I am using a custom domain and it seems from the logs that my certificate renewal is running into a rate limit error right now. If I understand correctly I can only wait and in the meantime I can’t access my syncloud from the internet.
But what I don’t understand is the following :
What does “Real” mean ?
Does it mean that in 56 days the renewal will happen again, with the same rate limit error ? (this is not acceptable as the interruption is lasting days, hours would be ok for me)
or is the rate limit error due to the fact that a new app was added (I thought I read that somewhere in one of Boris's posts…) ?
can this be related to the fact that my syncloud is behind a service provider internet box whose public IP address changes from time to time ? but it seems to me that certificates are linked to domains, not IP addresses…
This is the error in the log :
Jan 25 08:03:41 raspberrypi3 platform.backend[14939]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}
Probably one of the past platform upgrades did not properly migrate certificates to the new location.
The best way is to remove and install platform:
snap remove platform
snap install platform
Then activate again.
When you choose activation mode, consider that Custom mode is more for developers and it does not allow simple Certificate renewal and needs port 80 to be visible from the internet and uses HTTP Certificate validation process (it is not impossible).
Premium mode is much easier and does not have such a requirement as it uses DNS validation process.
What does “Real” mean ?
Issued by Let’s Encrypt Authority and publicly trusted.
Does it mean that in 56 days the renewal will happen again, with the same rate limit error ? (this is not acceptable as the interruption is lasting days, hours would be ok for me)
Usually renewal happens with almost no down time before that date.
or is the rate limit error due to the fact that a new app was added (I thought I read that somewhere in one of Boris's posts…) ?
Rate limit happens when device asks too many times Let’s Encrypt to validate that domain belongs to device but something prevents the validation. Premium does not have such a problem.
can this be related to the fact that my syncloud is behind a service provider internet box whose public IP address changes from time to time ? but it seems to me that certificates are linked to domains, not IP addresses…
Certificate is not linked to IP but to get it you need your device IP and port 80 to be open to the Internet for validation (by Let’s Encrypt Authority).
That is one of the main problems with Custom activation mode, it needs your device to be accessible by port 80. Again Premium mode does not have this issue as it uses DNS validation.
I understand the benefits of premium mode though I like and have been using a custom domain since I started using Syncloud maybe two years ago. This is also a way for me to learn things. So I thank you again for taking time to explain and answer these kinds of questions.
Also after reactivating the device will everything be working like before (configs and data) ?
Removing and reinstalling does not sound like a small procedure…
I have the same problem - but if I check the certificate search (on let’s encrypt), there are not that many requests. In my log I get another error before the rate limit:
Jan 25 14:19:51 odroid-xu3and4 platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}
Problem started just today
Best Regards
Peter
Additional Info: I just got the rate limit after updating the system because I was hoping to resolve certificate problems with the update. The rate-limit error appeared just after updating - here the logs:
Jan 25 14:39:22 odroid-xu3and4 platform.backend[2974]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}
Jan 25 14:39:21 odroid-xu3and4 platform.backend[2974]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}
Jan 25 14:35:42 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}
Jan 25 14:35:39 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}
Jan 25 14:30:39 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}
Jan 25 14:30:37 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}
Jan 25 14:25:37 odroid-xu3and4 platform.backend[2327]: {"category": "certificate"}
Jan 25 14:25:35 odroid-xu3and4 platform.backend[2327]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}
Jan 25 14:19:51 odroid-xu3and4 platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}
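Added example (not part of the original posts and not Syncloud's code): a small Python triage of `platform.backend` certificate lines like those quoted in this thread. It reports the latest `real` / `valid days` state and separates rate-limit hits on the ACME `new-acct` endpoint, which the error text counts per IP, from other certificate errors; the sample lines and the host name `device` are constructed, and the year is a placeholder because syslog timestamps carry none.

```python
import json
import re
from collections import Counter
from datetime import datetime

# "<syslog time> <host> platform.backend[pid]: <text> {json fields}"
LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ platform\.backend\[\d+\]: (.*?)\s*(\{.*\})?$")

# Constructed sample, newest first, modelled on the lines quoted in this thread.
SAMPLE = """\
Jan 25 14:39:22 device platform.backend[2974]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}
Jan 25 14:39:21 device platform.backend[2974]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 59, "real": false}
Jan 25 14:34:22 device platform.backend[2974]: cert/generator.go:66 unable to generate certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-acct :: urn:ietf:params:acme:error:rateLimited :: Error creating new account :: too many registrations for this IP: see https://letsencrypt.org/docs/rate-limits/ {"category": "certificate"}
Jan 25 14:19:51 device platform.backend[22460]: cert/generator.go:66 unable to generate certificate: domain is not set {"category": "certificate"}
"""

def summarize(log, year=2000):  # year is a placeholder: syslog stamps have none
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        try:
            fields = json.loads(m.group(3)) if m.group(3) else {}
        except ValueError:
            continue  # trailing braces that are not JSON: skip the line
        if fields.get("category") != "certificate":
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), fields))
    events.sort(key=lambda e: e[0])  # the log view is newest first; replay oldest first
    out = {"real": None, "valid_days": None,
           "errors": Counter(), "acme_endpoints": Counter()}
    for _, text, fields in events:
        if "real" in fields:  # keep the most recent certificate state
            out["real"], out["valid_days"] = fields["real"], fields.get("valid days")
        if "domain is not set" in text:
            out["errors"]["domain_not_set"] += 1
        if "urn:ietf:params:acme:error:rateLimited" in text:
            out["errors"]["rate_limited"] += 1
            endpoint = re.search(r"POST :: (\S+)", text)
            if endpoint:
                out["acme_endpoints"][endpoint.group(1).rsplit("/", 1)[-1]] += 1
    # new-acct hits are account registrations, limited per IP, not per domain
    out["account_limit"] = out["acme_endpoints"]["new-acct"] > 0
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE))
```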
platform remove/install should fix the problem but it may take time (few days) to recover from rate limit still.
Also after reactivating the device will everything be working like before (configs and data) ?
Removing and reinstalling does not sound like a small procedure…
It may sound drastic, but platform reinstall will only do this:
reset additional users so you have to create them again with the same login/password so they do not experience any change in other apps.
reset certificate
It will not affect installed apps or change any apps data.
Thanks for the quick answer - although I do not fully understand I will try and report results
I did remove and install - now I cannot connect to the website because of Fehlercode: SEC_ERROR_REUSED_ISSUER_AND_SERIAL and I can’t get around it
I am on a custom domain - system version is System 1227, Installer 300
On a different computer I can get on the site and I could activate it again - but I have certificate issues on that device too but can accept the risk
ok, for activation you need to accept but after activation you should get the real certificate.
What do you see on Settings - Certificate page and what certificate logs show after reinstall?
How can I change to free mode?
The certificate page shows Valid: yes, valid days 59 and Real: ! (no?)
in the log I get the Info: too many registrations for this IP - but this happens for the first time 45 minutes after changing IP and repeats every five minutes from then on
Update: I changed to free mode - now the address can’t be resolved
free mode gives you a free domain at syncloud.it
are you saying that your free domain [name].syncloud.it cannot be resolved?
usually it takes few minutes to propagate dns changes
this may mean your local dns is not working correctly: Unable to access device from local network · syncloud/platform Wiki · GitHub
Can you send logs from Settings - Support (include support)?
Hi Boris, I think you are right, because I can see that the box registered on syncloud with its IP if I log in. Therefore the local DNS resolving should be the problem - although I can not imagine why… I will see. UPDATE: Problem was with DNS-Rebind-Protection - that’s solved.
I just tried to switch back to custom mode, because I prefer that (Using nextcloud for such a long time leads to a lot of computers using the usual URL - nextcloud is not only used by myself).
Is there a way to start the certificate generation with let’s encrypt and watch in more detail what exactly the problem is? Currently the old certificate for [name].syncloud.it is used and valid - but after reactivating I need a certificate for my domain
Jan 26 07:00:30 odroid-xu3and4 platform.backend[466]: cert/generator.go:83 not regenerating real certificate {"category": "certificate"}
Jan 26 07:00:30 odroid-xu3and4 platform.backend[466]: cert/generator.go:80 certificate info {"category": "certificate", "valid days": 89, "real": true}
On the certificate transferred is the one for syncloud.it - so I would like to restart the process of getting a certificate manually and observe what happens
Now I also see the SEC_ERROR_REUSED_ISSUER_AND_SERIAL certificate error in my browser (Firefox) and can’t get around it.
I tried to activate the device but strangely I don’t see it with the app (it says “no device found”) even though I can correctly see it on my local network and connect to it via ssh for example. Is there any other way to activate it ?
In the app log I see :
[ 01-27 09:35:36.714 21809:21851 I/EventToDeviceConverter ]
service found syncloud on raspberrypi3
[ 01-27 09:35:36.714 21809:21851 I/EventToDeviceConverter ]
starting resolving service syncloud on raspberrypi3
[ 01-27 09:35:36.728 21809:21851 I/Resolver ]
service: syncloud on raspberrypi3 resovled
[ 01-27 09:35:36.730 21809:21851 I/WebService ]
calling: https://192.168.1.148/rest/id
[ 01-27 09:35:36.772 21809:21851 E/WebService ]
Failed to get response
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:288)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:294)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:260)
at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:131)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:314)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:373)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:225)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:186)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
at org.syncloud.android.core.common.WebService.getResponse(WebService.java:99)
at org.syncloud.android.core.common.WebService.execute(WebService.java:61)
at org.syncloud.android.core.common.WebService.execute(WebService.java:43)
at org.syncloud.android.core.platform.Internal.getId(Internal.java:38)
at org.syncloud.android.ui.DevicesDiscoveryActivity$DiscoveryTask$1.added(DevicesDiscoveryActivity.java:180)
at org.syncloud.android.discovery.nsd.Resolver.deviceFound(Resolver.java:62)
at org.syncloud.android.discovery.nsd.Resolver.access$200(Resolver.java:15)
at org.syncloud.android.discovery.nsd.Resolver$ResolveListener.onServiceResolved(Resolver.java:85)
at android.net.nsd.NsdManager$ServiceHandler.handleMessage(NsdManager.java:427)
at android.os.Handler.dispatchMessage(Handler.java:107)
at android.os.Looper.loop(Looper.java:214)
at android.os.HandlerThread.run(HandlerThread.java:67)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7e38243548: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/tls_record.cc:587 0x7e38139e48:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/handshake.cc:580 0x7e28962e6b:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 24 more
[ 01-27 09:35:36.773 21809:21851 E/Internal ]
Unable to get identification response
org.syncloud.android.core.common.SyncloudException: Failed to get response
at org.syncloud.android.core.common.WebService.getResponse(WebService.java:107)
at org.syncloud.android.core.common.WebService.execute(WebService.java:61)
at org.syncloud.android.core.common.WebService.execute(WebService.java:43)
at org.syncloud.android.core.platform.Internal.getId(Internal.java:38)
at org.syncloud.android.ui.DevicesDiscoveryActivity$DiscoveryTask$1.added(DevicesDiscoveryActivity.java:180)
at org.syncloud.android.discovery.nsd.Resolver.deviceFound(Resolver.java:62)
at org.syncloud.android.discovery.nsd.Resolver.access$200(Resolver.java:15)
at org.syncloud.android.discovery.nsd.Resolver$ResolveListener.onServiceResolved(Resolver.java:85)
at android.net.nsd.NsdManager$ServiceHandler.handleMessage(NsdManager.java:427)
at android.os.Handler.dispatchMessage(Handler.java:107)
at android.os.Looper.loop(Looper.java:214)
at android.os.HandlerThread.run(HandlerThread.java:67)
[ 01-27 09:35:57.282 21809:21836 I/DiscoveryManager ]
stopping discovery
Also @peter how did you manage to “accept the risk” and get around the certificate error ?