Bug 50883 - Traceback generating letsencrypt certificate
Traceback generating letsencrypt certificate
Status: NEW
Product: UCS
Classification: Unclassified
Component: Let's Encrypt
UCS 4.4
Other Linux
P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2020-02-28 14:45 CET by Christina Scheinig
Modified: 2021-02-01 13:37 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.057
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review: Yes
Ticket number: 2020013021000409
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Christina Scheinig univentionstaff 2020-02-28 14:45:51 CET
In a customer environment we came across the following traceback in the logfile. This caused a new certificate not to be generated twice. The third time, the certificate had already expired.

So 1. Dez 03:30:05 CET 2019
Refreshing certificate for following domains:
cloud.schule-irgendwo.it

Parsing account key...
Parsing CSR...
Found domains: cloud.schule-irgendwo.it
Getting directory...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>
Setting letsencrypt/status
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//apache2
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//dovecot
run-parts: executing /etc/univention/letsencrypt/post-refresh.d//postfix
Comment 1 Michel Smidt 2020-03-18 23:09:35 CET
How did you fix the issue?
Comment 2 Ingo Steuwer univentionstaff 2020-03-30 13:13:04 CEST
Looking at the connected support case this seems to be a temporary issue while trying to connect, root cause is either in the customer environment or let's encrypt itself.

The error should be handled more gracefully, i.e. with more retries and a descriptive message by mail or monitoring.
Comment 3 Dirk Ahrnke univentionstaff 2020-04-06 10:13:41 CEST
There have been multiple reports with the same symptoms during Nov/Dec in the forum and also by partners.

My suggestion was to change "letsencrypt/cron" and I haven't seen any further reports from the sites after that.
It might be a good idea to use "jitter" for the refresh.
Comment 4 Dirk Ahrnke univentionstaff 2021-02-01 13:37:57 CET
This topic was discussed during the 2021 UCS barcamp session.

In addition to my suggestions in comment 3 it would also be an option to make the renewal itself more fail-safe, like trying again if the first attempt was not successful.
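As an added illustration of the retry-with-jitter approach the later comments suggest (example code, not from univention-letsencrypt or acme_tiny): the step that fails in the traceback, the GET of the directory URL, wrapped so that transient transport errors such as "Connection reset by peer" are retried with exponential backoff and random jitter, while other errors are raised immediately. The function names, attempt count and delay values are assumptions.

```python
"""Retry-with-jitter wrapper for the ACME directory fetch (added example)."""
import errno
import random
import time
import urllib.error
import urllib.request

DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"  # URL from the traceback

# errnos that indicate a transient transport failure worth retrying (assumption)
TRANSIENT_ERRNOS = {errno.ECONNRESET, errno.ECONNREFUSED, errno.ETIMEDOUT}


def is_transient(exc):
    """True for errors like <urlopen error [Errno 104] Connection reset by peer>."""
    # URLError wraps the socket error in .reason; a bare OSError carries errno itself
    reason = getattr(exc, "reason", exc)
    return (getattr(reason, "errno", None) in TRANSIENT_ERRNOS
            or isinstance(reason, TimeoutError))


def fetch_with_retry(fetch, attempts=5, base_delay=2.0, max_delay=60.0,
                     sleep=time.sleep, rand=random.random):
    """Call fetch() until it succeeds or `attempts` is exhausted.

    The pause before attempt n is min(max_delay, base_delay * 2**(n-1)), scaled
    by a random factor in [0.5, 1.5) so that many hosts renewing at the same cron
    minute do not hit the CA in lock-step. Returns (result, attempts_used).
    Non-transient errors, and the last transient one, are re-raised.
    """
    for attempt in range(1, attempts + 1):
        try:
            return fetch(), attempt
        except (urllib.error.URLError, OSError) as exc:
            if not is_transient(exc) or attempt == attempts:
                raise
            delay = min(max_delay, base_delay * 2 ** (attempt - 1)) * (0.5 + rand())
            sleep(delay)


def get_directory(url=DIRECTORY_URL, timeout=30):
    """Plain fetch of the ACME directory; pass it to fetch_with_retry() to use."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    body, used = fetch_with_retry(get_directory)
    print("directory fetched after %d attempt(s), %d bytes" % (used, len(body)))
```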