Package: dehydrated
Version: 0.7.0-2
Severity: important

Dear Maintainer,

I get sporadic failures at different points in the dehydrated process, and 
I see bug reports over the years reporting similar issues, I don't see any 
current bugs.  I found one bug report that talked about changing dehydrated 
to use the curl --retry options once curl supports them, so maybe upstream 
isn't ready to add them yet, but at least this report might help those with 
problems.

Adding the following to /etc/dehydrated/conf.d/retry.sh helped make my system 
always be able to renew a certificate successfully.

CURL_OPTS="--retry 3 --retry-all-errors"

The documentation explicitly doesn't recommend using --retry-all-errors in 
a script such as this, but do better error handling, so I don't think it is 
probably right to set it as the default, but maybe putting this in the 
documentation or somewhere will be useful to others.

Without this fix, I get errors like:
ERROR: Problem connecting to server (get for 
https://acme-v02.api.letsencrypt.org/directory; curl returned with 35)
and 
ERROR: Problem connecting to server (post for 
https://acme-v02.api.letsencrypt.org/acme/authz-v3/1370####; curl returned with 
35)
EXPECTED value GOT EOF

Interestingly enough, using curl manually to those URLs always works fine, 
just not when called through dehydrated, so I'm not sure what the 
difference is.  I compared /etc/ssl/certs/* to a working system (I have 
another system on the same network that always works perfectly fine 
running the same version of Debian); so it took a while to track this 
down, I assumed it was an SSL connection issue.


-- System Information:
Debian Release: 11.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-13-amd64 (SMP w/4 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages dehydrated depends on:
ii  ca-certificates  20210119
ii  curl             7.74.0-1.3+deb11u2
ii  openssl          1.1.1n-0+deb11u3

dehydrated recommends no packages.

dehydrated suggests no packages.

-- no debconf information
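
The report notes that curl's documentation prefers explicit error handling over --retry-all-errors. The following is an added example, not part of the original report and not dehydrated's own code: a POSIX sh wrapper that retries only on curl exit codes that normally indicate a transient failure (including the 35 seen above) and returns every other code, such as 60 for a certificate verification failure, immediately. The names `retry_transient`, `is_transient` and `flaky` are hypothetical, and `flaky` is a constructed stand-in for curl so the block runs offline.

```shell
#!/bin/sh
# Added example: retry a command only on exit codes that usually mean a
# transient network or TLS problem. curl exit codes used here:
#   6 could not resolve host, 7 failed to connect, 28 timeout,
#   35 TLS/SSL connect error, 56 failure receiving data.
# Codes such as 60 (certificate verification failed) are deliberately
# absent: retrying them only hides a real trust problem.
TRANSIENT_CODES="6 7 28 35 56"

is_transient() {
    for code in $TRANSIENT_CODES; do
        [ "$1" -eq "$code" ] && return 0
    done
    return 1
}

# retry_transient MAX_ATTEMPTS DELAY_SECONDS COMMAND [ARGS...]
# Returns 0 on success, otherwise the exit code of the last attempt.
retry_transient() {
    max=$1; delay=$2; shift 2
    attempt=1
    while :; do
        rc=0
        "$@" || rc=$?
        [ "$rc" -eq 0 ] && return 0
        if ! is_transient "$rc" || [ "$attempt" -ge "$max" ]; then
            return "$rc"
        fi
        echo "attempt $attempt exited with $rc, retrying in ${delay}s" >&2
        sleep "$delay"
        attempt=$((attempt + 1))
        delay=$((delay * 2))    # exponential backoff between attempts
    done
}

# Constructed stand-in for curl: counts calls in file $1, succeeds once
# the count reaches $2, and exits with code $3 before that.
flaky() {
    n=$(cat "$1" 2>/dev/null || echo 0)
    n=$((n + 1))
    echo "$n" > "$1"
    [ "$n" -ge "$2" ] && return 0
    return "$3"
}
```

With a real client the call would look like `retry_transient 3 2 curl -sS --fail https://acme-v02.api.letsencrypt.org/directory`, which gives up after three attempts and doubles the delay each time.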
