Certificate Request with Certbot timing out

stevenzhu · October 26, 2018, 9:02pm

Hi,

I would not think so... And it's actually wierd since other post requests are processed normally.

Is the issue persists?

Could you please try to run dig +short TXT whoami.ds.akahelp.net and share us the output?

Thank you

unixfy · October 26, 2018, 9:13pm

Yes, the issue is still persisting.

Here's the output:

"ns" "2620:171:fe:f0::4"

unixfy · October 26, 2018, 9:15pm

I even tested this with different clients (dehydrated and acme.sh) and all of them error out at the same stage (the POST to the LE API with the finalize URL). Acme.sh’s error indicates that it recieved an error 52 from CURL (meaning no data was returned back to my server)?

stevenzhu · October 26, 2018, 9:18pm

Pinging @lestaff since the error only occurs when it’s finalizing the order.

Maybe they could find something at server-side (or akamai side)

Thank you

unixfy · October 26, 2018, 9:18pm

Thanks @stevenzhu, I’ll see what they have to say.

unixfy · October 26, 2018, 11:09pm

Could MTU on the tunnel be the culprit? Wireguard is 1420 by default.

jsha · October 27, 2018, 1:04am

This is pretty odd. From our side, we never receive the finalize request from your client, even though it’s there in the logs. I guess it’s possible Akamai could be specifically blocking your finalize requests - maybe they have some content in them that Akamai’s WAF doesn’t like. I’ll see what I can find out.

unixfy · October 29, 2018, 9:34pm

So I just tested IIS and Certify the Web and certificate issuance works. However, nothing on Linux works… This is getting very confusing.

JuergenAuer · October 29, 2018, 9:50pm

Checking your certificate signing request

again. And found:

CSR Decoder - Check CSR to verify its contents has no problem. But

https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

has some problems.

Missing items: Common name, Country, City/locality, Organization, State/province

Your CSR does not contain the following items: Common name, Country, City/locality, Organization, State/province

Checking the code of my own client: There I specified all these entries, Letsencrypt ignores them. But perhaps the Country is important.

But there

https://ssl-trust.com/SSL-Zertifikate/csr-decoder

is something interesting:

Checking your CSR

Version: 2 (0x2)

Checking one of my last CSR (created with Windows .NET command):

Version: 0 (0x0)

Has someone a CSR created via Certbot to check?

jsha · October 29, 2018, 10:19pm

These are not important; Boulder does not check these.

I believe Version 2 is correct (corresponding to x509v3). Version 0 is incorrect, and I believe Boulder will reject it.

Also it's worth noting that this can't be a problem where Boulder is rejecting the CSR, because according to our logs, Boulder never received the CSR.

@unixfy, what are the differences between your Certify the Web instance and your Linux instance? I assuming they are different servers on different IP addresses? Were you issuing for the same hostname?

unixfy · October 29, 2018, 10:20pm

Both are running on the same machine with the same IP configuration (but different IP addresses). For the Linux instance I was issuing for gamecp.x2c0.net, for Windows I was issuing for rd.x2c0.net.

jsha · October 29, 2018, 10:23pm

Can you try issuing for gamecp.x2c0.net from your Windows instance?

JuergenAuer · October 29, 2018, 10:25pm

I've got the certificate, no reject.

jsha · October 29, 2018, 10:29pm

Looks like I was wrong. I was thinking about CSRs with an empty version field.

unixfy · October 29, 2018, 10:53pm

The request to get a certificate succeeds with Certify the Web on gamecp.x2c0.net.

system · November 28, 2018, 10:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.