Dns-01 + HTTPS timeout


I’m trying to get certbot to fetch a certificate for imap.nocternity.net + vm-imap.internal.nocternity.net (the latter being in the cert’s DN) from a CSR, using dns-01 with RFC 2136 updates sent to a “remote” bind9 server.

The process works fine at the beginning:

My domain is: nocternity.net (but I’m trying to get a cert for imap.nocternity.net + vm-imap.internal.nocternity.net)

I ran this command: su -s /bin/bash -c 'certbot certonly --work-dir /var/lib/certificates/certbot/work --logs-dir /var/lib/certificates/certbot/logs --config-dir /var/lib/certificates/certbot/config --csr /var/lib/certificates/imap/vm-imap.internal.nocternity.net.csr --dns-rfc2136 --dns-rfc2136-credentials /var/lib/certificates/certbot-dns.ini' certbot

It produced this output:

My web server is (include version): none whatsoever

The operating system my web server runs on is (include version): Devuan Ascii with certbot apt-pinned to Devuan Beowulf and certbot-dns-rfc2136 installed from GitHub

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @ebenoit

what says

Where is the exact timeout?

My initial message was much longer and more precise than that, but I keep getting errors (which FF shows as “transmission errors”) when trying to edit the post. I’ll try re-writing the whole thing as a reply.

(1/x) The process works fine at the beginning:

Performing the following challenges:
dns-01 challenge for imap.nocternity.net
dns-01 challenge for vm-imap.internal.nocternity.net
Waiting 60 seconds for DNS changes to propagate
Waiting for verification...
Cleaning up challenges

(2/x) The DNS log confirms that the entries are indeed created and then deleted:

Sep 30 19:04:40 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36208/key ddns-key: updating zone 'nocternity.net/IN': adding an RR at '_acme-challenge.imap.nocternity.net' TXT
Sep 30 19:04:41 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36210/key ddns-key: updating zone 'internal.nocternity.net/IN': adding an RR at '_acme-challenge.vm-imap.internal.nocternity.net' TXT
Sep 30 19:05:45 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36216/key ddns-key: updating zone 'nocternity.net/IN': deleting an RR at _acme-challenge.imap.nocternity.net TXT
Sep 30 19:05:45 vm-main-dns named[23363]: client 2001:7a8:b270:200::2:13#36218/key ddns-key: updating zone 'internal.nocternity.net/IN': deleting an RR at _acme-challenge.vm-imap.internal.nocternity.net TXT

(3/4) However, past that point I get a ReadTimeoutError exception from certbot:

HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)

I’m not posting the whole stack trace; it’s uninformative, as it only has entries for the various libraries and nothing certbot-specific.

I had some outbound iptables rules in place that could have interfered but dropped them (iptables -F && ip6tables -F) just to be sure.

(4/4, which is the part of my post which apparently causes trouble)

I tried tcpdump’ing the whole thing both on the VM and on a linux box that acts as a router, and I got a few packets being received after the exception. I can’t seem to post the tcpdump log though, but it shows my side sending a pair of acks (same seq), the other side sending a push, and my side resetting the connection.

“Solved”-ish. I found these threads:

The problem is apparently related to big requests sent using IPv6. Since I didn’t want to hardcode the address of the API webserver into /etc/hosts, I wrote a wrapper script that reads the IPv4 address from DNS and updates the file prior to running certbot. It seems to be working.

