Can't test renew certificate


#1

Hi,

When I tried to renew my certificate I got a timeout error.
My config is in webroot.
The message after the ‘$ certbot renew --dry-run’ command is

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/cos.gdts.eu.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for cos.gdts.eu
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (cos.gdts.eu) from /etc/letsencrypt/renewal/cos.gdts.eu.conf produced an unexpected error: Failed authorization procedure. cos.gdts.eu (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cos.gdts.eu/.well-known/acme-challenge/bBhpFw2i9UD6KZ3srby1SHlB4w8MajciSBHJpBdW_Gk: Timeout. Skipping.

 - The following errors were reported by the server:

   Domain: cos.gdts.eu
   Type:   connection
   Detail: Fetching
   http://cos.gdts.eu/.well-known/acme-challenge/bBhpFw2i9UD6KZ3srby1SHlB4w8MajciSBHJpBdW_Gk:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

And in my web server I have an OK (200) answer.
66.133.109.36 - - [12/Nov/2017:21:19:22 +0100] t=0 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/bBhpFw2i9UD6KZ3srby1SHlB4w8MajciSBHJpBdW_Gk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.30.69 - - [12/Nov/2017:21:19:22 +0100] t=0 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/bBhpFw2i9UD6KZ3srby1SHlB4w8MajciSBHJpBdW_Gk HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I don’t understand why the certbot dry-run renewal fails.

Can you help me?

Thanks
JB


#2

Hi @jume,

It might be a routing glitch because the Let’s Encrypt server now tries checking from multiple different locations.

@cpu, could you take a look at this? The log files suggest that the challenge file was successfully downloaded from two locations, but there was still a Timeout error.


#3

There’s not much additional context from our end. I see that on another occasion 2 remote VAs (one in the US and one in the EU) timed out.

It seems like the origin server takes >5s to respond when multiple requests arrive in parallel.


#4

Hi CPU,
Thanks for the answers

By VAs, do you mean the ‘Let’s Encrypt validation server’?

Who is the origin server?
My server?

Bu
JB


#5

Hi Cpu,
Do you want the Certbot log file?
JB


#6

Yes. VA is short for Validation Authority. It’s the term used for Let’s Encrypt’s validation server software.

Yes, the server for http://cos.gdts.eu/.well-known/acme-challenge/bBhpFw2i9UD6KZ3srby1SHlB4w8MajciSBHJpBdW_Gk.


#7

Hi Matt Nordhoff, Hi CPU

So yesterday (for me)
I tried a stress test and my web server answered within 300-400 ms.

It’s not 5 s!

I saw in the server log many “Let’s Encrypt” test requests.

Perhaps your tests, colleague CPU.

If you want, I can send you the certbot log.

Thanks for your help.

Have a good day
Julien

Sent from a mobile…


#8

CPU,

So yesterday (for me)
I tried a stress test and my web server answered within 300-400 ms.

It’s not 5 s!
For testing, if you want, I can write a file in my …well-known/acme-challenge web server?
Thanks
JB


#9

I tried again, the renewal is still not OK.
I am sending you my server log.
I don’t have any problem with files with no type; the challenge directory is configured as:

<Location /.well-known/acme-challenge/>
ForceType text/plain
</Location>

If I create a file in .well-known/acme-challenge/ I can fetch it!
I tested all domains with dig, it’s OK.
I wrote a test.txt file at http://www.gdts.eu/.well-known/acme-challenge/test.txt
I don’t understand.

2600:3000:2710:300::1d - - [18/Nov/2017:22:53:16 +0100] t=0 v=iga.gdts.eu V=iga.gdts.eu "GET /.well-known/acme-challenge/VDySKvDNNFG9Ht1nlxANIVZH8PnzDZ5Rs6kYsjDICsk HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:16 +0100] t=0 v=iga.gdts.eu V=iga.gdts.eu "GET /.well-known/acme-challenge/VDySKvDNNFG9Ht1nlxANIVZH8PnzDZ5Rs6kYsjDICsk HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [18/Nov/2017:22:53:19 +0100] t=0 v=gab.gdts.eu V=gab.gdts.eu "GET /.well-known/acme-challenge/DobgMc6IwwICXWoZMWEgCu-fHGSuCv6ywyxjLv4T3YM HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:19 +0100] t=0 v=gab.gdts.eu V=gab.gdts.eu "GET /.well-known/acme-challenge/DobgMc6IwwICXWoZMWEgCu-fHGSuCv6ywyxjLv4T3YM HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [18/Nov/2017:22:53:22 +0100] t=0 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/GC00FE7hUDGsorTGlIEOXR6ySiDOCY5_DcTT83OIYTY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:22 +0100] t=0 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/GC00FE7hUDGsorTGlIEOXR6ySiDOCY5_DcTT83OIYTY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [18/Nov/2017:22:53:29 +0100] t=3 v=www.gdts.eu V=zeus.gdts.eu "GET /.well-known/acme-challenge/tBqiJH7jpL4VIeei1_EV2FQ9qIpnsq0ZHeVa6Lx8Q80 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:29 +0100] t=0 v=www.gdts.eu V=zeus.gdts.eu "GET /.well-known/acme-challenge/tBqiJH7jpL4VIeei1_EV2FQ9qIpnsq0ZHeVa6Lx8Q80 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [18/Nov/2017:22:53:36 +0100] t=1 v=www.gdts.eu V=gdts.eu "GET /.well-known/acme-challenge/BhLPA8UGmXfimULN-hiSLUFuMbhHL8VM-1pgT6lGW10 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:36 +0100] t=0 v=www.gdts.eu V=gdts.eu "GET /.well-known/acme-challenge/BhLPA8UGmXfimULN-hiSLUFuMbhHL8VM-1pgT6lGW10 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [18/Nov/2017:22:53:36 +0100] t=0 v=www.gdts.eu V=www.gdts.eu "GET /.well-known/acme-challenge/1lIvTLVcN6tR6gGkt_QxzCm_6Y-RYhI-LIRl0tcIPhU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [18/Nov/2017:22:53:36 +0100] t=0 v=www.gdts.eu V=www.gdts.eu "GET /.well-known/acme-challenge/1lIvTLVcN6tR6gGkt_QxzCm_6Y-RYhI-LIRl0tcIPhU HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
195.43.67.34 - - [18/Nov/2017:23:00:06 +0100] t=0 v=dom2.gdts.eu V=dom2.gdts.eu "GET / HTTP/1.1" 400 347 "-" "curl/7.17.1 (mips-unknown-linux-gnu) libcurl/7.17.1 OpenSSL/0.9.8i zlib/1.2.3"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:00 +0100] t=17 v=iga.gdts.eu V=iga.gdts.eu "GET /.well-known/acme-challenge/JvVpEMPZsrETpr8Tg3UusDEfuNUD7k9ZF7qA56o7kJM HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:00 +0100] t=10 v=iga.gdts.eu V=iga.gdts.eu "GET /.well-known/acme-challenge/JvVpEMPZsrETpr8Tg3UusDEfuNUD7k9ZF7qA56o7kJM HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:04 +0100] t=0 v=gab.gdts.eu V=gab.gdts.eu "GET /.well-known/acme-challenge/Ivd2dXnGzPOEbZBLC_EWeQmJ-gva5SKl0l5anVRbhwY HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:04 +0100] t=0 v=gab.gdts.eu V=gab.gdts.eu "GET /.well-known/acme-challenge/Ivd2dXnGzPOEbZBLC_EWeQmJ-gva5SKl0l5anVRbhwY HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:07 +0100] t=74 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/441Lg1mpI0-4dlrTDkBXpC03ricj5cUtlewx6Yqz66c HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:07 +0100] t=28 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/441Lg1mpI0-4dlrTDkBXpC03ricj5cUtlewx6Yqz66c HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:14 +0100] t=14 v=www.gdts.eu V=zeus.gdts.eu "GET /.well-known/acme-challenge/-6k3H46HEMcgx8zMID9eOTd00imAzu9gD5R9XEYC8kc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:14 +0100] t=15 v=www.gdts.eu V=zeus.gdts.eu "GET /.well-known/acme-challenge/-6k3H46HEMcgx8zMID9eOTd00imAzu9gD5R9XEYC8kc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:21 +0100] t=21 v=www.gdts.eu V=gdts.eu "GET /.well-known/acme-challenge/-LT3wYgw6bHlOpurvAhwLhzL_l7YyJeEiOKo4l9wOlA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:21 +0100] t=225 v=www.gdts.eu V=gdts.eu "GET /.well-known/acme-challenge/-LT3wYgw6bHlOpurvAhwLhzL_l7YyJeEiOKo4l9wOlA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:1f16:185:3210:fa10:3caa:9df7:9ce9 - - [19/Nov/2017:00:25:21 +0100] t=0 v=www.gdts.eu V=www.gdts.eu "GET /.well-known/acme-challenge/RhMjjS3FQsmlq6Zxf9XZv85Z0lvHaX6hKW0r37N6sq0 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
2600:3000:2710:300::1d - - [19/Nov/2017:00:25:21 +0100] t=135 v=www.gdts.eu V=www.gdts.eu "GET /.well-known/acme-challenge/RhMjjS3FQsmlq6Zxf9XZv85Z0lvHaX6hKW0r37N6sq0 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"


#10

Hi CPU,

How can you say the origin server takes >5s to respond when multiple requests arrive in parallel?
Best regards,
Julien


#11

That’s what the validation authority logs showed.


#12

Hi CPU,
I made a script to test the response time of my server and I did not get this response time.

So, I made a certbot --dry-run renew test at 2017-11-28 21:14:50,050.
Can you send me your log file for my website?

After that, I can compare my certbot and web log with your logs.

Thanks for your help.
Julien


#13

Hi @jume,

Here’s what the Validation Authority (VA) logged from our side for this attempt at 28/11/17 21:14:50. Recall that we perform validations from multiple vantage points for the staging environment. There are three remote VAs and one primary VA. For this example we’ll call the remote instances RVA_1 through RVA_3 and PVA_1 for the primary instance.

  • 21:15:12 - RVA_1 starts a HTTP-01 validation
  • 21:15:12 - RVA_2 starts a HTTP-01 validation
  • 21:15:12 - RVA_3 starts a HTTP-01 validation
  • 21:15:12 - RVA_1 registers a successful validation :tada:
  • 21:15:12.467314 - PVA_1 starts a HTTP-01 validation
  • 21:15:17 - RVA_2 times out - note that 21:15:17 - 21:15:12 = 5 seconds - the expected timeout.
  • 21:15:17 - RVA_3 times out
  • 21:15:17.719444 - PVA_1 times out.

Since three of the four validations timed out, the overall validation is declared a failure due to timeout.

There’s no mystery from my side - it seems definitive that your challenge server is timing out on some (if not all!) of the challenge requests.

I hope this information makes it possible for you to figure out the timeout.
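An added defender-side check, not code from this thread or from Let's Encrypt: a small Python scanner for the poster's log format that flags each validation request a VA would not have accepted, either a non-200 answer on the challenge path (the 302s for iga and gab in the log quoted above) or a service time at or beyond the 5-second VA timeout described in this reply. It assumes the custom t= field is the request service time in seconds (Apache %T); the sample lines are copied from the server log quoted earlier in the thread.

```python
import re
from dataclasses import dataclass

# Combined-style Apache line with the poster's extra "t=<n> v=<vhost> V=<host>" fields.
# "t=" is ASSUMED to be service time in seconds (Apache %T); check the real LogFormat.
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<when>[^\]]+)\] t=(?P<t>\d+) v=\S+ V=(?P<host>\S+) '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]+" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
VA_TIMEOUT_S = 5                       # per-request timeout each VA applied in this thread
ACME_PREFIX = "/.well-known/acme-challenge/"

@dataclass
class Finding:
    host: str
    token: str
    reason: str

def parse(line):
    """Return the fields of one log line as a dict, or None if it is not in this format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def check_acme_requests(lines):
    """One Finding per Let's Encrypt challenge request a VA would not have accepted:
    a non-200 answer on the challenge path, or service time at or beyond the VA timeout."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None or "letsencrypt.org" not in rec["ua"] or not rec["path"].startswith(ACME_PREFIX):
            continue                   # not a validation request; ignore
        token = rec["path"][len(ACME_PREFIX):]
        status, secs = int(rec["status"]), int(rec["t"])
        if status != 200:
            findings.append(Finding(rec["host"], token, f"status {status} instead of 200"))
        elif secs >= VA_TIMEOUT_S:
            findings.append(Finding(rec["host"], token, f"served after {secs}s; VA gave up at {VA_TIMEOUT_S}s"))
    return findings

# Sample lines copied from the server log quoted earlier in this thread.
SAMPLE = [
    '2600:3000:2710:300::1d - - [19/Nov/2017:00:25:00 +0100] t=17 v=iga.gdts.eu V=iga.gdts.eu "GET /.well-known/acme-challenge/JvVpEMPZsrETpr8Tg3UusDEfuNUD7k9ZF7qA56o7kJM HTTP/1.1" 302 274 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '2600:3000:2710:300::1d - - [18/Nov/2017:22:53:22 +0100] t=0 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/GC00FE7hUDGsorTGlIEOXR6ySiDOCY5_DcTT83OIYTY HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '2600:3000:2710:300::1d - - [19/Nov/2017:00:25:07 +0100] t=74 v=www.gdts.eu V=cos.gdts.eu "GET /.well-known/acme-challenge/441Lg1mpI0-4dlrTDkBXpC03ricj5cUtlewx6Yqz66c HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '2600:3000:2710:300::1d - - [19/Nov/2017:00:25:21 +0100] t=225 v=www.gdts.eu V=gdts.eu "GET /.well-known/acme-challenge/-LT3wYgw6bHlOpurvAhwLhzL_l7YyJeEiOKo4l9wOlA HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
]

if __name__ == "__main__":
    for f in check_acme_requests(SAMPLE):
        print(f"{f.host}: {f.reason} (token {f.token[:8]}...)")
```

A 200 in the origin log only says the origin eventually finished the response; it says nothing about whether the VA was still waiting when it did, so the status column alone cannot rule out the timeout.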

