acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0
39.33k stars 4.97k forks

Issuing request gives 504 gateway timeout error #3850

Open freebrowser1 opened 2 years ago

freebrowser1 commented 2 years ago

Steps to reproduce

From my VPS I set the command to issue a domain, and a command to renew existing domains. Both have been failing for a few weeks.

What is going on?

Debug log

acme.sh  --debug 2  --issue -d example.com -w www.example.com.
[Fri Dec 10 08:51:26 CET 2021] _is_idn_d='example.com'
[Fri Dec 10 08:51:26 CET 2021] _idn_temp
[Fri Dec 10 08:51:26 CET 2021] Lets find script dir.
[Fri Dec 10 08:51:26 CET 2021] _SCRIPT_='.acme.sh/acme.sh'
[Fri Dec 10 08:51:26 CET 2021] _script='/root/.acme.sh/acme.sh'
[Fri Dec 10 08:51:26 CET 2021] _script_home='/root/.acme.sh'
[Fri Dec 10 08:51:26 CET 2021] Using config home:/root/.acme.sh
[Fri Dec 10 08:51:26 CET 2021] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.2
[Fri Dec 10 08:51:26 CET 2021] Running cmd: issue
[Fri Dec 10 08:51:26 CET 2021] _main_domain='example.com'
[Fri Dec 10 08:51:26 CET 2021] _alt_domains='no'
[Fri Dec 10 08:51:26 CET 2021] Using config home:/root/.acme.sh
[Fri Dec 10 08:51:26 CET 2021] default_acme_server
[Fri Dec 10 08:51:26 CET 2021] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Fri Dec 10 08:51:26 CET 2021] _ACME_SERVER_HOST='acme.zerossl.com'
[Fri Dec 10 08:51:26 CET 2021] _ACME_SERVER_PATH='v2/DV90'
[Fri Dec 10 08:51:26 CET 2021] DOMAIN_PATH='/root/.acme.sh/example.com'
[Fri Dec 10 08:51:26 CET 2021] '/var/www/html/example.com/' does not contain 'dns'
[Fri Dec 10 08:51:26 CET 2021] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Fri Dec 10 08:51:26 CET 2021] _init api for server: https://acme.zerossl.com/v2/DV90
[Fri Dec 10 08:51:26 CET 2021] Retrying GET
[Fri Dec 10 08:51:26 CET 2021] GET
[Fri Dec 10 08:51:26 CET 2021] url='https://acme.zerossl.com/v2/DV90'
[Fri Dec 10 08:51:26 CET 2021] timeout=
[Fri Dec 10 08:51:26 CET 2021] displayError='1'
[Fri Dec 10 08:51:26 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.dNa8enPbxP  -g '
[Fri Dec 10 08:51:27 CET 2021] ret='0'
[Fri Dec 10 08:51:27 CET 2021] _hcode='0'
[Fri Dec 10 08:51:27 CET 2021] response='<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>
</html>'
[Fri Dec 10 08:51:27 CET 2021] ACME_KEY_CHANGE
[Fri Dec 10 08:51:27 CET 2021] ACME_NEW_AUTHZ
[Fri Dec 10 08:51:27 CET 2021] ACME_NEW_ORDER

And when I do a renewal I get this:

"/root/.acme.sh"/acme.sh --debug 2  --cron --home "/root/.acme.sh"
............. 
[Fri Dec 10 08:57:15 CET 2021] url='https://acme.zerossl.com/v2/DV90'
[Fri Dec 10 08:57:15 CET 2021] timeout=
[Fri Dec 10 08:57:15 CET 2021] displayError='1'
[Fri Dec 10 08:57:15 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.U1bjLhDRPB  -g '
[Fri Dec 10 08:57:16 CET 2021] ret='0'
[Fri Dec 10 08:57:16 CET 2021] _hcode='0'
[Fri Dec 10 08:57:16 CET 2021] response='{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": {
    "termsOfService": "https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf",
    "website": "https://zerossl.com",
    "caaIdentities": ["sectigo.com", "trust-provider.com", "usertrust.com", "comodoca.com", "comodo.com"],
    "externalAccountRequired": true
  }
}'
[Fri Dec 10 08:57:16 CET 2021] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Fri Dec 10 08:57:16 CET 2021] ACME_NEW_AUTHZ
[Fri Dec 10 08:57:16 CET 2021] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Fri Dec 10 08:57:16 CET 2021] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Fri Dec 10 08:57:16 CET 2021] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Fri Dec 10 08:57:16 CET 2021] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf'
[Fri Dec 10 08:57:16 CET 2021] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
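The 504 page in the first debug log is an nginx error body returned where acme.sh expected the JSON directory, so the endpoint variables stay empty (`ACME_NEW_ORDER` is never set) and every later step fails; the second log shows what a healthy directory response looks like. A pre-flight check that fetches the directory with a bounded timeout and confirms it is the RFC 8555 JSON document rather than an HTML error page, written here as an added example and not code from acme.sh: only `check_acme_directory` touches the network, while `classify_directory` is fed the two response bodies captured in this issue. The 15 second timeout and the list of required endpoints are this example's own choices.

```shell
#!/bin/sh
# Added pre-flight check for an ACME directory URL (example code, not part of acme.sh).
# The classifier is separated from the fetch so it can be exercised offline on
# captured responses; only check_acme_directory touches the network.

# classify_directory BODY HTTP_CODE
# Prints one of: ok | gateway-error:<code> | not-json:html-body | missing-endpoint:<name>
# Return status is 0 only for "ok", so the function can gate a cron job.
classify_directory() {
  body=$1
  code=$2
  case "$code" in
    5*) echo "gateway-error:$code"; return 2 ;;
  esac
  # An nginx error page delivered with a 200 code is still useless to an ACME client.
  case "$body" in
    *"<html"*|*"<HTML"*) echo "not-json:html-body"; return 3 ;;
  esac
  # An RFC 8555 directory must name these resources for issuance to proceed.
  for ep in newNonce newAccount newOrder; do
    printf '%s' "$body" | grep -q "\"$ep\"[[:space:]]*:[[:space:]]*\"https://" \
      || { echo "missing-endpoint:$ep"; return 4; }
  done
  echo ok
  return 0
}

# eab_required BODY: status 0 when meta.externalAccountRequired is true
# (ZeroSSL sets this, so a fresh account also needs acme.sh's --eab-kid/--eab-hmac-key).
eab_required() {
  printf '%s' "$1" | grep -q '"externalAccountRequired"[[:space:]]*:[[:space:]]*true'
}

# fetch_directory URL: prints the body followed by a final line holding the HTTP code.
# --max-time bounds the wait so a hung gateway does not stall the whole renewal run.
fetch_directory() {
  curl --silent --show-error --max-time 15 -L -g -w '\n%{http_code}\n' "$1"
}

check_acme_directory() {
  out=$(fetch_directory "$1") || { echo "curl-failed"; return 1; }
  code=$(printf '%s\n' "$out" | tail -n 1)
  body=$(printf '%s\n' "$out" | sed '$d')
  classify_directory "$body" "$code"
}

# Constructed samples, copied from the two responses shown in this issue.
SAMPLE_504_BODY='<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx</center>
</body>
</html>'

SAMPLE_DIR_BODY='{
  "newNonce": "https://acme.zerossl.com/v2/DV90/newNonce",
  "newAccount": "https://acme.zerossl.com/v2/DV90/newAccount",
  "newOrder": "https://acme.zerossl.com/v2/DV90/newOrder",
  "revokeCert": "https://acme.zerossl.com/v2/DV90/revokeCert",
  "keyChange": "https://acme.zerossl.com/v2/DV90/keyChange",
  "meta": { "website": "https://zerossl.com", "externalAccountRequired": true }
}'

# Usage: sh acme_dir_check.sh https://acme.zerossl.com/v2/DV90
if [ -n "${1:-}" ]; then
  check_acme_directory "$1"
fi
```

Run it from the same cron wrapper that calls `acme.sh --cron`: a non-zero status lets the wrapper skip the run and alert, instead of burning acme.sh's 20 nonce retries against a gateway that is already timing out. Because the classifier looks at the body and not only the code, it also catches the case in the first log where curl reported `ret='0'` yet the payload was an HTML error page.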
jrmbchtl commented 2 years ago

I think it's an issue on zerossl's side; when I try to access https://acme.zerossl.com/v2/DV90/newNonce in the browser, I get a 504 gateway timeout

nidr0x commented 2 years ago

Same problem here. It seems a problem on the ZeroSSL side.

kosli commented 2 years ago

I ran into the same issue and switched back to Let's Encrypt. Never had ANY issues with them. See #3842.

Rid commented 2 years ago

I'm getting the same issue, just getting "Could not get nonce, let's try again." then "Giving up sending to CA server after 20 retries."

I haven't even been able to generate one cert, and SSL.com limits you to one domain. So it looks like the only option is Let's Encrypt.

phlbrz commented 2 years ago

Hello, they answered me. [image]

phlbrz commented 2 years ago

I issued today with zerossl and letsencrypt successfully.

I have Bind 9 (9.11) installed; our network team installed it a long time ago. I had to do some fixes in my Bind 9 DNS after understanding subdomains by reading parts of the book DNS and BIND. I'm not using subdomain delegation in Bind 9; it's not helping me, because I'd need to create DNSSEC and DS records for the subdomain, so no thanks for a while (I have only 15 subdomains to generate certificates for with wildcards). My main domain (zone example.com) is authoritative for my subdomain (zone test.example.com), so example.com is authoritative for test.example.com and ns.example.com is the nameserver for both. I included all TXT records inside a file and used the $include directive inside the main zone to include this file. Using this approach, DNSSEC is solved for me and the chain of trust is now working as expected. I had to do everything for NSEC to help Let's Encrypt / ZeroSSL recognize my chain, so I included A records pointing to some valid IP.

Let's Encrypt: [image]

ZeroSSL: [image]

Thanks!

jianboy commented 8 months ago

acme version: v3.0.8

[root@iZuf61cpz1tgvevc1ogx40Z ~]# acme.sh --upgrade --debug 2
[Tue Feb 20 09:31:37 AM CST 2024] Lets find script dir.
[Tue Feb 20 09:31:37 AM CST 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
[Tue Feb 20 09:31:37 AM CST 2024] _script='/root/.acme.sh/acme.sh'
[Tue Feb 20 09:31:37 AM CST 2024] _script_home='/root/.acme.sh'
[Tue Feb 20 09:31:37 AM CST 2024] Using config home:/root/.acme.sh
[Tue Feb 20 09:31:37 AM CST 2024] LE_WORKING_DIR='/root/.acme.sh'
https://github.com/acmesh-official/acme.sh
v3.0.8
[Tue Feb 20 09:31:37 AM CST 2024] Running cmd: upgrade
[Tue Feb 20 09:31:37 AM CST 2024] Using config home:/root/.acme.sh
[Tue Feb 20 09:31:37 AM CST 2024] default_acme_server
[Tue Feb 20 09:31:37 AM CST 2024] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Feb 20 09:31:37 AM CST 2024] _ACME_SERVER_HOST='acme.zerossl.com'
[Tue Feb 20 09:31:37 AM CST 2024] _ACME_SERVER_PATH='v2/DV90'
[Tue Feb 20 09:31:37 AM CST 2024] GET
[Tue Feb 20 09:31:37 AM CST 2024] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Tue Feb 20 09:31:37 AM CST 2024] timeout=
[Tue Feb 20 09:31:37 AM CST 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  --trace-ascii /tmp/tmp.NGmThC6YdM  -g  --insecure  '
[Tue Feb 20 09:31:37 AM CST 2024] ret='0'
[Tue Feb 20 09:31:37 AM CST 2024] Already uptodate!
[Tue Feb 20 09:31:37 AM CST 2024] Upgrade success!

issue cert:

[Tue Feb 20 09:28:36 AM CST 2024] code='200'
[Tue Feb 20 09:28:36 AM CST 2024] original='{"identifier":{"type":"dns","value":"code.xx.com"},"status":"invalid","expires":"2024-03-05T10:45:10Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/NosmwFNyGR3fljcsB72dsQ","status":"invalid","error":{},"token":"Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU"}]}'
[Tue Feb 20 09:28:36 AM CST 2024] response='{"identifier":{"type":"dns","value":"code.xx.com"},"status":"invalid","expires":"2024-03-05T10:45:10Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/NosmwFNyGR3fljcsB72dsQ","status":"invalid","error":{},"token":"Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU"}]}'
[Tue Feb 20 09:28:36 AM CST 2024] response='{"identifier":{"type":"dns","value":"code.xx.com"},"status":"invalid","expires":"2024-03-05T10:45:10Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/NosmwFNyGR3fljcsB72dsQ","status":"invalid","error":{},"token":"Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU"}]}'
[Tue Feb 20 09:28:36 AM CST 2024] get authz objec with invalid status, please try again later.
[Tue Feb 20 09:28:36 AM CST 2024] _authorizations_seg='https://acme.zerossl.com/v2/DV90/authz/jKHAVEhueMpSO8ZfOx9zYA'
[Tue Feb 20 09:28:36 AM CST 2024] {"identifier":{"type":"dns","value":"code.xx.com"},"status":"invalid","expires":"2024-03-05T10:45:10Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/NosmwFNyGR3fljcsB72dsQ","status":"invalid","error":{},"token":"Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU"}]}
[Tue Feb 20 09:28:36 AM CST 2024] pid
[Tue Feb 20 09:28:36 AM CST 2024] No need to restore nginx, skip.
[Tue Feb 20 09:28:36 AM CST 2024] _clearupdns
[Tue Feb 20 09:28:36 AM CST 2024] dns_entries
[Tue Feb 20 09:28:36 AM CST 2024] skip dns.
[Tue Feb 20 09:28:36 AM CST 2024] _on_issue_err
[Tue Feb 20 09:28:36 AM CST 2024] Please add '--debug' or '--log' to check more details.
[Tue Feb 20 09:28:36 AM CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
[Tue Feb 20 09:28:36 AM CST 2024] _chk_vlist
[Tue Feb 20 09:28:36 AM CST 2024] '/data/wwwroot/code.xx.com' does not contain 'dns'
[Tue Feb 20 09:28:36 AM CST 2024] Diagnosis versions:

[Tue Feb 20 09:21:22 AM CST 2024] get to authz error.
[Tue Feb 20 09:21:22 AM CST 2024] _authorizations_map=',<html><head><title>504 Gateway Time-out</title></head><body><center><h1>504 Gateway Time-out</h1></center><hr><center>nginx</center></body></html>#https://acme.zerossl.com/v2/DV90/authz/jKHAVEhueMpSO8ZfOx9zYA
'
[Tue Feb 20 09:21:22 AM CST 2024] pid
[Tue Feb 20 09:21:22 AM CST 2024] No need to restore nginx, skip.
[Tue Feb 20 09:21:22 AM CST 2024] _clearupdns
[Tue Feb 20 09:21:22 AM CST 2024] dns_entries
[Tue Feb 20 09:21:22 AM CST 2024] skip dns.
[Tue Feb 20 09:21:22 AM CST 2024] _on_issue_err
[Tue Feb 20 09:21:22 AM CST 2024] Please add '--debug' or '--log' to check more details.
[Tue Feb 20 09:21:22 AM CST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
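The log above shows two distinct failures: the authz fetch itself hit the same nginx 504 page, and once it did return, the authz was already `invalid` with an empty `error` object, so the CA gives no hint why http-01 validation failed. One thing to rule out locally before blaming the CA is the challenge file under the webroot acme.sh reported (`/data/wwwroot/code.xx.com`). An added example, not acme.sh's own code, that reads such an authz object with the same grep/sed style acme.sh uses and checks that the webroot holds a key authorization for the logged token; the sample authz and token are copied from the log, and the thumbprint used in the test is constructed.

```shell
#!/bin/sh
# Added example (not acme.sh's own code): read an http-01 authz object such as the one
# logged above and verify that the webroot acme.sh used actually holds the challenge
# file. Everything is offline; the JSON is picked apart with grep/sed as acme.sh itself does.

# json_field JSON KEY: first string value stored under "KEY" (empty if absent)
json_field() {
  printf '%s' "$1" \
    | grep -o "\"$2\"[[:space:]]*:[[:space:]]*\"[^\"]*\"" \
    | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# check_http01_authz AUTHZ_JSON WEBROOT
# Prints a one-line summary and the verdict on the challenge file; status 0 only when
# the file exists and begins with the token (a key authorization is "<token>.<thumbprint>").
check_http01_authz() {
  authz=$1
  webroot=$2
  domain=$(json_field "$authz" value)
  status=$(json_field "$authz" status)   # authz-level status comes first in the object
  # Everything after "challenges":[ belongs to the challenge list.
  chall=$(printf '%s' "$authz" | sed 's/.*"challenges"[[:space:]]*:[[:space:]]*\[//')
  ctype=$(json_field "$chall" type)
  cstatus=$(json_field "$chall" status)
  token=$(json_field "$chall" token)
  echo "domain=$domain authz=$status challenge=$ctype/$cstatus"
  [ "$ctype" = "http-01" ] || { echo "no http-01 challenge offered"; return 2; }
  f="$webroot/.well-known/acme-challenge/$token"
  [ -f "$f" ] || { echo "missing: $f"; return 3; }
  case "$(cat "$f")" in
    "$token".*) echo "ok: $f holds a key authorization for this token"; return 0 ;;
    *) echo "wrong content in $f"; return 4 ;;
  esac
}

# Constructed sample: the authz object from the log above (domain and token as logged there).
SAMPLE_AUTHZ='{"identifier":{"type":"dns","value":"code.xx.com"},"status":"invalid","expires":"2024-03-05T10:45:10Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/NosmwFNyGR3fljcsB72dsQ","status":"invalid","error":{},"token":"Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU"}]}'
SAMPLE_TOKEN='Fj61-jrpSJhoqKNcwfTL2fmTeJV5BmiEJ6va90uEeAU'

# Usage: sh authz_check.sh WEBROOT AUTHZ_JSON_FILE
# (paste the authz line from the acme.sh debug output into AUTHZ_JSON_FILE)
if [ $# -eq 2 ]; then
  check_http01_authz "$(cat "$2")" "$1"
fi
```

If the file is present with the right content, the failure is on the path from the CA to that webroot (the vhost serving a different document root, a redirect to HTTPS that drops the path, or a firewall), or on the CA side as in the 504 case; if it is missing, acme.sh never got to write it or removed it before validation completed, which the `--debug 2` output around `_clearupwebbroot` would show.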