Failed download certificate not detected. #784
Comments
As further background to this error the LE system was having problems. From the status history: November 11, 2022 05:21 UTC [Resolved] We have resolved the issue and traffic patterns have returned to normal. November 11, 2022 02:32 UTC [Identified] We are aware of elevated http 503 error rates to our API endpoint in one of our datacenters. We have triaged the problem and the rates have decreased but continue to troubleshoot and monitor.
@webservicebe Thanks for reporting this. I had a similar problem with one of my calls to LetsEncrypt, but fortunately that failed less catastrophically. I'll add a check for return status 503 to all of the curl checks to fix, and I'll also do the openssl final check you suggest as well.
As I had the same problem this night I changed some things in getssl. I did not change, added 503 to the action taken when you get a 500 from LE, because I don't see any use in hitting a webserver that is busy over and over again.
Last night one of my certificates on a webserver was renewed.
In the last step (downloading the certificate) it went wrong due to a busy webserver at Let's Encrypt.
This was not detected by getssl, I presume the code from Let's Encrypt was not 500 but 503, so the error was saved as .crt.
This resulted in a crash of apache at our webserver, so all sites went down due to a buggy certificate.
Solution:
Just add a final check (like openssl x509 -in <new_crt> -text -noout) between cert_archive and cert_install.
In that case the bad certificate is still in the archive and checks can be done afterwards.
Alternative: raise an error if http status code from Let's Encrypt is not 200
Log from getssl:
cat /usr/local/nginx/conf/letsencrypt/mydomain.crt
{"type": "urn:ietf:params:acme:error:rateLimited", "detail": "Service busy; retry later."}
Apache logs where it went down:
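The two checks proposed in this issue (reject a non-2xx status such as 503 from the ACME server, and run `openssl x509` on the downloaded file before it reaches cert_install), as an added shell example that is not getssl's own code. The function names, the temp-file handling and the curl call shape are assumptions; the JSON body in the test is the one quoted above.

```shell
#!/usr/bin/env bash
# Added example, not part of getssl. check_cert_download() and
# download_and_check() are hypothetical names.

# Return 0 only if the HTTP status is 2xx AND the body parses as an X.509
# certificate; otherwise say why on stderr and return 1. A busy ACME server
# answers 503 with a JSON problem document, which must never be saved as .crt.
check_cert_download() {
  local http_code="$1" cert_file="$2"

  case "$http_code" in
    2[0-9][0-9]) ;;
    503) echo "ACME server busy (HTTP 503); not installing, retry later" >&2; return 1 ;;
    *)   echo "unexpected HTTP status $http_code from ACME server" >&2; return 1 ;;
  esac

  # An ACME error document (urn:ietf:params:acme:error:...) is not a certificate,
  # whatever status code it arrived with.
  if grep -q 'urn:ietf:params:acme:error' "$cert_file" 2>/dev/null; then
    echo "body is an ACME error document, not a certificate" >&2; return 1
  fi

  # Structural check: the body must be PEM-armoured.
  if ! head -n1 "$cert_file" 2>/dev/null | grep -q '^-----BEGIN CERTIFICATE-----$'; then
    echo "body is not a PEM certificate" >&2; return 1
  fi

  # Full parse with openssl, the final check proposed in the issue
  # (skipped only where the openssl binary is absent).
  if command -v openssl >/dev/null 2>&1; then
    if ! openssl x509 -in "$cert_file" -noout >/dev/null 2>&1; then
      echo "openssl could not parse $cert_file" >&2; return 1
    fi
  fi
  return 0
}

# Typical use (hypothetical curl call): capture the status code separately
# from the body, so the body is only accepted when the status says it is a cert.
download_and_check() {
  local url="$1" out="$2" code
  code=$(curl -sS -o "$out" -w '%{http_code}' "$url") || return 1
  check_cert_download "$code" "$out"
}
```

Run check_cert_download before cert_archive/cert_install; on failure the previous certificate stays in place and the bad download can be inspected afterwards.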