
Certificate does not renew automatically

Published 9 months ago

# SafeLine WAF
# ❓ question



kekw

Updated 9 months ago

0

Hi 🙂

automatic renew of some certificates failed.

See error message below:

    error: one or more domains had a problem: [example.domain] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 85.209.55.235: Fetching http://example.domain/.well-known/acme-challenge/UT0b0KzUPqjOu21__1DO5gL0A2y18Z0s4Y4BnPMF58Q: Timeout during connect (likely firewall problem)

I investigated the nginx/sites-enabled/IF_backend_N and there is no directive for .acme-challenge configured.

Do I have to add this manually to the domain.conf or what am I missing?

Thanks in advance 🙂


Carrie

Updated 9 months ago

Sometimes certificate auto-renewal may fail, and you’ll need to renew it manually.

From the error message, it seems that the ACME validation server timed out when trying to access http://example.domain/.well-known/acme-challenge/.

The validation request couldn’t reach the correct directory in Nginx (possibly due to network issues, WAF blocking, or .acme-challenge path not being properly forwarded).

Please check if Nginx is correctly handling the .acme-challenge path and if any firewall or intermediate layer is blocking access to port 80.
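The two checks Carrie asks for (is the CA's error really a connection failure, and does port 80 plus the challenge path reach nginx from outside?) can be scripted. The following is an added example, not SafeLine's own code: `classify_acme_error` maps the RFC 8555 error URN to the area to look at, `acme_error_target_ip` pulls out the address the CA tried, and `check_http01_reachability` probes the `/.well-known/acme-challenge/` path with a throwaway token. It assumes `curl` and `nc` are installed and uses a constructed sample error line with a documentation IP; `example.domain` is a placeholder.

```shell
#!/bin/sh
# Added example, not SafeLine's own code: triage an ACME HTTP-01 renewal
# failure. Classifies the acme error line and probes, from outside the
# firewall, whether TCP/80 and the challenge path reach the web server.
# Assumptions: curl and nc are installed; example.domain is a placeholder.

# Constructed sample, modelled on the error in this thread (the IP is a
# documentation address, not the real one).
SAMPLE_ERR='error: one or more domains had a problem: [example.domain] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 203.0.113.10: Fetching http://example.domain/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)'

# Map the RFC 8555 error URN to the area to investigate. Prints one word.
classify_acme_error() {
  case "$1" in
    *urn:ietf:params:acme:error:connection*)   echo "network" ;;    # CA never reached port 80
    *urn:ietf:params:acme:error:rateLimited*)  echo "ratelimit" ;;  # too many issuances for the name
    *urn:ietf:params:acme:error:unauthorized*) echo "challenge" ;;  # reached, but wrong/missing token
    *urn:ietf:params:acme:error:dns*)          echo "dns" ;;        # name does not resolve
    *)                                         echo "unknown" ;;
  esac
}

# Pull out the address the CA tried to connect to, so you can compare it
# with the public IP your firewall actually NATs to SafeLine.
acme_error_target_ip() {
  printf '%s\n' "$1" | sed -n 's/.*:: \([0-9.]*\): Fetching.*/\1/p'
}

# Probe the challenge path with a throwaway token. Run this from a host on
# the WAN side, not from inside an allow-listed network. A 404 (or a redirect)
# still proves the request arrived at nginx; "timeout" means it was dropped
# before it reached SafeLine.
check_http01_reachability() {
  domain="$1"
  if ! nc -z -w 5 "$domain" 80; then
    echo "port80: closed or filtered"
    return 1
  fi
  code=$(curl -s -o /dev/null -w '%{http_code}' --connect-timeout 5 \
    "http://$domain/.well-known/acme-challenge/probe-$$") || code="timeout"
  case "$code" in
    2??|3??|404) echo "path reaches nginx (HTTP $code)"; return 0 ;;
    *)           echo "no usable HTTP answer on the challenge path ($code)"; return 1 ;;
  esac
}

# Usage from the command line: ./acme-triage.sh example.domain
if [ "$#" -ge 1 ]; then
  echo "error class: $(classify_acme_error "$SAMPLE_ERR") (CA connected to $(acme_error_target_ip "$SAMPLE_ERR"))"
  check_http01_reachability "$1"
fi
```

Run the probe from outside the firewall, because the CA validates from its own networks: a check that passes from the LAN tells you nothing about whether the WAN-facing NAT rule forwards port 80.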


kekw

Updated 9 months ago

0

Appreciate your fast reply!

I validated the open port via nc -vz example.domain 80

The .acme-challenge path is what I wonder about.
Normally, I used to configure it like following:

    location ^~ /.well-known/acme-challenge {
        root /var/www/share;

        allow all;
        auth_basic off;
    }

But I can not find any corresponding config in nginx/sites-enabled/IF_backend_N


Carrie

Updated 9 months ago

0

Which version are you using?

The automatic renewal error messages can be found in mgt_ssl_cert -> acme_message

Is the error message you provided from a manual renewal attempt?

    error: one or more domains had a problem: [example.domain] acme: error: 400 :: urn:ietf:params:acme:error:connection :: 85.209.55.235: Fetching http://example.domain/.well-known/acme-challenge/UT0b0KzUPqjOu21__1DO5gL0A2y18Z0s4Y4BnPMF58Q: Timeout during connect (likely firewall problem)

Regarding the missing config in nginx/sites-enabled/IF_backend_N, the acme-challenge path is auto-generated and then removed after the process is complete, so you won't see it. But you can see it during the renewal process.
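Because the location block only exists while a renewal is in progress, a single grep of the generated config will usually miss it. The following is an added example, not SafeLine's own code, that polls the container and prints the block each time it is present, including the `root` it serves from (which is where the token file must land). It assumes the Tengine container is named `safeline-tengine`, as in this thread, and that the generated configs live in `/etc/nginx/sites-enabled/` inside it; the config in the test is constructed.

```shell
#!/bin/sh
# Added example, not SafeLine's own code. The acme-challenge location is only
# written into the generated nginx config during a renewal, so this polls the
# container and reports the block whenever it appears.
# Assumptions: container name safeline-tengine (as in the thread) and generated
# configs under /etc/nginx/sites-enabled/ inside it.

# Print every "location ... /.well-known/acme-challenge" block found in the
# given config file(s) or on stdin, tracking braces so nested and one-line
# blocks are handled. Nothing else from the file is printed.
find_acme_locations() {
  awk '
    /location[ \t]+[~^=]*[ \t]*\/\.well-known\/acme-challenge/ { inblock = 1; depth = 0 }
    inblock {
      print
      opens  = gsub(/[{]/, "{")   # count braces without changing the line
      closes = gsub(/[}]/, "}")
      depth += opens - closes
      if (depth <= 0 && (opens + closes) > 0) inblock = 0
    }
  ' "$@"
}

# Poll the generated configs once per second and report when the transient
# block is present. Start this first, then trigger the renewal from the UI.
watch_acme_locations() {
  container="${1:-safeline-tengine}"
  while :; do
    found=$(docker exec "$container" sh -c 'cat /etc/nginx/sites-enabled/IF_backend_* 2>/dev/null' \
      | find_acme_locations)
    if [ -n "$found" ]; then
      printf '%s acme-challenge location present:\n%s\n' "$(date '+%H:%M:%S')" "$found"
    fi
    sleep 1
  done
}

# Usage: ./watch-acme.sh --watch [container-name]
if [ "${1:-}" = "--watch" ]; then
  watch_acme_locations "${2:-safeline-tengine}"
fi
```

If the watcher never prints anything while the UI reports a renewal attempt, the renewal failed before the challenge was set up (for example at the CA's rate limit); if it prints the block but the CA still times out, the request is being dropped on the network path in front of SafeLine.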


kekw

Updated 9 months ago

0

I am using the latest version 9.2.4

Yep, it's copied from the UI under Settings -> SSL Cert -> Auto renew failed
Under mgt_ssl_cert -> acme_message is the same error msg as in the UI, apparently.

Safeline is atm behind a firewall which allows only a couple of IPs to pass through and access Safeline.
That's why I made sure I opened the corresponding firewall rule to let anyone access the network.

Ok interesting.
Unfortunately, I don't see any changes during the renewal process.

    docker exec -it safeline-tengine sh -c 'grep -A5 -n acme-challenge /etc/nginx/sites-enabled/IF_backend_*'

Carrie

Updated 9 months ago

0

Try capturing traffic on port 80 to see if any requests are coming through during the renewal process.

Is there any other proxy in front of SafeLine?


kekw

Updated 9 months ago

0

Unfortunately, I could not record any traffic on port 80 which I could identify as acme-challenge relevant.

To record incoming traffic on port 80 I used tcpdump -ni vtnet0 tcp port 80 on my firewall directly.

Nope. The Firewall is exposed to WAN and just does NAT to Safeline.

What I could imagine after several tries now is that my certificate limit is exhausted and that's what causes the trouble.

Is there a way to disallow automatic renewal of specific certificates?


Carrie

Updated 9 months ago

It means the traffic didn’t reach SafeLine, so you need to find the external causes.

Currently, there’s no feature to disallow automatic certificate renewal, but you can submit https://discord.com/channels/1243085666485534830/1243120292822253598

Our product manager will check and consider them.


kekw

Updated 8 months ago

0

Today my certificates got renewed automatically 🙂 I think the problem was due to the limit of letsencrypt acme-challenge.