Prevent future email outages by fixing LetsEncrypt SSL autorenewal issues and monitoring expiry dates

[joshuacwnewton]

This issue is tangential to https://github.com/spinalcordmri/spinalcordmri.github.io/issues/79. That issue is about monitoring email outages of any kind. However, to mitigate outages specifically related to SSL certificate renewal, we should get to the bottom of why the SSL certificate failed to auto-renew in the first place.

1st outage

The expiry date for the very first cert (first email outage) was:

forum@forum:~$ cd /var/discourse/shared/standalone/ssl_backup_expired_cert
forum@forum:/var/discourse/shared/standalone/ssl_backup_expired_cert$ openssl x509 -enddate -noout -in devforum.spinalcordmri.org.cer
notAfter=Mar 14 23:22:16 2023 GMT

This seems to line up with when emails began getting dropped:

This outage was caught and fixed on May 11th, 2023.

2nd outage

After renewal, the expiry date for the new cert (i.e. second email outage) was:

forum@forum:/var/discourse/shared/standalone/ssl_backup_expired_cert$ openssl x509 -enddate -noout -in forum.spinalcordmri.org.cer
notAfter=Jul 14 23:22:16 2023 GMT

This doesn't quite make sense to me, as LetsEncrypt SSL certs should last for 90 days. May 11th + 90 days = August 9th, which is also when the forum began dropping emails a second time:

The second outage was caught and fixed on August 18th, 2023.

Next outage

If we check the current cert, we see:

forum@forum:/var/discourse/shared/standalone/ssl_backup_expired_cert$ cd ../ssl
forum@forum:/var/discourse/shared/standalone/ssl$ openssl x509 -enddate -noout -in forum.spinalcordmri.org.cer
notAfter=Oct 7 23:03:14 2023 GMT

This is again a bit strange, since August 18th + 90 days = November 16th instead. Still, even if the auto-renewal issues are fixed, we should keep an eye out on these various dates, and perhaps set up some sort of reminder.

[joshuacwnewton]

From what I can tell from the documentation, Discourse uses acme.sh for cert renewal (as opposed to, say, certbot). Plus, setting up Discourse should automatically enable a cron job that will run acme.sh:

At the same time, it adds a cron job that runs a daily cert renewal check. This will automatically renew your cert. Nothing happens if cert has not expired. If the certificate does expire, you’ll get an email about it from Let’s Encrypt at the email address you provided during setup.

I checked our app.yml config file, and everything appears to be setup correctly for LetsEncrypt/SSL:

## Uncomment these two lines if you wish to add Lets Encrypt (https)
  - "templates/web.ssl.template.yml"
  - "templates/web.letsencrypt.ssl.template.yml"

## which TCP/IP ports should this container expose?
## If you want Discourse to share a port with another webserver like Apache or nginx,
## see https://meta.discourse.org/t/17247 for details
expose:
  - "80:80"   # http
  - "443:443" # https

[...]

  ## If you added the Lets Encrypt template, uncomment below to get a free SSL certificate
  LETSENCRYPT_ACCOUNT_EMAIL: neuropoly-admin@liste.polymtl.ca

Yet, we've never received an email at "neuropoly-admin@liste.polymtl.ca" about a LetsEncrypt expiry. Very curious!

[joshuacwnewton]

Digging in deeper into the acme.sh logs:

