Cannot renew certificate with more than 100 names


#1

hello,

For several weeks it has been impossible to renew some certificates with more than 100 names inside them.

During the verification process, one or more subdomains are not validated because of a timeout.

The servers do receive the requests with the challenges and do reply to the requests with a 200 OK and the challenge.

But I do have a lot of these things:

Attempting to renew cert (fr.front.recette9.vpglabs.site) from /etc/letsencrypt/renewal/fr.front.recette9.vpglabs.site.conf produced an unexpected error: Failed authorization procedure. it.frontadmin.recette9.vpglabs.site (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://it.frontadmin.recette9.vpglabs.site/.well-known/acme-challenge/SM2pLWfz_s3GSjRiBlLKWttK0elg62zBw7qbcJUFlb4: Timeout during connect (likely firewall problem)
it.provider.recette9.vpglabs.site (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://it.provider.recette9.vpglabs.site/.well-known/acme-challenge/C59r6lP1yWkWjWQqz-fqBG12O8kh4qkcw0W7UaMpl98: Timeout during connect (likely firewall problem)

As said before, I can see all incoming connections, and my server replies to the challenge with 200 OK.

Sometimes it works, sometimes not (but most of the time it does not).

I checked whether it was Google-banned because of bad contents, but it is not. No AAAA records.

It used to work very well before.

The problem occurs on either the test server or the prod server from Let's Encrypt.

Any idea?


#2

Hi @denisall

Cannot renew certificate with more than 100 names

100 domain names are the maximum, so you can’t create a certificate with more than 100 domain names.

You have 84:

CN=be.front.recette9.vpglabs.site
	29.10.2018
	27.01.2019
	be.booking.recette9.vpglabs.site, 
... skipped ...
- 84 entries

Is it possible that your server has a timeout?

Or is it possible that you add a sleep or something else between the confirmation of two challenges?

Your main configuration looks ok; fetching a non-existing file via /.well-known/acme-challenge sends a 404.


#3

Yep, you are right about the number of domains. 84 is what I request.

On the test server I always received 2 requests for each challenge, and I always reply to them with the right challenge, and my logs always show a 200 OK for both requests.

So that is why I do not understand why I have this timeout error. If I reply 200 OK to every request, it should not give me any timeout, I guess.

For example, for this error:

Domain: pl.frontadmin.recette9.vpglabs.site
Type: connection
Detail: Fetching
http://pl.frontadmin.recette9.vpglabs.site/.well-known/acme-challenge/--_M_KpO4tMfj4rozI8OPy50OaBNy6nCssemqNO9vMk:
Timeout during connect (likely firewall problem)

I do have this in my logs:

13.58.30.69 - - [07/Jan/2019:16:08:32 +0100] "GET /.well-known/acme-challenge/--_M_KpO4tMfj4rozI8OPy50OaBNy6nCssemqNO9vMk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.213.106.112 - - [07/Jan/2019:16:08:32 +0100] "GET /.well-known/acme-challenge/--_M_KpO4tMfj4rozI8OPy50OaBNy6nCssemqNO9vMk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


#4

Let’s Encrypt tried to make three requests. The fact that you got two shows that one timed out.

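An added example (not code from anyone in this thread) that does the cross-check the previous post suggests: it parses access-log lines in the format quoted above, keeps only requests from the Let's Encrypt validation user agent, and flags every challenge token that was fetched by fewer than the expected number of distinct validator addresses or answered with anything but 200. It assumes three validator fetches per challenge, as stated in this thread; the log lines, addresses and tokens are constructed.

```python
import re
from collections import defaultdict

EXPECTED = 3  # validator fetches per challenge, as stated in this thread (assumption)
PREFIX = "/.well-known/acme-challenge/"
VALIDATOR_UA = "Let's Encrypt validation server"
# Combined-log-format parser: source IP, request path, status, user agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
UA = '"-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"'
# Constructed sample access log (RFC 5737 addresses, made-up tokens) in the thread's log format.
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 - - [07/Jan/2019:16:08:32 +0100] "GET {PREFIX}tokA HTTP/1.1" 200 87 {UA}',
    f'198.51.100.7 - - [07/Jan/2019:16:08:32 +0100] "GET {PREFIX}tokA HTTP/1.1" 200 87 {UA}',
    f'203.0.113.5 - - [07/Jan/2019:16:08:33 +0100] "GET {PREFIX}tokA HTTP/1.1" 200 87 {UA}',
    f'192.0.2.10 - - [07/Jan/2019:16:08:34 +0100] "GET {PREFIX}tokB HTTP/1.1" 200 87 {UA}',
    f'198.51.100.7 - - [07/Jan/2019:16:08:34 +0100] "GET {PREFIX}tokB HTTP/1.1" 200 87 {UA}',
    f'192.0.2.10 - - [07/Jan/2019:16:08:35 +0100] "GET {PREFIX}tokC HTTP/1.1" 404 153 {UA}',
    f'198.51.100.7 - - [07/Jan/2019:16:08:35 +0100] "GET {PREFIX}tokC HTTP/1.1" 200 87 {UA}',
    f'203.0.113.5 - - [07/Jan/2019:16:08:35 +0100] "GET {PREFIX}tokC HTTP/1.1" 200 87 {UA}',
    '203.0.113.9 - - [07/Jan/2019:16:08:36 +0100] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
])

def validation_hits(log_text):
    """Map challenge token -> [(source_ip, status)] for Let's Encrypt validator requests only."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and VALIDATOR_UA in m["ua"] and m["path"].startswith(PREFIX):
            hits[m["path"][len(PREFIX):]].append((m["ip"], int(m["status"])))
    return dict(hits)

def audit_challenges(log_text, expected=EXPECTED):
    """Flag tokens fetched by fewer than `expected` distinct validators (a perspective
    never connected, which surfaces as 'Timeout during connect') or answered non-200."""
    report = {}
    for token, entries in validation_hits(log_text).items():
        sources = sorted({ip for ip, _ in entries})
        bad = [(ip, st) for ip, st in entries if st != 200]
        report[token] = {"sources": sources, "missing": max(0, expected - len(sources)),
                         "bad_status": bad, "ok": len(sources) >= expected and not bad}
    return report

if __name__ == "__main__":
    for token, r in audit_challenges(SAMPLE_LOG).items():
        print(token, "OK" if r["ok"] else f"missing={r['missing']} bad={r['bad_status']}")
```

Run it against the real access log instead of SAMPLE_LOG; a token with `missing` > 0 is one where a validator never reached the server, which is the case to raise with the hoster or firewall rather than with the web server configuration.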

#5

OK, but that does not explain why I did not receive the third request, obviously. Checking my logs again and turning on verbose mode to see whether I can find some trouble somewhere.

Denis


#6

Perhaps your hoster blocks it. Or this is a DDoS protection or something else.

Or it’s a regional problem.

Checking be.front.recette9.vpglabs.site with

https://www.uptrends.com/de/tools/uptime

there is a problem: Some instances see your site after 13 or 15 seconds. That may be a timeout.
