Random timeout failures


#1

Hello. I looked at some of the reported errors to see if this is the same, I see some related but not relevant (at least to a semi-technical person like me).

I have 21 subdomains for 6 domains, and am using standalone mode. OpenSuse LEAP 42.3, I’ve had this for many years (upgrading in place), just using it for some “home web servers and email server” for my family and a few friends, very low traffic volume.

After all, we all do want https everywhere, right?

I’m on DSL at the fringe (so, 6MB down and 800KB up). Yeah, I know, rather poor compared to some people… :slight_smile:

Anyhow, when I put all 21 on the list of domains to certify for (the same list I always use), I will get “timeout” errors, but only for a random few. The ones that timeout will vary from attempt to attempt, sometimes just 2 or 3, sometimes 5 to 8 of them, never the same list.

In the past, I just try a few times and it eventually works. Today, after 5 attempts (or whatever the limit it), again with a random set of (sub)domains that failed, I hit a limit!!! Never saw that before.

I had once long ago tried the Apache Web Server plug, maybe a year or more ago, never got it to work (did I mention I was not an expert??). I also tried the webroot files version, maybe that worked last time, I can’t remember. I seem to remember I had issues at one time, and just used the standalone since, which used to work after a few attempts.

So…

Is there a way I can perhaps “slow down the certificate issuance server” so that it does one at a time (serially), and waits a little longer? I suspect it is firing all domains in parallel at the same time, and falling flat with some because of my DSL bandwidth… Or my router (did I mention low budget?).

Or something else?

I could post logs here, if needed, just let me know the commands.

Permanent solution == $25 donation to let’s encrypt!

Thanks in advance.


#2

Hi @NorthernComfort,

If you are experiencing timeouts maybe you should split your domains in different certificates or for a “permanent” solution, if your DNS provider uses some kind of API you could issue your certificates using dns challenge then Let’s Encrypt won’t try to reach your server to validate the domains, only some TXT records on your DNS server.

Cheers,
sahsanu


#3

Thanks for the suggestions. I’ll try that after work. I could ask for one certificate for all www.* domains (for apache), and one certificate for all smtp.* and mail.* (for mail). Might have to change a few email clients at the same time.


#4

I had to reduce the number of domains to less than 10. Then it worked. Thanks! I hope some day that more could be allowed…


#5

Hi @NorthernComfort,

I’m glad you got it wotking.

LE allows till 100 domains per certificate, here the problem is not LE but your network or server giving timeouts, maybe because of concurrent requests… who knows. Did you take a look to the DNS challenge approach?.

Cheers,
sahsanu


#6

Or maybe the line is very congested - which would not be that hard to do; given the size.
Do you have any line utilization stats?
Errors/Retransmissions?


#7

If I have to add more domains, I will look at the DNS challenge approach. Currently, by DNS provider for some of the domains provides very limited record types. For the rest, I can add needed records.


#8

Unless the 21 subdomains are all from similar domains, that could be as high as 27 verifications.
And if you are serving your own DNS from that same line (no way to tell from the info given), you might end up with the same congestion problem.

So, where is he DNS hosted?
And how many verifications would you need to include all the wildcards and root domains?
(which could be as low as 12 but that is still above your current pass level of 10)


#9

The router log does not show any packet drops nor is the bandwidth maximised. I really don’t run much on here… :slight_smile: Nothing in error logs in /var/log/apache2


#10

I was using things like example.com, www.example.com, imap.example.com, smtp.example.com (but not example.com in reality, my actual domains). For some of the 6 domains, I didn’t really need imap and smtp nor the root, just www., so I removed all those and a couple of others until 10 and it now works.


#11

You could always break them into separate requests (per domain).
That would be 6 certs with less than 10 names on each.


#12

I’ve been using reg.ca for many years as my DNS provider for several domains, and they seem to allow TXT and SPF records now. I don’t recall seeing that before, so I can add what I need, I think, if/when I get more domains and if this is the record type I need. I’d have to research what I need to add to DNS server for the challenge approach.


#13

I can do that for web, but not for my mail server. Anyhow, it works for now…


#14

Thanks everyone for the replies. Awesome of you all! I think I’ll donate that $25 anyhow, why not. It’s worked well enough for me, even though my needs are very simple. Cheers.


#15

Glad to help :slight_smile:
Cheers


#16

Donation completed. Thanks everyone.


#17

Is it not required, so thanks for helping.

There will always be someone here, should you ever need :slight_smile:


#18

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.