
Transient LE problem - possible case for retrying

Open richardb64 opened this issue 1 year ago • 2 comments

I've hit a transient problem renewing a cert with Let's Encrypt. The following log is from the acme.sh --cron session (mildly redacted):

[Thu Feb 22 00:07:05 UTC 2024] Order status is valid.
[Thu Feb 22 00:07:05 UTC 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx'
[Thu Feb 22 00:07:05 UTC 2024] Downloading cert.
[Thu Feb 22 00:07:05 UTC 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx'
[Thu Feb 22 00:07:05 UTC 2024] =======Begin Send Signed Request=======
[Thu Feb 22 00:07:05 UTC 2024] url='https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx'
[Thu Feb 22 00:07:05 UTC 2024] payload
[Thu Feb 22 00:07:05 UTC 2024] POST
[Thu Feb 22 00:07:05 UTC 2024] _post_url='https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx'
[Thu Feb 22 00:07:05 UTC 2024] _CURL='curl --silent --dump-header /path/to/.acme.sh/http.header  -L  -g '
[Thu Feb 22 00:07:05 UTC 2024] _ret='0'
[Thu Feb 22 00:07:05 UTC 2024] code='404'
[Thu Feb 22 00:07:05 UTC 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx'
[Thu Feb 22 00:07:05 UTC 2024] Sign failed:
[Thu Feb 22 00:07:05 UTC 2024] _on_issue_err
[Thu Feb 22 00:07:05 UTC 2024] Please check log file for more details: /path/to/.acme.sh/acme.sh.log
[Thu Feb 22 00:07:05 UTC 2024] Return code: 1
[Thu Feb 22 00:07:05 UTC 2024] Error renew host.domain.tld.

Checking the same URL manually a few minutes later gave me a valid signed cert, so it looks as though the signing succeeded, but the request to actually download the issued cert yielded a 404.

Other renewals in the same cron session worked just fine, and I'm sure next time the cronjob runs, the failed renewal will work too - this seems to be a rare problem. But the cert issued originally is now effectively wasted, as I guess the next run will start again with a fresh key and CSR.

Short of running all renewals with debug on for weeks in the hope that the problem recurs, I don't think I can gather any more useful data than I already have, unfortunately. Also I no longer have the relevant http.header file, as that was immediately overwritten by the next renewal after the failed one.

This is clearly a problem on the LE side, but I wonder if it would help for acme.sh to retry the fetch a few times, rather than give up after a single 404?

richardb64 avatar Feb 22 '24 01:02 richardb64
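The retry the reporter asks for, written out as an added POSIX shell example; this is not acme.sh's own code and the function names (`fetch_with_retry`, `is_retryable`, `curl_fetch`, `flaky_fetch`, `denied_fetch`) are hypothetical. It retries the certificate download on a short list of transient status codes with a doubling delay, and only reports success once the body actually contains a PEM certificate. `curl_fetch` is a plain GET that prints the status code the way the `code='404'` log line does; acme.sh itself sends a signed POST-as-GET, which is omitted here. `flaky_fetch` is a constructed stand-in that reproduces the failure from the log (404 twice, then a 200 with a fake, constructed certificate body) so the block runs offline.

```shell
#!/bin/sh
# Added example, not acme.sh code: keep trying the certificate URL on transient
# errors instead of failing the renewal after a single 404. Names are hypothetical.

# Status codes worth another attempt: curl failure (000), cert not yet visible (404),
# timeouts, rate limiting, and 5xx. Anything else is treated as a hard failure.
is_retryable() {
  case "$1" in
    000|404|408|429|500|502|503|504) return 0 ;;
    *) return 1 ;;
  esac
}

# Plain HTTP fetch printing the status code, like the code='...' line in the log.
# Assumption: an unsigned GET; acme.sh sends a signed POST-as-GET (not shown here).
curl_fetch() {
  code=$(curl --silent -L -g -o "$2" -w '%{http_code}' "$1" 2>/dev/null) || code=000
  echo "${code:-000}"
}

# fetch_with_retry URL OUTFILE MAX_ATTEMPTS BASE_DELAY_SECONDS FETCH_CMD
# Returns 0 once FETCH_CMD yields 200 and OUTFILE holds a PEM certificate; retries
# retryable codes with a doubling delay; returns 1 on a non-retryable code or when
# attempts run out. Sets FETCH_ATTEMPTS and FETCH_LAST_CODE for the caller.
fetch_with_retry() {
  url=$1; out=$2; max=$3; delay=$4; fetch=$5
  FETCH_ATTEMPTS=0
  FETCH_LAST_CODE=000
  while [ "$FETCH_ATTEMPTS" -lt "$max" ]; do
    FETCH_ATTEMPTS=$((FETCH_ATTEMPTS + 1))
    FETCH_LAST_CODE=$("$fetch" "$url" "$out")
    # A 200 whose body is not a certificate (error page, empty file) is not a success.
    if [ "$FETCH_LAST_CODE" = 200 ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$out" 2>/dev/null; then
      return 0
    fi
    is_retryable "$FETCH_LAST_CODE" || return 1
    if [ "$FETCH_ATTEMPTS" -lt "$max" ]; then
      sleep "$delay"
    fi
    delay=$((delay * 2))
  done
  return 1
}

# Constructed stand-in for the log's failure: 404 on the first two calls, then 200
# with a fake PEM body, as when the cert became fetchable a few minutes later.
COUNTER=${TMPDIR:-/tmp}/fetch_retry_demo.$$
reset_counter() { rm -f "$COUNTER"; }
flaky_fetch() {
  n=$(cat "$COUNTER" 2>/dev/null || echo 0)
  n=$((n + 1))
  echo "$n" > "$COUNTER"
  if [ "$n" -lt 3 ]; then
    : > "$2"
    echo 404
  else
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBconstructedNotARealCertificate' '-----END CERTIFICATE-----' > "$2"
    echo 200
  fi
}

# Constructed stand-in for a hard failure that must not be retried.
denied_fetch() { : > "$2"; echo 403; }

# Stand-alone demo with no sleeping between attempts.
OUT=${TMPDIR:-/tmp}/fetch_retry_demo.pem
reset_counter
if fetch_with_retry 'https://acme-v02.api.letsencrypt.org/acme/cert/xxxx<certificate_id>xxxx' "$OUT" 5 0 flaky_fetch; then
  echo "got certificate after $FETCH_ATTEMPTS attempt(s)"
else
  echo "gave up after $FETCH_ATTEMPTS attempt(s), last code $FETCH_LAST_CODE"
fi
rm -f "$OUT"
reset_counter
```

Re-fetching the same certificate URL is safe to repeat: the log shows the order already valid, so the URL names a certificate that has been issued, and another attempt neither creates a new order nor needs a fresh key and CSR. The PEM check before returning success keeps a 200 with an error page or an empty body from being written over the existing certificate files, which is the other failure mode a cron renewal should never hit silently.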

Please upgrade to the latest code and try again first. Maybe it's already fixed. acme.sh --upgrade If it's still not working, please provide the log with --debug 2, otherwise, nobody can help you.

github-actions[bot] avatar Feb 22 '24 01:02 github-actions[bot]

please enable logs, so that next time you can provide the log file:

acme.sh --cron --log --log-level 2

Neilpang avatar Feb 25 '24 18:02 Neilpang