My domain is: hub.malvager.net + irc.malvager.net
I ran this command:
certbot-auto certonly --manual --manual-public-ip-logging-ok --rsa-key-size 4096 -n --expand --keep --agree-tos --reuse-key --preferred-challenges=dns --manual-auth-hook /root/LE/auth.sh -d "hub.malvager.net,irc.malvager.net"
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Reusing existing private key from /etc/letsencrypt/live/hub.malvager.net/privkey.pem.
Performing the following challenges:
dns-01 challenge for irc.malvager.net
dns-01 challenge for hub.malvager.net
Running manual-auth-hook command: /root/LE/auth.sh
Output from manual-auth-hook command auth.sh:
Start: Mon Aug 5 03:00:04 CEST 2019
End: Mon Aug 5 03:10:45 CEST 2019
Running manual-auth-hook command: /root/LE/auth.sh
Output from manual-auth-hook command auth.sh:
Start: Mon Aug 5 03:10:45 CEST 2019
End: Mon Aug 5 03:20:01 CEST 2019
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.
My web server is (include version): N/A
The operating system of my server is (include version): Debian 9 (Stretch)
My hosting provider is: N/A (home-hosted VM)
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no
The version of my client is: certbot 0.36.0
Additional information:
The server on which certbot runs is also my primary DNS server (based on bind9). All zones are propagated to my domain registrar's nameservers so they can be used as secondary/tertiary, in case of outages. As such I need to make sure all authoritative nameservers have the TXT record before LetsEncrypt can verify the challenges, which is why there's about 10 minutes between the start and end times. auth.sh is a simple Bash script to add the record and check every server involved using a for $srv + while dig loop, so it only proceeds with the next server if the record is found.
I actually managed to get all certificates once, but that was already a couple of months ago. It also succeeded only after 10+ timeout errors, so I guess I just got lucky there.
I read a bunch of topics on here about Akamai dropping packets over a certain size. But if that's the case then it has been that way for almost 2 years already, in which case it's high time for LetsEncrypt/Akamai to reliably fix the issue.
Also, I have other VMs in the same network that use HTTP challenges and those certs get issued just fine.
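For readers who want to see what a hook of the kind described in "Additional information" looks like, here is an added example of a dns-01 manual-auth-hook. It is not the poster's auth.sh and not part of certbot; it only follows the description above: publish the TXT record on the local primary, then poll each authoritative server in turn with dig and move on to the next server only once the record is visible. The nameserver names, the TSIG key path, the primary address and the timing values are assumptions and are all overridable through environment variables; certbot itself supplies CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook.

```shell
#!/usr/bin/env bash
# Hypothetical certbot manual-auth-hook for dns-01 challenges (added example,
# not the original poster's auth.sh). certbot passes the challenge in the
# environment: CERTBOT_DOMAIN is the name being validated, CERTBOT_VALIDATION
# is the token that must appear as a TXT record at _acme-challenge.<domain>.
# Server names, key path and timings below are assumptions for illustration.

AUTH_NS="${AUTH_NS:-ns1.example.net ns2.example.net ns3.example.net}"
PRIMARY="${PRIMARY:-127.0.0.1}"                      # local bind9 primary
TSIG_KEY="${TSIG_KEY:-/etc/bind/keys/acme-update.key}" # assumed TSIG key file
POLL_INTERVAL="${POLL_INTERVAL:-15}"                 # seconds between queries
MAX_WAIT="${MAX_WAIT:-900}"                          # per-server deadline

# Name of the TXT record the ACME server will look up.
challenge_name() {
  printf '_acme-challenge.%s\n' "$1"
}

# Publish the record on the primary via a TSIG-signed dynamic update.
add_txt_record() {
  local name=$1 value=$2
  nsupdate -k "$TSIG_KEY" <<EOF
server $PRIMARY
update add $name. 120 IN TXT "$value"
send
EOF
}

# Ask one server for the TXT RRset. Kept as its own function so that the
# polling logic can be exercised with a fake resolver.
query_txt() {
  dig +short +time=5 +tries=1 @"$1" TXT "$2"
}

# 0 when the expected value is among the answers (dig +short prints TXT data
# in double quotes, hence the quoted exact-line match).
record_present() {
  query_txt "$1" "$2" | grep -Fqx "\"$3\""
}

# Poll one server until the record is visible or MAX_WAIT seconds have passed.
wait_for_ns() {
  local server=$1 name=$2 value=$3 deadline
  deadline=$(( $(date +%s) + MAX_WAIT ))
  while ! record_present "$server" "$name" "$value"; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "timed out waiting for $server to serve $name" >&2
      return 1
    fi
    sleep "$POLL_INTERVAL"
  done
  return 0
}

# Check every authoritative server in turn; the next server is only queried
# after the current one answers, mirroring the for/while loop in the post.
wait_for_all() {
  local name=$1 value=$2 srv
  for srv in $AUTH_NS; do
    wait_for_ns "$srv" "$name" "$value" || return 1
    echo "$srv now serves $name"
  done
  return 0
}

main() {
  local name
  name=$(challenge_name "$CERTBOT_DOMAIN")
  echo "Start: $(date)"
  add_txt_record "$name" "$CERTBOT_VALIDATION" || exit 1
  wait_for_all "$name" "$CERTBOT_VALIDATION" || exit 1
  echo "End: $(date)"
}

# Run the hook body only when certbot has supplied a challenge; sourcing the
# file without those variables just defines the functions.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then
  main
fi
```

With several -d names certbot invokes the hook once per name, which is why the output above shows two Start/End pairs. The hook only adds records; a matching --manual-cleanup-hook would be the place to delete the TXT record again once the challenge has been validated, so stale tokens do not accumulate in the zone.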