Forum OpenACS Development: Re: letsencrypt error on renew

Posted by Gustaf Neumann on

I just ran the letsencrypt script on to renew its certificate, and everything worked fine.

When you run the letsencrypt request, you get a log displayed, starting with something along these lines:

Obtaining a certificate from Let's Encrypt using the Production API:

Let's Encrypt URLs (production API):

Reuse existing account registration at Let's Encrypt (/usr/local/ns/modules/nsssl/letsencrypt-production-account.key)
parseAccountKey /usr/local/ns/modules/nsssl/letsencrypt-production-account.key

These are the interface URLs from letsencrypt. Your error message indicates that these URLs (actually the "key-change" URL) were not set, so I would suspect some earlier error message hinting at the cause of the problem.

Can it be that someone blocks requests from your site to letsencrypt? I had a problem a few weeks ago with OCSP stapling on, since a firewall suddenly blocked the outgoing traffic to letsencrypt, and since a web client requested a stapled certificate, and the cache expired, NaviServer had to issue a request for verification to letsencrypt, which was blocked (due to some blacklist that the firewall used).

all the best -g

Posted by Raul Rodriguez on
I am not seeing a firewall blacklist situation.
I tried to renew on another server running NaviServer/4.99.18 and got the same error. Could it have something to do with acme-v01 instead of acs-v02 in the URLs?:

[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Notice: update_object_doc  ::letsencrypt::Client ...
[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Notice: letsencrypt: <html lang="en"><head><title>NaviServer Let's Encrypt client</title></head><body>
[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Notice: letsencrypt: <h3>Obtaining a certificate from Let's Encrypt using  the Production API:</h3>
[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Notice: SockConnect: target host <> has associated multiple IP addresses < 2606:4700:60:0:f
[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Notice: async connect to on sock 30 returned EINPROGRESS
[24/Apr/2021:14:38:22][644.7fa1f0ff9700][-conn:mysite:2:3115-] Error: key "key-change" not known in dictionary
    while executing
"dict get ${:apiURLs} $kind"
    (procedure ":URL" line 2)

Posted by Gustaf Neumann on
You should probably update naviserver+letsencrypt. The ACME v1 interface is being phased out in multiple steps; what you are seeing is probably a consequence of this.

Starting with version 0.5 of the letsencrypt interface (released Dec 2019), ACME v2 is supported.
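
An added example, not part of the thread and not code from letsencrypt.tcl: a Python check that classifies the body of an ACME directory response as empty, non-JSON, v1-style or v2-style, covering both causes discussed above (a blocked request and the ACME v1 phase-out). The sample bodies and their example.invalid URLs are constructed; the v2 endpoint names are those of RFC 8555.

```python
import json

# Endpoint names an ACME v2 (RFC 8555) directory must carry.
V2_REQUIRED = {"newNonce", "newAccount", "newOrder", "revokeCert", "keyChange"}
# Hyphenated endpoint names of the older ACME v1 directory.
V1_KEYS = {"new-reg", "new-authz", "new-cert", "revoke-cert", "key-change"}

# Constructed sample bodies; host and paths are placeholders.
BASE = "https://acme.example.invalid/"
SAMPLE_V1 = json.dumps({k: BASE + k for k in sorted(V1_KEYS)})
SAMPLE_V2 = json.dumps({k: BASE + k for k in sorted(V2_REQUIRED)})
SAMPLE_BLOCKED = "<html><body>Access denied</body></html>"


def classify_directory(body):
    """Return (verdict, detail) for the raw body of a directory response."""
    if not body or not body.strip():
        return ("empty", "no body: request blocked, timed out or failed")
    try:
        doc = json.loads(body)
    except ValueError:
        return ("not-json", "body is not JSON, e.g. a proxy or firewall page")
    if not isinstance(doc, dict):
        return ("not-json", "JSON body is not an object")
    keys = set(doc)
    if V2_REQUIRED <= keys:
        return ("acme-v2", "all RFC 8555 endpoints present")
    if keys & V2_REQUIRED:
        missing = sorted(V2_REQUIRED - keys)
        return ("incomplete-v2", "missing: " + ", ".join(missing))
    if keys & V1_KEYS:
        return ("acme-v1", "v1 directory; a v2 client finds no keyChange")
    return ("unknown", "no known ACME endpoint names in directory")


if __name__ == "__main__":
    for name, body in [("v1", SAMPLE_V1), ("v2", SAMPLE_V2),
                       ("blocked", SAMPLE_BLOCKED), ("empty", "")]:
        print(name, classify_directory(body))
```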

Posted by Raul Rodriguez on
I updated naviserver+letsencrypt. I am now getting this error:
[28/Apr/2021:20:15:26][694.7fcbf574b700][-conn:mysite:default:0:362-] Error: can't connect to port 80: operation now in progress
:        while executing
:    "ns_http run -timeout 5.0 $wellknown_url"
:        (procedure ":authorizeDomain" line 43)
:        invoked from within
:    ":authorizeDomain $auth_url [dict get $id value]"
:        (procedure "getCertificate" line 111)
:        invoked from within
:    "$c getCertificate"
:        ("uplevel" body line 879)
:        invoked from within
:    "uplevel {
:        #
:    # letsencrypt.tcl --
:    #
:    #   A small Let's Encrypt client for NaviServer implemented in Tcl,
:    #   supporting the ACME v2 interface of let..."
:        (procedure "code::tcl::/var/www/mysite//packages/acs-subsite/www/admin/l..." line 2)
:        invoked from within
:    "code::tcl::$__adp_stub"
:        ("uplevel" body line 12)
:        invoked from within
:    "uplevel {

Posted by Gustaf Neumann on
Dear Raul,

Have you edited the error message? I wonder because of the use of "". The error message means that the server could not open a connection to the site, sometimes related to DNS problems. If you see this, and you can open the connection to the mentioned URL by other means, it sometimes helps to run the script again.