danb35 / freenas-iocage-nextcloud

Script to create an iocage jail on FreeNAS for the latest Nextcloud 28 release, including Caddy, MariaDB or PostgreSQL, and Let's Encrypt
GNU General Public License v3.0
258 stars 70 forks

SSL expired, unable to renew #142

Closed absichtengrg closed 4 years ago

absichtengrg commented 4 years ago

I have this issue of being unable to renew SSL cert from Let's Encrypt.

Running .acme.sh/acme.sh --cron comes back with:

===Starting cron===
===End cron===

Please assist.

danb35 commented 4 years ago

It's been a while since I used acme.sh in this script--did you use my script to install Nextcloud? If so, when?

absichtengrg commented 4 years ago

I used acme.sh because i was looking for solutions all around. Certbot and certtool as well. I did use your script. It was installed about 3 months ago.

danb35 commented 4 years ago

If you used my script any time since I started using Caddy over a year ago, you don't need any other ACME client--Caddy should handle the cert issuance and renewal automatically. If the cert isn't being renewed, you should see the errors in /var/log/caddy.log.

absichtengrg commented 4 years ago

There are a lot of TLS Handshake Errors:

2020/09/06 13:51:12 [INFO][cache:0xc0001e6320] Scanning for expiring certificates

2020/09/06 13:51:12 [INFO] Certificate for [example.com] expires in -17h20m20.101836103s; attempting renewal

2020/09/06 13:51:12 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on [::1]:53: read udp [::1]:39758->[::1]:53: read: connection refused (attempt 1/3)

2020/09/06 13:51:13 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on [::1]:53: read udp [::1]:63490->[::1]:53: read: connection refused (attempt 2/3)

2020/09/06 13:51:14 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on [::1]:53: read udp [::1]:26455->[::1]:53: read: connection refused (attempt 3/3)

2020/09/06 13:51:15 [ERROR][cloud.twistmedia.sg] get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on [::1]:53: read udp [::1]:26455->[::1]:53: read: connection refused

danb35 commented 4 years ago

That kind of looks like a DNS failure inside the jail--what happens if you run host acme-v02.api.letsencrypt.org in the jail?
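As an added example (not from this thread and not part of danb35's script), a small Python triage of caddy.log lines like the ones posted above: it flags certificates whose "expires in" has gone negative and pulls out the refused DNS lookups that danb35 points to as the likely cause. The sample log is constructed to match the posted excerpt; the certificate name and ports are illustrative.

```python
import re
from datetime import timedelta

# Constructed sample, modelled on the caddy.log excerpt posted in the thread
# (certificate name, timestamps and ephemeral ports are illustrative).
SAMPLE_LOG = """\
2020/09/06 13:51:12 [INFO][cache:0xc0001e6320] Scanning for expiring certificates
2020/09/06 13:51:12 [INFO] Certificate for [example.com] expires in -17h20m20.101836103s; attempting renewal
2020/09/06 13:51:12 [ERROR] Making new certificate manager: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org on [::1]:53: read udp [::1]:39758->[::1]:53: read: connection refused (attempt 1/3)
"""

EXPIRY_RE = re.compile(r"Certificate for \[(?P<name>[^\]]+)\] expires in (?P<dur>-?[\d.hms]+)")
DNS_RE = re.compile(r"lookup (?P<host>\S+) on (?P<server>\[[^\]]+\]:\d+|[\d.]+:\d+):.*connection refused")
GO_DUR_RE = re.compile(r"^(-?)(?:(\d+)h)?(?:(\d+)m)?(?:([\d.]+)s)?$")

def parse_go_duration(text):
    """Convert a Go-style duration ('-17h20m20.1s', '2h') into a timedelta."""
    m = GO_DUR_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised duration: {text}")
    sign, hours, minutes, seconds = m.groups()
    td = timedelta(hours=float(hours or 0), minutes=float(minutes or 0), seconds=float(seconds or 0))
    return -td if sign else td

def triage_caddy_log(log_text):
    """Return lapsed certificate names and refused (host, resolver) DNS lookups from Caddy log text."""
    expired, dns_failures = [], []
    for line in log_text.splitlines():
        m = EXPIRY_RE.search(line)
        if m and parse_go_duration(m.group("dur")) < timedelta(0):
            expired.append(m.group("name"))
        m = DNS_RE.search(line)
        if m:
            pair = (m.group("host"), m.group("server"))
            if pair not in dns_failures:
                dns_failures.append(pair)
    # A refusal from [::1]:53 means nothing answers DNS inside the jail, so Caddy never reaches the ACME directory.
    if dns_failures:
        verdict = "resolver refused lookups inside the jail; fix the jail's DNS, Caddy retries on its own"
    else:
        verdict = "no DNS refusal seen" + ("; a certificate has lapsed, check later lines" if expired else "")
    return {"expired": expired, "dns_failures": dns_failures, "verdict": verdict}
```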

absichtengrg commented 4 years ago

host acme-v02.api.letsencrypt.org

acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

I did solve an issue with the DNS when Nextcloud showed that there "was no working internet connection". So the DNS now works, but I'm not sure how to renew the cert.

danb35 commented 4 years ago

That looks like a good start. What about curl https://acme-v02.api.letsencrypt.org/directory?

absichtengrg commented 4 years ago

Here's the output:

curl https://acme-v02.api.letsencrypt.org/directory

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
  "taJzuYv9bVA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}

absichtengrg commented 4 years ago

Wait, for some reason the SSL cert is renewed. Is there a command to run to manually renew the certificate?

danb35 commented 4 years ago

Is there a command to run to manually renew the certificate?

No, Caddy's supposed to handle it automatically, but there's no manual command. Perhaps it was temporarily confused about what to use as a name server.