acme.sh
Timeout when trying to issue or renew
Hello
I previously successfully installed my certificate using acme.sh. After 3 months, there was no automatic update (I don't know why), but now I'm trying to manually renew or issue a new certificate.
But I'm getting a timeout, and I can't figure out why. Maybe someone has already faced such an issue?
Here are the logs:
Debug log
[root@SRV .acme.sh]# acme.sh --issue -d sub.domain.eu -w /var/www/sub.domain.eu/
[Tue Jun 21 16:19:41 CEST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Jun 21 16:19:41 CEST 2022] Creating domain key
[Tue Jun 21 16:19:41 CEST 2022] The domain key is here: /root/.acme.sh/sub.domain.eu/sub.domain.eu.key
[Tue Jun 21 16:19:41 CEST 2022] Single domain='sub.domain.eu'
[Tue Jun 21 16:19:41 CEST 2022] Getting domain auth token for each domain
[Tue Jun 21 16:20:00 CEST 2022] Getting webroot for domain='sub.domain.eu'
[Tue Jun 21 16:20:00 CEST 2022] Verifying: sub.domain.eu
[Tue Jun 21 16:20:06 CEST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Jun 21 16:20:18 CEST 2022] Processing, The CA is processing your order, please just wait. (2/30)
[Tue Jun 21 16:20:21 CEST 2022] Processing, The CA is processing your order, please just wait. (3/30)
[Tue Jun 21 16:20:34 CEST 2022] Processing, The CA is processing your order, please just wait. (4/30)
[Tue Jun 21 16:20:48 CEST 2022] Processing, The CA is processing your order, please just wait. (5/30)
[...]
[Tue Jun 21 16:25:03 CEST 2022] Processing, The CA is processing your order, please just wait. (25/30)
[Tue Jun 21 16:25:17 CEST 2022] Processing, The CA is processing your order, please just wait. (26/30)
[Tue Jun 21 16:25:30 CEST 2022] Processing, The CA is processing your order, please just wait. (27/30)
[Tue Jun 21 16:25:44 CEST 2022] Processing, The CA is processing your order, please just wait. (28/30)
[Tue Jun 21 16:25:59 CEST 2022] Processing, The CA is processing your order, please just wait. (29/30)
[Tue Jun 21 16:26:03 CEST 2022] sub.domain.eu:Timeout
[Tue Jun 21 16:26:03 CEST 2022] Please check log file for more details: /root/.acme.sh/acme.sh.log
[root@SRV .acme.sh]#
The output doesn't help; here is the head of the log file:
[Tue Jun 21 16:16:54 CEST 2022] Diagnosis versions:
openssl:openssl
OpenSSL 1.1.1k FIPS 25 Mar 2021
apache:
apache doesn't exist.
nginx:
nginx version: nginx/1.14.1
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-3) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-http_auth_request_module --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'
socat:
socat by Gerhard Rieger and contributors - see www.dest-unreach.org
socat version 1.7.4.1 on Apr 21 2021 15:36:49
running on Linux version #1 SMP PVE 5.4.174-2 (Thu, 10 Mar 2022 15:58:44 +0100), release 5.4.174-2-pve, machine x86_64
features:
#define WITH_STDIO 1
#define WITH_FDNUM 1
#define WITH_FILE 1
#define WITH_CREAT 1
#define WITH_GOPEN 1
#define WITH_TERMIOS 1
#define WITH_PIPE 1
#define WITH_UNIX 1
#define WITH_ABSTRACT_UNIXSOCKET 1
#define WITH_IP4 1
#define WITH_IP6 1
#define WITH_RAWIP 1
#define WITH_GENERICSOCKET 1
#define WITH_INTERFACE 1
#define WITH_TCP 1
#define WITH_UDP 1
#define WITH_SCTP 1
#define WITH_LISTEN 1
#define WITH_SOCKS4 1
#define WITH_SOCKS4A 1
#define WITH_VSOCK 1
#define WITH_PROXY 1
#define WITH_SYSTEM 1
#define WITH_EXEC 1
#define WITH_READLINE 1
#define WITH_TUN 1
#define WITH_PTY 1
#define WITH_OPENSSL 1
#undef WITH_FIPS
#undef WITH_LIBWRAP
#define WITH_SYCLS 1
#define WITH_FILAN 1
#define WITH_RETRY 1
#define WITH_MSGLEVEL 0 /*debug*/
[Tue Jun 21 16:19:34 CEST 2022] Running cmd: issue
[Tue Jun 21 16:19:34 CEST 2022] _main_domain='sub.domain.eu'
[Tue Jun 21 16:19:34 CEST 2022] _alt_domains='no'
[Tue Jun 21 16:19:34 CEST 2022] Using config home:/root/.acme.sh
[Tue Jun 21 16:19:34 CEST 2022] default_acme_server
[Tue Jun 21 16:19:34 CEST 2022] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Jun 21 16:19:34 CEST 2022] DOMAIN_PATH='/root/.acme.sh/sub.domain.eu'
[Tue Jun 21 16:19:34 CEST 2022] Using ACME_DIRECTORY: https://acme.zerossl.com/v2/DV90
[Tue Jun 21 16:19:34 CEST 2022] _init api for server: https://acme.zerossl.com/v2/DV90
[Tue Jun 21 16:19:34 CEST 2022] GET
[Tue Jun 21 16:19:34 CEST 2022] url='https://acme.zerossl.com/v2/DV90'
[Tue Jun 21 16:19:34 CEST 2022] timeout=
[Tue Jun 21 16:19:34 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:19:41 CEST 2022] ret='0'
[Tue Jun 21 16:19:41 CEST 2022] ACME_KEY_CHANGE='https://acme.zerossl.com/v2/DV90/keyChange'
[Tue Jun 21 16:19:41 CEST 2022] ACME_NEW_AUTHZ
[Tue Jun 21 16:19:41 CEST 2022] ACME_NEW_ORDER='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Jun 21 16:19:41 CEST 2022] ACME_NEW_ACCOUNT='https://acme.zerossl.com/v2/DV90/newAccount'
[Tue Jun 21 16:19:41 CEST 2022] ACME_REVOKE_CERT='https://acme.zerossl.com/v2/DV90/revokeCert'
[Tue Jun 21 16:19:41 CEST 2022] ACME_AGREEMENT='https://secure.trust-provider.com/repository/docs/Legacy/20201020_Certificate_Subscriber_Agreement_v_2_4_click.pdf'
[Tue Jun 21 16:19:41 CEST 2022] ACME_NEW_NONCE='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Jun 21 16:19:41 CEST 2022] Using CA: https://acme.zerossl.com/v2/DV90
[Tue Jun 21 16:19:41 CEST 2022] _on_before_issue
[Tue Jun 21 16:19:41 CEST 2022] _chk_main_domain='sub.domain.eu'
[Tue Jun 21 16:19:41 CEST 2022] _chk_alt_domains
[Tue Jun 21 16:19:41 CEST 2022] Le_LocalAddress
[Tue Jun 21 16:19:41 CEST 2022] d='sub.domain.eu'
[Tue Jun 21 16:19:41 CEST 2022] Check for domain='sub.domain.eu'
[Tue Jun 21 16:19:41 CEST 2022] _currentRoot='/var/www/sub.domain.eu/'
[Tue Jun 21 16:19:41 CEST 2022] d
[Tue Jun 21 16:19:41 CEST 2022] _saved_account_key_hash is not changed, skip register account.
[Tue Jun 21 16:19:41 CEST 2022] Read key length:2048
[Tue Jun 21 16:19:41 CEST 2022] Creating domain key
[Tue Jun 21 16:19:41 CEST 2022] Using config home:/root/.acme.sh
[Tue Jun 21 16:19:41 CEST 2022] ACME_DIRECTORY='https://acme.zerossl.com/v2/DV90'
[Tue Jun 21 16:19:41 CEST 2022] Use length 2048
[Tue Jun 21 16:19:41 CEST 2022] Using RSA: 2048
[Tue Jun 21 16:19:41 CEST 2022] The domain key is here: /root/.acme.sh/sub.domain.eu/sub.domain.eu.key
[Tue Jun 21 16:19:41 CEST 2022] _createcsr
[Tue Jun 21 16:19:41 CEST 2022] Single domain='sub.domain.eu'
[Tue Jun 21 16:19:41 CEST 2022] Getting domain auth token for each domain
[Tue Jun 21 16:19:41 CEST 2022] d
[Tue Jun 21 16:19:41 CEST 2022] url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Jun 21 16:19:41 CEST 2022] payload='{"identifiers": [{"type":"dns","value":"sub.domain.eu"}]}'
[Tue Jun 21 16:19:41 CEST 2022] RSA key
[Tue Jun 21 16:19:41 CEST 2022] HEAD
[Tue Jun 21 16:19:41 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/newNonce'
[Tue Jun 21 16:19:41 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g -I '
[Tue Jun 21 16:19:47 CEST 2022] _ret='0'
[Tue Jun 21 16:19:47 CEST 2022] POST
[Tue Jun 21 16:19:47 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/newOrder'
[Tue Jun 21 16:19:47 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:19:54 CEST 2022] _ret='0'
[Tue Jun 21 16:19:54 CEST 2022] code='201'
[Tue Jun 21 16:19:54 CEST 2022] Le_LinkOrder='https://acme.zerossl.com/v2/DV90/order/G4-PazirnP9aA5EsZc50fQ'
[Tue Jun 21 16:19:54 CEST 2022] Le_OrderFinalize='https://acme.zerossl.com/v2/DV90/order/G4-PazirnP9aA5EsZc50fQ/finalize'
[Tue Jun 21 16:19:54 CEST 2022] url='https://acme.zerossl.com/v2/DV90/authz/E8N7WVkbGGV5Nt07pz_bYQ'
[Tue Jun 21 16:19:54 CEST 2022] payload
[Tue Jun 21 16:19:54 CEST 2022] POST
[Tue Jun 21 16:19:54 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/authz/E8N7WVkbGGV5Nt07pz_bYQ'
[Tue Jun 21 16:19:54 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:20:00 CEST 2022] _ret='0'
[Tue Jun 21 16:20:00 CEST 2022] code='200'
[Tue Jun 21 16:20:00 CEST 2022] d='sub.domain.eu'
[Tue Jun 21 16:20:00 CEST 2022] Getting webroot for domain='sub.domain.eu'
[Tue Jun 21 16:20:00 CEST 2022] _w='/var/www/sub.domain.eu/'
[Tue Jun 21 16:20:00 CEST 2022] _currentRoot='/var/www/sub.domain.eu/'
[Tue Jun 21 16:20:00 CEST 2022] entry='"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A","status":"pending","token":"Gj2GDH-_Xh7qrbHfX13-A2BjSM"'
[Tue Jun 21 16:20:00 CEST 2022] token='Gj2GDH-_Xh7qrbHfX13-A2BjSM'
[Tue Jun 21 16:20:00 CEST 2022] uri='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:20:00 CEST 2022] keyauthorization='Gj2GDH-_Xh7lqkd-sdf.sldkfhjdslkf-kjdsMxpZyo5hJA'
[Tue Jun 21 16:20:00 CEST 2022] dvlist='sub.domain.eu#Gj2GDH-_Xh7lqkd-sdf.sldkfhjdslkf-kjdsMxpZyo5hJA#https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A#http-01#/var/www/sub.domain.eu/'
[Tue Jun 21 16:20:00 CEST 2022] d
[Tue Jun 21 16:20:00 CEST 2022] vlist='sub.domain.eu#Gj2GDH-_Xh7lqkd-sdf.sldkfhjdslkf-kjdsMxpZyo5hJA#https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A#http-01#/var/www/sub.domain.eu/,'
[Tue Jun 21 16:20:00 CEST 2022] d='sub.domain.eu'
[Tue Jun 21 16:20:00 CEST 2022] ok, let's start to verify
[Tue Jun 21 16:20:00 CEST 2022] Verifying: sub.domain.eu
[Tue Jun 21 16:20:00 CEST 2022] d='sub.domain.eu'
[Tue Jun 21 16:20:00 CEST 2022] keyauthorization='Gj2GDH-_Xh7lqkd-sdf.sldkfhjdslkf-kjdsMxpZyo5hJA'
[Tue Jun 21 16:20:00 CEST 2022] uri='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:20:00 CEST 2022] _currentRoot='/var/www/sub.domain.eu/'
[Tue Jun 21 16:20:00 CEST 2022] wellknown_path='/var/www/sub.domain.eu//.well-known/acme-challenge'
[Tue Jun 21 16:20:00 CEST 2022] writing token:Gj2GDH-_Xh7qrbHfX13-A2BjSM to /var/www/sub.domain.eu//.well-known/acme-challenge/Gj2GDH-_Xh7qrbHfX13-A2BjSM
[Tue Jun 21 16:20:00 CEST 2022] Changing owner/group of .well-known to apache:apache
[Tue Jun 21 16:20:00 CEST 2022] url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:20:00 CEST 2022] payload='{}'
[Tue Jun 21 16:20:00 CEST 2022] POST
[Tue Jun 21 16:20:00 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:20:00 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:20:06 CEST 2022] _ret='0'
[Tue Jun 21 16:20:06 CEST 2022] code='200'
[Tue Jun 21 16:20:06 CEST 2022] trigger validation code: 200
[Tue Jun 21 16:20:06 CEST 2022] Processing, The CA is processing your order, please just wait. (1/30)
[Tue Jun 21 16:20:06 CEST 2022] sleep 2 secs to verify again
[Tue Jun 21 16:20:09 CEST 2022] checking
[Tue Jun 21 16:20:09 CEST 2022] url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:20:09 CEST 2022] payload
[Tue Jun 21 16:20:09 CEST 2022] POST
And the tail of the logs for /root/.acme.sh/acme.sh.log:
[Tue Jun 21 16:25:47 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:25:47 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:25:59 CEST 2022] _ret='0'
[Tue Jun 21 16:25:59 CEST 2022] code='200'
[Tue Jun 21 16:25:59 CEST 2022] Processing, The CA is processing your order, please just wait. (29/30)
[Tue Jun 21 16:25:59 CEST 2022] sleep 2 secs to verify again
[Tue Jun 21 16:26:02 CEST 2022] checking
[Tue Jun 21 16:26:02 CEST 2022] url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:26:02 CEST 2022] payload
[Tue Jun 21 16:26:02 CEST 2022] POST
[Tue Jun 21 16:26:02 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:26:02 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:26:03 CEST 2022] _ret='0'
[Tue Jun 21 16:26:03 CEST 2022] code='200'
[Tue Jun 21 16:26:03 CEST 2022] sub.domain.eu:Timeout
[Tue Jun 21 16:26:03 CEST 2022] pid
[Tue Jun 21 16:26:03 CEST 2022] No need to restore nginx, skip.
[Tue Jun 21 16:26:03 CEST 2022] _clearupdns
[Tue Jun 21 16:26:03 CEST 2022] dns_entries
[Tue Jun 21 16:26:03 CEST 2022] skip dns.
[Tue Jun 21 16:26:03 CEST 2022] _on_issue_err
[Tue Jun 21 16:26:03 CEST 2022] Please check log file for more details: /root/.acme.sh/acme.sh.log
[Tue Jun 21 16:26:03 CEST 2022] url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:26:03 CEST 2022] payload='{}'
[Tue Jun 21 16:26:03 CEST 2022] POST
[Tue Jun 21 16:26:03 CEST 2022] _post_url='https://acme.zerossl.com/v2/DV90/chall/DITXhdJu2DCqPiFeI3N94A'
[Tue Jun 21 16:26:03 CEST 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Tue Jun 21 16:26:16 CEST 2022] _ret='0'
[Tue Jun 21 16:26:16 CEST 2022] code='200'
I'm really stuck ^^ Does anyone see where the issue is? Thanks :)
Hi - not sure it helps - in my case this was because my client has removed the DNS record for www.example.com for whatever reason, I kept trying to refresh for both example.com and www.example.com - and ended up with a pretty similar error.
Thanks for the tips, but no DNS or resolving issue with the impacted domains or with the host running the acme script :/
You might try a different CA - I was having similar issues today (and evidently for the last 4 weeks my renewal continually failed). My error was similar, but timeouts were different because I am using the DNS API... but after I added --server letsencrypt to the command line my cert was issued without any trouble. Something seems to be up w/ zerossl (the default CA).
Set the environment variable export MAX_RETRY_TIMES=9999; the default 30 times is just not enough.
I also tried this... then gave up at:
[Sat Nov 26 21:19:14 CET 2022] Processing, The CA is processing your order, please just wait. (6202/9999)
lol...
When trying with the option --server letsencrypt I'm getting:
[Sat Nov 26 21:29:12 CET 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Nov 26 21:29:12 CET 2022] Single domain='sub.domain.eu'
[Sat Nov 26 21:29:12 CET 2022] Getting domain auth token for each domain
[Sat Nov 26 21:29:13 CET 2022] Getting webroot for domain='sub.domain.eu'
[Sat Nov 26 21:29:13 CET 2022] Verifying: sub.domain.eu
[Sat Nov 26 21:29:14 CET 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Sat Nov 26 21:29:18 CET 2022] sub.domain.eu:Verify error:78.xxx.xxx.xxx: Invalid response from https://sub.domain.eu/.well-known/acme-challenge/9D8pvie_mON-bSAO9zOTcjwCwpZ7htZBgLGe4IdTr5I: 404
[Sat Nov 26 21:29:18 CET 2022] Please check log file for more details: /root/.acme.sh/acme.sh.log
And of course, nothing interesting in the logs. This script is a total fail lol. Paid certificates still have a long way to go :)
edit 04/2023: Since I'm stuck with this issue, I've simply removed acme from this server, and am running it from another server without any problem. I keep this issue open just in case someone else also faces that issue...
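Added example, not part of any post in this thread: the 404 above was returned for a challenge file that acme.sh writes under the -w directory, so a pre-flight check is to write a probe file into that directory and fetch it back over HTTP before asking a CA to validate. The function name probe_webroot and the probe file name are made up for this example; the usage line reuses the path and host from the logs.

```shell
#!/bin/sh
# Added example (not acme.sh code): pre-flight check for webroot (-w) HTTP-01.
# probe_webroot WEBROOT BASE_URL
#   0  a file written under WEBROOT/.well-known/acme-challenge/ is served
#      back unchanged at BASE_URL/.well-known/acme-challenge/<name>
#   1  the fetch failed (404, connection error, timeout)
#   2  something was served, but not the file that was written
#   3  the probe file could not be written (permissions, wrong path)
probe_webroot() {
    webroot=${1%/}                      # tolerate a trailing slash, as in the log
    base=${2%/}
    dir="$webroot/.well-known/acme-challenge"
    name="probe-$$-$(date +%s)"         # constructed name, not a real ACME token
    want="preflight-$name"

    mkdir -p "$dir" 2>/dev/null || return 3
    printf '%s' "$want" > "$dir/$name" 2>/dev/null || return 3

    # -f turns HTTP errors such as 404 into a non-zero exit status,
    # -L follows redirects (for example http -> https).
    if got=$(curl -fsSL --max-time 10 "$base/.well-known/acme-challenge/$name"); then
        rc=0
    else
        rc=$?
    fi
    rm -f "$dir/$name"                  # never leave the probe behind

    [ "$rc" -eq 0 ] || return 1
    [ "$got" = "$want" ] || return 2
    return 0
}

# Usage with the values from the thread (run on the server that hosts the site):
#   probe_webroot /var/www/sub.domain.eu/ http://sub.domain.eu
#   echo "probe result: $?"
```

A result of 1 or 2 points at the web server configuration (a different document root, a rewrite rule, or a rule blocking dot-directories) rather than at the CA; a result of 3 points at file-system permissions on the webroot.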
Also having this issue, ran acme.sh --renew -d example.com to update the cert.
How is this completed? Someone posted two days ago they are still having this issue.