root@forum:~# cd /var/discourse
root@forum:/var/discourse# ./launcher enter app
root@forum-app:/var/www/discourse# cd /shared/letsencrypt
root@forum-app:/shared/letsencrypt# cat acme.sh.log 
[...]
[Wed Sep  6 00:20:12 UTC 2023] Skip, Next renewal time is: 2023-09-07T00:03:16Z
[Wed Sep  6 00:20:12 UTC 2023] Add '--force' to force to renew.
[Wed Sep  6 00:20:12 UTC 2023] Return code: 2
[Wed Sep  6 00:20:12 UTC 2023] Skipped forum.spinalcordmri.org

``` [Wed Sep 6 00:20:01 UTC 2023] LE_WORKING_DIR='/shared/letsencrypt' [Wed Sep 6 00:20:01 UTC 2023] Running cmd: cron [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] ===Starting cron=== [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] GET [Wed Sep 6 00:20:01 UTC 2023] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master' [Wed Sep 6 00:20:01 UTC 2023] timeout= [Wed Sep 6 00:20:01 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:01 UTC 2023] ret='0' [Wed Sep 6 00:20:01 UTC 2023] Already uptodate! [Wed Sep 6 00:20:01 UTC 2023] Upgrade success! [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] Auto upgraded to: 3.0.7 [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] _stopRenewOnError [Wed Sep 6 00:20:01 UTC 2023] _server [Wed Sep 6 00:20:01 UTC 2023] _set_level='2' [Wed Sep 6 00:20:01 UTC 2023] di='/shared/letsencrypt/devforum.spinalcordmri.org/' [Wed Sep 6 00:20:01 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:01 UTC 2023] _renewServer [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] DOMAIN_PATH='/shared/letsencrypt/devforum.spinalcordmri.org' [Wed Sep 6 00:20:01 UTC 2023] Renew: 'devforum.spinalcordmri.org' [Wed Sep 6 00:20:01 UTC 2023] Le_API='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:01 UTC 2023] initpath again. [Wed Sep 6 00:20:01 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:01 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:01 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:01 UTC 2023] _main_domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:01 UTC 2023] _alt_domains='no' [Wed Sep 6 00:20:01 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:01 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:01 UTC 2023] Le_NextRenewTime='1676133797' [Wed Sep 6 00:20:01 UTC 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:01 UTC 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:01 UTC 2023] GET [Wed Sep 6 00:20:01 UTC 2023] url='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:01 UTC 2023] timeout= [Wed Sep 6 00:20:01 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:01 UTC 2023] ret='0' [Wed Sep 6 00:20:01 UTC 2023] response='{ "-yySsZGZ9S4": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }' [Wed Sep 6 00:20:01 UTC 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change' [Wed Sep 6 00:20:01 UTC 2023] ACME_NEW_AUTHZ [Wed Sep 6 00:20:01 UTC 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:01 UTC 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct' [Wed Sep 6 00:20:01 UTC 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert' [Wed Sep 6 00:20:01 UTC 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf' [Wed Sep 6 00:20:01 UTC 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:02 UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:02 UTC 2023] _on_before_issue [Wed Sep 6 00:20:02 UTC 2023] _chk_main_domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] _chk_alt_domains [Wed Sep 6 00:20:02 UTC 2023] '/var/www/discourse/public' does not contain 'no' [Wed Sep 6 00:20:02 UTC 2023] Le_LocalAddress [Wed Sep 6 00:20:02 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] Check for domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:02 UTC 2023] d [Wed Sep 6 00:20:02 UTC 2023] '/var/www/discourse/public' does not contain 'apache' [Wed Sep 6 00:20:02 UTC 2023] _saved_account_key_hash='Fe0wria7nQ32QfF6akPdYBguDcgorWproKyCpdsTFhU=' [Wed Sep 6 00:20:02 UTC 2023] _saved_account_key_hash is not changed, skip register account. [Wed Sep 6 00:20:02 UTC 2023] Read key length:4096 [Wed Sep 6 00:20:02 UTC 2023] _createcsr [Wed Sep 6 00:20:02 UTC 2023] domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] domainlist [Wed Sep 6 00:20:02 UTC 2023] csrkey='/shared/letsencrypt/devforum.spinalcordmri.org/devforum.spinalcordmri.org.key' [Wed Sep 6 00:20:02 UTC 2023] csr='/shared/letsencrypt/devforum.spinalcordmri.org/devforum.spinalcordmri.org.csr' [Wed Sep 6 00:20:02 UTC 2023] csrconf='/shared/letsencrypt/devforum.spinalcordmri.org/devforum.spinalcordmri.org.csr.conf' [Wed Sep 6 00:20:02 UTC 2023] Single domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] seg='devforum' [Wed Sep 6 00:20:02 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] _idn_temp [Wed Sep 6 00:20:02 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] _idn_temp [Wed Sep 6 00:20:02 UTC 2023] _csr_cn='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] seg='devforum' [Wed Sep 6 00:20:02 UTC 2023] Getting domain auth token for each domain [Wed Sep 6 00:20:02 UTC 2023] seg='devforum' [Wed Sep 6 00:20:02 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:02 UTC 2023] _idn_temp [Wed Sep 6 00:20:02 UTC 2023] d [Wed Sep 6 00:20:02 UTC 2023] _identifiers='{"type":"dns","value":"devforum.spinalcordmri.org"}' [Wed Sep 6 00:20:02 UTC 2023] _notBefore [Wed Sep 6 00:20:02 UTC 2023] _notAfter [Wed Sep 6 00:20:02 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:02 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:02 UTC 2023] payload='{"identifiers": [{"type":"dns","value":"devforum.spinalcordmri.org"}]}' [Wed Sep 6 00:20:02 UTC 2023] RSA key [Wed Sep 6 00:20:02 UTC 2023] _URGLY_PRINTF [Wed Sep 6 00:20:02 UTC 2023] xargs [Wed Sep 6 00:20:02 UTC 2023] _URGLY_PRINTF [Wed Sep 6 00:20:02 UTC 2023] xargs [Wed Sep 6 00:20:02 UTC 2023] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:02 UTC 2023] HEAD [Wed Sep 6 00:20:02 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:02 UTC 2023] body [Wed Sep 6 00:20:02 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:02 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g -I ' [Wed Sep 6 00:20:02 UTC 2023] _ret='0' [Wed Sep 6 00:20:02 UTC 2023] _headers='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:02 GMT cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 5x-p0dvMVJDEPT_pQhGt89g-m5CF_qz8xZmwuNg1BY_QvghATjI x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:02 UTC 2023] _CACHED_NONCE='5x-p0dvMVJDEPT_pQhGt89g-m5CF_qz8xZmwuNg1BY_QvghATjI' [Wed Sep 6 00:20:02 UTC 2023] nonce='5x-p0dvMVJDEPT_pQhGt89g-m5CF_qz8xZmwuNg1BY_QvghATjI' [Wed Sep 6 00:20:02 UTC 2023] POST [Wed Sep 6 00:20:02 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:02 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TVZKREVQVF9wUWhHdDg5Zy1tNUNGX3F6OHhabXd1TmcxQllfUXZnaEFUakkiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6ImRldmZvcnVtLnNwaW5hbGNvcmRtcmkub3JnIn1dfQ", "signature": "B8at6CaVfb-21t-WzdPRUK7ps1Bie0GTkBPZhdmfDpN4QB678hbTpqvhRJBTdYInRR8bq7eQBVpD--BHkEIAbIGWdJhSaqCyEzPZHi6Zw6zYvdl9lbqJUPzOXm7kPD2LEB3M4ORsEcxD2JQo5tk0w_nXULZVbgZO7lro8vrKWEU_516PjcQC_sVWqeOMC3kGrWPvZSG_Po5ZlX1OjncI99VWIoBfUKW40U68X-O3Mzas1kakpY_DmFt0v7_ispjGBY6JGneCRPiu1GA2STP4IBNEqjk-5krZwf9wFp8_kUEuLwIl1vqQG765KIlgdQzPAFW0qgaBjkW436L72QPfhg"}' [Wed Sep 6 00:20:02 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:02 UTC 2023] Http already initialized. [Wed Sep 6 00:20:02 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:03 UTC 2023] _ret='0' [Wed Sep 6 00:20:03 UTC 2023] responseHeaders='HTTP/2 201 server: nginx date: Wed, 