I run a daily cron across multiple servers to check cert expiry and automatic renewal. However, for some of my servers this is not working, and I can only assume some sort of rate limiting is in place. I have multiple domain names, but this only appears to be an issue with this one domain name. When the cert check is run in cron, the response is - Pending. Can someone help?
user@hk1:~/.acme.sh/hk1.zennodes.space$ sudo "/home/user/.acme.sh"/acme.sh --cron --home "/home/user/.acme.sh"
[Wed 14 Mar 10:07:33 UTC 2018] ===Starting cron===
[Wed 14 Mar 10:07:33 UTC 2018] Renew: 'hk1.zennodes.space'
[Wed 14 Mar 10:07:33 UTC 2018] Standalone mode.
[Wed 14 Mar 10:07:33 UTC 2018] Single domain='hk1.zennodes.space'
[Wed 14 Mar 10:07:33 UTC 2018] Getting domain auth token for each domain
[Wed 14 Mar 10:07:33 UTC 2018] Getting webroot for domain='hk1.zennodes.space'
[Wed 14 Mar 10:07:33 UTC 2018] Getting new-authz for domain='hk1.zennodes.space'
[Wed 14 Mar 10:07:34 UTC 2018] The new-authz request is ok.
[Wed 14 Mar 10:07:34 UTC 2018] Verifying:hk1.zennodes.space
[Wed 14 Mar 10:07:34 UTC 2018] Standalone mode server
[Wed 14 Mar 10:07:39 UTC 2018] Pending
[Wed 14 Mar 10:07:41 UTC 2018] Pending
[Wed 14 Mar 10:07:43 UTC 2018] Pending
[Wed 14 Mar 10:07:46 UTC 2018] Pending
[Wed 14 Mar 10:07:48 UTC 2018] hk1.zennodes.space:Verify error:Fetching http://hk1.zennodes.space/.well-known/acme-challenge/553qhbqDSlzv9fh-sTNXrCEOl42u8ICznsKE6YLi7WY: Timeout
[Wed 14 Mar 10:07:48 UTC 2018] Please add '--debug' or '--log' to check more details.
[Wed 14 Mar 10:07:48 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
[Wed 14 Mar 10:07:49 UTC 2018] Error renew hk1.zennodes.space.
[Wed 14 Mar 10:07:49 UTC 2018] ===End cron===
Please bear in mind that I have other domains that work in exactly the same way as this one (with around 20 certs per domain) and these appear to work fine.
I have also randomized the cron job, so all servers' crons do not run at the same time.
Help…!!
[Wed 14 Mar 10:26:00 UTC 2018] GET
[Wed 14 Mar 10:26:00 UTC 2018] url='https://acme-v01.api.letsencrypt.org/acme/challenge/77nym1vaXti--rp_FdyOAg8IOUymeSQJ9WiSk94Khyo/3813185908'
[Wed 14 Mar 10:26:00 UTC 2018] timeout
[Wed 14 Mar 10:26:00 UTC 2018] _CURL='curl -L --silent --dump-header /home/user/.acme.sh/http.header '
[Wed 14 Mar 10:26:01 UTC 2018] ret='0'
[Wed 14 Mar 10:26:01 UTC 2018] Pending
The timeout occurs when something on the acme servers is checked. Am I being rate limited? If so, why and how can I get around this??
So how did you setup Let's Encrypt validation for the others?
If you use DNS validation, then you probably just forgot to tell acme.sh to use DNS validation for that individual domain. Never mind.
[Wed 14 Mar 10:07:34 UTC 2018] Standalone mode server
So, you are using standalone mode with acme.sh. That should be fine and not result in a timeout - acme.sh listens on port 80 for you, for the duration of the validation process.
"Timeout" does not indicate any sort of rate limit issue. It means what it says, that the validation server tried to connect but failed.
Are you able to temporarily spin up a web server on your server so we can see if it is accessible via port 80?
e.g. maybe with
sudo sh -c 'mkdir -p /tmp/empty; cd /tmp/empty && python -m SimpleHTTPServer 80'
OK. Looks like this could be an issue (firewall on the vps provider side). I am going to test this by allowing a rule for http on the VPS provider. Seems a bit odd though as I am renewing and not setting up for the first time. I will update the progress.
Ok…the test was successful after opening the http port at the VPS provider. All servers are set up the same with configuration management software. I guess what caught me out is that they use different VPS providers, and some of them will have a firewall in by default - so traffic is denied unless you allow it.
Thanks for the help
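Added example, not code from this thread, from acme.sh or from its wiki: a small POSIX shell probe for the HTTP-01 challenge path that distinguishes the cases discussed above. It is meant to be run from a second host, so the request crosses the same provider firewall that the Let's Encrypt validation server hits. The domain from the thread and the token are placeholders; the mapping of curl exit status 28 (timeout) to a filtered port 80, and of status 7 (refused) to "nothing listening", is the diagnosis the thread reached, not anything acme.sh itself reports.

```shell
#!/bin/sh
# Added example (not from the thread or acme.sh): probe the HTTP-01 challenge
# URL the way the validation server does and turn curl's exit status into a
# diagnosis. Domain and token below are placeholders.

# Build the URL the CA fetches for an HTTP-01 challenge.
challenge_url() {
    # $1 = domain, $2 = token
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Map curl's exit status (and, on success, the HTTP status) to a diagnosis.
#  28 = --max-time expired: packets are being dropped, typically a provider
#       firewall / security group with no inbound TCP/80 rule (the case above).
#   7 = connection refused: the host answers, but nothing listens on port 80
#       (acme.sh standalone not running yet, or a host firewall rejecting).
#   6 = DNS could not resolve the name.
classify_probe() {
    # $1 = curl exit status, $2 = HTTP status code (meaningful only when $1 = 0)
    case "$1" in
        0)
            case "$2" in
                200) echo "reachable: challenge served with HTTP 200" ;;
                404) echo "reachable: port 80 open but token not found (wrong webroot or listener)" ;;
                *)   echo "reachable: unexpected HTTP status $2" ;;
            esac ;;
        28) echo "timeout: TCP/80 filtered, check provider firewall / security group" ;;
        7)  echo "refused: TCP/80 reaches host but nothing listens on port 80" ;;
        6)  echo "dns: name did not resolve" ;;
        *)  echo "curl failed with exit status $1" ;;
    esac
}

# Fetch the challenge URL with a 5-second cap (roughly the pacing seen between
# the "Pending" lines above) and classify the outcome.
probe_challenge() {
    # $1 = domain, $2 = token
    url=$(challenge_url "$1" "$2")
    http_code=$(curl -sS -L --max-time 5 -o /dev/null -w '%{http_code}' "$url" 2>/dev/null)
    rc=$?
    classify_probe "$rc" "$http_code"
}

# Usage (placeholders): on the server, start a throwaway listener on port 80
# that serves the token, then from another machine run:
#   probe_challenge hk1.zennodes.space test-token
```

A "timeout" verdict from outside while the same URL answers from the server itself is the signature of a filter in the path (provider firewall or security group), which is exactly what turned out to be the cause here; a "refused" verdict points at the host instead.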