TTL 1 minute at TransIp domain hoster


#1

Hi,

A colleague and I tried to renew a wildcard SSL certificate for a domain, but somehow this failed, and after some failed retries we can’t renew anymore.

We are using sslforfree.com for this.

From what I understood from the limits page, I have to wait a day before retrying (is this right?).

Our domain hoster is TransIp.nl, where the shortest TTL we can set is 1 minute.
After clicking the manually verify button on the page, we replaced the old TXT records, which were there since the first time we requested the certificate (which was successful back then), and waited a minute (due to the TTL of 1 minute).

After the minute we pressed the request certificate button, which after a while gave us a page that said requesting failed. Unfortunately I did not copy the error we got (I know, not very smart :sweat_smile:).

Did I do the renewal right, or should I have done something else?

Kind regards,

Walter


#2

It seems that you are doing the renewals correctly. However, you probably need to wait for a few more minutes before clicking the verify button.

That’s not right.
I’m assuming you are hitting a rate limit due to too many failed requests recently, which would allow you to try again after 1 hour.

There is a Failed Validation limit of 5 failures per account, per hostname, per hour.

So in conclusion, wait for about 10 minutes after you set up the records and try again.

Thank you


#3

Hi @waeb

What’s your domain name? Sometimes users create wrong entries, so this is the reason.

Let’s Encrypt uses authoritative nameservers, so there is no caching problem.


#4

Hi @JuergenAuer
The domain we are using is *.jccsoftwarebv.nl and jccsoftwarebv.nl.


#5

Hey @stevenzhu

If I understand correctly, then after I click the manually verify button on sslforfree to get the ACME DNS codes, I put them within the DNS settings on TransIp, wait a few minutes, and after that we should click the download certificates button?

Kind regards,

Walter


#6

Yes.
That’s the expectation.

However, you should check that the TEXT records are fully propagated by directly querying your authoritative DNS servers (all of them, multiple times) before clicking on the download certificate button.

Thank you
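
The check described in the post above, as an added example that is not part of the original thread: it asks every authoritative nameserver several times for the `_acme-challenge` TXT values and reports any server that did not return all expected values. It assumes `dig` is installed for live use; the `example.com` and `example.net` names and the token values are constructed.

```python
import subprocess
import sys

def dig(*args):
    """Run `dig +short` with the given arguments; return non-empty lines."""
    out = subprocess.run(["dig", "+short", *args], capture_output=True, text=True).stdout
    return [ln.strip() for ln in out.splitlines() if ln.strip()]

def txt_values(name, server, query):
    """TXT strings one server returns for name, with dig's quotes stripped."""
    lines = query("+norecurse", "TXT", name, "@" + server)
    return {ln.replace('" "', "").strip('"') for ln in lines}

def check_propagation(zone, expected, rounds=3, query=dig):
    """Map each nameserver to the expected values it did not return every round."""
    servers = [ns.rstrip(".") for ns in query("NS", zone)]
    if not servers:
        raise RuntimeError(f"no NS records found for {zone}")
    # A wildcard and its base name are both validated at this one name.
    name = "_acme-challenge." + zone
    missing = {}
    for server in servers:
        for _ in range(rounds):
            gap = set(expected) - txt_values(name, server, query)
            if gap:
                missing.setdefault(server, set()).update(gap)
    return missing  # empty dict: every server returned every value each time

# Constructed sample answers (not real records): ns1 still serves an old value.
SAMPLE = {
    "ns0.example.net": ['"new-token-apex"', '"new-token-wildcard"'],
    "ns1.example.net": ['"old-token"'],
}
WANT = ["new-token-apex", "new-token-wildcard"]

def sample_query(*args):
    """Offline stand-in for dig that answers from SAMPLE."""
    if args[0] == "NS":
        return [ns + "." for ns in SAMPLE]
    return SAMPLE[args[-1].lstrip("@")]

if __name__ == "__main__":
    if len(sys.argv) > 2:  # live: script.py ZONE VALUE [VALUE ...]
        result = check_propagation(sys.argv[1], sys.argv[2:])
    else:  # offline demo on the constructed sample
        result = check_propagation("example.com", WANT, query=sample_query)
    for server, gap in sorted(result.items()):
        print(f"{server}: missing {', '.join(sorted(gap))}")
    sys.exit(1 if result else 0)
```

An exit status of 0 means no server was missing a value in any round.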


#7

Your definitions are good:


TXT - Entries

| Domainname | TXT Entry | Status | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|
| jccsoftwarebv.nl | | ok | 1 | 0 |
| www.jccsoftwarebv.nl | | | 1 | 0 |
| _acme-challenge.jccsoftwarebv.nl | 5EbCqD1mpuJsIYvFdWSzl8N3RCcE5NYo91fYc4413-k | looks good | 1 | 0 |
| _acme-challenge.jccsoftwarebv.nl | LOYU5lAe5EDuM9ITdATBw2iTbWEbubVXEv0eqrrhfqs | looks good | 1 | 0 |
| _acme-challenge.www.jccsoftwarebv.nl | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.jccsoftwarebv.nl.jccsoftwarebv.nl | | Name Error - The domain name does not exist | 1 | 0 |
| _acme-challenge.www.jccsoftwarebv.nl.www.jccsoftwarebv.nl | | Name Error - The domain name does not exist | 1 | 0 |

None of the typical errors.

So this isn’t the problem.


#8

@JuergenAuer and @stevenzhu thank you both for your replies.
Once I get back at work (tomorrow) I will be able to retry.

@JuergenAuer thank you for checking the records. I’m glad that we did not mess that up :slight_smile:

@stevenzhu if I remember correctly, sslforfree has a verify link below the ACME values.
Once the verifications are correct, I will use the download button to generate the certificate.

If something comes up, I will post it in this topic :slight_smile:

Thnx again!

Kind regards,

Walter


#9

After updating the DNS with the new records and waiting a few minutes, the renewal succeeded.

Thanks all for the help!