06 Sep 2023 00:20:03 GMT content-type: application/json content-length: 351 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" location: https://acme-v02.api.letsencrypt.org/acme/order/871442277/206458280836 replay-nonce: NeA5tXIgW2BjkC91jivkTv1pFZ72C8ErmWLHUOzUT_orFRFnRYw x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:03 UTC 2023] code='201' [Wed Sep 6 00:20:03 UTC 2023] original='{ "status": "pending", "expires": "2023-09-13T00:20:02Z", "identifiers": [ { "type": "dns", "value": "devforum.spinalcordmri.org" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458280836" }' [Wed Sep 6 00:20:03 UTC 2023] response='{"status":"pending","expires":"2023-09-13T00:20:02Z","identifiers":[{"type":"dns","value":"devforum.spinalcordmri.org"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458280836"}' [Wed Sep 6 00:20:03 UTC 2023] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/871442277/206458280836' [Wed Sep 6 00:20:03 UTC 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458280836' [Wed Sep 6 00:20:03 UTC 2023] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:03 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] payload [Wed Sep 6 00:20:03 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:03 UTC 2023] Use _CACHED_NONCE='NeA5tXIgW2BjkC91jivkTv1pFZ72C8ErmWLHUOzUT_orFRFnRYw' [Wed Sep 6 00:20:03 UTC 2023] nonce='NeA5tXIgW2BjkC91jivkTv1pFZ72C8ErmWLHUOzUT_orFRFnRYw' [Wed Sep 6 00:20:03 UTC 2023] POST [Wed Sep 6 00:20:03 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] body='{"protected": "eyJub25jZSI6ICJOZUE1dFhJZ1cyQmprQzkxaml2a1R2MXBGWjcyQzhFcm1XTEhVT3pVVF9vckZSRm5SWXciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI2MTc0ODIxODU5NiIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "", "signature": "wK046s1pnwcUa4eu2MxY6vu8cgsSHmwi1tjggCA2eofMlyajn1k_x-gJd08mCmBR64VGI_vn1GUi8jShRYdhvph8Lt74BE7YI_HWUkgyps0Y7ePv1QilLvog4uI6Mpd7LdaygRqFD2JsWCxHeLz_6JLTTZ275OfwlLWOUP-RSKl1Hq3dWau0DJWroQ9gn6CHQuBHyng6IlTnFRdv1fS9amXTN6MgGO4CC-UEsDGLo90h9v67xFCM8G2j6csTysNBqQQYqzNXO4ScozgREjQApkGb3KCjvHZwooQgWdPz4PmOKdYBgp_3yFz27bDVq1sXr2mFUGyk97r9_ZzowsIpjg"}' [Wed Sep 6 00:20:03 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:03 UTC 2023] Http already initialized. [Wed Sep 6 00:20:03 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:03 UTC 2023] _ret='0' [Wed Sep 6 00:20:03 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:03 GMT content-type: application/json content-length: 810 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 2zuXfv7ZyRSryf7uXyOZWuFz61uSnHbpfsagQHygsXxrhhFyEmE x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:03 UTC 2023] code='200' [Wed Sep 6 00:20:03 UTC 2023] original='{ "identifier": { "type": "dns", "value": "devforum.spinalcordmri.org" }, "status": "pending", "expires": "2023-09-13T00:20:02Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw", "token": "fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg", "token": "fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg", "token": "fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM" } ] }' [Wed Sep 6 00:20:03 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}]}' [Wed Sep 6 00:20:03 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}]}' [Wed Sep 6 00:20:03 UTC 2023] _d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] _authorizations_map='devforum.spinalcordmri.org,{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596 ' [Wed Sep 6 00:20:03 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] Getting webroot for domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] _w='/var/www/discourse/public' [Wed Sep 6 00:20:03 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:03 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] _idn_temp [Wed Sep 6 00:20:03 UTC 2023] _candidates='devforum.spinalcordmri.org,{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/V2krpg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/nZsdzg","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"' [Wed Sep 6 00:20:03 UTC 2023] token='fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM' [Wed Sep 6 00:20:03 UTC 2023] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:03 UTC 2023] keyauthorization='fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:03 UTC 2023] dvlist='devforum.spinalcordmri.org#fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] d [Wed Sep 6 00:20:03 UTC 2023] vlist='devforum.spinalcordmri.org#fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596,' [Wed Sep 6 00:20:03 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] ok, let's start to verify [Wed Sep 6 00:20:03 UTC 2023] Verifying: devforum.spinalcordmri.org [Wed Sep 6 00:20:03 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:03 UTC 2023] keyauthorization='fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:03 UTC 2023] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:03 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:03 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:03 UTC 2023] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge' [Wed Sep 6 00:20:03 UTC 2023] writing token:fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM to /var/www/discourse/public/.well-known/acme-challenge/fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM [Wed Sep 6 00:20:03 UTC 2023] Trigger domain validation. [Wed Sep 6 00:20:03 UTC 2023] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:03 UTC 2023] _t_key_authz='fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:03 UTC 2023] _t_vtype='http-01' [Wed Sep 6 00:20:03 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:03 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:03 UTC 2023] payload='{}' [Wed Sep 6 00:20:03 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:03 UTC 2023] Use _CACHED_NONCE='2zuXfv7ZyRSryf7uXyOZWuFz61uSnHbpfsagQHygsXxrhhFyEmE' [Wed Sep 6 00:20:03 UTC 2023] nonce='2zuXfv7ZyRSryf7uXyOZWuFz61uSnHbpfsagQHygsXxrhhFyEmE' [Wed Sep 6 00:20:03 UTC 2023] POST [Wed Sep 6 00:20:03 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:03 UTC 2023] body='{"protected": "eyJub25jZSI6ICIyenVYZnY3WnlSU3J5Zjd1WHlPWld1Rno2MXVTbkhicGZzYWdRSHlnc1h4cmhoRnlFbUUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzI2MTc0ODIxODU5Ni9iX001anciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0Lzg3MTQ0MjI3NyJ9", "payload": "e30", "signature": "hMIi2ZKN4_AnX-fzeeYvwW5kMjGcPqMER60Ws7Qt44wCwrPGtJVBvJ30OyjxMj2ePaBwNerJCA8SfHvH189Z2UyOh3u7DShLnmutFJoJFXZVVdEkTxvAcj2T2jC2IXLQbWGlX0Yo4t6wJOu4QQg4a1RpwIfQc11NrFAeIcJqwwKrK9Xe9qQVshL1VTNGLNQwg-V1PRoOPAu-lY4BukSJHQMFMePAwucn6oCGc1wz2IPtcri5d7_6fhX2GuKQA2EYINm6WpZh0dPo5i_so-mNgL7fNE4yytDUD2F7BXHBNCHUCLWuApcbuyQd3aVwZlkM9VrtXTRjddjeeqKK0yj9zg"}' [Wed Sep 6 00:20:03 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:03 UTC 2023] Http already initialized. [Wed Sep 6 00:20:03 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:04 UTC 2023] _ret='0' [Wed Sep 6 00:20:04 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:04 GMT content-type: application/json content-length: 187 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" link: ;rel="up" location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw replay-nonce: De3Ke-Skw5gz3S_5m9od47ym-3kg83ilG2eR14q5_cKRMcqJDOs x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:04 UTC 2023] code='200' [Wed Sep 6 00:20:04 UTC 2023] original='{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw", "token": "fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM" }' [Wed Sep 6 00:20:04 UTC 