Certbot timeout before dns update

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: themysteriesoftherosary.net

I ran this command: sudo certbot certonly --manual --server https://acme.ssl.com/sslcom-dv-rsa --agree-tos --no-eff-email --email redacted --eab-hmac-key redacted --eab-kid redacted --preferred-challenges dns -d themysteriesoftherosary.net -d wwww.themysteriesoftherosary.net

It produced this output:
Press Enter to Continue
Waiting for verification...
Cleaning up challenges
Press Enter to ContinueCleaning up challenges
Timed out waiting for answer to prompt 'Press Enter to Continue'
greg@meet:/etc/letsencrypt$

My web server is (include version):apache /2.4.46

The operating system my web server runs on is (include version): ubuntu 20.10

My hosting provider, if applicable, is:DNS provider NetworkSolutions

I can login to a root shell on my machine (yes or no, or I don't know):yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.7.0

My DNS provider takes up to 24 hours before txt records are added to the dns records and certbot times out before the records are available on the dns sites

It currently has a time out set of 10 hours (36000 seconds).

If I look at the code, this is currently (and in v1.7.0 too) hardcoded without a way to modify it:

In theory you could modify util.py manually to have it wait longer, e.g. 86400 seconds. Or you could open an issue on Github to have certbot modified to somehow customize this timeout.

Why would you have a time out less than the published time to propagate? Modifying the timeout doesn't hurt anyone who has determined via a tool that the dns record has been modified and then presses enter. But I can't even get the certificate created. How do I request that it be fixed. This is a bug.

Your use case is probably very rare. Usually it doesn't take that long for DNS changes to propogate. I guess the certbot developers thought 10 hours is plenty.

I'm not sure this is a bug, but you could file an issue here: Issues · certbot/certbot · GitHub

Uh, I'm really unfamiliar with external account binding, but is this key something that's intended to be shared publicly? Or is it one-time-use and no longer useful now?

That's… really long. You might find it easier (rather than trying to complete manual challenges over the course of a day) to CNAME-delegate your _acme-challenge. name to something like acme-dns and fulfill DNS challenges directly rather than waiting for your DNS provider. It's a lot more easily automated, too, which is really how ACME is designed to be used.

1 Like

I must be the only guy trying to do DNS certification with NetworkSolutions . I have yet to have propagation in less than a day

I just looked up their support page

https://knowledge.web.com/subjects/article/KA-01111/en-us

Domain Name Server changes may take 24-48 hours to update throughout the internet. Advanced DNS updates will take up to 2 hours to take effect—updates may resolve more quickly at some locations than others because many nameservers on the Internet retrieve updates at different times.

Which sounds to me that if you're changing what your DNS servers are (the NS records) that it could take 24, but for "normal" updates it should only take up to 2 hours. (Which is still longer than average, I'd say, but much more reasonable.) Have you actually measured what the delay is between when you make a change and it shows up on your authoritative DNS servers to be 24 hours?

I am using NetworkSolutions so I added using advance DNS the following txt records which show on my account:
image.png

If I use the Network tools from mxtoolbox.com using my domain: themysteriesoftherosary.com the tool shows that the domain is published but there are no txt records. I added the two records shown above at 1:25pm yesterday.

I can find the record perfectly using Googles online tools:

https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.themysteriesoftherosary.net

Not sure if the mxtoolbox you've used is the correct tool, as MX records are an entirely different thing than TXT records.

1 Like

I'm not sure about the tool you're looking at, but I see the records on your authoritative servers (ns85.worldnic.com & ns86.worldnic.com) just fine from where I am on the Internet.

(Happen to be checking this from a Windows machine this time, though I removed the directory I was in from the prompts below.)

>nslookup -type=NS themysteriesoftherosary.net.
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
themysteriesoftherosary.net     nameserver = ns85.worldnic.com
themysteriesoftherosary.net     nameserver = ns86.worldnic.com

>nslookup -type=TXT _acme-challenge.themysteriesoftherosary.net. ns85.worldnic.com
Server:  UnKnown
Address:  162.159.26.131

_acme-challenge.themysteriesoftherosary.net     text =

        "2QlqVFNNnfh2lMrXZMwBz3ZkX3j4beOijmr9BsL3HSE"

>nslookup -type=TXT _acme-challenge.themysteriesoftherosary.net. ns86.worldnic.com
Server:  UnKnown
Address:  162.159.27.117

_acme-challenge.themysteriesoftherosary.net     text =

        "2QlqVFNNnfh2lMrXZMwBz3ZkX3j4beOijmr9BsL3HSE"

>nslookup -type=TXT _acme-challenge.www.themysteriesoftherosary.net. ns85.worldnic.com
Server:  UnKnown
Address:  162.159.26.131

_acme-challenge.www.themysteriesoftherosary.net text =

        "EP9wdRTa2uqZNcNQ9m1aKHcVASeVy6tO2F6Mb_cm768"

>nslookup -type=TXT _acme-challenge.www.themysteriesoftherosary.net. ns86.worldnic.com
Server:  UnKnown
Address:  162.159.27.117

_acme-challenge.www.themysteriesoftherosary.net text =

        "EP9wdRTa2uqZNcNQ9m1aKHcVASeVy6tO2F6Mb_cm768"
2 Likes

A good tool for checking this from online is unboundtest.com, which uses the same DNS resolver settings as Let's Encrypt does (which are different than many normal OS resolver defaults). The debug output is pretty arcane, but at the top is the somewhat-readable summary of what it found.

https://unboundtest.com/m/TXT/_acme-challenge.themysteriesoftherosary.net./SVP2K4SB

1 Like

Thank you for the other tool links. It worked this time.

1 Like

Note that you only have to wait for the TXT record to copy to your main nameservers, cached DNS responses elsewhere don't matter.

I had no idea ssl dot com had a (free) ACME service, I must have missed that (or forgotten about it!).

3 Likes

I don't think I knew about that either. It looks like they have a business model where you can get free 90 day certificates, or pay for 1-year certificates, both using ACME.

People might not like this approach, but I believe that the people who originally developed ACME would have found this quite creative and probably welcomed it.

There are regularly people who ask on this forum "can't I pay you for a longer-than-90-day certificate?" and who really seem to want that (perhaps for use on machines that aren't constantly connected to the Internet, among other cases). So one answer could now be "no, but there is another CA that offers that, and in a way that's probably compatible with the software that you've already been using", rather than just "no".

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.