Renew request getting timed out


#1

Hi,

I’m having some issues with my cert renewal; I’m always getting timed out during my attempts. I’ve already tried some curl to https://acme-v01.api.letsencrypt.org and telnet on port 443, and they are both working pretty well.

Thanks for your answers

My domain is: commande-materiel.alpagroupe.fr

I ran this command: /opt/certbot/certbot-auto certonly --webroot -w /path/where/website/is -d commande-materiel.alpagroupe.fr

It produced this output:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert is due for renewal, auto-renewing...
    Renewing an existing certificate
    An unexpected error occurred:
    ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
    Please see the logfiles in /var/log/letsencrypt for more details.

My web server is (include version): Apache 2.2.22

The operating system my web server runs on is (include version): Debian 7.10

My hosting provider, if applicable, is: Local server, no hosting provider

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Here is a link to my logs file:

https://pastebin.com/QrPnsUSY


#3

If you put the following in /etc/hosts, does it start working for you?

23.193.200.139    acme-v01.api.letsencrypt.org

(Note this is not a reliable workaround, it is merely to confirm the presence of CDN issues).


#4

How well? If you use curl -v, does it try IPv6? Does it fail and fall back to IPv4?


#5

It seems that it worked well, thank you!

So the problem was about resolving the IP address? Because when I was trying to ping the address, the domain name was resolved to 23.40.253.15, so I’ve done the hosts file thing and it didn’t work :confused:

@mnordhoff Here is my curl -v log:

    root@AlpagroupeFR:/opt/certbot# curl -v https://acme-v01.api.letsencrypt.org
    * About to connect() to acme-v01.api.letsencrypt.org port 443 (#0)
    *   Trying 23.40.253.15...
    * connected
    * Connected to acme-v01.api.letsencrypt.org (23.40.253.15) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: none
      CApath: /etc/ssl/certs
    * SSLv3, TLS handshake, Client hello (1):
    * SSLv3, TLS handshake, Server hello (2):
    * SSLv3, TLS handshake, CERT (11):
    * SSLv3, TLS handshake, Server key exchange (12):
    * SSLv3, TLS handshake, Server finished (14):
    * SSLv3, TLS handshake, Client key exchange (16):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSLv3, TLS change cipher, Client hello (1):
    * SSLv3, TLS handshake, Finished (20):
    * SSL connection using ECDHE-RSA-AES256-GCM-SHA384
    * Server certificate:
    *        subject: CN=acme-v02.api.letsencrypt.org
    *        start date: 2018-05-25 00:25:19 GMT
    *        expire date: 2018-08-23 00:25:19 GMT
    *        subjectAltName: acme-v01.api.letsencrypt.org matched
    *        issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
    *        SSL certificate verify ok.
    > GET / HTTP/1.1
    > User-Agent: curl/7.26.0
    > Host: acme-v01.api.letsencrypt.org
    > Accept: */*
    >
    * additional stuff not fine transfer.c:1037: 0 0
    * HTTP 1.1 or later with persistent connection, pipelining supported
    < HTTP/1.1 200 OK
    < Server: nginx
    < Content-Type: text/html
    < Content-Length: 2174
    < Last-Modified: Fri, 02 Feb 2018 23:46:37 GMT
    < ETag: "5a74f85d-87e"
    < X-Frame-Options: DENY
    < Strict-Transport-Security: max-age=604800
    < Accept-Ranges: bytes
    < Expires: Tue, 10 Jul 2018 08:02:29 GMT
    < Cache-Control: max-age=0, no-cache, no-store
    < Pragma: no-cache
    < Date: Tue, 10 Jul 2018 08:02:29 GMT
    < Connection: keep-alive
    <

#6

I think this is the same issue that’s seen previously on this forum where some Akamai edges are dropping request bodies over a certain size on the floor. Never got to the bottom of it though :frowning: .

Unfortunately you can’t use that workaround in the long term because eventually the IP address will be invalid.


#7

It seems kinda weird, so how can I find a permanent workaround? Because it took me a day trying to find a solution before coming to this forum, and I don’t think that asking you for a solution every three months is a suitable option.


#8

Yes, it sucks. However I’m pretty sure only Let’s Encrypt can fix the issue in a reliable way and the cause is still an unsolved mystery.

You can help by performing the following task and then devnullsmyhappyplace can take a look at it:


#9

Of course, if it can help here are the outputs:

  • Mtr cmd

    root@AlpagroupeFR:~# mtr --no-dns -c100 --report acme-v01.api.letsencrypt.org
    HOST: AlpagroupeFR                Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- 192.168.10.254            15.0%   100    0.7   0.5   0.4   0.9   0.1
      2.|-- 192.168.133.254            0.0%   100    1.7   1.5   1.2   2.1   0.1
      3.|-- 91.244.238.248            83.0%   100    1.9   1.7   1.5   2.1   0.2
      4.|-- 46.231.217.43              0.0%   100    2.5   3.0   2.1  22.1   2.8
      5.|-- 46.231.221.32              0.0%   100    4.1   4.5   3.8  19.5   2.2
      6.|-- 31.172.160.16              0.0%   100    5.7   6.7   5.3  45.6   5.1
      7.|-- 46.231.220.49              0.0%   100    5.5   5.8   5.0  53.0   4.8
      8.|-- 82.196.29.114              1.0%   100   11.4  11.8  11.0  67.1   5.6
      9.|-- 185.84.18.1                0.0%   100   12.0  11.7  11.3  15.8   0.5
     10.|-- 129.250.6.13               0.0%   100   17.7  18.8  17.4  34.3   2.8
     11.|-- 129.250.4.129              0.0%   100   18.1  17.7  17.4  19.4   0.3
     12.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
     13.|-- 134.222.48.201             0.0%   100   24.1  24.5  23.6  30.9   1.0
     14.|-- 134.222.92.25              0.0%   100   24.1  24.0  23.7  28.9   0.5
     15.|-- 23.40.253.15               0.0%   100   23.9  24.0  23.6  25.0   0.2

  • First curl
    https://pastebin.com/Re8VyV5m

  • Second curl
    https://pastebin.com/KsijeMyk

Hope that this will help

Have a great day!
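The mtr report above is the kind of evidence post #8 asks for, and reading it correctly matters: loss shown at an intermediate hop (hop 3 at 83%, the unanswered "???" hop 12) while the destination answers with 0% loss is ICMP rate limiting or a silent router, not a forwarding problem, which is consistent with the thread's theory that the path is fine and something at the edge is mishandling the ACME request itself. This parser and classifier is an added example, not code from the forum or from Let's Encrypt; the embedded report is a constructed, abbreviated copy of the one posted above.

```python
"""Parse `mtr --report` output and separate real loss from ICMP noise."""
import re

# Constructed sample, abbreviated from the report posted in this thread.
SAMPLE_REPORT = """\
HOST: AlpagroupeFR                Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.168.10.254            15.0%   100    0.7   0.5   0.4   0.9   0.1
  2.|-- 192.168.133.254            0.0%   100    1.7   1.5   1.2   2.1   0.1
  3.|-- 91.244.238.248            83.0%   100    1.9   1.7   1.5   2.1   0.2
 12.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
 15.|-- 23.40.253.15               0.0%   100   23.9  24.0  23.6  25.0   0.2
"""

# One hop line: index, host (or ???), loss (mtr omits the % on ??? hops),
# packets sent, then Last/Avg/Best/Wrst/StDev in milliseconds.
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)\s+([\d.]+)\s+([\d.]+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)


def parse_mtr_report(text):
    """Return one dict per hop line; header and unknown lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hops.append({
            "hop": int(m.group(1)),
            "host": m.group(2),
            "loss": float(m.group(3)),
            "sent": int(m.group(4)),
            "avg_ms": float(m.group(6)),
            "worst_ms": float(m.group(8)),
        })
    return hops


def assess_path(hops, loss_threshold=1.0):
    """Loss on the final hop is real path loss.  Loss only on earlier hops,
    while the destination still answers, is rate limiting or a silent hop."""
    if not hops:
        return "no-hops"
    if hops[-1]["loss"] > loss_threshold:
        return "loss-at-destination"
    noisy = [h["hop"] for h in hops[:-1] if h["loss"] > loss_threshold]
    return "clean" if not noisy else "intermediate-only: hops %s" % noisy
```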


#10

Thanks! I think you need to get rid of the https:// in your first command to make it succeed (not your fault).

@devnullsmyhappyplace

