hello,
since several week it is impossible to renew some certificate with more than 100 nale inside it.
During verificatio process, one or more subdomain are not validated because of timeout.
the servers do received the requests with the challenges et do reply to the requests with a 200 Ok and the challenge.
but i do have a lot of this things:
Attempting to renew cert (fr.front.recette9.vpglabs.site) from /etc/letsencrypt/renewal/fr.front.recette9.vpglabs.site.conf produced an unexpected error: Failed authorization procedure. it.frontadmin.recette9.vpglabs.site (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://it.frontadmin.recette9.vpglabs.site/.well-known/acme-challenge/SM2pLWfz_s3GSjRiBlLKWttK0elg62zBw7qbcJUFlb4: Timeout during connect (likely firewall problem)http://it.provider.recette9.vpglabs.site/.well-known/acme-challenge/C59r6lP1yWkWjWQqz-fqBG12O8kh4qkcw0W7UaMpl98: Timeout during connect (likely firewall problem)
as saif befor i can see all incoming connection, and my server reply to the challenge with 200 OK.
Sometime it works, sometimes not (but most of the time is is not)
i checkd wether it was google banned because a bad contents but it is not. no AAAA records.
It used to work very fine before.
problem is either on test server or prod server from lets encrypt
any idea?
Hi @denisall
Can not renew certificat with more than 100 name
100 domain names are the maximum, so you can’t create a certificate with more then 100 domain names.
You have 84:
CN=be.front.recette9.vpglabs.site
29.10.2018
27.01.2019
be.booking.recette9.vpglabs.site,
... skipped ...
- 84 entries
Is it possible that your server has a timeout?
Or is it possible that you add a sleep or something else between the confirmation of two challenges?
Your main configuration looks ok, fetching a not existing file via /.well-known/acme-challenge sends a 404.
yep you are right about the number of domain. 84 is what i request.
on test server i always received 2 requests for each challenge, and i always reply to them with the right challenge and my logs always show a 200 OK for both requests
So that is why i do not understand why i do have this timeout error. if i reply 200 OK to every requests, it should not give me any timeout i guess.
for examples for this error:
Domain: pl.frontadmin.recette9.vpglabs.sitehttp://pl.frontadmin.recette9.vpglabs.site/.well-known/acme-challenge/--_M_KpO4tMfj4rozI8OPy50OaBNy6nCssemqNO9vMk:
I do have that onto my logs:
13.58.30.69 - - [07/Jan/2019:16:08:32 +0100] “GET /.well-known/acme-challenge/–_M_KpO4tMfj4rozI8OPy50OaBNy6nCssemqNO9vMk HTTP/1.1” 200 87 “-” “Mozilla/5.0 (compatible; Let’s Encrypt validation server; +https://www.letsencrypt.org)”
Let’s Encrypt tried to make three requests. The fact that you got two shows that one timed out.
OK, but does not explain why i do not received the third request obviously. checking my logs again and putting the verbose mode to see wether i can find out some trouble somewhere.
Denis
Perhaps your hoster blocks. Or this is a ddos-protection or something else.
Or it's a regional problem.
Checking be.front.recette9.vpglabs.site with
https://www.uptrends.com/de/tools/uptime
there is a problem: Some instances see your site after 13 or 15 seconds. That may be a timeout.
.
system
February 6, 2019, 4:30pm
7
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
