「Certbot」- ocsp.int-x3.letsencrypt.org Read timed out @20210201

Problem description

Running the command certbot renew returns the following error:

2020-06-23 16:46:12,224:DEBUG:certbot._internal.main:certbot version: 1.5.0
2020-06-23 16:46:12,226:DEBUG:certbot._internal.main:Arguments: []
2020-06-23 16:46:12,227:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-dns-aliyun:dns-aliyun,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-06-23 16:46:12,252:DEBUG:certbot._internal.log:Root logging level set at 20
2020-06-23 16:46:12,253:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-06-23 16:46:12,305:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fd6da256400> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fd6da256400>
2020-06-23 16:46:12,356:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
2020-06-23 16:46:22,369:INFO:certbot.ocsp:OCSP check failed for /etc/letsencrypt/archive/harbor.example.com/cert3.pem (are we offline?)
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 421, in _make_request
    six.raise_from(e, None)
  File "<string>", line 3, in raise_from
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 416, in _make_request
    httplib_response = conn.getresponse()
  File "/usr/lib64/python3.6/http/client.py", line 1346, in getresponse
    response.begin()
  File "/usr/lib64/python3.6/http/client.py", line 307, in begin
    version, status, reason = self._read_status()
  File "/usr/lib64/python3.6/http/client.py", line 268, in _read_status
    line = str(self.fp.readline(_MAXLINE + 1), "iso-8859-1")
  File "/usr/lib64/python3.6/socket.py", line 586, in readinto
    return self._sock.recv_into(b)
socket.timeout: timed out

During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 438, in send
    timeout=timeout
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 720, in urlopen
    method, url, error=e, _pool=self, _stacktrace=sys.exc_info()[2]
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/util/retry.py", line 400, in increment
    raise six.reraise(type(error), error, _stacktrace)
  File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 672, in urlopen
    chunked=chunked,
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 423, in _make_request
    self._raise_timeout(err=e, url=url, timeout_value=read_timeout)
  File "/usr/lib/python3.6/site-packages/requests/packages/urllib3/connectionpool.py", line 331, in _raise_timeout
    self, url, "Read timed out. (read timeout=%s)" % timeout_value
requests.packages.urllib3.exceptions.ReadTimeoutError: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Read timed out. (read timeout=10)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/site-packages/certbot/ocsp.py", line 187, in _check_ocsp_cryptography
    timeout=timeout)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 112, in post
    return request('post', url, data=data, json=json, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/api.py", line 58, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 530, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python3.6/site-packages/requests/sessions.py", line 651, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python3.6/site-packages/requests/adapters.py", line 514, in send
    raise ReadTimeout(e, request=request)
requests.exceptions.ReadTimeout: HTTPConnectionPool(host='ocsp.int-x3.letsencrypt.org', port=80): Read timed out. (read timeout=10)
2020-06-23 16:46:22,386:INFO:certbot._internal.renewal:Cert not yet due for renewal
2020-06-23 16:46:22,388:DEBUG:certbot._internal.plugins.selection:Requested authenticator certbot-dns-aliyun:dns-aliyun and installer None
2020-06-23 16:46:22,389:DEBUG:certbot._internal.renewal:no renewal failures

Cause

The error in your latest screenshot is not fatal. It occurs when Certbot is checking whether the certificate is revoked, but if it times out, renewal will still proceed anyway.

You can see below the error that “all renewals succeeded”.

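Although these error messages are displayed, the problem is minor and does not affect certificate renewal. It may be caused by DNS pollution.

Solution

There are two approaches: 1) ignore the error, or 2) manually add a hosts entry. A third option is to go through a proxy (the certbot command supports the all_proxy environment variable, which can be used to specify a proxy).

We use the latter and add the /etc/hosts entry manually: 1) ping the ocsp.int-x3.letsencrypt.org domain from an overseas server, 2) write the resulting address into the local hosts file: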

cat >> /etc/hosts <<EOF

# https://community.letsencrypt.org/t/ocsp-int-x3-letsencrypt-org-is-not-working-in-china/118552/7
96.17.68.81 ocsp.int-x3.letsencrypt.org
EOF

However, if the address of ocsp.int-x3.letsencrypt.org changes, we may need to repeat this step. If circumstances allow, consider using a proxy to avoid the problem.
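
The cat >> /etc/hosts step above appends another line on every run and leaves a stale address in place when the responder moves. The following is an added example, not part of the original post, of an idempotent pin; pin_host is a hypothetical helper name, and the hosts file path is a parameter so it can be tried on a scratch copy before /etc/hosts.

```shell
# pin_host HOSTS_FILE IP NAME  (hypothetical helper, added example)
# Idempotently pins NAME to IP and prints: added | unchanged | updated | invalid.
# Assumes NAME sits on its own hosts line, as in the heredoc above.
pin_host() {
    hosts_file=$1; ip=$2; name=$3

    # Accept only a dotted-quad IPv4 address so a failed lookup or typo
    # never lands in the hosts file.
    if ! printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
        echo "invalid"; return 2
    fi

    # Address currently pinned for NAME (first non-comment match), if any.
    current=$(awk -v n="$name" '
        $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$hosts_file")

    if [ "$current" = "$ip" ]; then
        echo "unchanged"; return 0
    fi

    if [ -n "$current" ]; then
        # Stale pin: drop the old line(s) for NAME, keep everything else.
        tmp=$(mktemp) || return 1
        awk -v n="$name" '
            $1 ~ /^#/ { print; next }
            { keep = 1; for (i = 2; i <= NF; i++) if ($i == n) keep = 0
              if (keep) print }
        ' "$hosts_file" > "$tmp"
        printf '%s %s\n' "$ip" "$name" >> "$tmp"
        cat "$tmp" > "$hosts_file"   # overwrite in place: keeps owner and mode
        rm -f "$tmp"
        echo "updated"; return 0
    fi

    printf '%s %s\n' "$ip" "$name" >> "$hosts_file"
    echo "added"
}
```

Run it as root with /etc/hosts, the address obtained from the overseas server, and ocsp.int-x3.letsencrypt.org; an "updated" result means the previous pin had gone stale.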

References

WikiNotes/ocsp.int-x3.letsencrypt.org Read timed out
Ocsp.int-x3.letsencrypt.org is not working in China
