soon
October 24, 2023, 12:30am
1
My domain is: myhopeless.life
I ran this command: sudo certbot renew --dry-run
It produced this output:
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for myhopeless.life
http-01 challenge for www.myhopeless.life
Using the webroot path /var/www/myhopeless for all unmatched domains.
Waiting for verification...
Challenge failed for domain myhopeless.life
http-01 challenge for myhopeless.life
Cleaning up challenges
Attempting to renew cert (myhopeless.life) from /etc/letsencrypt/renewal/myhopeless.life.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myhopeless.life/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/myhopeless.life/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: myhopeless.life
Type: connection
Detail: 172.67.207.242: Fetching
https://www.myhopeless.life/.well-known/acme-challenge/YApGukwx6aGSZsB8c7M8Q5p-_yzF620LUKv6KdBYEaA:
Timeout during connect (likely firewall problem)
My web server is (include version): nginx/1.18.0 (Ubuntu) & xray
The operating system my web server runs on is (include version): Ubuntu 20.04
My hosting provider, if applicable, is: cloudflare(Proxied)
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): 0.40.0
The renew command failed most of the time, not always.
xray (a proxy server) listens on 443 and handles the TLS connection, falling back normal HTTPS to 2443; nginx listens on 80 and 2443.
I tried "curl https://www.myhopeless.life/.well-known/acme-challenge/YApGukwx6aGSZsB8c7M8Q5p-_yzF620LUKv6KdBYEaA: " on another server and got 404 (nginx).
rg305
October 24, 2023, 12:58am
2
Hi @soon , and welcome to the LE community forum
I don't see how you can possibly circumvent Cloudflare.
[So, what you are seeing is what Cloudflare is showing you - (very) indirectly from something claiming to be running nginx/1.18.0 (Ubuntu)]
Are you seeing any of those ACME challenge requests in the local server's xray proxy logs?
Are you seeing any of those ACME challenge requests in the local server's nginx access logs?
soon:
Certbot): 0.40.0
Please uninstall that old version and follow the recommended installation instructions:
Certbot (eff.org)
[so that you may start using the latest version of certbot: 2.7.2]
2 Likes
soon
October 24, 2023, 1:25am
3
rg305:
nginx access logs
nginx access log after I ran certbot renew:
172.70.179.60 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
108.162.245.189 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.151.146 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:15 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:01:15:16 +0000] "GET /.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/xd6-Y5rKWxfYLOkGmrWzWO0MwEgQxSsyhhKE4fV6NFY" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.58 - - [24/Oct/2023:01:15:25 +0000] "GET /.well-known/acme-challenge/D7TOprLfA7zGA35c3qVkSrJQSR3eOJtcF15ENHbGxVI HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
and the nginx config:
server {
    # xray terminates TLS on 443 and hands plain HTTP to this block over loopback
    listen 127.0.0.1:2443;
    server_name www.myhopeless.life;
    proxy_cookie_path / "/; secure";
    # certbot --webroot path: challenge files are served from here
    location /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/myhopeless;
    }
    # root /home/ubuntu/docs/.vitepress/dist/;
    location / {
        index index.html;
        root /home/ubuntu/docs/.vitepress/dist/;
    }
}
server {
    # plain HTTP for the www name: everything, challenge requests included, is redirected to HTTPS
    listen 80;
    server_name www.myhopeless.life;
    charset utf-8;
    proxy_cookie_path / "/; secure";
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    # plain HTTP for the apex name: redirect to the www name over HTTPS
    listen 80;
    server_name myhopeless.life;
    return 301 https://www.myhopeless.life$request_uri;
}
and the 404 was also listed in the access log, so it's not Cloudflare's fake response.
1 Like
soon
October 24, 2023, 2:38am
5
I updated certbot to the latest 2.7.2 and tried renew twice: one success and one failure.
The output of the failure:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: www.myhopeless.life
Type: connection
Detail: 172.67.207.242: Fetching https://www.myhopeless.life/.well-known/acme-challenge/IXi9Xbe0_aQ5ZxjBOkABM_oS1V1SF-0I2DtJAlqsWB0: Timeout during connect (likely firewall problem)
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate myhopeless.life with error: Some challenges have failed.
And here is the nginx access log:
172.71.146.90 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.206 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.94 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.150.188 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.63 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.57 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.146.184 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.211 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
108.162.245.203 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.202 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:41 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
And what about this?
MikeMcQ:
Do you have any kind of IP blocking at the Cloudflare CDN edge? Any kind of location based blocking or "bot" heuristic blocking or anything like that.
Usually if there is a problem with the CF CDN reaching your origin we would see a 502 error or some other gateway failure type code returned by Cloudflare. That you get a distinct timeout with an IP address that belongs to Cloudflare indicates it is blocked at the CDN edge.
And, why do some entries show up as coming from 127.0.0.1? I only know of that happening when one of your server blocks proxies to another. The originating IP is then yourself. But, I don't see any proxy statements to make that happen.
Can you add an access_log in each server block and use a different file name for each one? I think requests are flowing to several server blocks that they shouldn't.
3 Likes
The entire site is behind Cloudflare, so it's better to just use a CF origin certificate.
4 Likes
I often suggest that myself! But there are some restrictions then, like not being able to disable the proxy for specialized purposes, and some other bits.
3 Likes
He uses xray (anti-GFW proxy) on it, so it's tunneled,
and I don't think he'd be able to listen on port 80 from the internet if he needed that.
4 Likes
MikeMcQ
October 24, 2023, 2:54am
10
Ah, missed that. Still, why are the challenges logging in different patterns? In some we've seen two sets of two getting thru (just secondaries). Then one works. Then in another all 3 initial requests get thru but the redirected request does not.
Something is seriously erratic.
3 Likes
There is a 3rd hidden server in question: the other side of the xray tunnel. Do you control that? If you do, why not host the site there?
If I have to guess, these are 2 nested tunnels, a Cloudflare Argo one and an xray one, as CF doesn't talk with : add one more and now you have an onion.
I kinda think the log is xray's x-proxy header, as all of them are CF IPs?
4 Likes
MikeMcQ
October 24, 2023, 3:04am
12
Ouch, right. My bad. I got AWS for Let's Encrypt mixed up with Cloudflare. Time for bed!
3 Likes
soon
October 24, 2023, 3:09am
13
The last line
162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301
is 11 seconds later than the previous request
162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301
and there were no more requests after the 301; the renew failed.
Anyway, I'll try a CF origin certificate later.
rg305
October 24, 2023, 3:19am
14
These first three groups seem OK:
[HTTP gets redirected to HTTPS - goes through the proxy and is returned the 87 bytes expected]
172.71.146.90 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.206 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.57 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.94 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.150.188 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.63 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8 HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/hwZOWtL7HJr0QjlO-GqxQm62E5VpDdqEizEquafq0J8" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.71.146.184 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.211 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.37 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:41 +0000] "GET /.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/WE81tZx5aUwF9JdXhLpVXSdMO_V5yxGHLrCebnbrW1E" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
But this last group definitely encounters an issue:
108.162.245.203 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.202 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
There is a clear 10 second gap between the first requests and the last.
Then the third request is never proxied.
I'd say something is doing some sort of inbound rate limiting/throttling.
Do you use anything that could do anything along those lines?
2 Likes
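To make the grouping rg305 does by hand above repeatable, here is an added example (an editor's script, not code from the thread, from certbot or from nginx) that parses nginx access-log lines, groups the ACME challenge requests by token, and flags any edge 301 that was never followed by a local 200. It assumes the layout the original poster described: the port-80 vhost answers 301, xray terminates TLS on 443 and hands the follow-up request to nginx on 127.0.0.1:2443, which is why the 200s appear to come from 127.0.0.1 (the question MikeMcQ raised). The sample lines are copied from the access log posted earlier in the thread; the `LOCAL_HOPS` set, the function names and the verdict wording are assumptions made for this example.

```python
"""Group nginx access-log lines for ACME http-01 challenges by token and flag
redirects that were never followed by a local (proxied) 200.

Added example for this thread, not certbot's or nginx's code. Assumed layout
(from the original post): port-80 vhost -> 301, xray on 443 -> nginx on
127.0.0.1:2443 -> 200 with the 87-byte key authorization.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime

# Sample input: lines copied from the access log quoted in the thread
# (one healthy token group and the group whose late 301 never got a 200).
SAMPLE_LOG = """\
172.71.146.90 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.69.58.206 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.57 - - [24/Oct/2023:02:29:10 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:29:11 +0000] "GET /.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc HTTP/1.1" 200 87 "http://myhopeless.life/.well-known/acme-challenge/AquZqEtRSFC5soqmAzdQ5wkY3ZiO7wVY4G5RmkoTNKc" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
108.162.245.203 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
172.70.130.202 - - [24/Oct/2023:02:30:39 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
127.0.0.1 - - [24/Oct/2023:02:30:40 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 200 87 "http://www.myhopeless.life/.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
162.158.245.62 - - [24/Oct/2023:02:30:50 +0000] "GET /.well-known/acme-challenge/Q5UIDBdVxArpVyRXfpNmcenExVYBUBbPJ8KndQWsZXs HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
"""

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TOKEN_RE = re.compile(r"^/\.well-known/acme-challenge/(?P<token>[A-Za-z0-9_-]+)$")
LOCAL_HOPS = {"127.0.0.1"}  # assumption: the xray -> nginx loopback hop


def parse_line(line):
    """Return a dict for an ACME challenge request, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    t = TOKEN_RE.match(m["path"])
    if not t:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "token": t["token"],
        "status": int(m["status"]),
        "size": 0 if m["size"] == "-" else int(m["size"]),
        "referer": m["referer"],
    }


def analyse(log_text):
    """Per token: edge 301 count, local 200 count, 301s never followed by a
    local 200, and the wall-clock span of the whole group in seconds."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry:
            groups[entry["token"]].append(entry)

    report = {}
    for token, entries in groups.items():
        entries.sort(key=lambda e: e["time"])
        redirects = [e for e in entries if e["status"] == 301 and e["ip"] not in LOCAL_HOPS]
        served = [e for e in entries if e["status"] == 200 and e["ip"] in LOCAL_HOPS]
        # A redirect is "followed" if a local 200 for the same token arrives at or after it.
        unfollowed = sum(
            1 for r in redirects if not any(s["time"] >= r["time"] for s in served)
        )
        span = (entries[-1]["time"] - entries[0]["time"]).total_seconds()
        report[token] = {
            "redirects": len(redirects),
            "served": len(served),
            "unfollowed_redirects": unfollowed,
            "span_seconds": span,
            "verdict": "ok" if unfollowed == 0 else "redirect never followed through",
        }
    return report


if __name__ == "__main__":
    # Pipe a real log in (python3 acme_log_check.py < access.log) or run on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for token, summary in analyse(text).items():
        print(f"{token[:12]}...  {summary}")
```

A token whose group shows unfollowed_redirects greater than zero together with a span of roughly ten seconds is the pattern rg305 points at in the last group above: the validator's edge request reached the port-80 vhost and got its 301, but the HTTPS follow-up never arrived at the loopback hop. A token with no edge 301 at all would instead mean the request never reached the origin, which points at the path in front of nginx rather than at the config.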
rg305
October 24, 2023, 3:50am
15
I see two names:
Maybe you could obtain certs for them individually.
That would cut the challenges in half.
[I mean they would run at different times]
OR
Get a cert for one name [and don't actually use it].
Then the next day get a cert for both names [and use this one].
That way each time the second cert goes to renew, the first name is already renewed and its authorization for that account is cached.
In either case, you would be using two certs [instead of one].
So, neither is more wasteful than the other.
2 Likes
rg305
October 24, 2023, 3:59am
16
As a sidestep/workaround: have you looked into using DNS-01 authentication?
4 Likes
system
Closed
November 23, 2023, 4:00am
17
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.