TLS Certificate Auto-Renewal

I’m saying that when I changed the URL in the python script to use the staging server (per the directions earlier in this thread from Ben), it still didn’t work. Isn’t that odd? Can you get it to talk to staging server yourself?

Also when you say “Because validation failed” - doesn’t it seem like a bug in the ACME client that not validating the cert would result in the “rate limited” error coming back? The source code for the client looks for specific language before it raises the rate limit error message, if I’m reading it correctly.

Did all my package versions seem ok? What did you specifically look for in those lists?

Thanks so much for helping by the way.

@backpackhasjetz
The staging server will never provide a valid ssl certificate.

MIAB only asks for a new certificate if the currently saved certificate is old or invalid. If you had either the ubuntu package installed (which is old and buggy) OR an older version of pyOpenSSL installed (which is also buggy), MIAB could not validate the totally valid SSL cert provided by letsencrypt. MIAB did not save that new cert because MIAB was using old buggy python ssl libraries that couldn’t validate it. So, every day, when MIAB checked to see if it should get a new cert, it appeared that the cert currently installed was old and needed to be renewed, thus MIAB tried to renew the cert, couldn’t validate it, and didn’t save it, and the cycle continued. From LetsEncrypt’s perspective, though, MIAB has requested a certificate every day for the past month, thus exceeding LetsEncrypt’s rate limit.

Even after you upgraded your python SSL libraries, you still were suffering the rate limit from the LetsEncrypt side of things, which is why it took some time for you to be offered a new, valid cert from LetsEncrypt.

Yes, your packages seemed OK. I was looking to see:

  1. if you have the ubuntu python openssl package installed (which probably would have broken things)
  2. if your python libraries installed by pip3 were up to date, specifically, those related to SSL and Crypto, particularly pyOpenSSL.
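The renewal loop described in the explanation above, as an added example (my own model written for this thread, not MIAB's code): a daily check that treats an unvalidatable cert as "renew now", a constructed stand-in CA with a made-up limit of 5 issuances per 7 days, and a guarded variant that remembers the last failed attempt and backs off (the 7-day backoff is a hypothetical choice). It also shows the delay from the post above: even once the local library is fixed, the unguarded box stays rate limited until the window clears.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class Cert:
    not_after: date
    validates: bool  # does the local TLS library accept this cert's chain?


@dataclass
class FakeCA:
    """Constructed stand-in for the ACME server: at most `limit` issuances per `window`."""
    limit: int = 5
    window: timedelta = timedelta(days=7)
    issued: list = field(default_factory=list)

    def order(self, today: date, lib_ok: bool) -> Cert:
        recent = [d for d in self.issued if today - d < self.window]
        if len(recent) >= self.limit:
            raise RuntimeError("rate limited")
        self.issued.append(today)
        # The CA always issues a valid cert; whether the client can validate it
        # depends only on the client's library, which is the bug in the thread.
        return Cert(not_after=today + timedelta(days=90), validates=lib_ok)


def needs_renewal(cert: Optional[Cert], today: date, min_days_left: int = 14) -> bool:
    """Renew if no cert is saved, it fails validation, or it expires soon."""
    return cert is None or not cert.validates or (cert.not_after - today).days < min_days_left


def daily_task(installed, ca, today, lib_ok, state=None, backoff=timedelta(days=7)):
    """One daily check. With state=None it behaves like the loop in the thread: a
    cert the local library can't validate is never saved, so tomorrow's check
    fails again and another order goes to the CA. With a state dict it records
    the last failed attempt and refuses to re-order inside the backoff window."""
    if not needs_renewal(installed, today):
        return installed, "ok"
    if state is not None:
        last = state.get("last_failed")
        if last is not None and today - last < backoff:
            return installed, "skipped: backing off after failed attempt"
    try:
        new = ca.order(today, lib_ok)
    except RuntimeError as exc:
        if state is not None:
            state["last_failed"] = today
        return installed, str(exc)
    if not new.validates:
        if state is not None:
            state["last_failed"] = today
        return installed, "validation failed; not saved"
    if state is not None:
        state.pop("last_failed", None)
    return new, "renewed"


def simulate(days: int, lib_fixed_on: Optional[int], guarded: bool) -> dict:
    """Run `days` daily checks on a fresh box. The local TLS library starts
    validating certs on day `lib_fixed_on` (None = never). Returns counts."""
    ca = FakeCA()
    installed, state = None, ({} if guarded else None)
    outcomes = []
    start = date(2016, 1, 1)  # constructed start date
    for i in range(days):
        lib_ok = lib_fixed_on is not None and i >= lib_fixed_on
        installed, msg = daily_task(installed, ca, start + timedelta(days=i), lib_ok, state)
        outcomes.append(msg)
    return {
        "orders": len(ca.issued),
        "rate_limited_days": outcomes.count("rate limited"),
        "first_renewed_day": outcomes.index("renewed") if "renewed" in outcomes else None,
        "has_valid_cert": installed is not None and installed.validates,
    }


if __name__ == "__main__":
    print("broken lib, unguarded:", simulate(30, lib_fixed_on=None, guarded=False))
    print("lib fixed day 12, unguarded:", simulate(30, lib_fixed_on=12, guarded=False))
    print("lib fixed day 12, guarded:", simulate(30, lib_fixed_on=12, guarded=True))
```

With the library fixed on day 12, both variants end up with a valid cert on day 14, but the unguarded one has burned 11 orders and four rate-limited days to get there, while the guarded one made three orders and was never rate limited. The point for a daily cron job is that "could not validate what the CA gave me" is a local failure and should be remembered, not retried every day as if the CA had never been asked.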

The staging server will never provide a valid ssl certificate.

Yes, I understand that, but when I tried to modify the code earlier to talk to the staging server, I was getting the same error as I got on production (the rate limited error). Doesn’t that seem odd/a bug?

Thanks so much. Your explanation makes sense to me. You’ve been very helpful!

I see now. Huh. No clue. My guess is a bug in the underlying pyOpenSSL library or the free_tls_certificates.

The issue described by @cromulus above is exactly right. I’ve resolved this by commenting out the line in daily_tasks.sh that would request the new certificate, waited until I was outside of the rate limit, and have just successfully provisioned a new certificate manually using the admin interface. I’ve uncommented the line and am now back to a functional machine.

Thanks everyone for troubleshooting and figuring out the issue!

Hi guys,

First the solution with updating pip was a success, but now it seems that nginx, dovecot and postfix are also using the old certs now and then. This results in HTTPS, IMAP and SMTPS failures…

Does anybody have a clue to fix this?

Cheers.

in addition, this is the error message that the email client gets:

Mail was unable to connect to server “mail.domain.com” using SSL on port 993. Verify that this server supports SSL and that your account settings are correct.

I already removed the old certs in /home/user-data/ssl/ as I saw the HTTPS request give an old cert. Now HTTPS is behaving like it should be.
Now I don’t know why it is behaving like this and the symlink seems to be pointing to the correct cert… perhaps a minor thing… reinstalling MIAB via the script didn’t fix the issue…
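For the "some services still serve the old cert" situation above, here is an added check (my own script, not MIAB's): it fingerprints the leaf certificate in the file on disk and the certificate each port actually presents (443, 993, 465, and 587 via STARTTLS), and reports the ports that disagree. The file name `ssl_certificate.pem` under the /home/user-data/ssl/ directory named in the thread is an assumption; pass your own path as the second argument. The constructed PEM helper exists only so the fingerprinting can be exercised without a real certificate.

```python
"""Compare the certificate each mail/web service presents with the one on disk."""
import base64
import hashlib
import smtplib
import socket
import ssl
import sys

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def first_cert_pem(text: str) -> str:
    """Return only the leaf (first) certificate from a PEM file that may also
    carry the chain: ssl.PEM_cert_to_DER_cert would otherwise base64-decode the
    whole file, including the intermediate, and give a meaningless fingerprint."""
    head, sep, _rest = text.partition(PEM_END)
    if not sep:
        raise ValueError("no certificate found in PEM text")
    return head.strip() + "\n" + PEM_END


def fingerprint_der(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()


def fingerprint_pem(text: str) -> str:
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first_cert_pem(text)))


def served_fingerprint(host: str, port: int, starttls_smtp: bool = False, timeout: int = 10) -> str:
    """SHA-256 fingerprint of the certificate presented on host:port. Chain
    verification is deliberately off: the point is to see what is being served,
    even when it is expired or otherwise wrong."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    if starttls_smtp:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return fingerprint_der(smtp.sock.getpeercert(binary_form=True))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def mismatches(expected: str, served: dict) -> list:
    """served maps a label like 'imaps/993' to a fingerprint (or an error
    string); returns the labels whose value differs from the on-disk one."""
    return sorted(label for label, fp in served.items() if fp != expected)


def check_host(host: str, cert_path: str):
    with open(cert_path) as f:
        expected = fingerprint_pem(f.read())
    served = {}
    for label, port, starttls in [("https/443", 443, False), ("imaps/993", 993, False),
                                  ("smtps/465", 465, False), ("submission/587", 587, True)]:
        try:
            served[label] = served_fingerprint(host, port, starttls)
        except (OSError, smtplib.SMTPException) as exc:
            served[label] = f"error: {exc}"
    return expected, served, mismatches(expected, served)


def constructed_pem(*payloads: bytes) -> str:
    """Build a PEM-shaped text from arbitrary bytes (constructed test input, not
    a real certificate; only the base64 framing matters for the fingerprint)."""
    return "".join(f"{PEM_BEGIN}\n{base64.encodebytes(p).decode()}{PEM_END}\n" for p in payloads)


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.domain.com"
    path = sys.argv[2] if len(sys.argv) > 2 else "/home/user-data/ssl/ssl_certificate.pem"  # assumed name
    expected, served, bad = check_host(host, path)
    print("on disk:", expected)
    for label, fp in served.items():
        print(f"{label:15} {fp}")
    print("mismatch:", ", ".join(bad) if bad else "none")
```

If 443 matches but 993 does not, nginx has picked up the new file while Dovecot is still holding the one it loaded at startup, which is the "now and then" behaviour above; a reload of the lagging service is then the thing to try before digging into symlinks.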

Please see also this error from Dovecot:

I think it is related to the issue.

Cheers