Letsencrypt taking too much time to generate certs and sometimes getting timeout

Description Of Issue:

We are hosting more than 2000 domains on nginx using certbot for SSL. Everything was working fine a day back, but as the configs kept increasing, the time taken for generating certs also increased from 20 seconds to 2-3 minutes. Also, during the ACME challenge validation we are sometimes getting the timeout error, which has now become more frequent. Please help us on an urgent basis.

Detail: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)

My domain is: xyz.com

I ran this command: certbot --nginx -d xyz.com -d www.xyz.com

It produced the following output:


Server: nginx
Date: Sat, 02 Oct 2021 08:27:48 GMT
Content-Type: application/json
Content-Length: 1109
Connection: keep-alive
Boulder-Requester: 195657700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023b5UyQrkNR-nQu_jC5jdlJWBWGq2QkcES-qU6GNXmzU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
 "identifier": {
  "type": "dns",
  "value": "xyz.com"
 },
 "status": "invalid",
 "expires": "2021-10-09T08:26:09Z",
 "challenges": [
  {
   "type": "http-01",
   "status": "invalid",
   "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)",
    "status": 400
   },
   "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/36294543070/GM59Hg",
   "token": "XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY",
   "validationRecord": [
    {
     "url": "http://xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY",
     "hostname": "xyz.com",
     "port": "80",
     "addressesResolved": [
      "IP"
     ],
     "addressUsed": "IP"
    }
   ],
   "validated": "2021-10-02T08:26:19Z"
  }
 ]
}
2021-10-02 08:27:48,776:DEBUG:acme.client:Storing nonce: 00023b5UyQrkNR-nQu_jC5jdlJWBWGq2QkcES-qU6GNXmzU
2021-10-02 08:27:48,777:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: xyz.com
Type:  connection
Detail: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-10-02 08:27:48,777:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
  self._respond(aauthzrs, resp, best_effort)
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
  self._poll_challenges(aauthzrs, chall_update, best_effort)
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
  raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)

2021-10-02 08:27:48,777:DEBUG:certbot.error_handler:Calling registered functions
2021-10-02 08:27:48,778:INFO:certbot.auth_handler:Cleaning up challenges
2021-10-02 08:28:29,423:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
 File "/usr/bin/certbot", line 11, in <module>
  load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
 File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
  return config.func(config, plugins)
 File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
  certname, lineage)
 File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
  lineage = le_client.obtain_and_enroll_certificate(domains, certname)
 File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
  cert, chain, key, _ = self.obtain_certificate(domains)
 File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
  orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
 File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
  authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
  self._respond(aauthzrs, resp, best_effort)
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
  self._poll_challenges(aauthzrs, chall_update, best_effort)
 File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
  raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)

My web server is (include version): nginx

The operating system my web server runs on is (include version): ubuntu 18.04

Certbot version: certbot 0.31.0

@anil12 It looks like you have modified your servers since you posted. I say this because your output shows errors fetching a site but the current responses are different.

You show error fetching:
https://www.xyz.com/.well-known/...
for a certonly command for domains xyz.live and www.xyz.live

For that to happen your xyz.live servers are redirecting the original challenge requests to https (note not http) and also a different domain name (.com not .live).

This will be slower than it needs to be and causes further demand on your servers to handle the redirects.

I say you must have modified your servers because I do not see the same result. In fact, I now see an incorrect response from your server.

For request of:

curl -I http://xyz.live/.well-known/acme-challenge/Test-Forum-123

HTTP/1.1 200 OK
Server: openresty
Date: Mon, 04 Oct 2021 14:12:17 GMT
Content-Type: text/html
Content-Length: 2548
Last-Modified: Fri, 01 Oct 2021 19:43:55 GMT
ETag: "615764fb-9f4"
X-Adblock-Key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJRmzcpTevQqkWn6dJuX/N/Hxl7YxbOwy8+73ijqYSQEN+WGxrruAKtZtliWC86+ewQ0msW1W8psOFL/b00zWqsCAwEAAQ_j14ISl2hJbpWcTuTtc0MJbfAXrZImLDSwMvvxynNDkw7GVjWlbzMQyvSq19wo9odcWBgjGY1lNye7E9+D8cTLA
Set-Cookie: system=PW;Path=/;Max-Age=86400;
Set-Cookie: caf_ipaddr=3.87.190.9;Path=/;Max-Age=86400;
Set-Cookie: country=US;Path=/;Max-Age=86400;
Set-Cookie: city="Ashburn";Path=/;Max-Age=86400;
Set-Cookie: traffic_target=gd;Path=/;Max-Age=86400;
Accept-Ranges: bytes
Via: 1.1 google

Note it responds with a status 200 where it should be 404 (not found). The contents of the response look like a landing page.

Note also that it did not redirect as in your example.

Please post current results if you are still having problems. Add three backticks (```) before and after sample code to format it nicely. Thanks.


Hi @MikeMcQ, apologies for the edits.

The command we are running is
certbot --nginx -d xyz.com -d www.xyz.com

Our nginx conf, which is the same for all applications, is:

upstream xyz.com {
    server IP:Port;   # backend application nodes (IP:Port as posted)
    server IP:Port;
}
server {
    # Port 80 redirects every request, including /.well-known/acme-challenge/,
    # to https://www.xyz.com, so the http-01 validation has to follow the redirect.
    listen 80;
    server_name xyz.com www.xyz.com;
    return 301 https://www.xyz.com$request_uri;
}
server {
    listen 443 ssl;
    server_name xyz.com www.xyz.com;

    ssl on;
    ssl_certificate /etc/letsencrypt/live/xyz.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem; # managed by Certbot

    location / {
        # Hand every request, including redirected challenge requests,
        # to the upstream block named xyz.com above.
        proxy_pass http://xyz.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

Also to mention, the time taken by certbot to generate certificates also keeps on increasing with the growing configuration files. Earlier it used to take only 20-25 seconds; now it is taking around 2-3 minutes.
We are hosting more than 2000 applications on our servers and these numbers will keep on growing in the coming days. Please help us on an urgent basis.

Below is the error we are getting almost 70% of the time now, which we were not getting earlier on executing the command.

The below error has now become very frequent even though the A records are properly set and the domain is resolving properly. Now the same issue has also started occurring when we are trying to renew the certs, as renewal also does the ACME challenge.

Domain: [xyz.com](http://xyz.com/)
Type: connection
Detail: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

@anil12 I am still confused by what I see in your conf and in tests.
I am not even sure how to proceed. It seems like you have an architecture or server problem which is beyond my scope. Perhaps someone else can see a way forward.

General info you may find helpful:

When you request a cert with http challenge, the challenge comes from a Lets Encrypt (LE) server to your server port 80. Example:
http://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY

Using your nginx sample conf:

  1. The server with listen 80 for www.xyz.com redirects that to the https server
  2. LE then makes that request to your https server on port 443
  3. Then, your 443 server sends the request to your upstream proxy
  4. You have commented out the upstream server details so hard to know what happens there.

That is a much longer path than needed. For each http challenge LE may make 4 similar requests.

Ideally, you would have a location /.well-known/acme-challenge/ statement in your port 80 server so it does not redirect it.
This would minimize the time spent to resolve the challenge.

I cannot give exact example as the nginx conf you gave me is incomplete.
And, your nginx is version 1.9.9 which is from 2016 and too old for me to know.
Also, I do not know your full architecture and perhaps this is impossible for you.

Your error message Timeout after connect (your server may be slow or overloaded) may be improved if you can better handle the http challenges. Or, perhaps consider DNS challenges but that is a very different thing.

Things that confuse me:

  1. When I try a sample challenge request this happens.
curl -I http://xyz.com/.well-known/acme-challenge/Test-Forum-123

HTTP/1.1 301 Moved Permanently
Server: nginx/1.9.9
Date: Mon, 04 Oct 2021 19:59:51 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: https://gen.xyz/

Note the Location is for gen.xyz and is missing the URI.
This does not match your sample nginx conf.

  2. Your sample certbot command used --nginx. Not a problem, but that should update the nginx conf and I see none of those updates in your sample nginx conf.

  3. Your upstream proxy name is the same as your http port 80 listener server. That seems incorrect.

Hopefully you can find an answer or perhaps someone else can assist you. Sorry.

That means your firewall/IPs/something is blocking inbound requests to validate the HTTP challenge files.
You should NOT block port 80.

Are you running any sort of traffic filtering e.g. a geographic filter? Your server is not reliably responding to http challenges.

Just to be clear, this probably isn't a Let's Encrypt problem, it's most likely a your-server problem, so you need to look there first.


For anyone figuring out how to reduce the cert generation time: it can be done by doing the ACME challenges on the server itself by passing the webroot parameter.

certbot certonly --webroot -w /var/www/html -d example.com -d www.example.com

This way one will be able to generate the certs really fast.

This will only generate the certs, you can modify the configuration by yourself or do it by script.

What the --nginx plugin was doing was generating the cert, taking a backup of the sites-enabled folder, and modifying the configs as well, which can be time consuming for a large use case.

Better to use the certonly command with webroot for faster cert generation.

Thank you @MikeMcQ and everyone for the immediate response and help.
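
The port-80 challenge location MikeMcQ describes above, combined with the webroot approach from this post, as an added example that is not from the thread or from anil12's configuration: it assumes the webroot /var/www/html from the certonly command above, renames the upstream to xyz_backend (a hypothetical name) so it no longer collides with the server_name, and keeps the IP:Port placeholders.

```nginx
# Added example (not the poster's conf). Assumes certs are obtained with:
#   certbot certonly --webroot -w /var/www/html -d xyz.com -d www.xyz.com
# IP:Port are placeholders for the real backend nodes.

upstream xyz_backend {
    server IP:Port;
    server IP:Port;
}

server {
    listen 80;
    server_name xyz.com www.xyz.com;

    # Let's Encrypt fetches http://<host>/.well-known/acme-challenge/<token>
    # over plain HTTP. Serve the token file straight from local disk: no
    # redirect, no TLS handshake, no round trip to the upstream application.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type text/plain;
        try_files $uri =404;   # an unknown token must be 404, never a landing page
    }

    # Everything else still goes to https as before.
    location / {
        return 301 https://www.xyz.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name xyz.com www.xyz.com;

    ssl_certificate     /etc/letsencrypt/live/xyz.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xyz.com/privkey.pem;

    location / {
        proxy_pass http://xyz_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After `nginx -t` and a reload, `curl -I http://xyz.com/.well-known/acme-challenge/Test-Forum-123` should answer 404 with no Location header, and a file dropped into /var/www/html/.well-known/acme-challenge/ should come back 200 over plain HTTP.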

@anil12
How many vhost configs are within each file?
How many files were being updated by nginx?
