Understanding certificate renewal with custom domain

Hi,

I am using a custom domain and it seems from the logs that my certificate renewal is running into a rate limit error right now. If I understand correctly I can only wait, and in the meantime I can't access my Syncloud from the internet.

But what I don't understand is the following:

[Screenshot from 2022-01-25 08-54-54]

  • What does "Real" mean?
  • Does it mean that in 56 days the renewal will happen again, with the same rate limit error? (This is not acceptable, as the interruption lasts for days; hours would be ok for me.)
  • Or is the rate limit error due to the fact that a new app was added (I thought I read that somewhere in one of Boris's posts…)?
  • Can this be related to the fact that my Syncloud is behind a service provider internet box whose public IP address changes from time to time? But it seems to me that certificates are linked to domains, not IP addresses…

This is the error in the log:

Jan 25 08:03:41 raspberrypi3 platform.backend[14939]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}

Thanks

Probably one of the past platform upgrades did not properly migrate certificates to the new location.
The best way is to remove and install platform:

snap remove platform
snap install platform

Then activate again.
When you choose the activation mode, consider that Custom mode is more for developers: it does not allow simple certificate renewal, it needs port 80 to be visible from the internet and it uses the HTTP certificate validation process (it is not impossible).
Premium mode is much easier and does not have such a requirement, as it uses the DNS validation process.

What does "Real" mean?

Issued by Let’s Encrypt Authority and publicly trusted.

Does it mean that in 56 days the renewal will happen again, with the same rate limit error? (This is not acceptable, as the interruption lasts for days; hours would be ok for me.)

Usually renewal happens with almost no downtime before that date.

Or is the rate limit error due to the fact that a new app was added (I thought I read that somewhere in one of Boris's posts…)?

A rate limit happens when the device asks Let's Encrypt too many times to validate that the domain belongs to the device, but something prevents the validation. Premium does not have such a problem.

Can this be related to the fact that my Syncloud is behind a service provider internet box whose public IP address changes from time to time? But it seems to me that certificates are linked to domains, not IP addresses…

The certificate is not linked to an IP, but to get it you need your device IP and port 80 to be open to the Internet for validation (by Let's Encrypt Authority).
That is one of the main problems with Custom activation mode: it needs your device to be accessible on port 80. Again, Premium mode does not have this issue as it uses DNS validation.

Thanks @boris for your clear explanations.

I understand the benefits of premium mode, though I like and have been using a custom domain since I started using Syncloud, maybe two years ago. This is also a way for me to learn things. So I thank you again for taking the time to explain and answer these kinds of questions.

Also, after reactivating the device, will everything be working like before (configs and data)?
Removing and reinstalling does not sound like a small procedure…

I have the same problem, but if I check the certificate search (on Let's Encrypt), there are not that many requests. In my log I get another error before the rate limit:
Jan 25 14:19:51 odroid-xu3and4 platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}

Problem started just today :frowning:
Best Regards
Peter

Additional info: I just got the rate limit after updating the system, because I was hoping to resolve the certificate problems with the update. The rate-limit error appeared just after updating; here are the logs:

Jan 25 14:39:22 odroid-xu3and4 platform.backend[2974]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}

Jan 25 14:39:21 odroid-xu3and4 platform.backend[2974]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}

Jan 25 14:35:42 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}

Jan 25 14:35:39 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}

Jan 25 14:30:39 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}

Jan 25 14:30:37 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}

Jan 25 14:25:37 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}

Jan 25 14:25:35 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}

Jan 25 14:19:51 odroid-xu3and4 platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}
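Reading log lines like the ones quoted above mechanically, as an added example that is not Syncloud code: the cause labels separate the per-IP account limit (a 429 on new-acct, i.e. a fresh ACME account registered on every retry, which is why a certificate search shows few issuances) from the other errors seen in this thread. The sample lines are constructed in the shape of the quoted ones, with host and domain names shortened.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample lines in the shapes quoted in this thread (host and names shortened); not a real capture.
var sample = []string{
	`Jan 25 14:19:51 odroid platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}`,
	`Jan 25 14:25:35 odroid platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}`,
	`Jan 25 14:30:37 odroid platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}`,
	`Jan 25 14:39:22 odroid platform.backend[2974]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}`,
	`cert/generator.go:66 unable to generate certificate: error: one or more domains had a problem: [*.example.org] acme: could not determine solvers`,
}

// classify maps one certificate log line to a cause label, or "" if the line carries no diagnosis.
func classify(line string) string {
	switch {
	case strings.Contains(line, "domain is not set"):
		return "no-domain" // activation lost its domain; retries are pointless until reactivated
	case strings.Contains(line, "rateLimited"):
		// The endpoint in the 429 says which limit was hit: new-acct is the per-IP account limit
		// (a new ACME account registered per retry); other endpoints would be per-domain limits.
		if strings.Contains(line, "/acme/new-acct ::") {
			return "ratelimit-account"
		}
		return "ratelimit-other"
	case strings.Contains(line, "could not determine solvers"):
		return "no-solver" // wildcard in the order but no dns-01 solver; http-01 cannot validate *. names
	case strings.Contains(line, `"real": false`):
		return "fake-cert" // self-signed fallback active, so the 5-minute retry loop runs again
	}
	return ""
}

// summarize counts causes over a whole log so the retry loop and the limit it ran into are visible at a glance.
func summarize(lines []string) map[string]int {
	counts := map[string]int{}
	for _, l := range lines {
		if c := classify(l); c != "" {
			counts[c]++
		}
	}
	return counts
}

func main() {
	fmt.Println(summarize(sample)) // map[fake-cert:2 no-domain:1 no-solver:1 ratelimit-account:1]
}
```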

platform remove/install should fix the problem, but it may still take time (a few days) to recover from the rate limit.

Also, after reactivating the device, will everything be working like before (configs and data)?
Removing and reinstalling does not sound like a small procedure…

It may sound drastic, but platform reinstall will only do this:

  • reset additional users, so you have to create them again with the same login/password so they do not experience any change in other apps.
  • reset the certificate

It will not affect installed apps or change any app data.

Thanks for the quick answer; although I do not fully understand, I will try and report results :wink:
I did remove and install; now I cannot connect to the website because of the error code SEC_ERROR_REUSED_ISSUER_AND_SERIAL and I can't get around it.

What type of domain do you have free/premium/custom?
What system version are you on (Settings - Updates)?

I am on a custom domain; the system version is System 1227, Installer 300.
On a different computer I can get on the site and I could activate it again, but I have certificate issues on that device too; I can accept the risk.

ok, for activation you need to accept, but after activation you should get the real certificate.
What do you see on Settings - Certificate page and what certificate logs show after reinstall?

but in general we cannot do much for custom domain mode; please consider free or premium modes as they use a super easy certificate renewal process.

How can I change to free mode?
The certificate page shows Valid: yes, valid days 59 and Real: ! (no?)
In the log I get the info: too many registrations for this IP, but this happens for the first time 45 minutes after changing IP and repeats every five minutes from then on.
Update: I changed to free mode; now the address can't be resolved :frowning:

free mode gives you a free domain at syncloud.it
are you saying that your free domain [name].syncloud.it cannot be resolved?
usually it takes a few minutes to propagate DNS changes
this may mean your local DNS is not working correctly: Unable to access device from local network · syncloud/platform Wiki · GitHub

Can you send logs from Settings - Support (include support)?

Hi Boris, I think you are right, because I can see that the box registered on Syncloud with its IP if I log in. Therefore the local DNS resolving should be the problem, although I cannot imagine why… I will see. UPDATE: The problem was with DNS rebind protection; that's solved.

I just tried to switch back to custom mode, because I prefer that (using Nextcloud for such a long time leads to a lot of computers using the usual URL; Nextcloud is not only used by myself).

Is there a way to start the certificate generation with Let's Encrypt and watch in more detail what exactly the problem is? Currently the old certificate for [name].syncloud.it is used and valid, but after reactivating I need a certificate for my domain.

Custom activation should still get you a certificate if you have port 80 open; you can see the details on the Certificate Log page.

On Cert-Log Page I get repeatedly

Jan 26 07:00:30 odroid-xu3and4 platform.backend[466]: cert/generator.go:83 not regenerating real certificate {"category": "certificate"}
Jan 26 07:00:30 odroid-xu3and4 platform.backend[466]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 89, "real": true}

The certificate transferred is the one for syncloud.it, so I would like to restart the process of getting a certificate manually and observe what happens.

ok, can you try this:

mv /var/snap/platform/current/syncloud.crt /var/snap/platform/current/syncloud.crt.bak   # keep the current certificate aside
snap run platform.cli cert   # force the platform to request a new certificate and log every step

That seems to do what I wanted:

cert/generator.go:111	unable to read certificate file: open /var/snap/platform/current/syncloud.crt: no such file or directory	{"category": "certificate"}
cert/generator.go:80	certificate info	{"category": "certificate", "valid days": 0, "real": false}
2022/01/26 11:24:49 [INFO] acme: Registering account for [user]@[domain]
2022/01/26 11:24:50 [INFO] [[domain], *.[domain]] acme: Obtaining bundled SAN certificate
2022/01/26 11:24:50 [INFO] [*.[domain]] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/72068834490
2022/01/26 11:24:50 [INFO] [[domain]] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/72068834500
2022/01/26 11:24:50 [INFO] [*.[domain]] acme: Could not find solver for: dns-01
2022/01/26 11:24:50 [INFO] [[domain]] acme: Could not find solver for: tls-alpn-01
2022/01/26 11:24:50 [INFO] [[domain]] acme: use http-01 solver
2022/01/26 11:24:50 [INFO] [[domain]] acme: Trying to solve HTTP-01
2022/01/26 11:24:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/72068834490
2022/01/26 11:24:51 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/72068834500
cert/generator.go:66	unable to generate certificate: error: one or more domains had a problem:
[*.[domain]] [*.[domain]] acme: could not determine solvers
[[domain]] [[domain]] acme: error presenting token: open /var/snap/platform/current/certbot/www/.well-known/acme-challenge/2j6jcHgGjl9NQIeQCp2D8Osgx3dKL8u2_7-VQhAWtsk: no such file or directory
	{"category": "certificate"}
cert/generator.go:111	unable to read certificate file: open /var/snap/platform/current/syncloud.crt: no such file or directory	{"category": "certificate"}
cert/fake.go:50	generating fake certificate	{"category": "certificate"}
2022/01/26 11:24:51 reloading platform.nginx-public
2022/01/26 11:24:51 systemctl output: 

Perhaps you could quickly give me a hint about what exactly the problem is with: could not determine solvers

Ok, looks like the custom certificate is broken, as we try to issue a wildcard certificate using HTTP and Let's Encrypt does not support that.

In the past we requested a certificate for all apps in the store, which was far from ideal as it was breaking all users every time we added a new app.

I must say it is really impossible to drag this feature (http issued certificates for custom mode).
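The "could not determine solvers" failure above, modelled as an added example (not lego's or Syncloud's code): a wildcard identifier can only be validated with dns-01, and because all identifiers share one ACME order, an http-01-only client loses the base domain's certificate as well. The tls-alpn-01 / http-01 / dns-01 preference order is assumed from the log quoted earlier in the thread; example.org is a placeholder.

```go
package main

import (
	"fmt"
	"strings"
)

// Order in which a non-wildcard name is tried (assumed from the thread's log, not lego's source).
var preferred = []string{"tls-alpn-01", "http-01", "dns-01"}

// chooseSolver picks a challenge for one identifier from the solvers the client has configured.
// A wildcard can only be validated with dns-01, which is why an http-01-only client fails for *.[domain].
func chooseSolver(id string, configured map[string]bool) (string, error) {
	if strings.HasPrefix(id, "*.") {
		if configured["dns-01"] {
			return "dns-01", nil
		}
		return "", fmt.Errorf("[%s] acme: could not determine solvers (wildcard needs dns-01)", id)
	}
	for _, c := range preferred {
		if configured[c] {
			return c, nil
		}
	}
	return "", fmt.Errorf("[%s] acme: could not determine solvers", id)
}

// planOrder resolves every identifier of one order. As in a real ACME order, one unsolvable
// identifier fails the whole order, so the base domain gets no certificate either.
func planOrder(ids []string, configured map[string]bool) (map[string]string, error) {
	plan, problems := map[string]string{}, []string{}
	for _, id := range ids {
		if c, err := chooseSolver(id, configured); err != nil {
			problems = append(problems, err.Error())
		} else {
			plan[id] = c
		}
	}
	if len(problems) > 0 {
		return nil, fmt.Errorf("one or more domains had a problem:\n%s", strings.Join(problems, "\n"))
	}
	return plan, nil
}

func main() {
	httpOnly := map[string]bool{"http-01": true} // Custom mode: only port 80 reachable
	_, err := planOrder([]string{"example.org", "*.example.org"}, httpOnly)
	fmt.Println(err) // wildcard unsolvable, so the whole order fails
}
```

Dropping the wildcard from the order, or adding a dns-01 solver, are the two ways the same order succeeds.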

On my side I removed and reinstalled platform.

Now I also see the SEC_ERROR_REUSED_ISSUER_AND_SERIAL certificate error in my browser (Firefox) and can’t get around it.

I tried to activate the device but strangely I don't see it with the app (it says "no device found"), even though I can correctly see it on my local network and connect to it via ssh, for example. Is there any other way to activate it?

In the app log I see:

[ 01-27 09:35:36.714 21809:21851 I/EventToDeviceConverter ]
service found syncloud on raspberrypi3


[ 01-27 09:35:36.714 21809:21851 I/EventToDeviceConverter ]
starting resolving service syncloud on raspberrypi3


[ 01-27 09:35:36.728 21809:21851 I/Resolver ]
service: syncloud on raspberrypi3 resovled


[ 01-27 09:35:36.730 21809:21851 I/WebService ]
calling: https://192.168.1.148/rest/id


[ 01-27 09:35:36.772 21809:21851 E/WebService ]
Failed to get response

javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:288)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:294)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:260)
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:131)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:373)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at org.syncloud.android.core.common.WebService.getResponse(WebService.java:99)
at org.syncloud.android.core.common.WebService.execute(WebService.java:61)
at org.syncloud.android.core.common.WebService.execute(WebService.java:43)
at org.syncloud.android.core.platform.Internal.getId(Internal.java:38)
at org.syncloud.android.ui.DevicesDiscoveryActivity$DiscoveryTask$1.added(DevicesDiscoveryActivity.java:180)
at org.syncloud.android.discovery.nsd.Resolver.deviceFound(Resolver.java:62)
at org.syncloud.android.discovery.nsd.Resolver.access$200(Resolver.java:15)
at org.syncloud.android.discovery.nsd.Resolver$ResolveListener.onServiceResolved(Resolver.java:85)
at android.net.nsd.NsdManager$ServiceHandler.handleMessage(NsdManager.java:427)
at android.os.Handler.dispatchMessage(Handler.java:107)
at android.os.Looper.loop(Looper.java:214)
at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7e38243548: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/tls_record.cc:587 0x7e38139e48:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/handshake.cc:580 0x7e28962e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more


[ 01-27 09:35:36.773 21809:21851 E/Internal ]
Unable to get identification response

org.syncloud.android.core.common.SyncloudException: Failed to get response
at org.syncloud.android.core.common.WebService.getResponse(WebService.java:107)
at org.syncloud.android.core.common.WebService.execute(WebService.java:61)
at org.syncloud.android.core.common.WebService.execute(WebService.java:43)
at org.syncloud.android.core.platform.Internal.getId(Internal.java:38)
at org.syncloud.android.ui.DevicesDiscoveryActivity$DiscoveryTask$1.added(DevicesDiscoveryActivity.java:180)
at org.syncloud.android.discovery.nsd.Resolver.deviceFound(Resolver.java:62)
at org.syncloud.android.discovery.nsd.Resolver.access$200(Resolver.java:15)
at org.syncloud.android.discovery.nsd.Resolver$ResolveListener.onServiceResolved(Resolver.java:85)
at android.net.nsd.NsdManager$ServiceHandler.handleMessage(NsdManager.java:427)
at android.os.Handler.dispatchMessage(Handler.java:107)
at android.os.Looper.loop(Looper.java:214)
at android.os.HandlerThread.run(HandlerThread.java:67)


[ 01-27 09:35:57.282 21809:21836 I/DiscoveryManager ]
stopping discovery

Also, @peter, how did you manage to "accept the risk" and get around the certificate error?

@raphm I logged in from a different device (tablet) :wink: