HTTP challenges retry

falcantaras · May 13, 2020, 4:01pm

Hi,

I am trying to generate a single certificate with multiple alternate names (50).
For the certificate to be generated, all challenges to all domain names have to be valid, this is obvious.

I am running busy sites and sometimes I have intermittent network access issues. This means that, in 50 challenges, the probability for one challenge to fail is very high.

This is one example:
Challenge response: {
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “During secondary validation: Fetching http://yyyyy.cc/.well-known/acme-challenge/AAAAA: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/stuff”,
“token”: “AAAAA”,
“validationRecord”: [
{
“url”: “http://yyyyy.cc/.well-known/acme-challenge/AAAAA”,
“hostname”: “yyyyy.cc”,
“port”: “80”,
“addressesResolved”: [
“x.x.x.x”
],
“addressUsed”: “x.x.x.x”
}
]
}.

So I have two questions:

Is it possible to force a retry on an invalid challenge?
Is it possible to change the challenge’s timeout?

Thanks,
Filipe

JuergenAuer · May 13, 2020, 4:35pm

Hi @falcantaras

if you have that error, first read

Looks like you have a blocking firewall, may be a regional blocking.

You can create a new order. But there are some limits.
No.

It's a problem of your system. May be name servers are too slow, buggy, may be your server is too slow. If it isn't a firewall problem.

If you have such an instable system, you shouldn't try to create certificates with 50 domain names.

falcantaras · May 13, 2020, 4:41pm

Hi and thank you for the fast response.

That was just an example, the normal error is
Timeout during connect (likely firewall problem)

If I create a new order, will I be able to generate the certificate anyway? So, for example, if I am trying to generate a certificate for 10 domains, and one challenge fails, will I be able to generate the certificate for the 9 domains that had a valid challenge?

Filipe

JuergenAuer · May 13, 2020, 4:48pm

Read some required basics:

falcantaras · May 13, 2020, 4:58pm

Hi, and thanks again for the fast response,

I do understand the basics, and when there are no invalid challenges I am able to generate the certificate.
My issue is that, it takes just an invalid challenge for the entire process to fail, and I would like to have a workaround for this.
Maybe I am asking the wrong questions…

Filipe

system · June 12, 2020, 4:59pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.