Renew just dies with no error (sometimes it says EOF)

[oliverjanik]

run command works fine, renew fails silently for me

This is my cron that's been working for months

/usr/local/bin/lego [email protected] -d=example.com -d=d1.example.com -d=d2.example.com --path=/etc/lego --dns=route53

This is the output I get (sometimes the EOF line is missing)

2017/01/08 23:28:49 [INFO][example.com] acme: Trying renewal with 1408 hours remaining
2017/01/08 23:28:49 [INFO][example.com, d1.example.com, d2.example.com] acme: Obtaining bundled SAN certificate
2017/01/08 23:28:51 EOF

Only started happening in Dec I believe. Any ideas?

[xenolf]

Hey!

How often does your cron job run? I noticed you are not using the --days switch.

[oliverjanik]

once a month,

What's the --days switch? I can't see it documented.

[mholt]

The log message could be improved, to be sure, but I usually see EOF (in general, not necessarily in lego) when the network connection is flaky or the remote is having issues. Is it a consistent EOF error?

[oliverjanik]

not sure what to do here, any points to debug this further? Sometimes the EOF message is missing and the process just finishes.

I'll try the master branch and see if it's any different

[aaronb-cg]

We've started seeing this too. Everything was working fine until we came to renew on 25th Jan, now renew sometimes works fine but other times just exits with no output, error or cert generated.

$ AWS_REGION='us-east-1' AWS_ACCESS_KEY_ID='...' AWS_SECRET_ACCESS_KEY='...' /usr/local/bin/lego --email='...' --dns="route53" --path='/tmp/lego' --accept-tos  --domains="..." renew 2>&1
2017/02/01 17:12:51 [INFO] acme: Trying renewal with 466 hours remaining
2017/02/01 17:12:51 [INFO] acme: Obtaining bundled SAN certificate
$

We run our cron once a week but we check for certs expiring within 30 days to renew.

[tmacro]

I seem to have also encountered this error. It fails in the same spot, however mine spit out a panic.

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xc8 pc=0x7fb1a3f5f935]

goroutine 18 [running]:
panic(0x7fb1a48ae740, 0xc420012070)
	/usr/lib/go/src/runtime/panic.go:500 +0x1a5
github.com/xenolf/lego/acme.(*Client).getChallenges.func1(0xc4204182a0, 0xc420408840, 0xc4204087e0, 0xc420429300, 0xf)
	/go/src/github.com/xenolf/lego/acme/client.go:529 +0x195
created by github.com/xenolf/lego/acme.(*Client).getChallenges
	/go/src/github.com/xenolf/lego/acme/client.go:542 +0x115

[danielflippance]

I'm also seeing this EOF when using lego via Sabayon - dmathieu/sabayon#42. The error happens every time I attempt to get the certificate:

$ heroku run bin/sabayon -a sabayon-for-my-app

Running bin/sabayon on ⬢ sabayon-for-my-app... up, run.1834 (Hobby)
2017/01/30 17:14:22 cert.create email='[email protected]' domains='[www.domain1.com www.domain2.com]'
2017/01/30 17:14:23 [INFO] acme: Registering account for [email protected]
2017/01/30 17:14:23 [INFO][www.domain1.com, www.domain2.com] acme: Obtaining bundled SAN certificate
2017/01/30 17:14:24 EOF

$

[mtimofiiv]

I have the exact same situation as @danielflippance, same log as well. The EOF appears right after the note about Obtaining bundled SAN certificate. No error message, just does not work.

I also tried this with sabayon --force, which should provision the cert no matter what the expiry date of the current one is, and yet it still prematurely quits.

[mtimofiiv]

So what I did was a tried deploying an identical copy of the sabayon app (which uses lego) to see what would happen. I ran the sabayon job and on first run, I got a panic, before from that moment on, receiving EOF errors once again (@tmacro had a similar result in a comment above). Here is the panic:

panic: runtime error: slice bounds out of range

goroutine 74 [running]:
panic(0x717ee0, 0xc4200100e0)
	/app/tmp/cache/go1.7.5/go/src/runtime/panic.go:500 +0x1a1
github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.(*jws).Nonce(0xc42038eb00, 0xc4203a0500, 0x1, 0xc4201183f0, 0x1)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/jws.go:105 +0xd4
github.com/dmathieu/sabayon/vendor/gopkg.in/square/go-jose%2ev1.(*genericSigner).Sign(0xc420308a50, 0xc4203a0460, 0x7d, 0x9d, 0x7f487012e1e8, 0xc420308a50, 0x0)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/gopkg.in/square/go-jose.v1/signing.go:157 +0x64f
github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.(*jws).signContent(0xc42038eb00, 0xc4203a0460, 0x7d, 0x9d, 0xc42018acf0, 0x99, 0x100)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/jws.go:70 +0x100
github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.(*jws).post(0xc42038eb00, 0xc42038f380, 0x33, 0xc4203a0460, 0x7d, 0x9d, 0x0, 0x88, 0x88)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/jws.go:35 +0x67
github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.postJSON(0xc42038eb00, 0xc42038f380, 0x33, 0x7511a0, 0xc42018acf0, 0x6f1f80, 0xc42018ac60, 0x0, 0x0, 0x0)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/http.go:96 +0x153
github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.(*Client).getChallenges.func1(0xc4200821b0, 0xc4200e6360, 0xc4200e6060, 0xc42001415a, 0x1d)
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/client.go:408 +0x1c6
created by github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme.(*Client).getChallenges
	/tmp/tmp.Q2359EFByl/.go/src/github.com/dmathieu/sabayon/vendor/github.com/xenolf/lego/acme/client.go:421 +0x113

Perhaps this will help debug the issue!

[xenolf]

@mtimofiiv Thanks for the stack trace! Sabayon seems to use a version of lego which did not check for a certain condition in the Nonce() function. This has since been resolved and should no longer pop up - I don't think it is related to this issue though.

[xenolf]

I've added some better logging to where I assume this is happening. Would be great if any of you could test it.

[oliverjanik]

I built lego from master/HEAD last week and that fixed the problem for me. Time for a new release?

[petrm]

I have rebuilt from HEAD and now I am getting instead of just EOF:
acme: Error 429 - -
During one try I got:
- package: github.com/Masterminds/cookoo
version: 1.1.0
- package: github.com/kylelemons/go-gypsy
EOF

[mtimofiiv]

Latest version also gives me the same unexplained 429 error. I suspect this one is also a duplicate:

#356

[LukeHandle]

429 is hitting a rate limit on the endpoint, surely related/fixed in #357? Is someone able to test to see if that resolves it?

[Wonderfall]

I tried #357 with no success. I don't see 429 error anymore but it just dies as described here...

[mtimofiiv]

It may be some kind of wrongful 429. To me it happened in the scenario where I was requesting a single cert with multiple additional domains. I requested the http-01 verification, and one of the domains did not correctly resolve to its destination.

So I saw a bunch of approvals of the verifications, and then all of a sudden 429 on the bad domain, despite the fact that it was probably more of a 400 or the like.

[xenolf]

I tried #357 with no success. I don't see 429 error anymore but it just dies as described here...

@Wonderfall Have you tried editing the RPS const to a lower value to see if that helps?

[Wonderfall]

@xenolf Yep I tried 15, 10... Same problem.

[xenolf]

This should be solved since #390