docker-nginx-gunicorn-flask-letsencrypt
Certificates do not renew automatically
Hello, Thank you for this repository, it saved me a lot of time setting this up from scratch! I have an API hosted with Flask that has to be SSL secured, and it has been running for months using your Docker file. However, some months ago I received an email that my certificates were about to expire, and they actually did expire. I looked at the Letsencrypt service status and at that time there were some issues with their servers, so I thought that caused the issue. For safety I did restart the Docker containers using. After that the certificate was renewed and the service was working as expected. Now, 3 months later, I get the same message. Letsencrypt status indicates that all their servers are running without issues; this forced me to take a look into the logs, and I've noticed the same warning as before.
{"log":"2022/01/02 11:29:03 [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/<redacted>/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T11:29:03.124774422Z"}
Going back into the logs I saw that this warning was being thrown since the day I restarted the service and before that as well, so basically this warning was always around. After restarting the docker containers today the logs indicated that the certificates were renewed correctly.
{"log":"2022/01/02 15:47:25 [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/pahara.ddns.net/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T15:47:25.579117575Z"}
{"log":"Renewing an existing certificate for pahara.ddns.net\n","stream":"stdout","time":"2022-01-02T15:55:59.361556466Z"}
{"log":" - Congratulations! Your certificate and chain have been saved at:\n","stream":"stdout","time":"2022-01-02T15:56:07.301918728Z"}
{"log":" Your certificate will expire on 2022-04-02. To obtain a new or\n","stream":"stdout","time":"2022-01-02T15:56:07.301943105Z"}
{"log":" tweaked version of this certificate in the future, simply run\n","stream":"stdout","time":"2022-01-02T15:56:07.301963223Z"}
{"log":" certbot again. To non-interactively renew *all* of your\n","stream":"stdout","time":"2022-01-02T15:56:07.301968674Z"}
{"log":" certificates, run \"certbot renew\"\n","stream":"stdout","time":"2022-01-02T15:56:07.301972165Z"}
{"log":"2022/01/02 15:56:07 [warn] 10#10: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/pahara.ddns.net/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T15:56:07.650200804Z"}
But the same warning appears right after the message that the certificates have been renewed correctly. After googling around I came to this comment: https://community.letsencrypt.org/t/no-resolver-defined-to-resolve-r3-o-lencr-org-while-requesting-certificate-status-responder-r3-o-lencr-org-certificate/148762/4, but that would indicate that all the other users of this repo would have the same warning, as this configuration is inside your Docker files. Could you maybe help me out by answering the following questions?
- Why do my certificates not renew automatically, and how can I fix this?
- Is the warning related to this issue, and if not, does it have any other consequence?
Looking forward to your reply! Kind regards, Alex
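An added example, not code from this issue or the repository: it scans Docker json-file log records like the ones quoted above for the nginx resolver warning and certbot's renewal and expiry messages, so that an expiring certificate is noticed before the reminder e-mail arrives. The sample records are constructed, with the hostname replaced by a placeholder.

```python
import json
import re
from datetime import date

# Constructed sample records in Docker's json-file log format (same shape as the
# lines quoted in the issue; hostname replaced by the placeholder example.invalid).
SAMPLE_LOGS = [
    r'{"log":"2022/01/02 15:47:25 [warn] 22#22: no resolver defined to resolve r3.o.lencr.org while requesting certificate status, responder: r3.o.lencr.org, certificate: \"/etc/letsencrypt/live/example.invalid/fullchain.pem\"\n","stream":"stderr","time":"2022-01-02T15:47:25.579117575Z"}',
    r'{"log":"Renewing an existing certificate for example.invalid\n","stream":"stdout","time":"2022-01-02T15:55:59.361556466Z"}',
    r'{"log":" Your certificate will expire on 2022-04-02. To obtain a new or\n","stream":"stdout","time":"2022-01-02T15:56:07.301943105Z"}',
]

RESOLVER_WARN = re.compile(r"no resolver defined to resolve (\S+) while requesting certificate status")
RENEWING = re.compile(r"Renewing an existing certificate for (\S+)")
EXPIRY = re.compile(r"certificate will expire on (\d{4}-\d{2}-\d{2})")


def parse_docker_log(line):
    """Return (timestamp, stream, message) from one json-file log record."""
    rec = json.loads(line)
    return rec["time"], rec["stream"], rec["log"].rstrip("\n")


def analyze(lines, today):
    """Collect resolver warnings, renewals and the latest stated expiry date."""
    report = {"resolver_warnings": 0, "ocsp_responders": set(),
              "renewals": [], "expires_on": None, "days_left": None}
    for line in lines:
        _, _, msg = parse_docker_log(line)
        if m := RESOLVER_WARN.search(msg):
            report["resolver_warnings"] += 1
            report["ocsp_responders"].add(m.group(1))
        elif m := RENEWING.search(msg):
            report["renewals"].append(m.group(1))
        elif m := EXPIRY.search(msg):
            report["expires_on"] = date.fromisoformat(m.group(1))
    if report["expires_on"] is not None:
        report["days_left"] = (report["expires_on"] - today).days
    return report


def findings(report, warn_days=30):
    """Turn the report into operator-facing findings."""
    out = []
    if report["resolver_warnings"]:
        # nginx cannot look up the OCSP responder without a 'resolver' directive,
        # so stapling silently does nothing; this does not block certbot renewal.
        out.append("nginx has no resolver: OCSP stapling cannot reach "
                   + ", ".join(sorted(report["ocsp_responders"])))
    if report["days_left"] is not None and report["days_left"] <= warn_days:
        out.append(f"certificate expires in {report['days_left']} days; "
                   "check that crond and 'certbot renew' are really running")
    return out


if __name__ == "__main__":
    for f in findings(analyze(SAMPLE_LOGS, date.today())):
        print(f)
```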
@wartek69 that is a really good spot, thanks for raising this.
Indeed it seems I'm also getting the same warnings after performing some testing. But it only seems intermittent. I guess this has slipped out of my control as the LetsEncrypt certs are available for ~3 months, and I usually push updates or rebuild my servers before then...
I've merged https://github.com/smallwat3r/docker-nginx-gunicorn-flask-letsencrypt/pull/25 that should hopefully get rid of this. It's indeed recommended when using ssl_stapling.
It should also (hopefully) resolve the automatic renewal of certificates. But I will continue investigating to make sure it does.
Please let me know if that has fixed it from your side, or if you have any other idea of what might be missing.
@smallwat3r thank you for taking a look into it and merging the new code. I'll deploy this code asap and will come back to you if more issues arise!
My certificates still expire unfortunately; I'm restarting every 3 months to get around the issue. I'll share the server logs later on.
Thanks for letting me know @wartek69
It's a shame that adding resolver configs didn't solve this. I will have a closer look at this when I get a chance.
If you could share the server logs, that would be amazing.
Thanks!
Hi guys! Thanks @smallwat3r for this useful repo, I'm encountering the same issue as @wartek69. I'm not sure (still testing, because restarting the nginx docker renews my certificates as you know) but I find that the problem is in the crond service, which doesn't start automatically at boot, nor can the entrypoint script start it, so what I'm doing is simply to comment out the last line in entrypoint.sh:
/usr/sbin/crond -f -d 8 & became #/usr/sbin/crond -f -d 8 &
and change the Dockerfile at line 5 as follows:
RUN apk add --no-cache certbot became RUN apk add --no-cache certbot openrc busybox-initscripts
based on this SO solution: https://stackoverflow.com/questions/58577707/alpine-service-crond-does-not-exist
to see if crond is running:
rc-service --list | grep -i crond
to see if your cron is correctly scheduled:
run-parts --test /etc/periodic/weekly
Thanks @Dophy6, this is an interesting finding!
Please keep me updated with your testing, and if this fixes it, please feel free to submit a PR 👍
I will try to have a look at this issue once I've got a bit more time.