Letsencrypt drives me crazy!

I have provisioned a production server with Trellis and deployed Bedrock with Let's Encrypt without issues!
It's up and running!

But when I try to provision a staging server it breaks. I have done the following:

  1. Created a new server
  2. Created a new IP for stage server
  3. Added new DNS stage.mydomain.tld
  4. Tested connection by pinging stage.mydomain.tld with correct IP as result
  5. SSH into the new machine works just fine

BUT THIS IS WHAT I GET!!!

All Let's Encrypt tasks go through without issues until the task for creating the cert, then it breaks!

TASK [letsencrypt : Create directories and set permissions] *************************************************************************************
changed: [35.228.223.142] => (item={u'path': u'/var/lib/letsencrypt', u'mode': u'0700'})
changed: [35.228.223.142] => (item={u'path': u'/var/lib/letsencrypt/csrs'})
changed: [35.228.223.142] => (item={u'path': u'/usr/local/letsencrypt'})
changed: [35.228.223.142] => (item={u'path': u'/srv/www/letsencrypt'})
changed: [35.228.223.142] => (item={u'path': u'/etc/nginx/ssl/letsencrypt', u'mode': u'0700'})

TASK [letsencrypt : Clone acme-tiny repository] *************************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Copy Lets Encrypt account key source file] **********************************************************************************
skipping: [35.228.223.142]

TASK [letsencrypt : Copy Lets Encrypt account key source contents] ******************************************************************************
skipping: [35.228.223.142]

TASK [letsencrypt : Generate a new account key] *************************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Create Nginx conf for challenges location] **********************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Get list of hosts in current Nginx conf] ************************************************************************************
ok: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Create needed Nginx confs for challenges] ***********************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Enable Nginx sites] *********************************************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : reload nginx] ***************************************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : perform nginx reload] *******************************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Create test Acme Challenge file] ********************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Test Acme Challenges] *******************************************************************************************************
ok: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Notify of challenge failures] ***********************************************************************************************
skipping: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Generate private keys] ******************************************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Ensure correct permissions on private keys] *********************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Generate Lets Encrypt certificate IDs] **************************************************************************************
ok: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Generate CSRs] **************************************************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

TASK [letsencrypt : Generate certificate renewal script] ****************************************************************************************
changed: [35.228.223.142]

TASK [letsencrypt : Generate the certificates] **************************************************************************************************
System info:
Ansible 2.8.4; Darwin
Trellis version (per changelog): "Support Ansible 2.9"

non-zero return code
fatal: [35.228.223.142]: FAILED! => {"changed": false, "cmd": ["./renew-certs.py"], "delta": "0:00:24.500132", "end": "2020-04-27 22:49:21.383233", "rc": 1, "start": "2020-04-27 22:48:56.883101", "stderr": "", "stderr_lines": [], "stdout": ..., "stdout_lines": ...}

stdout of ./renew-certs.py (the "stdout_lines" field repeats it line by line):

Generating certificate for eci.nu
Error while generating certificate for eci.nu
Traceback (most recent call last):
  File "/usr/local/letsencrypt/acme_tiny.py", line 198, in
    main(sys.argv[1:])
  File "/usr/local/letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/letsencrypt/acme_tiny.py", line 156, in get_crt
    _send_signed_request(order['finalize'], {"csr": _b64(csr_der)}, "Error finalizing order")
  File "/usr/local/letsencrypt/acme_tiny.py", line 52, in _send_signed_request
    new_nonce = _do_request(directory['newNonce'])[2]['Replay-Nonce']
  File "/usr/local/letsencrypt/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error:
Url: https://acme-v02.api.letsencrypt.org/acme/new-nonce
Data: None
Response Code: None
Response: <urlopen error [Errno 104] Connection reset by peer>

RUNNING HANDLER [common : disable temporary challenge sites] ************************************************************************************
changed: [35.228.223.142] => (item=eci.nu)

I have two other sites based on Trellis + Bedrock + Let's Encrypt that don't suffer this issue.
Please help me with this before I lose it and go all "Falling Down" on my Mac.
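The traceback above fails on the very first unauthenticated ACME call (GET on the directory's newNonce URL) with a TCP reset, which points at the host's outbound path rather than at Trellis or the certificate configuration. acme-tiny makes that call with plain urllib, so the check below repeats it with stock urllib, once pinned to IPv4 and once to IPv6, to isolate which address family the reset comes from. This is an added diagnostic script, not code from the original post, from Trellis or from acme-tiny; the directory URL is the production one shown in the traceback, the ECONNRESET/ENETUNREACH classifications are assumptions about what those errnos mean on a Linux host, and the `_create_connection` hook it overrides is the private attribute http.client uses internally.

```python
#!/usr/bin/env python3
"""Repeat acme-tiny's directory + newNonce requests, pinned to one IP family at a time.

Added diagnostic, not part of Trellis or acme-tiny. Run it on the staging host as the
user that runs renew-certs.py; a failure on only one family tells you where to look.
"""
import errno
import http.client
import json
import socket
import urllib.error
import urllib.request

# Directory URL of the endpoint that failed in the traceback (assumption: production LE).
ACME_DIRECTORY = "https://acme-v02.api.letsencrypt.org/directory"


def _create_connection_for(family):
    """Return a socket.create_connection replacement that only uses one address family."""
    def create(address, timeout=None, source_address=None):
        host, port = address
        last_err = None
        for af, socktype, proto, _, sockaddr in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
            sock = socket.socket(af, socktype, proto)
            try:
                if isinstance(timeout, (int, float)):  # http.client passes a sentinel object when unset
                    sock.settimeout(timeout)
                if source_address:
                    sock.bind(source_address)
                sock.connect(sockaddr)
                return sock
            except OSError as exc:
                last_err = exc
                sock.close()
        raise last_err or socket.gaierror(f"no address of that family for {host}")
    return create


def opener_for(family):
    """Build a urllib opener whose HTTPS connections are restricted to `family`."""
    class PinnedHTTPSConnection(http.client.HTTPSConnection):
        def __init__(self, *args, **kwargs):
            super().__init__(*args, **kwargs)
            self._create_connection = _create_connection_for(family)  # hook used by connect()

    class PinnedHTTPSHandler(urllib.request.HTTPSHandler):
        def https_open(self, req):
            return self.do_open(PinnedHTTPSConnection, req, context=self._context)

    return urllib.request.build_opener(PinnedHTTPSHandler())


def fetch_nonce(opener, directory_url=ACME_DIRECTORY, timeout=15):
    """acme-tiny's first two requests: GET the directory, then GET newNonce and read Replay-Nonce."""
    with opener.open(directory_url, timeout=timeout) as resp:
        directory = json.load(resp)
    with opener.open(urllib.request.Request(directory["newNonce"]), timeout=timeout) as resp:
        return resp.headers["Replay-Nonce"]


def classify(exc):
    """Map the exception urllib raised to a one-line diagnosis (errno meanings assumed for Linux)."""
    reason = getattr(exc, "reason", exc)  # URLError wraps the underlying socket error in .reason
    code = getattr(reason, "errno", None)
    if code == errno.ECONNRESET:
        return "connection reset by peer: something on this family's path tears the TCP session down"
    if code in (errno.ENETUNREACH, errno.EHOSTUNREACH):
        return "unreachable: an address of this family is configured but not routable"
    if isinstance(reason, socket.gaierror):
        return "no address of this family resolves for the host"
    if isinstance(reason, (socket.timeout, TimeoutError)):
        return "timed out: packets are being dropped silently"
    return f"other failure: {reason!r}"


def probe(family_name, opener):
    """Run one probe and return a result dict; never raises, so both families get reported."""
    try:
        nonce = fetch_nonce(opener)
        return {"family": family_name, "ok": True, "detail": f"Replay-Nonce {nonce[:12]}..."}
    except Exception as exc:  # diagnostic tool: report every failure kind
        return {"family": family_name, "ok": False, "detail": classify(exc)}


def main():
    families = (("IPv4", socket.AF_INET), ("IPv6", socket.AF_INET6))
    results = [probe(name, opener_for(family)) for name, family in families]
    for r in results:
        print(f"{r['family']:4} {'OK  ' if r['ok'] else 'FAIL'} {r['detail']}")
    return all(r["ok"] for r in results)


if __name__ == "__main__":
    raise SystemExit(0 if main() else 1)
```

If IPv4 succeeds and IPv6 fails, the host has an IPv6 address that getaddrinfo lists first but no working path for it; urllib only falls back to the next address when connect() itself fails, so a reset after the TCP handshake is reported straight to acme-tiny. In that case the usual options are to fix the IPv6 route, remove the unroutable address, or prefer IPv4 in /etc/gai.conf. If both families fail with the same reset, look at an egress firewall or proxy between the host and the ACME endpoint instead.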

Just a stab, but maybe it is caused by this?:

IPv6 DNS issues?

This topic was automatically closed after 42 days. New replies are no longer allowed.