-
20.09.2016, 06:55
#1
Junior Member
- Registered
- 20.09.2016
- Posts
- 5
Unable to obtain a Let’s Encrypt certificate
When trying to obtain a Let’s Encrypt certificate for any domain, error 429 occurs after some time.
Event log
Code:
Запрос на выдачу нового сертифика завершился неудачей return code:429 Details:Error creating new cert :: Too many certificates already issued for exact set of domains: домен.ру,www.домен.ру
-
20.09.2016, 13:05
#2
Senior Member
- Registered
- 09.04.2013
- Location
- Moscow
- Posts
- 2,103
Let's Encrypt has limits on the number of certificates issued within a given period of time
The error says so
5 certificates per 7 days
This applies to a single domain
-
20.09.2016, 16:06
#3
Junior Member
- Registered
- 20.09.2016
- Posts
- 5
-
21.09.2016, 00:40
#4
Senior Member
- Registered
- 09.04.2013
- Location
- Moscow
- Posts
- 2,103
-
21.09.2016, 01:29
#5
Junior Member
- Registered
- 20.09.2016
- Posts
- 5
I think so too. But how do I figure out what exactly the problem with delivery is?
-
21.09.2016, 01:35
#6
Junior Member
- Registered
- 20.09.2016
- Posts
- 5
Here is an example of the full log
Code:
2016-09-20 01:07:38 Процесс получения сертификата начат
2016-09-20 01:14:02 Попытка регистрации
2016-09-20 01:14:03 Учетная запись существует
2016-09-20 01:14:03 Попытка авторизации
2016-09-20 01:14:05 Авторизация успешна для домена for domain домен.ру
2016-09-20 01:14:06 Авторизация успешна для домена for domain www.домен.ру
2016-09-20 01:14:06 Начало процедуры подтверждения владения доменом
2016-09-20 01:14:06 Токен для проверки создан
2016-09-20 01:14:07 Запрос для проверки владения доменом успешно отправлен. Ожидание подтверждения.
2016-09-20 01:14:07 Проверка владения доменом прошла успешно
2016-09-20 01:14:07 Начало процедуры подтверждения владения доменом
2016-09-20 01:14:07 Токен для проверки создан
2016-09-20 01:14:08 Запрос для проверки владения доменом успешно отправлен. Ожидание подтверждения.
2016-09-20 01:14:09 Проверка владения доменом прошла успешно
2016-09-20 01:14:09 Отправка запроса на выдачу нового сертификата
And then error 429. I was trying to obtain a certificate for a freshly registered domain.
-
21.09.2016, 03:14
#7
Senior Member
- Registered
- 09.04.2013
- Location
- Moscow
- Posts
- 2,103
You probably need to look at the panel logs from that moment
-
21.09.2016, 04:35
#8
Junior Member
- Registered
- 20.09.2016
- Posts
- 5
I dug through the panel logs.
This piece looks suspicious:
Code:
Sep 20 23:26:03 [26408:11691] sslcert DEBUG plugin_letsencrypt.cpp:972 Acme response '{ "type": "urn:acme:error:malformed", "detail": "Registration key is already in use", "status": 409 }
-
22.09.2016, 14:32
#9
Senior Member
- Registered
- 16.05.2014
- Posts
- 1,557
Write to support and include access details.
-
27.09.2016, 12:42
#10
Senior Member
- Registered
- 27.08.2008
- Location
- MGNHost.ru
- Posts
- 3,277
One of our clients has a similar problem, except that at the end it returns code 400:
Code:
return code:400 Details:Error creating new cert :: policy forbids issuing for: *.domain.ru
What happened:
odh/keycloak-https failed with : 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
What you expected to happen:
Openshift route should be accessible over valid https certificate
How to reproduce it (as minimally and precisely as possible):
oc apply -fhttps://raw.githubusercontent.com/tnozicka/openshift-acme/master/deploy/cluster-wide/{clusterrole,serviceaccount,issuer-letsencrypt-live,deployment}.yaml
oc create clusterrolebinding openshift-acme --clusterrole=openshift-acme --serviceaccount="$( oc project -q ):openshift-acme" --dry-run -o yaml | oc apply -f -
apiVersion: v1
kind: Route
metadata:
  name: keycloak-https
  annotations:
    kubernetes.io/tls-acme: "true"
  labels:
    application: keycloak
  namespace: odh
spec:
  host: keycloak-odh.apps.acorvin.dev.datahub.redhat.com
  to:
    kind: Service
    name: keycloak
    weight: 100
  tls:
    termination: edge
oc create -f keycloak-https.yaml
- Check logs of openshift-acme pod
- oc get route
Anything else we need to know?:
Environment:
- OpenShift/Kubernetes version (use oc/kubectl version): Openshift 4.5.8
OpenShift route yaml
apiVersion: v1
kind: Route
metadata:
  name: keycloak-https
  annotations:
    kubernetes.io/tls-acme: "true"
  labels:
    application: keycloak
  namespace: odh
spec:
  host: keycloak-odh.apps.acorvin.dev.datahub.redhat.com
  to:
    kind: Service
    name: keycloak
    weight: 100
  tls:
    termination: edge
  wildcardPolicy: None
OpenShift output
# oc get route
NAME                     HOST/PORT                                                        PATH   SERVICES                 PORT       TERMINATION     WILDCARD
jupyterhub               jupyterhub-odh.apps.acorvin.dev.datahub.redhat.com                      jupyterhub               8080-tcp   edge/Redirect   None
keycloak-https           keycloak-odh.apps.acorvin.dev.datahub.redhat.com                        keycloak                 <all>      edge            None
spark-operator-metrics   spark-operator-metrics-odh.apps.acorvin.dev.datahub.redhat.com          spark-operator-metrics   <all>                      None
# oc get po | grep -i acme
openshift-acme-65567cb7cd-bnkt8 1/1 Running 0 7m41s
openshift-acme-65567cb7cd-r7v5j 1/1 Running 0 7m49s
Full logs here
I1209 17:54:06.232140 1 openshift-acme-controller.go:192] No kubeconfig specified, using InClusterConfig.
I1209 17:54:06.235432 1 openshift-acme-controller.go:236] Managing namespaces: []string{"", "odh"}
I1209 17:54:06.236812 1 openshift-acme-controller.go:272] Leaderelection ID is "openshift-acme-65567cb7cd-r7v5j_c80b935c-aa48-40aa-a302-1796d389ec06"
I1209 17:54:06.236909 1 leaderelection.go:242] attempting to acquire leader lease odh/acme-controller-locks...
I1209 17:54:06.276011 1 leaderelection.go:252] successfully acquired lease odh/acme-controller-locks
I1209 17:54:06.276123 1 openshift-acme-controller.go:329] Acquired leaderelection
I1209 17:54:06.276152 1 openshift-acme-controller.go:335] loglevel is set to "4"
I1209 17:54:06.276486 1 acme.go:89] Setting up kube informers for namespace ""
I1209 17:54:06.276882 1 acme.go:89] Setting up kube informers for namespace "odh"
I1209 17:54:06.277020 1 route.go:136] Setting up route informers for namespace ""
I1209 17:54:06.277054 1 route.go:136] Setting up route informers for namespace "odh"
I1209 17:54:06.277071 1 route.go:153] Setting up kube informers for namespace ""
I1209 17:54:06.277129 1 route.go:153] Setting up kube informers for namespace "odh"
I1209 17:54:06.277304 1 acme.go:114] Starting Account controller
I1209 17:54:06.277322 1 shared_informer.go:197] Waiting for caches to sync for account controller
I1209 17:54:06.277358 1 reflector.go:153] Starting reflector *v1.ConfigMap (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277371 1 reflector.go:153] Starting reflector *v1.LimitRange (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277385 1 reflector.go:188] Listing and watching *v1.ConfigMap from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277358 1 reflector.go:153] Starting reflector *v1.ReplicaSet (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277412 1 reflector.go:188] Listing and watching *v1.ReplicaSet from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277406 1 reflector.go:153] Starting reflector *v1.Route (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277423 1 reflector.go:188] Listing and watching *v1.Route from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277449 1 reflector.go:153] Starting reflector *v1.Service (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277459 1 reflector.go:188] Listing and watching *v1.Service from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277402 1 reflector.go:153] Starting reflector *v1.Secret (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277718 1 reflector.go:188] Listing and watching *v1.Secret from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277720 1 reflector.go:153] Starting reflector *v1.Route (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277729 1 reflector.go:188] Listing and watching *v1.Route from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277753 1 reflector.go:153] Starting reflector *v1.ConfigMap (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277766 1 reflector.go:188] Listing and watching *v1.ConfigMap from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277717 1 reflector.go:153] Starting reflector *v1.ReplicaSet (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277803 1 reflector.go:188] Listing and watching *v1.ReplicaSet from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277843 1 route.go:1347] Starting Route controller
I1209 17:54:06.277851 1 shared_informer.go:197] Waiting for caches to sync for route controller
I1209 17:54:06.277375 1 reflector.go:153] Starting reflector *v1.Service (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277910 1 reflector.go:188] Listing and watching *v1.Service from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277925 1 reflector.go:153] Starting reflector *v1.LimitRange (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277386 1 reflector.go:188] Listing and watching *v1.LimitRange from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277904 1 reflector.go:153] Starting reflector *v1.Secret (0s) from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277966 1 reflector.go:188] Listing and watching *v1.Secret from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.277945 1 reflector.go:188] Listing and watching *v1.LimitRange from k8s.io/client-go@v0.17.0/tools/cache/reflector.go:108
I1209 17:54:06.282394 1 acme.go:180] Adding ConfigMap odh/letsencrypt-live UID=5c85abde-1acc-472b-a6ca-1d5e9ccfbc61 RV=65400090
I1209 17:54:06.361664 1 route.go:214] Adding Route odh/jupyterhub RV=65372599 UID=a2560df4-c976-4096-b49d-5aeb6e09a432
I1209 17:54:06.361715 1 route.go:214] Adding Route odh/keycloak-https RV=65408594 UID=555d7462-aa05-40f6-adeb-bcf831e91af6
I1209 17:54:06.395087 1 route.go:214] Adding Route odh/jupyterhub RV=65372599 UID=a2560df4-c976-4096-b49d-5aeb6e09a432
I1209 17:54:06.395127 1 route.go:214] Adding Route odh/keycloak-https RV=65408594 UID=555d7462-aa05-40f6-adeb-bcf831e91af6
I1209 17:54:06.437466 1 request.go:565] Throttling request took 159.219974ms, request: GET:https://172.30.0.1:443/api/v1/limitranges?limit=500&resourceVersion=0
I1209 17:54:06.637152 1 request.go:565] Throttling request took 280.219969ms, request: PUT:https://172.30.0.1:443/api/v1/namespaces/odh/configmaps/acme-controller-locks
I1209 17:54:07.060026 1 acme.go:180] Adding ConfigMap odh/letsencrypt-live UID=5c85abde-1acc-472b-a6ca-1d5e9ccfbc61 RV=65400090
I1209 17:54:07.677578 1 shared_informer.go:227] caches populated
I1209 17:54:07.677621 1 shared_informer.go:204] Caches are synced for account controller
I1209 17:54:07.677709 1 acme.go:271] Started syncing Account "odh/letsencrypt-live"
I1209 17:54:07.679226 1 acme.go:273] Finished syncing Account "odh/letsencrypt-live"
I1209 17:54:07.679384 1 shared_informer.go:227] caches populated
I1209 17:54:07.679398 1 shared_informer.go:204] Caches are synced for route controller
I1209 17:54:07.679528 1 route.go:496] Started syncing Route "odh/keycloak-https"
I1209 17:54:07.679620 1 route.go:563] Route "odh/keycloak-https" needs new certificate: Route is missing CertKey
I1209 17:54:07.679854 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
I1209 17:54:07.681847 1 route.go:496] Started syncing Route "odh/jupyterhub"
I1209 17:54:07.682096 1 route.go:563] Route "odh/jupyterhub" needs new certificate: Route is missing CertKey
I1209 17:54:07.682119 1 route.go:573] route odh/jupyterhub, now: 2020-12-09 17:54:07.682102693 +0000 UTC m=+1.461431953, EarliestAttemptAt: 2020-12-09 17:14:09.493042439 +0000 UTC, delay: -39m58.189060044s
I1209 17:54:07.682380 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
I1209 17:55:07.679992 1 route.go:498] Finished syncing Route "odh/keycloak-https"
E1209 17:55:07.680197 1 route.go:1308] odh/keycloak-https failed with : 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
I1209 17:55:07.682896 1 route.go:498] Finished syncing Route "odh/jupyterhub"
E1209 17:55:07.682986 1 route.go:1308] odh/jupyterhub failed with : 429 urn:ietf:params:acme:error:rateLimited: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/
I1209 17:55:07.685478 1 route.go:496] Started syncing Route "odh/keycloak-https"
I1209 17:55:07.685949 1 route.go:563] Route "odh/keycloak-https" needs new certificate: Route is missing CertKey
I1209 17:55:07.686881 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
I1209 17:55:07.688123 1 route.go:496] Started syncing Route "odh/jupyterhub"
I1209 17:55:07.688399 1 route.go:563] Route "odh/jupyterhub" needs new certificate: Route is missing CertKey
I1209 17:55:07.688438 1 route.go:573] route odh/jupyterhub, now: 2020-12-09 17:55:07.688408679 +0000 UTC m=+61.467738058, EarliestAttemptAt: 2020-12-09 17:14:09.493042439 +0000 UTC, delay: -40m58.195365914s
I1209 17:55:07.688878 1 route.go:607] Using ACME client with DirectoryURL "https://acme-v02.api.letsencrypt.org/directory"
@tnozicka
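The errors quoted in the forum thread and in the issue above belong to different failure classes, and only some of them are worth retrying. The following is an added example (not code from the hosting panel or from openshift-acme) that classifies the four error texts seen on this page and computes when the "5 certificates per 7 days" window quoted in the thread reopens. The action labels, the `example.test` names and the issuance history are constructed, and treating the 409 as an already-registered account is an assumption.

```python
import json
import re
from datetime import datetime, timedelta

# Limit as quoted in the thread: 5 certificates per 7 days for one exact name set.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)

# Matches the two message shapes quoted on this page (panel journal, openshift-acme).
LINE_RE = re.compile(r"(?:return code:|failed with : )(\d{3})\b.*?::\s*(.+)")

def parse(line):
    """Return (status, detail) from a log line or an embedded ACME JSON error."""
    start, end = line.find("{"), line.rfind("}")
    if 0 <= start < end:
        try:
            doc = json.loads(line[start:end + 1])
            return int(doc["status"]), doc["detail"]
        except (ValueError, KeyError, TypeError):
            pass  # braces were not an ACME error document; fall through
    m = LINE_RE.search(line)
    return (int(m.group(1)), m.group(2)) if m else (0, line)

def classify(line):
    """Map an error to (cause, action); action labels are constructed for this example."""
    status, detail = parse(line)
    d = detail.lower()
    if status == 429 and "exact set of domains" in d:
        return "duplicate-certificate limit", "wait-for-window"
    if status == 429 and "failed authorizations" in d:
        return "failed-validation limit", "fix-validation-then-wait"
    if status == 409 and "already in use" in d:  # assumption: account already exists
        return "account key already registered", "reuse-existing-account"
    if status == 400 and "policy forbids issuing" in d:
        return "name rejected by CA policy", "do-not-retry"
    return "unclassified", "inspect"

def next_slot(issued, names, now):
    """None if an order for `names` fits the limit, else when the next slot opens."""
    key = frozenset(n.lower() for n in names)
    recent = sorted(t for t, ns in issued
                    if frozenset(x.lower() for x in ns) == key and now - t < WINDOW)
    if len(recent) < DUPLICATE_LIMIT:
        return None
    return recent[len(recent) - DUPLICATE_LIMIT] + WINDOW

# Constructed issuance history: five certificates for the same two names.
PAIR = ("example.test", "www.example.test")
HISTORY = [(datetime(2016, 9, d, 12, 0), PAIR) for d in range(14, 19)]
NOW = datetime(2016, 9, 20, 1, 14)
```

A client that retries every minute on the "failed authorizations" class, as the controller log above does, keeps adding failures; the classification is meant to gate the retry loop.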
Greetings. Can anyone advise? On a VDS with the ISP panel I installed the Let’s Encrypt extensions and started the certificate issuance process for a domain.
And the journal shows 403 forbidden (the journal log is in the screenshot)
https://drive.google.com/file/d/0Bxm39J7oREDPTXJ2bHRVZlFjQzA/view?usp=sharing
in the error log
[Sun Apr 30 21:33:08.031514 2017] [core:error] [pid 18678] (13)Permission denied: [client 66.133.109.36:56546] AH00132: file permissions deny server access: /usr/local/mgr5/www/letsencrypt/ttTT_kNvxRb7aX45qLnNiW14qgzcU4V4zoyHfrHg_Sw