2023] response='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}' [Wed Sep 6 00:20:04 UTC 2023] trigger validation code: 200 [Wed Sep 6 00:20:04 UTC 2023] Lets check the status of the authz [Wed Sep 6 00:20:04 UTC 2023] original='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}' [Wed Sep 6 00:20:04 UTC 2023] response='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM"}' [Wed Sep 6 00:20:04 UTC 2023] status='pending' [Wed Sep 6 00:20:04 UTC 2023] Pending, The CA is processing your order, please just wait. (1/30) [Wed Sep 6 00:20:04 UTC 2023] sleep 2 secs to verify again [Wed Sep 6 00:20:06 UTC 2023] checking [Wed Sep 6 00:20:06 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:06 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:06 UTC 2023] payload [Wed Sep 6 00:20:06 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:06 UTC 2023] Use _CACHED_NONCE='De3Ke-Skw5gz3S_5m9od47ym-3kg83ilG2eR14q5_cKRMcqJDOs' [Wed Sep 6 00:20:06 UTC 2023] nonce='De3Ke-Skw5gz3S_5m9od47ym-3kg83ilG2eR14q5_cKRMcqJDOs' [Wed Sep 6 00:20:06 UTC 2023] POST [Wed Sep 6 00:20:06 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596' [Wed Sep 6 00:20:06 UTC 2023] body='{"protected": "eyJub25jZSI6ICJEZTNLZS1Ta3c1Z3ozU181bTlvZDQ3eW0tM2tnODNpbEcyZVIxNHE1X2NLUk1jcUpET3MiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI2MTc0ODIxODU5NiIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "", "signature": "u6aVDnZjz_IX3ohYeKsOWP0Z0P6egL74qeztp64c-zYtjYDMg0cNlIsYJ07pI_OKE2Miiy87kSn1jy5-PBGj96rRRBsbpTt60ve1HrwNHCGdj0kkGDJOpFZXVYbBosBITFUmNw7DyoEdsW3Plt3J2tMV7quvc3z4YVPqSXzZXH_-KJE73V2A3-wVvUWjzJ3ZRb5cxGLyKPlU1YYlEZDFxouTGlUj_LMcdg2gMV-rSq0eReUWWpa_yZZ2mMGZI-r8CD-Lzn-U4M8Bw0vVYq9b9XQD03as1--C_3-dQyix6P1oOlYfaAlqdWljrin4L_RYFlLCoBP2mb0zeeHo0XIGQQ"}' [Wed Sep 6 00:20:06 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:06 UTC 2023] Http already initialized. [Wed Sep 6 00:20:06 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:06 UTC 2023] _ret='0' [Wed Sep 6 00:20:06 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:06 GMT content-type: application/json content-length: 777 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 5x-p0dvMIJ2pqaxqXon4pCJ1QDsIy6eHUnUmN2ezQpNIilWJFQw x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:06 UTC 2023] code='200' [Wed Sep 6 00:20:06 UTC 2023] original='{ "identifier": { "type": "dns", "value": "devforum.spinalcordmri.org" }, "status": "invalid", "expires": "2023-09-13T00:20:02Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw", "token": "fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM", "validated": "2023-09-06T00:20:04Z" } ] }' [Wed Sep 6 00:20:06 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM","validated":"2023-09-06T00:20:04Z"}]}' [Wed Sep 6 00:20:06 UTC 2023] original='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM","validated":"2023-09-06T00:20:04Z"}]}' [Wed Sep 6 00:20:06 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:02Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw","token":"fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM","validated":"2023-09-06T00:20:04Z"}]}' [Wed Sep 6 00:20:06 UTC 2023] status='invalid invalid' [Wed Sep 6 00:20:06 UTC 2023] error='"error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400' [Wed Sep 6 00:20:06 UTC 2023] errordetail='DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain' [Wed Sep 6 00:20:06 UTC 2023] Invalid status, devforum.spinalcordmri.org:Verify error detail:DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain [Wed Sep 6 00:20:06 UTC 2023] pid [Wed Sep 6 00:20:06 UTC 2023] No need to restore nginx, skip. [Wed Sep 6 00:20:06 UTC 2023] _clearupdns [Wed Sep 6 00:20:06 UTC 2023] dns_entries [Wed Sep 6 00:20:06 UTC 2023] skip dns. [Wed Sep 6 00:20:06 UTC 2023] _on_issue_err [Wed Sep 6 00:20:06 UTC 2023] Please check log file for more details: /shared/letsencrypt/acme.sh.log [Wed Sep 6 00:20:06 UTC 2023] _chk_vlist='devforum.spinalcordmri.org#fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748218596,' [Wed Sep 6 00:20:06 UTC 2023] start to deactivate authz [Wed Sep 6 00:20:06 UTC 2023] Trigger domain validation. [Wed Sep 6 00:20:06 UTC 2023] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:06 UTC 2023] _t_key_authz='fuhujLPOjTt5mLWISde1btvdHSPT1hlGYZjFX06tvWM.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:06 UTC 2023] _t_vtype [Wed Sep 6 00:20:06 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:06 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:06 UTC 2023] payload='{}' [Wed Sep 6 00:20:06 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:06 UTC 2023] Use _CACHED_NONCE='5x-p0dvMIJ2pqaxqXon4pCJ1QDsIy6eHUnUmN2ezQpNIilWJFQw' [Wed Sep 6 00:20:06 UTC 2023] nonce='5x-p0dvMIJ2pqaxqXon4pCJ1QDsIy6eHUnUmN2ezQpNIilWJFQw' [Wed Sep 6 00:20:06 UTC 2023] POST [Wed Sep 6 00:20:06 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748218596/b_M5jw' [Wed Sep 6 00:20:06 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TUlKMnBxYXhxWG9uNHBDSjFRRHNJeTZlSFVuVW1OMmV6UXBOSWlsV0pGUXciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzI2MTc0ODIxODU5Ni9iX001anciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0Lzg3MTQ0MjI3NyJ9", "payload": "e30", "signature": "ahxFY7knrKB6C7LaHYqKrO1hlxmwjSj1JKQHVPvmaeh4hMLcvV75_ukN-vRcBQb4sqnjitj1by1of_PHyOZqE_po_Q0W8k6Z7Qj2sh87I3cHvxJ1CYZiLGWik0DBYMJi-GiB3TF6zslPjrOfTpEJM2MndmB40Q2wQE6h-Msv9XmwMgR36b0zfNVR8vnAz0rgl1qEznzMot0lw4QUaa06JFLtGo32XI3RdahAPwofD_BRlNQLe4vY7mS3KJPhleJb083x3d_VUYjLVCSfH2zA91NA4E6mbsJi0ENBFZyt8aHUaCm1GLlZESq6zV4HakRaT7sI9oSccchs5aeP5YYHdw"}' [Wed Sep 6 00:20:06 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:06 UTC 2023] Http already initialized. [Wed Sep 6 00:20:06 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:06 UTC 2023] _ret='0' [Wed Sep 6 00:20:06 UTC 2023] responseHeaders='HTTP/2 400 server: nginx date: Wed, 06 Sep 2023 00:20:06 GMT content-type: application/problem+json content-length: 144 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: De3Ke-Skl23ElYoYWPHWeSItIQAuiudp52gZnyc2A5p31799rJ0 ' [Wed Sep 6 00:20:06 UTC 2023] code='400' [Wed Sep 6 00:20:06 UTC 2023] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }' [Wed Sep 6 00:20:06 UTC 2023] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }' [Wed Sep 6 00:20:06 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:06 UTC 2023] Return code: 1 [Wed Sep 6 00:20:06 UTC 2023] Error renew devforum.spinalcordmri.org. [Wed Sep 6 00:20:06 UTC 2023] di='/shared/letsencrypt/devforum.spinalcordmri.org_ecc/' [Wed Sep 6 00:20:06 UTC 2023] d='devforum.spinalcordmri.org_ecc' [Wed Sep 6 00:20:06 UTC 2023] _renewServer [Wed Sep 6 00:20:06 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:06 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:06 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:06 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:06 UTC 2023] DOMAIN_PATH='/shared/letsencrypt/devforum.spinalcordmri.org_ecc' [Wed Sep 6 00:20:06 UTC 2023] Renew: 'devforum.spinalcordmri.org' [Wed Sep 6 00:20:06 UTC 2023] Le_API='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:07 UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:07 UTC 2023] initpath again. [Wed Sep 6 00:20:07 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:07 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:07 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:07 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:07 UTC 2023] _main_domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _alt_domains='no' [Wed Sep 6 00:20:07 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:07 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:07 UTC 2023] Le_NextRenewTime='1676133802' [Wed Sep 6 00:20:07 UTC 2023] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:07 UTC 2023] _init api for server: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:07 UTC 2023] GET [Wed Sep 6 00:20:07 UTC 2023] url='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:07 UTC 2023] timeout= [Wed Sep 6 00:20:07 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:07 UTC 2023] ret='0' [Wed Sep 6 00:20:07 UTC 2023] response='{ "eCLLNZ3VodA": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf", "website": "https://letsencrypt.org" }, "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-01/renewalInfo/", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }' [Wed Sep 6 00:20:07 UTC 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change' [Wed Sep 6 00:20:07 UTC 2023] ACME_NEW_AUTHZ [Wed Sep 6 00:20:07 UTC 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:07 UTC 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct' [Wed Sep 6 00:20:07 UTC 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert' [Wed Sep 6 00:20:07 UTC 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf' [Wed Sep 6 00:20:07 UTC 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:07 UTC 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:07 UTC 2023] _on_before_issue [Wed Sep 6 00:20:07 UTC 2023] _chk_main_domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _chk_alt_domains [Wed Sep 6 00:20:07 UTC 2023] '/var/www/discourse/public' does not contain 'no' [Wed Sep 6 00:20:07 UTC 2023] Le_LocalAddress [Wed Sep 6 00:20:07 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] Check for domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:07 UTC 2023] d [Wed Sep 6 00:20:07 UTC 2023] '/var/www/discourse/public' does not contain 'apache' [Wed Sep 6 00:20:07 UTC 2023] _saved_account_key_hash='Fe0wria7nQ32QfF6akPdYBguDcgorWproKyCpdsTFhU=' [Wed Sep 6 00:20:07 UTC 2023] _saved_account_key_hash is not changed, skip register account. [Wed Sep 6 00:20:07 UTC 2023] Read key length:ec-256 [Wed Sep 6 00:20:07 UTC 2023] _createcsr [Wed Sep 6 00:20:07 UTC 2023] domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] domainlist [Wed Sep 6 00:20:07 UTC 2023] csrkey='/shared/letsencrypt/devforum.spinalcordmri.org_ecc/devforum.spinalcordmri.org.key' [Wed Sep 6 00:20:07 UTC 2023] csr='/shared/letsencrypt/devforum.spinalcordmri.org_ecc/devforum.spinalcordmri.org.csr' [Wed Sep 6 00:20:07 UTC 2023] csrconf='/shared/letsencrypt/devforum.spinalcordmri.org_ecc/devforum.spinalcordmri.org.csr.conf' [Wed Sep 6 00:20:07 UTC 2023] Single domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] seg='devforum' [Wed Sep 6 00:20:07 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _idn_temp [Wed Sep 6 00:20:07 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _idn_temp [Wed Sep 6 00:20:07 UTC 2023] _csr_cn='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] seg='devforum' [Wed Sep 6 00:20:07 UTC 2023] Getting domain auth token for each domain [Wed Sep 6 00:20:07 UTC 2023] seg='devforum' [Wed Sep 6 00:20:07 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:07 UTC 2023] _idn_temp [Wed Sep 6 00:20:07 UTC 2023] d [Wed Sep 6 00:20:07 UTC 2023] _identifiers='{"type":"dns","value":"devforum.spinalcordmri.org"}' [Wed Sep 6 00:20:07 UTC 2023] _notBefore [Wed Sep 6 00:20:07 UTC 2023] _notAfter [Wed Sep 6 00:20:07 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:07 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:07 UTC 2023] payload='{"identifiers": [{"type":"dns","value":"devforum.spinalcordmri.org"}]}' [Wed Sep 6 00:20:07 UTC 2023] RSA key [Wed Sep 6 00:20:07 UTC 2023] _URGLY_PRINTF [Wed Sep 6 00:20:07 UTC 2023] xargs [Wed Sep 6 00:20:07 UTC 2023] _URGLY_PRINTF [Wed Sep 6 00:20:07 UTC 2023] xargs [Wed Sep 6 00:20:07 UTC 2023] Get nonce with HEAD. ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:07 UTC 2023] HEAD [Wed Sep 6 00:20:07 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-nonce' [Wed Sep 6 00:20:07 UTC 2023] body [Wed Sep 6 00:20:07 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:07 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g -I ' [Wed Sep 6 00:20:07 UTC 2023] _ret='0' [Wed Sep 6 00:20:07 UTC 2023] _headers='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:07 GMT cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 5x-p0dvM6wWTh-kDahc0MYgWu1JKl8MJWAOIxplSXgO-1tlkOLk x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:07 UTC 2023] _CACHED_NONCE='5x-p0dvM6wWTh-kDahc0MYgWu1JKl8MJWAOIxplSXgO-1tlkOLk' [Wed Sep 6 00:20:07 UTC 2023] nonce='5x-p0dvM6wWTh-kDahc0MYgWu1JKl8MJWAOIxplSXgO-1tlkOLk' [Wed Sep 6 00:20:07 UTC 2023] POST [Wed Sep 6 00:20:07 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/new-order' [Wed Sep 6 00:20:07 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TTZ3V1RoLWtEYWhjME1ZZ1d1MUpLbDhNSldBT0l4cGxTWGdPLTF0bGtPTGsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1vcmRlciIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiJkbnMiLCJ2YWx1ZSI6ImRldmZvcnVtLnNwaW5hbGNvcmRtcmkub3JnIn1dfQ", "signature": "KWDZ1tqu5WrkLJZFS1W6UAjL9SC2-MvVJNZGDpX5UjrhAOFdmr1MeBD8IZVE1n9jCz7k6p39lGyx3NXBLeaKSVszTzOeVVaKNG2ajQRDm1Eh3Nj1nGOuFjVQv0hBQfycUPxnO2TXtHWP6eDu3ayMsx-CphCFu4CxXkr1zfAlq5TRX_6YeBKkgq7MNze5-vQ0o8YLLDCdzof7Ja7-lo3RYFdYXQYpZONjwLoOCQg12oD-yDZfGhJKe1t4qJAhmX0UZblNE4_m5QdgMeGVutM9EohO_5zNgtZiEmftsbUho-x8AIc90MkGZERyDBGN6QCEz40f4i5ax-0cvfcpph56Tw"}' [Wed Sep 6 00:20:07 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:07 UTC 2023] Http already initialized. [Wed Sep 6 00:20:07 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:08 UTC 2023] _ret='0' [Wed Sep 6 00:20:08 UTC 2023] responseHeaders='HTTP/2 201 server: nginx date: Wed, 06 Sep 2023 00:20:08 GMT content-type: application/json content-length: 351 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" location: https://acme-v02.api.letsencrypt.org/acme/order/871442277/206458315486 replay-nonce: 5x-p0dvMfzwgV9NpD7SKwdHvrzUnJLtjzGGa6UQO9ydXv5LUB1k x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:08 UTC 2023] code='201' [Wed Sep 6 00:20:08 UTC 2023] original='{ "status": "pending", "expires": "2023-09-13T00:20:08Z", "identifiers": [ { "type": "dns", "value": "devforum.spinalcordmri.org" } ], "authorizations": [ "https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206" ], "finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458315486" }' [Wed Sep 6 00:20:08 UTC 2023] response='{"status":"pending","expires":"2023-09-13T00:20:08Z","identifiers":[{"type":"dns","value":"devforum.spinalcordmri.org"}],"authorizations":["https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206"],"finalize":"https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458315486"}' [Wed Sep 6 00:20:08 UTC 2023] Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/871442277/206458315486' [Wed Sep 6 00:20:08 UTC 2023] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/871442277/206458315486' [Wed Sep 6 00:20:08 UTC 2023] _authorizations_seg='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:08 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] payload [Wed Sep 6 00:20:08 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:08 UTC 2023] Use _CACHED_NONCE='5x-p0dvMfzwgV9NpD7SKwdHvrzUnJLtjzGGa6UQO9ydXv5LUB1k' [Wed Sep 6 00:20:08 UTC 2023] nonce='5x-p0dvMfzwgV9NpD7SKwdHvrzUnJLtjzGGa6UQO9ydXv5LUB1k' [Wed Sep 6 00:20:08 UTC 2023] POST [Wed Sep 6 00:20:08 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TWZ6d2dWOU5wRDdTS3dkSHZyelVuSkx0anpHR2E2VVFPOXlkWHY1TFVCMWsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI2MTc0ODI2MjIwNiIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "", "signature": "GEGJKNDEYoOdQzcUQ-WTJ4QOCu6tBxKPd6d35vuJfmbazpDF68WHfTZJczVZHBnBCO3kdAMLgRVRkjYN9QM1oAXvi50HIbBEHDTfKAY6gErr8_SVqkjfqoZHeRGou2tUOsJFwemc1VfGgfMnTHAw7d15AMxYW_mHKsaTVHu5cbf-xMR9yZb5OcM_PH6saepUk9cPE_z5hd6kTurWOTzTelQCpExMg4vIk7v6wAT2ARMHGS7V5uoDQnOFOi_gX882l6h7m_w-_rD5pcpYzAzADTDjZrZ3TMRcc5r51Ps8WU-7Td-Z2Xx74q5oqFrvINE0fZrCsWUSdcH6ihCH9BAb4Q"}' [Wed Sep 6 00:20:08 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:08 UTC 2023] Http already initialized. [Wed Sep 6 00:20:08 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:08 UTC 2023] _ret='0' [Wed Sep 6 00:20:08 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:08 GMT content-type: application/json content-length: 810 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 5x-p0dvMVt3W1NkFKkr73Cu43cuwG-NdJo7rDQW5xnRjjCzHj-U x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:08 UTC 2023] code='200' [Wed Sep 6 00:20:08 UTC 2023] original='{ "identifier": { "type": "dns", "value": "devforum.spinalcordmri.org" }, "status": "pending", "expires": "2023-09-13T00:20:08Z", "challenges": [ { "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg", "token": "qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU" }, { "type": "dns-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw", "token": "qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU" }, { "type": "tls-alpn-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ", "token": "qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU" } ] }' [Wed Sep 6 00:20:08 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}]}' [Wed Sep 6 00:20:08 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}]}' [Wed Sep 6 00:20:08 UTC 2023] _d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] _authorizations_map='devforum.spinalcordmri.org,{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206 ' [Wed Sep 6 00:20:08 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] Getting webroot for domain='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] _w='/var/www/discourse/public' [Wed Sep 6 00:20:08 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:08 UTC 2023] _is_idn_d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] _idn_temp [Wed Sep 6 00:20:08 UTC 2023] _candidates='devforum.spinalcordmri.org,{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"pending","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/wuGgGw","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/e1MKPQ","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}]}#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] entry='"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"' [Wed Sep 6 00:20:08 UTC 2023] token='qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU' [Wed Sep 6 00:20:08 UTC 2023] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:08 UTC 2023] keyauthorization='qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:08 UTC 2023] dvlist='devforum.spinalcordmri.org#qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] d [Wed Sep 6 00:20:08 UTC 2023] vlist='devforum.spinalcordmri.org#qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206,' [Wed Sep 6 00:20:08 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] ok, let's start to verify [Wed Sep 6 00:20:08 UTC 2023] Verifying: devforum.spinalcordmri.org [Wed Sep 6 00:20:08 UTC 2023] d='devforum.spinalcordmri.org' [Wed Sep 6 00:20:08 UTC 2023] keyauthorization='qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:08 UTC 2023] uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:08 UTC 2023] _authz_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:08 UTC 2023] _currentRoot='/var/www/discourse/public' [Wed Sep 6 00:20:08 UTC 2023] wellknown_path='/var/www/discourse/public/.well-known/acme-challenge' [Wed Sep 6 00:20:08 UTC 2023] writing token:qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU to /var/www/discourse/public/.well-known/acme-challenge/qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU [Wed Sep 6 00:20:08 UTC 2023] Trigger domain validation. [Wed Sep 6 00:20:08 UTC 2023] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:08 UTC 2023] _t_key_authz='qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:08 UTC 2023] _t_vtype='http-01' [Wed Sep 6 00:20:08 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:08 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:08 UTC 2023] payload='{}' [Wed Sep 6 00:20:08 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:08 UTC 2023] Use _CACHED_NONCE='5x-p0dvMVt3W1NkFKkr73Cu43cuwG-NdJo7rDQW5xnRjjCzHj-U' [Wed Sep 6 00:20:08 UTC 2023] nonce='5x-p0dvMVt3W1NkFKkr73Cu43cuwG-NdJo7rDQW5xnRjjCzHj-U' [Wed Sep 6 00:20:08 UTC 2023] POST [Wed Sep 6 00:20:08 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:08 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TVZ0M1cxTmtGS2tyNzNDdTQzY3V3Ry1OZEpvN3JEUVc1eG5SampDekhqLVUiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzI2MTc0ODI2MjIwNi9yNWVLTWciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0Lzg3MTQ0MjI3NyJ9", "payload": "e30", "signature": "KmFfnEf6QLWvmtn5emNmn50WdaiMME9-09G1bsdU0UMAv7C9pmcW7dw6FzAyu_OBqrKplNnUstlG9RpSfjbZAxD4aYOEhqa46ecyA10RA3UhnGwY3yAAiZpYv97ewqXa9Bv3h_TeD7-OjFpNwYKOtdacjQ8NIEQRWtziw6imtDqAzNYxBHZZ3SxzQcg8Qf2kxFiJL4aSzORl9v_np-shbPegnfpccg6VB_okU-m4o6dfbLPiGYQitdBnKSirO14hwYdAE3nRBsE8tbvfakvFBRD0fy0RIFN5PqdcDhqQ5XP2wqAyk0YA7kADf9YjZm9LjbC3EuifaWpQzKaZUCd_QQ"}' [Wed Sep 6 00:20:09 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:09 UTC 2023] Http already initialized. [Wed Sep 6 00:20:09 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:09 UTC 2023] _ret='0' [Wed Sep 6 00:20:09 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:09 GMT content-type: application/json content-length: 187 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" link: ;rel="up" location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg replay-nonce: 2zuXfv7ZZJm4RjV9CZAnm1WEB3HMudDUsPmQnCoKdBBNgF45uxk x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:09 UTC 2023] code='200' [Wed Sep 6 00:20:09 UTC 2023] original='{ "type": "http-01", "status": "pending", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg", "token": "qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU" }' [Wed Sep 6 00:20:09 UTC 2023] response='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}' [Wed Sep 6 00:20:09 UTC 2023] trigger validation code: 200 [Wed Sep 6 00:20:09 UTC 2023] Lets check the status of the authz [Wed Sep 6 00:20:09 UTC 2023] original='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}' [Wed Sep 6 00:20:09 UTC 2023] response='{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU"}' [Wed Sep 6 00:20:09 UTC 2023] status='pending' [Wed Sep 6 00:20:09 UTC 2023] Pending, The CA is processing your order, please just wait. (1/30) [Wed Sep 6 00:20:09 UTC 2023] sleep 2 secs to verify again [Wed Sep 6 00:20:11 UTC 2023] checking [Wed Sep 6 00:20:11 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:11 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:11 UTC 2023] payload [Wed Sep 6 00:20:11 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:11 UTC 2023] Use _CACHED_NONCE='2zuXfv7ZZJm4RjV9CZAnm1WEB3HMudDUsPmQnCoKdBBNgF45uxk' [Wed Sep 6 00:20:11 UTC 2023] nonce='2zuXfv7ZZJm4RjV9CZAnm1WEB3HMudDUsPmQnCoKdBBNgF45uxk' [Wed