!MthpOIxqJhTgrMNxDS:nixos.org

NixOS ACME / LetsEncrypt

86 Members, 39 Servers
Another day, another cert renewal

7 Feb 2024
[21:50:12] netpleb (@netpleb:matrix.org): yes, I can ping that domain name no problem
[21:51:06] netpleb (@netpleb:matrix.org):
[root@netpleb-public-services:~]# systemctl status acme-netpleb.com.service
○ acme-netpleb.com.service - Renew ACME certificate for netpleb.com
     Loaded: loaded (/etc/systemd/system/acme-netpleb.com.service; linked; preset: enabled)
     Active: inactive (dead)
TriggeredBy: ● acme-netpleb.com.timer

Feb 07 21:48:41 netpleb-public-services systemd[1]: Dependency failed for Renew ACME certificate for netpleb.com.
Feb 07 21:48:41 netpleb-public-services systemd[1]: acme-netpleb.com.service: Job acme-netpleb.com.service/start failed with result 'dependency'.

[root@netpleb-public-services:~]# ping netpleb.com
PING netpleb.com (38.45.103.128) 56(84) bytes of data.
64 bytes from ns1.netpleb.com (38.45.103.128): icmp_seq=1 ttl=64 time=0.041 ms
64 bytes from ns1.netpleb.com (38.45.103.128): icmp_seq=2 ttl=64 time=0.064 ms
^C
--- netpleb.com ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1064ms
rtt min/avg/max/mdev = 0.041/0.052/0.064/0.011 ms
[21:51:36] K900 (@k900:0upti.me): Not that
[21:51:46] K900 (@k900:0upti.me): acme-v02.api.letsencrypt.org
[21:51:49] K900 (@k900:0upti.me): Can you ping that?
[21:53:15] netpleb (@netpleb:matrix.org): hmm, nope! wtf, I can ping google.com just fine though. What is going on?
[21:55:01] K900 (@k900:0upti.me): You have a DNS problem
[21:55:03] K900 (@k900:0upti.me): Have fun
[21:58:24] netpleb (@netpleb:matrix.org): I am obviously not an expert in these things (though getting to know/learn Nix, both the language and the OS, has been overall a rewarding experience). How is it possible that I can ping google but not letsencrypt?
[21:59:26] netpleb (@netpleb:matrix.org) (edited): ...
[22:01:14] K900 (@k900:0upti.me): Something about your DNS config is broken
[22:01:23] K900 (@k900:0upti.me): That's not really a NixOS problem
[22:01:28] K900 (@k900:0upti.me): More of a general networking problem
[22:02:04] netpleb (@netpleb:matrix.org):
ok, sorry, i fixed the dns issue already. I am now able to ping it:

[root@netpleb-public-services:~]# ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248: icmp_seq=1 ttl=59 time=94.5 ms
64 bytes from 172.65.32.248: icmp_seq=2 ttl=59 time=93.1 ms
64 bytes from 172.65.32.248: icmp_seq=3 ttl=59 time=108 ms
64 bytes from 172.65.32.248: icmp_seq=4 ttl=59 time=100 ms
[22:03:14] K900 (@k900:0upti.me): Now you can restart the ACME service
[22:03:18] K900 (@k900:0upti.me): And maybe it'll actually succeed
[22:04:03] netpleb (@netpleb:matrix.org):
In reply to @k900:0upti.me: "Now you can restart the ACME service"
ok, is there a "parent" acme service i should restart that will redo all of them? i have one for a subdomain and one for the tld
[22:04:24] K900 (@k900:0upti.me): No
[22:05:20] netpleb (@netpleb:matrix.org):
[root@netpleb-public-services:~]# systemctl restart acme-netpleb.com.service
A dependency job for acme-netpleb.com.service failed. See 'journalctl -xe' for details.

