Univention Bugzilla – Bug 50883
Traceback generating letsencrypt certificate
Last modified: 2021-02-01 13:37:57 CET
In a customer environment we came across the following traceback in the logfile. This causes a new certificate not to be generated for two times. The third time the certificate was already expired.

So 1. Dez 03:30:05 CET 2019
Refreshing certificate for following domains: cloud.schule-irgendwo.it
Parsing account key...
Parsing CSR...
Found domains: cloud.schule-irgendwo.it
Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix
How did you fix the issue?
Looking at the connected support case, this seems to be a temporary issue while trying to connect; the root cause is either in the customer environment or Let's Encrypt itself. The error should be handled more gracefully, i.e. with more retries and a descriptive message by mail or monitoring.
There have been multiple reports with the same symptoms during Nov/Dec in the forum and also by partners. My suggestion was to change "letsencrypt/cron" and I haven't seen any further reports from the sites after that. It might be a good idea to use "jitter" for the refresh.
This topic was discussed during the 2021 UCS barcamp session. In addition to my suggestions in comment 3 it would also be an option to make the renewal itself more fail-safe, like trying again if the first attempt was not successful.
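The two mitigations proposed in the comments above (retrying a failed attempt, and adding jitter so many hosts do not hit the CA at the same instant) can be combined in one small wrapper around the directory fetch. The code below is an added illustration and is not part of univention-letsencrypt or acme_tiny.py; the function names `fetch_with_retries`, `backoff_delay`, `is_transient`, `splay_delay` and `make_flaky_fetch` are hypothetical, and the directory body returned by the demo fetch is a constructed sample. It retries only connection-level failures such as the "[Errno 104] Connection reset by peer" from the traceback, using exponential backoff with full jitter, and re-raises protocol errors (an HTTP 4xx, for example) immediately so a real misconfiguration is not masked by retries.

```python
import errno
import random
import socket
import time
import urllib.error
import urllib.request

# Errnos treated as transient network failures worth retrying. ECONNRESET is the
# "[Errno 104] Connection reset by peer" seen in the bug's traceback.
TRANSIENT_ERRNOS = {errno.ECONNRESET, errno.ECONNREFUSED, errno.ETIMEDOUT}

# Constructed sample body; a real ACME directory is a JSON object of endpoint URLs.
DEMO_DIRECTORY_BODY = b'{"newNonce": "<constructed-sample-url>"}'


def is_transient(exc):
    """True for connection-level failures; False for protocol errors (e.g. HTTP 4xx)."""
    if isinstance(exc, urllib.error.HTTPError):
        # The server answered. A 5xx may clear up; a 4xx will not, so do not retry it.
        return exc.code >= 500
    if isinstance(exc, urllib.error.URLError):
        reason = exc.reason  # urlopen wraps the socket error here
        if isinstance(reason, socket.timeout):
            return True
        return isinstance(reason, OSError) and reason.errno in TRANSIENT_ERRNOS
    return isinstance(exc, (ConnectionResetError, TimeoutError))


def backoff_delay(attempt, base=2.0, cap=60.0, rng=random.random):
    """Exponential backoff with full jitter: uniform in [0, min(cap, base * 2**attempt))."""
    return rng() * min(cap, base * (2 ** attempt))


def splay_delay(window_seconds, rng=random.random):
    """Random start offset so hosts sharing one cron line spread their renewals over a window."""
    return rng() * window_seconds


def fetch_with_retries(fetch, url, attempts=5, sleep=time.sleep, rng=random.random, log=print):
    """Call fetch(url), retrying transient failures with jittered backoff.

    Re-raises a non-transient error at once and the last transient error once
    `attempts` is exhausted, so the caller still gets a descriptive failure.
    """
    if attempts < 1:
        raise ValueError("attempts must be >= 1")
    for attempt in range(attempts):
        try:
            return fetch(url)
        except Exception as exc:
            if not is_transient(exc) or attempt == attempts - 1:
                raise
            delay = backoff_delay(attempt, rng=rng)
            log("attempt %d/%d for %s failed (%s); retrying in %.1fs"
                % (attempt + 1, attempts, url, exc, delay))
            sleep(delay)


def urlopen_fetch(url, timeout=30):
    """Plain urllib fetch; this is the `fetch` you would pass in for real use."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def make_flaky_fetch(failures):
    """Constructed test double: fails `failures` times with the errno from the bug, then succeeds."""
    calls = {"n": 0}

    def fetch(url):
        calls["n"] += 1
        if calls["n"] <= failures:
            raise urllib.error.URLError(
                ConnectionResetError(errno.ECONNRESET, "Connection reset by peer"))
        return DEMO_DIRECTORY_BODY

    return fetch


if __name__ == "__main__":
    # Demo against the constructed double, so this runs offline; swap in urlopen_fetch
    # to talk to a real directory URL such as the one in the traceback.
    delays = []
    body = fetch_with_retries(make_flaky_fetch(2),
                              "https://acme-v02.api.letsencrypt.org/directory",
                              sleep=delays.append)
    print("directory fetched after %d retries (slept %s): %s"
          % (len(delays), delays, body.decode()))
```

With five attempts, a base of two seconds and a 60-second cap, the worst case adds well under three minutes to a renewal run, which is far cheaper than a missed renewal that only surfaces once the certificate has expired. Jitter on both the per-retry delay and the cron start time keeps a fleet of hosts from retrying in lockstep.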