Let's Encrypt refusing to connect to my domain on renew, and now it is saying limit reached

ondr@ondr:/etc/nginx/sites-enabled⟫ dig chat.ondr.co type257 @chat.ondr.co

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257 @chat.ondr.co
;; global options: +cmd
;; connection timed out; no servers could be reached

I would highlight @mnordhoff's response for you:

Your DNS provider isn't Cloudflare, it's Digital Ocean, and you should inquire with their support as to why these queries are failing.

Ahh … so it seems the domain was transferred to Digital Ocean and I never knew about that.

; <<>> DiG 9.10.3-P4-Ubuntu <<>> chat.ondr.co type257
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;chat.ondr.co.                  IN      CAA

;; AUTHORITY SECTION:
ondr.co.                1796    IN      SOA     ns1.digitalocean.com. hostmaster.ondr.co. 1497507243 10800 3600 604800 1800

;; Query time: 3174 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Jun 20 15:58:36 UTC 2017
;; MSG SIZE  rcvd: 108

I had submitted to DO.
With --staging, only one failed:
Challenge failed for domain updates-1.chat.ondr.co

But without staging, many are failing … I tried twice, so only 3 tries left for this week?
Thanks a lot for your patience @mnordhoff and @cpu
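As an added pre-flight check (not part of the thread, and not Certbot's own code), the script below classifies `dig <name> type257` results like the two quoted above, so that a CAA lookup failure is caught locally before a certificate request spends one of the failed-validation attempts. The dig outputs are constructed from the thread; `example.test` and its CAA record are hypothetical.

```python
import re
# Constructed sample outputs modelled on the two lookups quoted in the thread.
TIMEOUT_OUTPUT = ";; connection timed out; no servers could be reached\n"
NOERROR_EMPTY_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27682
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; QUESTION SECTION:
;chat.ondr.co.                  IN      CAA
;; AUTHORITY SECTION:
ondr.co.                1796    IN      SOA     ns1.digitalocean.com. hostmaster.ondr.co. 1497507243 10800 3600 604800 1800
"""
# Constructed: a hypothetical zone that does publish a CAA policy.
CAA_PRESENT_OUTPUT = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
example.test.           300     IN      CAA     0 issue "letsencrypt.org"
"""

STATUS_RE = re.compile(r"status: (\w+)")
# Answer-section CAA RR: owner TTL IN CAA <flags> <tag> "<value>"; question lines start with ';'.
CAA_RR_RE = re.compile(r'^\S+\s+\d+\s+IN\s+CAA\s+(\d+)\s+(\w+)\s+"([^"]*)"', re.M)

def classify_caa_lookup(dig_output):
    """Return (verdict, records) for one `dig <name> type257` result."""
    # A timeout or a non-NOERROR rcode is what the CA sees as a CAA lookup failure.
    if "no servers could be reached" in dig_output:
        return "lookup_error", []
    status = STATUS_RE.search(dig_output)
    if not status or status.group(1) != "NOERROR":
        return "lookup_error", []
    # NOERROR with an empty ANSWER means "no CAA policy here": issuance is not blocked.
    records = CAA_RR_RE.findall(dig_output)
    return ("caa_present", records) if records else ("no_caa", [])

def caa_permits(records, issuer):
    """True if the CAA 'issue' records (RFC 8659) allow `issuer` to issue."""
    # Parameters after ';' in the value are ignored for the issuer-name match.
    issuers = {value.split(";")[0].strip() for _, tag, value in records if tag == "issue"}
    return not issuers or issuer in issuers

def blocked_names(lookups, issuer):
    """Names whose CAA state would make a validation attempt fail (sorted)."""
    # Each such attempt counts against the failed-validation rate limit
    # (5 per account per hostname per hour), so fix these before requesting.
    blocked = []
    for name, output in lookups.items():
        verdict, records = classify_caa_lookup(output)
        if verdict == "lookup_error" or not caa_permits(records, issuer):
            blocked.append(name)
    return sorted(blocked)
```

Feed it the saved output of `dig <name> type257` for every name on the certificate; an empty result from `blocked_names` means the CAA side will not be what fails the order.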

@v3ss0n, when you don't successfully receive a certificate, the limit is 5 attempts per hour, not per week.

Thanks a lot, the last attempt luckily got 5 domains working: chat.ondr.co, updates-0.chat.ondr.co to updates-4chat…ondr.co, and now our service is back online.

I hope the next renewal does not have a problem like this. It was a nightmare …

I thought that Certbot was set up to try and renew certificates well in advance of when they expire.

@schoen Do you know any reason why this wouldn't have happened in this case? I can't recall how Certbot sets up cron (or does it use a systemd timer?)

I had to remove auto renewal; if a problem like this occurs it will block renewal when the limit is reached.

certbot-auto doesn't automatically set up a job. The Certbot Ubuntu packages, for example, automatically set up a cron job or systemd timer that runs every 12 hours (randomly delayed up to 1 hour). I assume most other packages do something similar.

That's not an issue. The failed validation rate limit is 5 per account per hostname per hour. A typical cron job runs 1 or 2 times per day. And unless the client is managing several duplicate certificates, it would only try to validate each hostname once.

Also, even if it fails, you would typically have almost a month to fix the problem.


So there is another renewal in systemd? I found one in crontab and disabled it; it was from letsencrypt.
Now I updated with certbot; it is the Ubuntu certbot package.

Digital Ocean confirmed they are aware of and working on the DNS issues.
