Random domains timeout when renewing the certificate

All domains are on the same Apache vhost:

www.fully-kiosk.com
fully-kiosk.com
licensing.fully-kiosk.com
licensing2.fully-kiosk.com
remoting.fully-kiosk.com
remoting2.fully-kiosk.com
www2.fully-kiosk.com
etc

I ran this command:

/usr/bin/certbot renew

It produced this output:

Randomly one or many domain connections time out. Can’t renew the certificate now as always at least one domain times out. Last update 2 months ago was all right.

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/www2.fully-kiosk.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: fully-kiosk.com
    Type: connection
    Detail: Timeout

My web server is (include version):

Server version: Apache/2.4.10 (Debian)

The operating system my web server runs on is (include version):

Debian 3.16.43-2+deb8u1 (2017-06-18) x86_64 GNU/Linux

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

Do you use any rate limiting in Apache or did you in any way limit access to port 80/443 via a stateful packet filter?

Nope. Ratelimit module is not installed and not in use. There is also no packet filter.

That could be a real server timeout as after server restart there are many waiting client requests arriving on Apache which make it slow for the first seconds.

I managed this by increasing server process numbers in /etc/apache2/mods-available/mpm_prefork.conf. Then I could finally renew the certificate on the second attempt.

Is there a way to increase the connection timeout value for certification process by certbot?

I'm not sure that this is the same delay that you're thinking of but you might get what you want if you can change the time.sleep(3) here to a larger value.

https://github.com/certbot/certbot/blob/master/certbot-apache/certbot_apache/configurator.py#L1926

I believe that is the one where Certbot has made changes to your Apache configuration to pass the challenges from the CA and is then waiting after restarting Apache. If it takes more than 3 seconds to start up, you might encounter problems here.

This value is currently not configurable in any configuration file and would require you to change the code in your locally installed copy of Certbot.
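
The fixed wait after a restart discussed in the reply above, shown as an added example that is not part of the original thread and is not Certbot's code: a fixed sleep shorter than the server's startup time finds nothing listening, while polling with a deadline waits exactly as long as needed. The function names, the constructed local test server standing in for a restarting Apache, and the token path are all hypothetical.

```python
import http.server
import socket
import threading
import time
import urllib.error
import urllib.request

# Ignore proxy environment variables so the probe talks to the server directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def wait_until_serving(url, deadline=30.0, interval=0.25, timeout=2.0):
    """Poll url until any HTTP response arrives; return seconds waited, or None."""
    start = time.monotonic()
    while time.monotonic() - start < deadline:
        try:
            _OPENER.open(url, timeout=timeout).close()
            return time.monotonic() - start
        except urllib.error.HTTPError:
            # A 4xx/5xx status still proves the server accepts and answers requests.
            return time.monotonic() - start
        except (urllib.error.URLError, OSError):
            time.sleep(interval)  # refused or timed out: not ready yet
    return None


def start_slow_server(startup_delay):
    """Constructed stand-in for a restart: listens only after startup_delay seconds."""
    with socket.socket() as s:  # reserve a free local port number
        s.bind(("127.0.0.1", 0))
        port = s.getsockname()[1]
    class Quiet(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response(404)
            self.end_headers()
        def log_message(self, *args):
            pass
    def run():
        time.sleep(startup_delay)
        http.server.HTTPServer(("127.0.0.1", port), Quiet).serve_forever()
    threading.Thread(target=run, daemon=True).start()
    return "http://127.0.0.1:%d/.well-known/acme-challenge/constructed-token" % port


def demo(startup_delay=1.0, fixed_sleep=0.2):
    """Return (ready after the fixed sleep?, seconds the polling wait needed)."""
    url = start_slow_server(startup_delay)
    time.sleep(fixed_sleep)  # fixed wait, shorter than the startup time
    ready = wait_until_serving(url, deadline=0.05, interval=0.01) is not None
    return ready, wait_until_serving(url, deadline=10.0)
```

Pointed at one of the real hostnames right after a manual Apache restart, `wait_until_serving` returns how long the server actually needs before it answers, which can be compared with the 3 seconds mentioned above.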