Sep 6 00:20:11 UTC 2023] POST [Wed Sep 6 00:20:11 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206' [Wed Sep 6 00:20:11 UTC 2023] body='{"protected": "eyJub25jZSI6ICIyenVYZnY3WlpKbTRSalY5Q1pBbm0xV0VCM0hNdWREVXNQbVFuQ29LZEJCTmdGNDV1eGsiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2F1dGh6LXYzLzI2MTc0ODI2MjIwNiIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvODcxNDQyMjc3In0", "payload": "", "signature": "PemDZLxx0Nbln1PQu7w9ccJ4-42GD9Wgy6zNJ-ImJG-rsfo3ioUrjxEeZUWj_iDwr_E8y4oUkcehFNHUIol_VE5tu767H9fe8JfaenKZ65csTF5ulUsMFmN98jel5pvxT_ESVRFePHgBsfpKbNcLBCkDVvBoWUmNdhDww9G25xXAVN4jl4t_lOi0bYpbqay7XemDgbkwyiMBjliaSc8Crgd1puabaugoV6cMeGLkoEr7T98JS9xpNlEalBnCMnWYLuVfy2euT7qewczFJq6GgZfaGJZt_M438oEiGahgioqKEfwRMeM2HHY4lunMif6FWAik3sMHrvt2q0g1MH0ltw"}' [Wed Sep 6 00:20:11 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:11 UTC 2023] Http already initialized. [Wed Sep 6 00:20:11 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:11 UTC 2023] _ret='0' [Wed Sep 6 00:20:11 UTC 2023] responseHeaders='HTTP/2 200 server: nginx date: Wed, 06 Sep 2023 00:20:11 GMT content-type: application/json content-length: 777 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 5x-p0dvMwk7_mCPD6AmGMGZz4c0MYJmuBf9Qskbrw1GHanFLe0A x-frame-options: DENY strict-transport-security: max-age=604800 ' [Wed Sep 6 00:20:11 UTC 2023] code='200' [Wed Sep 6 00:20:11 UTC 2023] original='{ "identifier": { "type": "dns", "value": "devforum.spinalcordmri.org" }, "status": "invalid", "expires": "2023-09-13T00:20:08Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:dns", "detail": "DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg", "token": "qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU", "validated": "2023-09-06T00:20:09Z" } ] }' [Wed Sep 6 00:20:11 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU","validated":"2023-09-06T00:20:09Z"}]}' [Wed Sep 6 00:20:11 UTC 2023] original='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU","validated":"2023-09-06T00:20:09Z"}]}' [Wed Sep 6 00:20:11 UTC 2023] response='{"identifier":{"type":"dns","value":"devforum.spinalcordmri.org"},"status":"invalid","expires":"2023-09-13T00:20:08Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg","token":"qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU","validated":"2023-09-06T00:20:09Z"}]}' [Wed Sep 6 00:20:11 UTC 2023] status='invalid invalid' [Wed Sep 6 00:20:11 UTC 2023] error='"error":{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain","status": 400' [Wed Sep 6 00:20:11 UTC 2023] errordetail='DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain' [Wed Sep 6 00:20:11 UTC 2023] Invalid status, devforum.spinalcordmri.org:Verify error detail:DNS problem: NXDOMAIN looking up A for devforum.spinalcordmri.org - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for devforum.spinalcordmri.org - check that a DNS record exists for this domain [Wed Sep 6 00:20:11 UTC 2023] pid [Wed Sep 6 00:20:11 UTC 2023] No need to restore nginx, skip. [Wed Sep 6 00:20:11 UTC 2023] _clearupdns [Wed Sep 6 00:20:11 UTC 2023] dns_entries [Wed Sep 6 00:20:11 UTC 2023] skip dns. [Wed Sep 6 00:20:11 UTC 2023] _on_issue_err [Wed Sep 6 00:20:11 UTC 2023] Please check log file for more details: /shared/letsencrypt/acme.sh.log [Wed Sep 6 00:20:11 UTC 2023] _chk_vlist='devforum.spinalcordmri.org#qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA#https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg#http-01#/var/www/discourse/public#https://acme-v02.api.letsencrypt.org/acme/authz-v3/261748262206,' [Wed Sep 6 00:20:11 UTC 2023] start to deactivate authz [Wed Sep 6 00:20:11 UTC 2023] Trigger domain validation. [Wed Sep 6 00:20:11 UTC 2023] _t_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:11 UTC 2023] _t_key_authz='qNJ6DLba-lHB89H7DHLhoHAZ0d2ogpR_lOmo5VqTjCU.0FPvkK7pyOtmxOjlrSxF9CI-3nqUYbQ8YLp4V0JozaA' [Wed Sep 6 00:20:11 UTC 2023] _t_vtype [Wed Sep 6 00:20:11 UTC 2023] =======Begin Send Signed Request======= [Wed Sep 6 00:20:11 UTC 2023] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:11 UTC 2023] payload='{}' [Wed Sep 6 00:20:11 UTC 2023] Use cached jwk for file: /shared/letsencrypt/ca/acme-v02.api.letsencrypt.org/directory/account.key [Wed Sep 6 00:20:11 UTC 2023] Use _CACHED_NONCE='5x-p0dvMwk7_mCPD6AmGMGZz4c0MYJmuBf9Qskbrw1GHanFLe0A' [Wed Sep 6 00:20:11 UTC 2023] nonce='5x-p0dvMwk7_mCPD6AmGMGZz4c0MYJmuBf9Qskbrw1GHanFLe0A' [Wed Sep 6 00:20:11 UTC 2023] POST [Wed Sep 6 00:20:11 UTC 2023] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/261748262206/r5eKMg' [Wed Sep 6 00:20:11 UTC 2023] body='{"protected": "eyJub25jZSI6ICI1eC1wMGR2TXdrN19tQ1BENkFtR01HWno0YzBNWUptdUJmOVFza2JydzFHSGFuRkxlMEEiLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2NoYWxsLXYzLzI2MTc0ODI2MjIwNi9yNWVLTWciLCAiYWxnIjogIlJTMjU2IiwgImtpZCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hY2N0Lzg3MTQ0MjI3NyJ9", "payload": "e30", "signature": "nWooiq4my-1EjVQvmynP8BKlH_GKjngA_LlNykkscjGfVIVwfCKypGuN5UbW5iFdWb2G8gMeF8R_9UF0dtYE7itrAEnjKUP32TvbrNrZ_3k3RryEIHD9PH1Lxfp_ZSP_C4aOpR9t70xqVOnNsD-yJe6Y_x8-iDhN5NzQHELhDlXrXKjNtfeTo8r7z0zOEyOEbnUPfLkHbGr8FqgCSx9NIMnyntpzrBRzQ4MPSjyCicGFzy997pR4uDNMbb7F-w97OvwnkZgw2P4668WTqgkdYX8rj45hprjctT6MrPyHuhfhVsZz2h5GWk9a6M6mrT83g57vld8im6VS1fKlbENssw"}' [Wed Sep 6 00:20:11 UTC 2023] _postContentType='application/jose+json' [Wed Sep 6 00:20:11 UTC 2023] Http already initialized. [Wed Sep 6 00:20:11 UTC 2023] _CURL='curl --silent --dump-header /shared/letsencrypt/http.header -L -g ' [Wed Sep 6 00:20:11 UTC 2023] _ret='0' [Wed Sep 6 00:20:11 UTC 2023] responseHeaders='HTTP/2 400 server: nginx date: Wed, 06 Sep 2023 00:20:11 GMT content-type: application/problem+json content-length: 144 boulder-requester: 871442277 cache-control: public, max-age=0, no-cache link: ;rel="index" replay-nonce: 2zuXfv7ZmdJ1aITBu-9JoimxbfxdN3k-uj5F6YrfNzNmBZCk3AE ' [Wed Sep 6 00:20:11 UTC 2023] code='400' [Wed Sep 6 00:20:11 UTC 2023] original='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }' [Wed Sep 6 00:20:11 UTC 2023] response='{ "type": "urn:ietf:params:acme:error:malformed", "detail": "Unable to update challenge :: authorization must be pending", "status": 400 }' [Wed Sep 6 00:20:11 UTC 2023] '/var/www/discourse/public' does not contain 'dns' [Wed Sep 6 00:20:11 UTC 2023] Return code: 1 [Wed Sep 6 00:20:11 UTC 2023] Error renew devforum.spinalcordmri.org_ecc. [Wed Sep 6 00:20:11 UTC 2023] di='/shared/letsencrypt/forum.spinalcordmri.org/' [Wed Sep 6 00:20:11 UTC 2023] d='forum.spinalcordmri.org' [Wed Sep 6 00:20:11 UTC 2023] _renewServer [Wed Sep 6 00:20:11 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:11 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:11 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:11 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:11 UTC 2023] DOMAIN_PATH='/shared/letsencrypt/forum.spinalcordmri.org' [Wed Sep 6 00:20:12 UTC 2023] Renew: 'forum.spinalcordmri.org' [Wed Sep 6 00:20:12 UTC 2023] Le_API='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:12 UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:12 UTC 2023] initpath again. [Wed Sep 6 00:20:12 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:12 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:12 UTC 2023] Skip, Next renewal time is: 2023-09-07T00:03:16Z [Wed Sep 6 00:20:12 UTC 2023] Add '--force' to force to renew. [Wed Sep 6 00:20:12 UTC 2023] Return code: 2 [Wed Sep 6 00:20:12 UTC 2023] Skipped forum.spinalcordmri.org [Wed Sep 6 00:20:12 UTC 