Letsencrypt fails to renew certificates

Enabled LE staging, back to the original error.

Yeah, this host is a manager.
Just constraining by hostname.

Ah, I see, trying the manager constraint.

acme.json looks good.

what does this mean?

acme: error: 400 :: urn:ietf:params:acme:error:tls :: XX.XX.XX.XX: remote error: tls: unrecognized name

You redacted it; is that a domain or an IP? Does the domain exist in DNS? Is it an internal or external IP? Do you have labels with Host(`<ip>`) on any of your services?

That was the IP address of my domain, which resolves successfully.

There is something with TLS handshaking, I guess; will try to get more info on that.

I have had a new internet provider and a modem since about a month ago. Are there any reasons that could be causing this, in the modem or on the provider side?

The nice thing about Traefik is its open-source nature, so you can look at the source code in ./pkg/tls/tlsmanager.go :wink:

if certificate == nil {
    log.Debug().Msgf("TLS: no certificate for TLSALPN challenge: %s", domainToCheck)
    // We want the user to eventually get the (alertUnrecognizedName) "unrecognized name" error.
    // Unfortunately, if we returned an error here,
    // since we can't use the unexported error (errNoCertificates) that our caller (config.getCertificate in crypto/tls) uses as a sentinel,
    // it would report an (alertInternalError) "internal error" instead of an alertUnrecognizedName.
    // Which is why we return no error, and we let the caller detect that there's actually no certificate,
    // and fall back into the flow that will report the desired error.
    // https://cs.opensource.google/go/go/+/dev.boringcrypto.go1.17:src/crypto/tls/common.go;l=1058
    return nil, nil
}

Then you can search the Internet or ask ChatGPT about alertUnrecognizedName.
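As an added example (not from this thread and not Traefik's own code): a small Go program that reproduces the alert the snippet above explains. It runs a loopback TLS server whose GetCertificate returns (nil, nil) for any name it holds no certificate for, then handshakes against it once with a served SNI and once with an unknown one; the second attempt fails with the client-side "remote error: tls: unrecognized name" quoted earlier in the thread. The hostnames known.example and unknown.example and the self-signed fixture (which sets no validity period) are constructed for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
)
// selfSigned builds a throwaway certificate for one hostname (constructed fixture, no validity period set).
func selfSigned(host string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // P-256 keygen does not fail
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err) // a broken fixture is a bug, not a runtime condition
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}
// ProbeSNI: loopback TLS server that, like the Traefik snippet above, returns (nil, nil) for an unknown SNI; returns the client's handshake error.
func ProbeSNI(served, requested string) error {
	cert := selfSigned(served)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if hi.ServerName == served {
				return &cert, nil
			}
			return nil, nil // no certificate: crypto/tls sends alert unrecognized_name
		},
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() { // drive one server-side handshake; a failed one just ends here
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	// InsecureSkipVerify is acceptable only because the peer is our own self-signed fixture.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: requested, InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
	}
	return err // nil, or e.g. "remote error: tls: unrecognized name"
}
func main() {
	fmt.Println("served:", ProbeSNI("known.example", "known.example"), "| unknown:", ProbeSNI("known.example", "unknown.example"))
}
```

The same probe run against a real endpoint is a quick way to confirm whether a given SNI is served before blaming the ACME side.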

It seems like the server does not know the domain. Are you sure your domain is pointing to the right IP? Internally and externally? I am not even sure if it is about a domain or if it thinks an IP should be a domain. But you can't get a TLS cert for an IP.

I think the error might come from this direction:

Here is this thing on Github:

These two, in quotes, are discussed on forums quite a lot:

  • "urn:ietf:params:acme:error:tls"
  • "remote error: tls: unrecognized name"

Here is what ChatGPT "says":

The error messages you mentioned are related to the ACME (Automated Certificate Management Environment) protocol, which is used by Let's Encrypt to automate the process of obtaining and renewing SSL/TLS certificates.

  1. urn:ietf:params:acme:error:tls:
    This error indicates a problem with the TLS (Transport Layer Security) connection during the ACME protocol exchange. It typically means there was an issue with the TLS handshake or communication between the client (your server) and the ACME server.

  2. remote error: tls: unrecognized name:
    This error suggests that the ACME server received a TLS certificate request for a domain name that it does not recognize or is not associated with the account making the request.

Common causes for these errors could include:

  • DNS Configuration Issues: The domain for which you're trying to obtain a certificate might not be properly configured in DNS or may not be resolving to the correct IP address.

  • Firewall or Network Issues: There could be firewall rules or network restrictions preventing proper communication between your server and the Let's Encrypt ACME server.

  • Server Configuration: There might be an issue with your server's TLS configuration, such as mismatched or incorrect certificates, or the server is not presenting the correct SNI (Server Name Indication) during the TLS handshake.

To troubleshoot these issues, you can:

  • Verify that your domain's DNS records are correctly configured.
  • Check your server's firewall settings to ensure it allows communication with the Let's Encrypt ACME server.
  • Review your server's TLS configuration to make sure it's correct and up-to-date.
  • Check for any logs or additional error messages that provide more details about the specific issue.

If you provide more context or specific logs, I might be able to offer more targeted assistance.


Checking my new router's firewall settings.

Continuing this discussion on go-acme support; thanks a lot for your comments, @bluepuma77!