HTTP challenges retry

Hi,

I am trying to generate a single certificate with multiple alternate names (50).
For the certificate to be generated, all challenges to all domain names have to be valid, this is obvious.

I am running busy sites and sometimes I have intermittent network access issues. This means that, in 50 challenges, the probability for one challenge to fail is very high.

This is one example:
Challenge response: {
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “During secondary validation: Fetching http://yyyyy.cc/.well-known/acme-challenge/AAAAA: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/stuff”,
“token”: “AAAAA”,
“validationRecord”: [
{
“url”: “http://yyyyy.cc/.well-known/acme-challenge/AAAAA”,
“hostname”: “yyyyy.cc”,
“port”: “80”,
“addressesResolved”: [
“x.x.x.x”
],
“addressUsed”: “x.x.x.x”
}
]
}.

So I have two questions:

  1. Is it possible to force a retry on an invalid challenge?
  2. Is it possible to change the challenge’s timeout?

Thanks,
Filipe

Hi @falcantaras

if you have that error, first read

Looks like you have a blocking firewall, may be a regional blocking.

  1. You can create a new order. But there are some limits.
  2. No.

It’s a problem of your system. May be name servers are too slow, buggy, may be your server is too slow. If it isn’t a firewall problem.

If you have such an instable system, you shouldn’t try to create certificates with 50 domain names.

Hi and thank you for the fast response.

That was just an example, the normal error is
Timeout during connect (likely firewall problem)

If I create a new order, will I be able to generate the certificate anyway? So, for example, if I am trying to generate a certificate for 10 domains, and one challenge fails, will I be able to generate the certificate for the 9 domains that had a valid challenge?

Filipe

Read some required basics:

Hi, and thanks again for the fast response,

I do understand the basics, and when there are no invalid challenges I am able to generate the certificate.
My issue is that, it takes just an invalid challenge for the entire process to fail, and I would like to have a workaround for this.
Maybe I am asking the wrong questions…

Filipe

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.