Dns-01 + HTTPS timeout



I’m trying to get certbot to fetch a certificate for imap.nocternity.net + vm-imap.internal.nocternity.net (the latter being in the cert’s DN) from a CSR, using dns-01 with RFC 2136 updates sent to a “remote” bind9 server.

The process works fine at the beginning:

My domain is: nocternity.net (but I’m trying to get a cert for imap.nocternity.net + vm-imap.internal.nocternity.net)

I ran this command: su -s /bin/bash -c 'certbot certonly --work-dir /var/lib/certificates/certbot/work --logs-dir /var/lib/certificates/certbot/logs --config-dir /var/lib/certificates/certbot/config --csr /var/lib/certificates/imap/vm-imap.internal.nocternity.net.csr --dns-rfc2136 --dns-rfc2136-credentials /var/lib/certificates/certbot-dns.ini' certbot

It produced this output:

My web server is (include version): none whatsoever

The operating system my web server runs on is (include version): Devuan Ascii with certbot apt-pinned to Devuan Beowulf and certbot-dns-rfc2136 installed from github

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Hi @ebenoit

what says

Where is the exact timeout?


My initial message was much longer and more precise than that, but I keep getting errors (which FF shows as “transmission errors”) when trying to edit the post. I’ll try re-writing the whole thing as a reply.


(1/x) The process works fine at the beginning:

Performing the following challenges:
dns-01 challenge for imap.nocternity.net
dns-01 challenge for vm-imap.internal.nocternity.net
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges


(2/x) The DNS log confirms that the entries are indeed created and then deleted:

Sep 30 19:04:40 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36208/key ddns-key: updating zone 'nocternity.net/IN': adding an RR at '_acme-challenge.imap.nocternity.net' TXT
Sep 30 19:04:41 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36210/key ddns-key: updating zone 'internal.nocternity.net/IN': adding an RR at '_acme-challenge.vm-imap.internal.nocternity.net' TXT
Sep 30 19:05:45 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36216/key ddns-key: updating zone 'nocternity.net/IN': deleting an RR at _acme-challenge.imap.nocternity.net TXT
Sep 30 19:05:45 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36218/key ddns-key: updating zone 'internal.nocternity.net/IN': deleting an RR at _acme-challenge.vm-imap.internal.nocternity.net TXT


(3/4) However, past that point I get a ReadTimeoutError exception from certbot:

HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

I’m not posting the whole stack trace; it’s uninformative, as it only has entries for the various libraries, nothing certbot-specific.

I had some outbound iptables rules in place that could have interfered, but I dropped them (iptables -F && ip6tables -F) just to be sure.


(4/4, which is the part of my post which apparently causes trouble)

I tried tcpdump’ing the whole thing both on the VM and on a Linux box that acts as a router, and I got a few packets being received after the exception. I can’t seem to post the tcpdump log, though, but it shows my side sending a pair of ACKs (same seq), the other side sending a PSH, and my side resetting the connection.


“Solved”-ish. I found these threads:

The problem is apparently related to big requests sent using IPv6. Since I didn’t want to hardcode the address of the API webserver into /etc/hosts, I wrote a wrapper script that reads the IPv4 address from DNS and updates the file prior to running certbot. It seems to be working.

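What the wrapper described in the previous post has to do, written out as an added example that is not the poster's own script: resolve the current A record of acme-v02.api.letsencrypt.org (the API host from the timeout message), replace any existing line for that name in /etc/hosts, then hand off to certbot. The use of getent(1) and awk, the function names, and the fact that the wrapper runs as root before dropping to the certbot user are assumptions about the environment, not details from the thread; the hosts-file logic is the part worth keeping, since a stale pin left behind from a previous run would be worse than no pin at all.

```sh
#!/bin/sh
# Added example, not the poster's wrapper: pin the ACME API host to its
# current IPv4 address in an /etc/hosts-style file before running certbot,
# so the client never tries the IPv6 path that was timing out.
set -eu

# Hostname taken from the ReadTimeoutError in the thread.
ACME_HOST="acme-v02.api.letsencrypt.org"

# Print the first IPv4 address the system resolver returns for $1.
# getent(1) is an assumption about the host; substitute dig/host if needed.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# Rewrite hosts file $1 so that hostname $2 maps to address $3.
# Every non-comment line that already names $2 is dropped first, so repeated
# runs are idempotent and a stale address is never left behind. The file is
# written via a temp file and mv so it is never left half-written.
pin_host() {
    hosts_file=$1; name=$2; addr=$3
    tmp=$(mktemp "${hosts_file}.XXXXXX")
    awk -v n="$name" '
        /^[[:space:]]*#/ { print; next }              # keep comments as-is
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == n) keep = 0 }
        keep { print }
    ' "$hosts_file" > "$tmp"
    printf '%s\t%s\n' "$addr" "$name" >> "$tmp"
    mv "$tmp" "$hosts_file"
}

# Print the address hosts file $1 maps hostname $2 to (nothing if absent).
# Used to check the pin before trusting it.
lookup_host() {
    awk -v n="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }
    ' "$1"
}

# Resolve, pin, verify, then run certbot with whatever arguments were given.
main() {
    addr=$(resolve_ipv4 "$ACME_HOST")
    if [ -z "$addr" ]; then
        echo "could not resolve an IPv4 address for $ACME_HOST" >&2
        exit 1
    fi
    pin_host /etc/hosts "$ACME_HOST" "$addr"
    if [ "$(lookup_host /etc/hosts "$ACME_HOST")" != "$addr" ]; then
        echo "/etc/hosts does not contain the expected pin" >&2
        exit 1
    fi
    exec certbot "$@"
}

# Only act when certbot arguments are supplied, e.g.:
#   ./acme-ipv4-wrapper.sh certonly --csr ... --dns-rfc2136 ...
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats for anyone copying this approach. The API hostname sits behind a CDN whose addresses change, so a one-off entry in /etc/hosts would eventually break; re-resolving on every run, as above, is what makes the pin tolerable. And forcing IPv4 sidesteps rather than fixes the problem: two duplicate ACKs, a retransmitted PSH and a reset on a large request is the pattern usually seen when big IPv6 segments are not getting through (a path MTU or MSS problem somewhere on the route), which is worth checking separately.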
