Description Of Issue:
We are hosting more than 2000 domains on nginx using certbot for SSL. Everything was working fine a day back, but as the configs kept increasing, the time taken for generating certs also increased from 20 seconds to 2-3 minutes. Also, during the ACME challenge validation we are sometimes getting the timeout error, which has now become more frequent. Please help us on an urgent basis.
Detail: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)
My domain is: xyz.com
I ran this command: certbot --nginx -d xyz.com -d www.xyz.com
It produced the following output:
Server: nginx
Date: Sat, 02 Oct 2021 08:27:48 GMT
Content-Type: application/json
Content-Length: 1109
Connection: keep-alive
Boulder-Requester: 195657700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 00023b5UyQrkNR-nQu_jC5jdlJWBWGq2QkcES-qU6GNXmzU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "xyz.com"
},
"status": "invalid",
"expires": "2021-10-09T08:26:09Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/36294543070/GM59Hg",
"token": "XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY",
"validationRecord": [
{
"url": "http://xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY",
"hostname": "xyz.com",
"port": "80",
"addressesResolved": [
"IP"
],
"addressUsed": "IP"
}
],
"validated": "2021-10-02T08:26:19Z"
}
]
}
2021-10-02 08:27:48,776:DEBUG:acme.client:Storing nonce: 00023b5UyQrkNR-nQu_jC5jdlJWBWGq2QkcES-qU6GNXmzU
2021-10-02 08:27:48,777:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: xyz.com
Type: connection
Detail: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-10-02 08:27:48,777:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)
2021-10-02 08:27:48,777:DEBUG:certbot.error_handler:Calling registered functions
2021-10-02 08:27:48,778:INFO:certbot.auth_handler:Cleaning up challenges
2021-10-02 08:28:29,423:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1119, in run
certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. xyz.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: During secondary validation: Fetching https://www.xyz.com/.well-known/acme-challenge/XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY: Timeout after connect (your server may be slow or overloaded)
My web server is (include version): nginx
The operating system my web server runs on is (include version): Ubuntu 18.04
Certbot version: certbot 0.31.0
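One detail in the posted authorization is worth checking before touching the nginx configs: the validationRecord shows Let's Encrypt requesting http://xyz.com/.well-known/acme-challenge/... on port 80, while the error detail names https://www.xyz.com/... as the URL that timed out after connect. So port 80 answered with a redirect, and it was the HTTPS hop that hung. The script below is an added example (not from the post and not Certbot's code) that reproduces that kind of trace: it fetches the challenge URL hop by hop without letting the HTTP library follow redirects, times each hop, and classifies the outcome. The 10-second per-hop budget, the User-Agent string, the verdict codes and the two offline stand-in fetchers are assumptions of the example; the token is the one from the posted log.

```python
"""Added example: trace an http-01 fetch hop by hop, the way an ACME validator sees it."""
import http.client
import socket
import ssl
import sys
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

FetchResult = Tuple[int, Dict[str, str], bytes]   # (status, lower-cased headers, body)
Fetcher = Callable[[str, float], FetchResult]
REDIRECTS = (301, 302, 303, 307, 308)
TOKEN = "XZnKoF6YzPe3EAf8U68Tc286ZUROSn3d2zX4GIMtyYY"   # token from the posted log


@dataclass
class Hop:
    url: str
    status: Optional[int]          # None when no HTTP response came back
    elapsed: float                 # seconds spent on this hop, success or failure
    error: Optional[str] = None
    body: bytes = b""


def live_fetch(url: str, timeout: float) -> FetchResult:
    """One GET with redirects NOT followed, so every hop is timed on its own."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        conn = http.client.HTTPSConnection(host, parts.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, parts.port or 80, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    try:
        conn.request("GET", path, headers={"User-Agent": "acme-probe/0.1 (added example)"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read(4096)
    finally:
        conn.close()


def trace_challenge(domain: str, token: str, fetch: Fetcher = live_fetch,
                    timeout: float = 10.0, max_redirects: int = 10) -> List[Hop]:
    """Start on port 80 as http-01 does, then follow redirects one at a time.
    The 10 s per-hop budget is this example's assumption, not Let's Encrypt's value."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    hops: List[Hop] = []
    for _ in range(max_redirects + 1):
        t0 = time.monotonic()
        try:
            status, headers, body = fetch(url, timeout)
        except socket.timeout:
            hops.append(Hop(url, None, time.monotonic() - t0, "timeout"))
            break
        except (OSError, http.client.HTTPException) as exc:
            hops.append(Hop(url, None, time.monotonic() - t0, f"{type(exc).__name__}: {exc}"))
            break
        hops.append(Hop(url, status, time.monotonic() - t0, body=body))
        if status in REDIRECTS and "location" in headers:
            url = urljoin(url, headers["location"])   # relative Location resolved like a browser would
            continue
        break
    return hops


def diagnose(hops: List[Hop], token: str) -> Tuple[str, str]:
    """Classify a trace. The codes are this example's own, not ACME error types."""
    last = hops[-1]
    if last.error == "timeout":
        if len(hops) > 1 and urlsplit(last.url).scheme == "https":
            return ("TIMEOUT_AFTER_REDIRECT_TO_HTTPS",
                    f"port 80 answered in {hops[0].elapsed:.2f}s, but the redirect target "
                    f"{last.url} hung for {last.elapsed:.1f}s: the TLS vhost is the slow one")
        return ("TIMEOUT_ON_HTTP", f"{last.url} hung for {last.elapsed:.1f}s on port 80")
    if last.error:
        return ("CONNECTION_ERROR", f"{last.url}: {last.error}")
    if last.status in REDIRECTS:
        return ("TOO_MANY_REDIRECTS", f"gave up after {len(hops)} hops at {last.url}")
    if last.status == 200 and last.body.strip().startswith(token.encode()):
        return ("OK", f"key authorization served after {len(hops)} hop(s), "
                      f"{sum(h.elapsed for h in hops):.2f}s total")
    return ("BAD_RESPONSE", f"{last.url} returned HTTP {last.status} without the token")


# Constructed stand-ins (no network) replaying the shape seen in the post and a healthy server.
def fetch_like_posted_failure(url: str, timeout: float) -> FetchResult:
    if url.startswith("http://xyz.com/"):                       # port 80 answers with a redirect...
        return 301, {"location": url.replace("http://xyz.com/", "https://www.xyz.com/")}, b""
    raise socket.timeout("timed out")                           # ...and the https host never answers


def fetch_like_healthy_server(url: str, timeout: float) -> FetchResult:
    return 200, {"content-type": "text/plain"}, (TOKEN + ".thumbprint-placeholder\n").encode()


def replay_posted_failure() -> str:
    return diagnose(trace_challenge("xyz.com", TOKEN, fetch=fetch_like_posted_failure), TOKEN)[0]


def replay_healthy_server() -> str:
    return diagnose(trace_challenge("xyz.com", TOKEN, fetch=fetch_like_healthy_server), TOKEN)[0]


if __name__ == "__main__":
    live = len(sys.argv) == 3                                   # acme_probe.py <domain> <token>
    dom, tok = (sys.argv[1], sys.argv[2]) if live else ("xyz.com", TOKEN)
    trace = trace_challenge(dom, tok, fetch=live_fetch if live else fetch_like_posted_failure)
    for h in trace:
        print(f"{h.elapsed:6.2f}s  {h.status or '-':>4}  {h.url}  {h.error or ''}")
    print(" -> %s: %s" % diagnose(trace, tok))
```

Run it as `python3 acme_probe.py xyz.com <token>` while a challenge file is actually in place (for example during a `certbot certonly --webroot` run), and run it from a host outside your own network: the "secondary validation" named in the error is Let's Encrypt fetching from additional network vantage points, so a probe from the server itself can succeed while the remote fetch still times out. Without arguments the script replays the constructed failure offline. A `TIMEOUT_AFTER_REDIRECT_TO_HTTPS` verdict points the investigation at the TLS server block and at how long nginx takes to reload and serve it with thousands of vhosts loaded, rather than at DNS or the port-80 listener.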