Validation for domain ota1.kwapiszewski.com fails with "timeout" error

sakrpa · January 9, 2018, 5:24pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ota1.kwapiszewski.com

I ran this command:

curl -s -D - “http://ota1.kwapiszewski.com/.well-known/acme-challenge/tBUR5cQ850p06SLk780XgSuH__Pd6uwCXUAj4-WCGUo” -o /dev/null

It produced this output:
HTTP/1.1 302 Moved Temporarily
Server: AkamaiGHost
Content-Length: 0
Location: http://dcv.akamai.com/.well-known/acme-challenge/tBUR5cQ850p06SLk780XgSuH__Pd6uwCXUAj4-WCGUo
Date: Tue, 09 Jan 2018 17:22:55 GMT
Connection: keep-alive
My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

mnordhoff · January 9, 2018, 6:01pm

ota1.kwapiszewski.com.                       (unsigned)  599  CNAME  ota1.kwapiszewski.com.edgekey.net.
ota1.kwapiszewski.com.edgekey.net.           (unsigned)  600  CNAME  ota1.kwapiszewski.com.eip.akadns.net.
ota1.kwapiszewski.com.eip.akadns.net.        (unsigned)  300  CNAME  eip-tata.ota1.kwapiszewski.com.akahost.net.
eip-tata.ota1.kwapiszewski.com.akahost.net.  (unsigned)  30   A      184.31.3.178
eip-tata.ota1.kwapiszewski.com.akahost.net.  (unsigned)  30   AAAA   2600:1480:2000:b0::

Oddly enough, i have trouble connecting to that over IPv6 too. Even though me and my nearest Akamai PoP are probably far away from the Let’s Encrypt validation systems.

(IPv4 works.)

You might need to contact Akamai?

I also get a “503”, “Service Unavailable - DNS” from http://dcv.akamai.com/ (which is IPv4-only anyway) but that might be normal. (They probably deleted that validation file immediately after it failed.)

Edit: Akamai’s using anycast for those 2 IPs, and it looks like they’re returning the same 2 IPs regardless of location. Maybe it’s a routing issue specific to that address (range) rather than some sort of issue specific to one region.

system · February 8, 2018, 6:01pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.