Time out issues with challenge verification


#1

I am trying to renew a few certs for multiple domains and I keep getting a timeout error on different domains each time I run the challenge verification. For example https://acme-v01.api.letsencrypt.org/acme/challenge/T9okHMNLM_KP9v9AD7-kKqFwKox0ynmapFnUmD0QDqI/10262127939
I have run this command several times before and never ran into this problem. Any ideas?


#2

I should add that it will verify the challenge on domain A, then fail on a different domain, and if I run it again it will sometimes fail on domain A and verify the other domain. No pattern to which domain it fails on.


#3

Seems to have periods where it randomly succeeds, but I can’t reproduce the issue from anywhere other than Let’s Encrypt.

What kind of hosting environment is it running in?

This smells a little bit like a stateful firewall which is doing something like rate limiting connections.


#4

That was my first thought, but we haven’t updated the firmware of the firewall or created any new rules on it. I also added the Let’s Encrypt IP to the whitelist. We are running a Barracuda firewall that handles the SAN certs.


#5

Let’s Encrypt uses more than a single IP address to perform validation.

If it is possible to circumvent the firewall’s filtering temporarily to confirm whether the firewall is implicated or not, that would be really helpful.


#6

Problem is the firewall is what handles the creation of the challenge pages, and the certs are stored on it. I can see the IP it is coming from, and every time I have run the script today it’s been the same one.


#7

Very odd, I just ran it again and it looks like it is going to make it. Maybe a routing issue somewhere from Let’s Encrypt to our server.


#8

Hi @jclark84

This looks terrible. Screenshot from https://www.uptrends.com/tools/uptime

Checked one of my own pages: All is green.


#9

:slight_smile: We block international traffic.


#10

That’s not a good idea if you want to use Let’s Encrypt.


#11

Let’s Encrypt has priority over our GeoIP rule.


#12

Technically we block Let’s Encrypt as well, but we show a custom error page to produce the verification. Anyway, it worked this last time after trying to run it for hours, so I’ll blame some odd routing issue.


#13

Note that the IP addresses that Let’s Encrypt uses may change over time, on a scale of seconds to months. We’ve said in various FAQs and forum threads that we don’t document the IP addresses and don’t intend to support specially whitelisting them.

So if a specific validation IP address is whitelisted by your firewall, you might be seeing intermittent failures for that reason because the validation might sometimes occur from that address and sometimes from a different one.


#14

To add to that, whitelisting may eventually create a large list of “false positive” IPs, as there is no guarantee that once LE has used an IP, that IP will always be used by LE, nor that the IP is used only by LE (exclusively).
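The two posts above describe why allowlisting individual validator addresses gives intermittent results. The following added example (not code from this thread, from Let’s Encrypt, or from any firewall vendor) models the two firewall policies side by side: the thread’s approach of geo-blocking with a per-IP exception, and the alternative of geo-blocking while exempting only well-formed requests for the HTTP-01 challenge path. The validator addresses, country codes and token are constructed placeholders; Let’s Encrypt does not publish its validation IPs.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed placeholder addresses (TEST-NET ranges), not real validator IPs.
VALIDATOR_A = "192.0.2.10"
VALIDATOR_B = "198.51.100.20"
HOME_COUNTRY = "HOME"  # constructed label for the server's own country

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# HTTP-01 tokens are base64url; anything else after the prefix is not a challenge.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{1,128}")


@dataclass(frozen=True)
class Request:
    src_ip: str
    src_country: str   # what a GeoIP lookup would report (constructed)
    path: str


def is_challenge_path(path: str) -> bool:
    """True only for the fixed challenge prefix followed by a single
    base64url token and nothing else (no traversal, no sub-paths)."""
    if not path.startswith(CHALLENGE_PREFIX):
        return False
    token = path[len(CHALLENGE_PREFIX):]
    return TOKEN_RE.fullmatch(token) is not None


def allow_ip_allowlist(req: Request, allowlist) -> bool:
    """Policy A (the thread's approach): drop foreign traffic unless the
    source IP is on a hand-maintained list of validator addresses."""
    if req.src_country == HOME_COUNTRY:
        return True
    return ip_address(req.src_ip) in {ip_address(a) for a in allowlist}


def allow_path_exemption(req: Request) -> bool:
    """Policy B: drop foreign traffic, except well-formed requests for the
    challenge path. Needs no knowledge of validator IPs and opens nothing else."""
    if req.src_country == HOME_COUNTRY:
        return True
    return is_challenge_path(req.path)


def simulate(policy, requests):
    """Apply a policy to each request and return the allow decisions in order."""
    return [policy(r) for r in requests]


# Constructed traffic: validation attempts from two different validator
# addresses, plus a foreign request for an unrelated path.
TOKEN = "constructedTokenValue_not-a-real-one"
TRAFFIC = [
    Request(VALIDATOR_A, "XX", CHALLENGE_PREFIX + TOKEN),
    Request(VALIDATOR_B, "XX", CHALLENGE_PREFIX + TOKEN),
    Request(VALIDATOR_B, "XX", "/admin/login"),
]


def outcome_allowlist():
    # Only VALIDATOR_A was allowlisted, so the attempt from B is dropped and
    # the ACME client sees a timeout: the intermittent failure from the thread.
    return simulate(lambda r: allow_ip_allowlist(r, [VALIDATOR_A]), TRAFFIC)


def outcome_path_exemption():
    # Both validation attempts pass; the unrelated foreign request is still blocked.
    return simulate(allow_path_exemption, TRAFFIC)


if __name__ == "__main__":
    print("allowlist      :", outcome_allowlist())
    print("path exemption :", outcome_path_exemption())
```

The path check is deliberately strict: the exemption applies only to the exact challenge directory with a token-shaped final segment, so a geo-block bypass cannot be obtained by appending the prefix to some other URL or by using traversal sequences in the token position.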


#15

I understand, I normally don’t have to whitelist Let’s Encrypt, but I did yesterday due to the timeout issue. I have run this script 20+ times and never had an issue until yesterday.


#16

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.