Dehydrated Service returns errors

[fabianhauser]

We currently get some error-mails from the dehydrated-TLS -service:

● studentenportal-dehydrated.service - Run dehydrated update for studentenportal
   Loaded: loaded (/etc/systemd/system/studentenportal-dehydrated.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-09-15 00:00:56 CEST; 16ms ago
  Process: 20939 ExecStart=/usr/bin/docker exec -i web_nginx_1 dehydrated --cron (code=exited, status=1/FAILURE)
 Main PID: 20939 (code=exited, status=1/FAILURE)

Sep 15 00:00:56 vshsr01 docker[20939]:         "5.148.180.58"
Sep 15 00:00:56 vshsr01 docker[20939]:       ],
Sep 15 00:00:56 vshsr01 docker[20939]:       "addressUsed": "5.148.180.58"
Sep 15 00:00:56 vshsr01 docker[20939]:     }
Sep 15 00:00:56 vshsr01 docker[20939]:   ]
Sep 15 00:00:56 vshsr01 docker[20939]: })
Sep 15 00:00:56 vshsr01 systemd[1]: studentenportal-dehydrated.service: Main process exited, code=exited, status=1/FAILURE
Sep 15 00:00:56 vshsr01 systemd[1]: studentenportal-dehydrated.service: Failed with result 'exit-code'.
Sep 15 00:00:56 vshsr01 systemd[1]: Failed to start Run dehydrated update for studentenportal.
Sep 15 00:00:56 vshsr01 systemd[1]: studentenportal-dehydrated.service: Triggering OnFailure= dependencies.

[dbrgn]

Note: I've migrated my personal servers to acmed which seems to work quite nicely so far (with a deamon, as opposed to cronjobs). If you're interested, I can share my Ansible setup.

[The-Compiler]

Here's the actual error from journalctl -u studentenportal-dehydrated.service -e:

Sep 15 00:00:56 vshsr01 docker[20939]:  + Challenge validation has failed :(
Sep 15 00:00:56 vshsr01 docker[20939]: ERROR: Challenge is invalid! (returned: invalid) (result: {
Sep 15 00:00:56 vshsr01 docker[20939]:   "type": "http-01",
Sep 15 00:00:56 vshsr01 docker[20939]:   "status": "invalid",
Sep 15 00:00:56 vshsr01 docker[20939]:   "error": {
Sep 15 00:00:56 vshsr01 docker[20939]:     "type": "urn:ietf:params:acme:error:dns",
Sep 15 00:00:56 vshsr01 docker[20939]:     "detail": "During secondary validation: DNS problem: networking error looking up CAA for studentenportal.ch",
Sep 15 00:00:56 vshsr01 docker[20939]:     "status": 400
Sep 15 00:00:56 vshsr01 docker[20939]:   },
[...]

I've only found this: Unable to obtain certificates in production mode (succesfull in staging) - Help - Let's Encrypt Community Support

The issue there (misconfigured nameservers) doesn't apply to us, but this still seems more of a DNS issue rather than an issue with dehydrated.

[dbrgn]

Is it related to the switch to the newer ACME protocol version? Is dehydrated up to date?

[The-Compiler]

Is it related to the switch to the newer ACME protocol version?

I doubt it. If it was, I suppose we'd find more information about it, either in the Let's Encrypt forum or in the dehydrated issues.

From the thread and the error message, it sounds more like a DNS issue between Let's Encrypt's severs and nine. I have no idea what exactly, though... Maybe @thde or @lroellin have an idea what could be going on there?

Is dehydrated up to date?

Yes: Dockerfile, releases. Though there are quite some changes since then. Still, I don't believe this to be a dehydrated issue.

[fabianhauser]

Hmm, since the renewal succeeded on the 16.08., the messages have stopped. While looking trough the logs, I notice various slightly different errors which seem to stem more from the let's encrypt network infrastructure or our DNS Servers (which is provided by nine...)

Closing this issue for the moment, as the error messages have stopped. If the error occurs again, we'd have to investigate further.

[thde]

Heyo, feel free to mail support@nine.ch if the issues occurs again. I only look at my Github notifications rarely.