[Tue Aug  8 13:31:56 UTC 2017] Installing full chain to:/shared/ssl/forum.solawi-dortmund.org.cer
[Tue Aug  8 13:31:56 UTC 2017] Run reload cmd: sv reload nginx
[Tue Aug  8 13:31:56 UTC 2017] Reload error for :

tgxworld · August 16, 2017, 7:31am

Is your domain’s IPv6 address configured correctly? We had a similar issue previously

craisp · August 16, 2017, 9:23pm

Thanks for your answer !

That was indeed also my problem.

End of last week I deactivated the IPv6 entry for my site and then it worked again.

yooxinz · February 20, 2019, 4:20pm

I have same trouble. But I don’t know how to deactivated the IPv6 entry.

craisp · February 20, 2019, 4:22pm

Delete or disable the AAAA record for your discourse domain.

yooxinz · February 20, 2019, 4:28pm

I didn’t find any AAAA records on the DNS resolution panel

pfaffman · February 20, 2019, 4:43pm

Without your hostname there is little anyone can do but guess at your problem.

yooxinz · February 20, 2019, 4:49pm

forum.choerodon.io is my discourse domain

pfaffman · February 20, 2019, 5:02pm

You don’t have Discourse installed there (EDIT: if you access it by the IP). There is an nginx running there, which is preventing Discourse from accessing port 80. I’m guessing that you didn’t follow discourse/docs/INSTALL-cloud.md at main · discourse/discourse · GitHub or you’d have gotten a warning when you ran discourse-setup. (It could be that you subsequently installed nginx and have since rebooted so that nginx is now taking over port 80.

Or maybe you have an nginx in front as a reverse proxy. If that’s the case, the SSL problems are wtih nginx, not with Discourse.

yooxinz · February 21, 2019, 1:31am

I install a nginx to forward the request to discourse. After I replaced the generated SSL certificate, discourse was running normally.

I want to know how to resume the automatic renewal of discourse certificate

JammyDodger · June 8, 2024, 12:37pm

This topic was automatically closed after 2502 days. New replies are no longer allowed.

Topic		Replies	Views
Not able to access site after letsencrypt cert expiry and rebuild due to IPV6 Support	10	2927	June 8, 2024
Discourse setup completed successfully but not working due to SSL error Support	6	195	December 18, 2024
Let's encrypt auto renewal and ipv6 Support	6	919	July 1, 2020
Let's Encrypt renewal errors Installation	11	1797	February 22, 2020
Installation produced broken, zero byte certificate Installation letsencrypt	10	2121	September 14, 2022

Problem with my SSL certificate

Related topics