2023] di='/shared/letsencrypt/forum.spinalcordmri.org_ecc/' [Wed Sep 6 00:20:12 UTC 2023] d='forum.spinalcordmri.org_ecc' [Wed Sep 6 00:20:12 UTC 2023] _renewServer [Wed Sep 6 00:20:12 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:12 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:12 UTC 2023] DOMAIN_PATH='/shared/letsencrypt/forum.spinalcordmri.org_ecc' [Wed Sep 6 00:20:12 UTC 2023] Renew: 'forum.spinalcordmri.org' [Wed Sep 6 00:20:12 UTC 2023] Le_API='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:12 UTC 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Wed Sep 6 00:20:12 UTC 2023] initpath again. [Wed Sep 6 00:20:12 UTC 2023] Using config home:/shared/letsencrypt [Wed Sep 6 00:20:12 UTC 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org' [Wed Sep 6 00:20:12 UTC 2023] _ACME_SERVER_PATH='directory' [Wed Sep 6 00:20:12 UTC 2023] Skip, Next renewal time is: 2023-09-07T00:03:19Z [Wed Sep 6 00:20:12 UTC 2023] Add '--force' to force to renew. [Wed Sep 6 00:20:12 UTC 2023] Return code: 2 [Wed Sep 6 00:20:12 UTC 2023] Skipped forum.spinalcordmri.org_ecc [Wed Sep 6 00:20:12 UTC 2023] _error_level='1' [Wed Sep 6 00:20:12 UTC 2023] _set_level='2' [Wed Sep 6 00:20:12 UTC 2023] The NOTIFY_HOOK is empty, just return. [Wed Sep 6 00:20:12 UTC 2023] ===End cron=== ```

So, the cron job is running, and the renewal check is being skipped (as it should)...

[joshuacwnewton]

If I grep for renew, then scroll back far enough, I see the following:

root@forum-app:/shared/letsencrypt# cat acme.sh.log | grep renew
[Sun Jul  9 00:03:07 UTC 2023] Skip, Next renewal time is: 2023-07-09T18:30:32Z
[Sun Jul  9 00:03:07 UTC 2023] Add '--force' to force to renew.
[Sun Jul  9 00:03:07 UTC 2023] _renewServer
[Sun Jul  9 00:03:07 UTC 2023] Skip, Next renewal time is: 2023-07-09T18:30:36Z
[Sun Jul  9 00:03:07 UTC 2023] Add '--force' to force to renew.
[Mon Jul 10 00:03:01 UTC 2023] _renewServer
[Mon Jul 10 00:03:06 UTC 2023] Error renew devforum.spinalcordmri.org.
[Mon Jul 10 00:03:06 UTC 2023] _renewServer
[Mon Jul 10 00:03:10 UTC 2023] Error renew devforum.spinalcordmri.org_ecc.
[Mon Jul 10 00:03:10 UTC 2023] _renewServer
[Mon Jul 10 00:03:16 UTC 2023] _renewServer
[Tue Jul 11 00:03:02 UTC 2023] _renewServer
[Tue Jul 11 00:03:06 UTC 2023] Error renew devforum.spinalcordmri.org.
[Tue Jul 11 00:03:06 UTC 2023] _renewServer
[Tue Jul 11 00:03:11 UTC 2023] Error renew devforum.spinalcordmri.org_ecc.
[Tue Jul 11 00:03:11 UTC 2023] _renewServer
[Tue Jul 11 00:03:11 UTC 2023] Skip, Next renewal time is: 2023-09-07T00:03:16Z
[Tue Jul 11 00:03:11 UTC 2023] Add '--force' to force to renew.
[Tue Jul 11 00:03:11 UTC 2023] _renewServer
[Tue Jul 11 00:03:11 UTC 2023] Skip, Next renewal time is: 2023-09-07T00:03:19Z
[Tue Jul 11 00:03:11 UTC 2023] Add '--force' to force to renew.

I think we can ignore the errors here (since they relate to the temporarily-named devforum certs that were added when first creating the forum instance in March).

Besides that, the other certificates seem to have successfully renewed on July 9th, given that the renewal times were updated to September 7th.

That said, these dates don't line up at all with the expiry dates and forum outages in the past (July+September vs. May+August+October).

[joshuacwnewton]

That said, these dates don't line up at all with the expiry dates and forum outages in the past (July+September vs. May+August+October).

Here is my theory: What if the certificates are renewing just fine (every 60 days, i.e. 30 days before the 90-day expiry date), but the renewed certs aren't being loaded by OpenSMTPD? As far as the timeline goes, the upcoming renewal date (September 7th) is 30 days before the upcoming expiry date (October 7th). And both of these dates were set on July 9th, which is far before the most recent outage occurred.

My thinking here is:

• Restarting OpenSMTPD seems to be a necessary step for fixing the issue, even when manually forcing a renewal.
• OpenSMTPD is the one part of our Discourse set-up that is kind of homegrown (i.e. not part of the official Discourse setup guides), so it would make sense that the problem lies with it, rather than the cert-renewal process itself.
• Plus, in our OpenSTMPD setup steps, we explicitly piggyback off of the existing certs. So, the cert-loading process (introduced by us) is separate from the cert-renewal process (introduced by Discourse).
• This would also explain why we've never received a cert expiry email -- it never actually expires!

This doesn't completely explain the mismatched timeline in https://github.com/spinalcordmri/spinalcordmri.github.io/issues/83#issue-1884543083, but it's a hypothesis we can test, at least:

• Given that the cert is set to renew tomorrow, I can check in on how the renewal goes (and whether the dates on the cert change on disk).
• Then, I can let things be for the next month, and monitor if/when things fail.
• And, if another outage occurs, I can try just restarting the OpenSMTPD service without renewing the certificate (assuming that the certs were already successfully renewed earlier).
• If the issue is fixed purely by restarting OpenSMTPD, then I can add a fix to ensure this happens when the certs are actually renewed. (Easily done by modifying the template YAML file for the Discourse container!)

[joshuacwnewton]

• Given that the cert is set to renew tomorrow, I can check in on how the renewal goes (and whether the dates on the cert change on disk).

Yep! I checked acme.sh.log and the certs were downloaded successfully. Then, I checked the new expiry dates, and got:

root@forum:/var/discourse# cd /var/discourse/shared/standalone/ssl
root@forum:/var/discourse/shared/standalone/ssl# openssl x509 -enddate -noout -in forum.spinalcordmri.org.cer
notAfter=Dec  5 23:20:15 2023 GMT

I expect the forum to experience an outage sometime around the old expiry date (October 7th). I'm going to set a calendar event for this, and watch the site like a hawk. Then, if/when the outage occurs, I'm going to simply restart the OpenSMTPD service. If that fixes the issue, then I'll automate the service-restarting, and the outages should go away entirely.

[joshuacwnewton]

I expect the forum to experience an outage sometime around the old expiry date (October 7th)

Well, what do you know! The emails have begun failing at the predicted time:

I tried my predicted solution of sudo systemctl restart opensmtpd, and hey, what do you know! Emails are sending again.

Now we just need to automate this and we should be good to go. :)

[jcohenadad]

amazing! thank you @joshuacwnewton 😊

[joshuacwnewton]

I've set up a cron job to reload the certificates on the 1st of every month. This should fix the problem, but I'll be watching the forum like a hawk when the next expiry date is coming up (Dec 5 23:20:15 2023 GMT) to make sure.

crontab -e  # nb: ssh logins to the forum server use `root`, so sudo not necessary here
# then, enter in: '01 01 01  *  * systemctl restart opensmtpd'

One quirk that I tried to reason out was: Cron jobs work on a monthly basis ("Day of month"), while automatic cert renewal happens 30 days before the expiry date. This means that the new expiry date drifts a little bit each time (Oct 7 -> Dec 5 -> Feb 3).

So, I was thinking, "if we're reloading the certs on the first of each month, could this ever line up in a way that wouldn't work?" But, because the renewed dates differ by 60 days (90 day validity period - "30-day-before" renewal), reloading certs once a month should always keep things up to date.