Jeremy Davis's picture

Reposted from account approval/welcome thread


I would like to use the TurnKey Nextcloud LXC on my webserver.

As my webserver can only serve the domains with public IPv6 addresses (no public IPv4 addresses available), I use the Cloudflare DNS proxy to get a valid public IPv4 address for my Nextcloud instance. This works great and I am able to run Nextcloud, get updates and install apps.

But I've come across one problem with renewing the certificates for my domain. For the first three months all was good, and the Nextcloud was secured with a Cloudflare edge certificate, but this ran out today and I was not able to renew the certificate.

Openconfconsole shows me an error:

dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.

In short, I would like to get some help to solve this issue and learn how to get valid certificates while using Cloudflare's proxy DNS function.

If this forum could help me, that would be great!

derpuma's picture

Thanks for approving me!
If you need some logfiles, please let me know how I can provide you with necessary information.

Jeremy Davis's picture

Apologies I'm a bit slow getting back to your issue. I got sidetracked with some priority stuff.

Also FYI, if you sign in with your website account, you can post without needing me to approve it. So even if I'm a little slow, someone else might jump in to help you in the meantime. You'll also be able to start a new thread if you have a different issue in the future. ("guest" users can only post comments on existing threads).

Anyway, to your current issue...


I'm 99% sure that the issue is Cloudflare related. I'm pretty sure that they redirect http to https by default, so even if you have port 80 open, Let's Encrypt won't be able to connect to your server, so the challenge (domain validation) will fail. Although if that is the issue, it's weird that it worked the first time. Although perhaps that was before you configured Cloudflare? Or changed some settings in Cloudflare since?

Regardless, I know it can work as this site is running on a TurnKey server and also uses Cloudflare. Obviously HTTPS is working here. I do vaguely recall needing to adjust something in Cloudflare setting to make it work though.

I'm pretty sure that the change needed does have implications, but I wouldn't expect it to have any impact on the IPv6 IP.

Unfortunately I can't log into Cloudflare at the moment so can't give you specifics. If you want to continue with HTTP-01 validation you'll need to have a poke around in the Cloudflare settings yourself. As I say, it should be something to do with disabling the HTTP to HTTPS redirection. If you can't find it, have a google for "lets encrypt cloudflare http-01 fails" or similar and you should get some helpful results - probably either on the Let's Encrypt or Cloudflare forums. If you go that way and find a solution, it'd be great if you could post back with the info to make it easier for other TurnKey users who might hit the same issue.


Alternatively, if your server is a relatively recent TurnKey server (which it sounds like it is) then you could use "DNS-01" validation instead. Make sure that your TurnKey server is v18.x like this:

turnkey-version

And look for 18.x in the line that returns. E.g. if it's v18.1 you'll get this:

turnkey-nextcloud-18.1-bookworm-amd64

So long as it's v18.x then make sure that you have the latest Confconsole version:

apt update
apt install -y confconsole

Then run confconsole:

confconsole

Select Advanced >> Get certificate >> DNS-01 and follow the prompts.

You will need to provide authentication details so your server can create (and destroy) the DNS records that are needed to validate your domain. IIRC there is some basic Cloudflare config included by default, but you will still need to check what is required for Cloudflare and enter the relevant details into Confconsole. If need be, you can check the Cloudflare docs too.

If I'm wrong and it doesn't already include some basic/example config, please let me know and I'll check it out myself and tell you exactly what you need to do - and include it in future releases of Confconsole.


Good luck and please let me know how it goes regardless.

derpuma's picture

No apologies needed at all. I am glad that you take the time to help me to fix the issue.
How do I sign in with a website account, or how do I get one? The Nextcloud is not running on my own domain, so I cannot easily share the domain name without permission.

I am on
turnkey-nextcloud-18.1-bookworm-amd64
confconsole is already the newest version (2.1.6+2+ge808780).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

As said, the domain on Proxmox is only hosted with a public IPv6 and an internal IPv4. Cloudflare's proxy option turns it into a public Cloudflare IPv6 plus public IPv4.

I will try to pause cloudflare for 24h and see if that helps and then try to reissue the DNS-01 certificate. Maybe it is cloudflare that cached a previous certificate and needs some time to delete it and to accept a new one?

In Cloudflare I generated a DNS token and put it into the Confconsole settings, also the domain name + wildcard for the domain with *.
Looks like this works on other LXC turnkey nextcloud containers I use in combination with the domain also hosted on a plesk server with Cloudflares origin certificate there. There only the DNS for the subdomain to the nextcloud has an IPv6, like the domain mentioned above.

So do I need to take some steps to download and install the cloudflare certificate into the turnkey-container if I'd like to use cloudflares origin certificate, which lasts for 15 years?

It would be nice if you could pinpoint me to a manual how to do so, if this is possible.
Otherwise, if auto renewing with Let's Encrypt would work, I do not have a problem authenticating the domain with this type of SSL.

I will report back, if pausing cloudflare will do the trick.
Thanks so far. If you have any other input and ideas, please let me know!

Jeremy Davis's picture

You have a website/forums account already and I just double checked and it is approved/activated already. :)

Log in using your email and the password you set when you signed up ~3 days ago. If you don't recall your password, then you can reset it. Please let me know if you have any issues.


Back to your cert issue. My initial thought was that something had changed on your end between you initially (successfully) getting the cert and renewal. As you may be aware, LE certs are only valid 90 days. Is there anything that you can think of that you (or someone else) have changed since you initially got the cert? In particular I'm thinking firewall config, networking & routing config, Cloudflare config, etc. Although please share any server and/or environment changes you can think of between the successful cert and the failure. Even if it doesn't seem relevant, who knows, perhaps it might be?

Regardless, rereading your posts and thinking about it a bit more I wonder if there is some edge case bug/issue with Confconsole that for whatever reason we aren't seeing. TBH I'm fairly confident because as I mentioned we have a number of servers renewing certs fine - but perhaps?

Assuming that the IPv6 config has existed right from the start, I highly doubt that'd be a factor. If that has changed since you launched then perhaps?

Probably the first thing I should have asked for was the log file. I.e. the output of:

cat /var/log/confconsole/letsencrypt.log

And the contents of the Confconsole LE config:

cat /etc/dehydrated/confconsole.config

One final thing to check is the permissions of the cron job (what triggers the cert renewal). Given what you've reported (TurnKey server & confconsole versions) I expect it to be ok, but just in case...:

ls -l /etc/cron.daily/confconsole-dehydrated

Hopefully that will help us sort it out...

derpuma's picture

Hi, basically the only thing that changed was that the certificate ran out after 90 days and renewing did not work. What I saw is that the site was served with a certificate from "google" while it was proxied. I checked the logs and all seems to be good, but pausing Cloudflare for 24h, disabling and enabling Cloudflare's SSL, nothing helped so far. Nevertheless, as soon as I turn on Cloudflare's proxy mode, I get an error:
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
I followed these steps here: https://developers.cloudflare.com/ssl/troubleshooting/version-cipher-mis... Not sure how I get out of this. When I unproxy the domain, Nextcloud loads with a valid Let's Encrypt certificate. But as said, I need the domain proxied, as then I also get a valid IPv4 from Cloudflare, which is mandatory for a fully functional Nextcloud with regard to web updates and apps.

Here are the results of the logs (anonymized):
Debian GNU/Linux 12 cloud-example.xy tty1

cloud-example.xy login: root
Password: 
Welcome to cloud-example.xy, TurnKey GNU/Linux 18.1 (Debian 12/Bookworm)

  System information for Fri Dec 20 10:52:30 2024 - CET (UTC+0100)
  
    System load:  2.72               Memory usage:  8.7%
    Processes:    29                 Swap usage:    0.0%
    Usage of /:   40.0% of 97.87GB   IP address for eth1: 192.168.0.10
  
  TKLBAM (Backup and Migration):  NOT INITIALIZED
  
    To initialize TKLBAM, run the "tklbam-init" command to link this
    system to your TurnKey Hub account. For details see the man page or
    go to:
  
        https://www.turnkeylinux.org/tklbam
  

    For Advanced commandline config run:    confconsole

  For more info see: https://www.turnkeylinux.org/docs/confconsole

Linux cloud-example.xy 6.8.12-2-pve #1 SMP PREEMPT_DYNAMIC PMX 6.8.12-2 (2024-09-05T10:03Z) x86_64
Last login: Fri Dec 20 10:43:57 CET 2024 on pts/1
You have mail.
root@cloud-example.xy ~# ping cloud-example.xy
PING cloud-example.xy(cloud-example.xy (XXXX:XXX:0:XX::XX)) 56 data bytes
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=1 ttl=64 time=0.018 ms
64 bytes from xy (XXXX:XXX:0:XX::XX): icmp_seq=2 ttl=64 time=0.024 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=3 ttl=64 time=0.030 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=4 ttl=64 time=0.032 ms
64 bytes from cloud-example.xy (XXXX:XXX:0:XX::XX): icmp_seq=5 ttl=64 time=0.027 ms
^X^C
--- cloud-example.xy ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4127ms
rtt min/avg/max/mdev = 0.018/0.026/0.032/0.005 ms
root@cloud-example.xy ~# cat /etc/dehydrated/confconsole.config
########################################################
# This is the config file for dehydrated when launched #
# via confconsole on TurnKey GNU/Linux.                #
#                                                      #
# It is loaded by the dehydrated-wrapper script.       #
#                                                      #
# For more information about the confconsole Let's     #
# Encrypt plugin and/or the dehydrated-wrapper please  #
# see:                                                 #
# /usr/share/doc/confconsole/docs/Lets_Encrypt.rst     #
# or:                                                  #
# https://www.turnkeylinux.org/docs/letsencrypt        #
#                                                      #
# For more comprehensive example conf, see             #
#  /usr/share/doc/dehydrated/examples/config           #
########################################################

BASEDIR=/var/lib/dehydrated
WELLKNOWN="${BASEDIR}/acme-challenges"
DOMAINS_TXT="/etc/dehydrated/confconsole.domains.txt"
HOOK="/etc/dehydrated/confconsole.hook.sh"
CHALLENGETYPE="http-01"

# required for DNS-01 only - ignored by HTTP-01 challenge
PROVIDER="cloudflare"
LEXICON_CONFIG_DIR='/etc/dehydrated'

# staging server for testing - leave commented for production
#CA="https://acme-staging-v02.api.letsencrypt.org/directory"




root@cloud-example.xy ~# ls -l /etc/cron.daily/confconsole-dehydrated
-rwxr-xr-x 1 root root 889 Sep 18 10:49 /etc/cron.daily/confconsole-dehydrated
root@cloud-example.xy ~# #
root@cloud-example.xy ~# cat /var/log/confconsole/letsencrypt.log
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: stopping apache2
[2024-12-17 10:08:17] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy with alternative names: *.cloud-example.xy 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01 
[2024-12-17 10:08:20] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-17 10:08:20] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-17 10:08:22] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy with alternative names: *.cloud-example.xy 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy
 + Handling authorization for cloud-example.xy
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy authorization...
[2024-12-20 09:34:30] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525055/mITcAg"
["status"]      "invalid"
["validated"]   "2024-12-20T08:33:58Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy","status":400}
["token"]       "6PKWRNaaXCgd-cLWnlCdpB7dnJrT9a70Pk40eweXey8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 09:34:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:34:32] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:34:35] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:55:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:55:47] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:55:49] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:56:37] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:56:40] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:58:48] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:58:50] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:58:51] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:36:25] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:36:27] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:36:28] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:36:30] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:39:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: stopping apache2
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:39:47] confconsole.hook.sh: INFO: cert for cloud-example.xy is unchanged - nothing to do
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:39:47] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:39:48] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
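
Added example, not part of the original thread or of Confconsole: a small parser that splits a letsencrypt.log like the one above into one record per dehydrated-wrapper run and reports the real outcome, since the wrapper's closing "completed successfully" line is also printed after a FATAL. The sample log is constructed (domain example.test, invented timestamps) and all function names are hypothetical.

```python
import re

# Constructed sample modelled on the log excerpts in this thread
# (domain replaced with example.test, timestamps invented).
SAMPLE_LOG = """\
[2024-01-01 10:00:00] dehydrated-wrapper: INFO: started
[2024-01-01 10:00:00] dehydrated-wrapper: INFO: found apache2 listening on port 80
Processing example.test with alternative names: *.example.test
 + Handling authorization for example.test
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01
[2024-01-01 10:00:04] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-01-01 10:00:06] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-01-02 09:00:00] dehydrated-wrapper: INFO: started
Processing example.test with alternative names: *.example.test
[2024-01-02 09:00:05] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
[2024-01-02 09:01:40] confconsole.hook.sh: FATAL: Challenge response for *.example.test failed: ["type"]     "dns-01"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.example.test"
[2024-01-02 09:01:40] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-01-02 09:01:45] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-01-03 09:00:00] dehydrated-wrapper: INFO: started
Processing example.test
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-01-03 09:00:01] dehydrated-wrapper: INFO: dehydrated complete
[2024-01-03 09:00:03] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
"""

START = re.compile(r"^\[(?P<ts>[^\]]+)\] dehydrated-wrapper: INFO: started$")
PROCESSING = re.compile(
    r"^Processing (?P<name>\S+)(?: with alternative names: (?P<alt>.*))?$")
REFUSED = re.compile(
    r"not possible using (?P<used>[\w-]+)\. "
    r"Possible validation methods are: (?P<allowed>.+)$")
CHALLENGE_TYPE = re.compile(r'\["type"\]\s+"(?P<t>[\w-]+)"')
ERR_TYPE = re.compile(r'^\["error","type"\]\s+"(?P<type>[^"]+)"')
ERR_DETAIL = re.compile(r'^\["error","detail"\]\s+"(?P<detail>[^"]+)"')


def split_runs(text):
    """Group log lines into runs; each run begins at a wrapper 'started' line."""
    runs, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = START.match(line)
        if m:
            current = {"started": m.group("ts"), "lines": []}
            runs.append(current)
        elif current is not None:
            current["lines"].append(line)
    return runs


def summarize_run(run):
    """Reduce one run to names, challenge type, outcome and failure reason."""
    rec = {"started": run["started"], "names": [], "challenge": None,
           "outcome": "unknown", "error_type": None, "reason": None,
           "hint": None}
    fatal = skipped = completed = False
    for line in run["lines"]:
        if (m := PROCESSING.match(line)):
            rec["names"] = [m.group("name")] + (m.group("alt") or "").split()
        elif (m := REFUSED.search(line)):
            rec["challenge"] = m.group("used")
            rec["reason"] = (f"CA refused {m.group('used')}; "
                             f"allowed: {m.group('allowed')}")
        elif (m := ERR_TYPE.match(line)):
            rec["error_type"] = m.group("type")
        elif (m := ERR_DETAIL.match(line)):
            rec["reason"] = m.group("detail")
        if (m := CHALLENGE_TYPE.search(line)):
            rec["challenge"] = m.group("t")
        # The wrapper logs "completed successfully" even after a FATAL,
        # so the outcome is decided by FATAL lines, not by the last line.
        fatal = fatal or ": FATAL:" in line
        skipped = skipped or "Skipping renew!" in line
        completed = completed or line.endswith("INFO: dehydrated complete")
    rec["outcome"] = ("failed" if fatal else "skipped" if skipped
                      else "completed" if completed else "unknown")
    wildcard = any(n.startswith("*.") for n in rec["names"])
    if wildcard and rec["challenge"] == "http-01":
        # Wildcard names can only be validated with dns-01.
        rec["hint"] = "wildcard name requested with http-01; use dns-01"
    return rec


def summarize_log(text):
    return [summarize_run(r) for r in split_runs(text)]


if __name__ == "__main__":
    for rec in summarize_log(SAMPLE_LOG):
        print(rec["started"], rec["outcome"], rec["challenge"],
              rec["reason"] or "", rec["hint"] or "")
```

To run it against a real log, pass the contents of /var/log/confconsole/letsencrypt.log to summarize_log() instead of SAMPLE_LOG.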
derpuma's picture

If I use the dns-01 challenge with the domain proxied and the Cloudflare token, I do get this log:
root@cloud-example.xy ~# cat /var/log/confconsole/letsencrypt.log
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-17 10:08:16] dehydrated-wrapper: INFO: stopping apache2
[2024-12-17 10:08:17] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
ERROR: Validating this certificate is not possible using http-01. Possible validation methods are: dns-01 
[2024-12-17 10:08:20] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-17 10:08:20] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-17 10:08:20] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-17 10:08:22] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:32:47] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 09:32:52] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 09:33:26] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy.de authorization...
[2024-12-20 09:34:30] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy.de failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525055/mITcAg"
["status"]      "invalid"
["validated"]   "2024-12-20T08:33:58Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de","status":400}
["token"]       "6PKWR***************************************Xey8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 09:34:30] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:34:30] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:34:32] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:34:35] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:55:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:55:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:55:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:55:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:55:49] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:56:36] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:56:37] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:56:37] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:56:40] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 09:58:48] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 09:58:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 09:58:50] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 09:58:50] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 09:58:51] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:36:25] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 10:36:26] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:36:27] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:36:27] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:36:28] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:36:30] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 10:39:45] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: found apache2 listening on port 80
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: stopping apache2
[2024-12-20 10:39:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 10:39:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 10:39:47] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: attempting to kill add-water server
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 10:39:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 10:39:48] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:14:46] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 16 04:40:00 2025 GMT (Longer than 30 days). Skipping renew!
[2024-12-20 11:14:47] confconsole.hook.sh: INFO: cert for cloud-example.xy.de is unchanged - nothing to do
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: dehydrated complete
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:14:47] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:14:50] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:41:55] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:41:56] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:41:56] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 11:42:00] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:42:00] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
[2024-12-20 11:42:34] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:42:34] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
RESULT
------
True
 + Responding to challenge for cloud-example.xy.de authorization...
[2024-12-20 11:43:39] confconsole.hook.sh: FATAL: Challenge response for *.cloud-example.xy.de failed: ["type"]     "dns-01"
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall/1953129806/446179525065/g-1fBA"
["status"]      "invalid"
["validated"]   "2024-12-20T10:43:07Z"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: query timed out looking up TXT for _acme-challenge.cloud-example.xy.de","status":400}
["token"]       "6_ECdp1***********************************8Gjhe8".
ERROR: invalid_challenge hook returned with non-zero exit code
[2024-12-20 11:43:39] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:43:39] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:43:41] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: started
# INFO: Using main config file /etc/dehydrated/confconsole.config
+ Account already registered!
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: found apache2 listening on port 443
[2024-12-20 11:44:49] dehydrated-wrapper: INFO: running dehydrated
# INFO: Using main config file /etc/dehydrated/confconsole.config
Processing cloud-example.xy.de with alternative names: *.cloud-example.xy.de 
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for cloud-example.xy.de
 + Handling authorization for cloud-example.xy.de
 + 2 pending challenge(s)
 + Deploying challenge tokens...
[2024-12-20 11:44:54] confconsole.hook.sh: INFO: Deploying challenge for cloud-example.xy.de.
[2024-12-20 11:44:54] confconsole.hook.sh: INFO: Creating a TXT challenge-record with cloudflare.
Traceback (most recent call last):
  File "/usr/local/src/venv/lexicon/bin/lexicon", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/cli.py", line 135, in main
    results = client.execute()
              ^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/client.py", line 217, in execute
    return executor.create_record(rtype, name, content)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/client.py", line 36, in create_record
    return self.provider.create_record(rtype, name, content)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 94, in create_record
    payload = self._post(f"/zones/{self.domain_id}/dns_records", data)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/interfaces.py", line 171, in _post
    return self._request("POST", url, data=data, query_params=query_params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/lexicon/_private/providers/cloudflare.py", line 218, in _request
    response.raise_for_status()
  File "/usr/local/src/venv/lexicon/lib/python3.11/site-packages/requests/models.py", line 1024, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://api.cloudflare.com/client/v4/zones/0c55471829c4b9c5736f1d2e4770623e/dns_records
ERROR: deploy_challenge hook returned with non-zero exit code
[2024-12-20 11:44:56] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: Cleaning backup cert & key
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: (Re)starting apache2
[2024-12-20 11:44:56] dehydrated-wrapper: INFO: (Re)starting webmin.service
[2024-12-20 11:44:58] dehydrated-wrapper: INFO: dehydrated-wrapper completed successfully.