[root@netpleb-public-services:~]# journalctl -xeu acme-netpleb.com.service
Feb 07 21:59:35 netpleb-public-services systemd[1]: Dependency failed for Renew ACME certificate for netpleb.com.
░░ Subject: A start job for unit acme-netpleb.com.service has failed
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ A start job for unit acme-netpleb.com.service has finished with a failure.
░░ 
░░ The job identifier is 73 and the job result is dependency.
Feb 07 21:59:35 netpleb-public-services systemd[1]: acme-netpleb.com.service: Job acme-netpleb.com.service/start failed with result 'dependency'.
[22:08:25] netpleb (@netpleb:matrix.org) (edited):
the subdomain got further along it seems (also, thank you in advance for your help, I have been struggling with this for days before reaching out here):

[root@netpleb-public-services:~]# systemctl status acme-jitsi.netpleb.com
× acme-jitsi.netpleb.com.service - Renew ACME certificate for jitsi.netpleb.com
     Loaded: loaded (/etc/systemd/system/acme-jitsi.netpleb.com.service; linked; preset: enabled)
     Active: failed (Result: exit-code) since Wed 2024-02-07 22:06:08 UTC; 17s ago
TriggeredBy: ● acme-jitsi.netpleb.com.timer
    Process: 1244 ExecStart=/nix/store/miwhrhajjh9n1pz8zlb5vywnl6qczfad-unit-script-acme-jitsi.netpleb.com-start/bin/acme-jitsi.netpleb.com-start (code=exited, status=10)
   Main PID: 1244 (code=exited, status=10)
        CPU: 94ms

Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1247]: 2024/02/07 22:06:08 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/312750532087
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1247]: 2024/02/07 22:06:08 Could not obtain certificates:
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1247]:         error: one or more domains had a problem:
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1247]: [jitsi.netpleb.com] [jitsi.netpleb.com] acme: error presenting token: rfc2136: failed to insert: DNS update failed: server replied: SERVFAIL
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1244]: + echo Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1244]: Failed to fetch certificates. This may mean your DNS records are set up incorrectly. Selfsigned certs are in place and dependant services will still start.
Feb 07 22:06:08 netpleb-public-services acme-jitsi.netpleb.com-start[1244]: + exit 10
Feb 07 22:06:08 netpleb-public-services systemd[1]: acme-jitsi.netpleb.com.service: Main process exited, code=exited, status=10/n/a
Feb 07 22:06:08 netpleb-public-services systemd[1]: acme-jitsi.netpleb.com.service: Failed with result 'exit-code'.
Feb 07 22:06:08 netpleb-public-services systemd[1]: Failed to start Renew ACME certificate for jitsi.netpleb.com.
[22:10:12] K900 (@k900:0upti.me): Your DNS server said no
[22:10:24] K900 (@k900:0upti.me): You should now go look at the logs for that
[22:13:24] netpleb (@netpleb:matrix.org):
In reply to @k900:0upti.me: "You should now go look at the logs for that"
ok. Progress finally! See this:

Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: signer "rfc2136key.netpleb.com" approved
Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': deleting rrset at '_acme-challenge.jitsi.netpleb.com' TXT
Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': adding an RR at '_acme-challenge.jitsi.netpleb.com' TXT "JMV6KVjVQtGlCFKSucMcbbCN8RqGY9_ZBZC3sVr9NW0"
Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186e0f4768 127.0.0.1#40626/key rfc2136key.netpleb.com: updating zone 'netpleb.com/IN': error: journal open failed: unexpected error
Feb 07 22:01:03 netpleb-public-services named[524]: client @0x7f186c582368 127.0.0.1#50260/key rfc2136key.netpleb.com: signer "rfc2136key.netpleb.com" approved
[22:20:02] netpleb (@netpleb:matrix.org): it is unclear to me which journal it is talking about. I also did this setup verbatim from the nixos manual, but originally I did have NSD installed. Maybe that is related?
[22:51:26] netpleb (@netpleb:matrix.org) (edited): it is unclear to me which journal it is talking about?
[23:29:36] netpleb (@netpleb:matrix.org): how do you guys install your zone? do you use something like environment.etc."bind/zones/example.com.zone".source = ./example.com.zone where ./example.com.zone is in the git repo (I am using flakes)
[23:29:50] netpleb (@netpleb:matrix.org) (edited): how do you guys install your zone? do you use something like environment.etc."bind/zones/example.com.zone".source = ./example.com.zone; where ./example.com.zone is in the git repo (I am using flakes)
8 Feb 2024
[01:09:16] netpleb (@netpleb:matrix.org): finally fixed it... had to make a oneshot service that chmod --recursive named:named /etc/bind/zones so that named has permission to load some .jnl file which apparently it needs to do the acme stuff.
[18:51:42] symys (@symys:dailyaslbot.twilightparadox.com) joined the room.
