…yet I kept getting an error (not matching). I have my DNS set to update every 5 minutes, so there is no way (after an hour) it should still be using the old version. I can’t get the site back up again until this is done, as it’s all on SSL!
Why such a low (silly) limit? I’m now going to have to see if I can somehow grab the certificates from my other server (where it used to be hosted), but I’m not even sure that is an option as I can’t seem to log in to it anymore.
The same code worked fine on another of my domains (on the same server), so I don’t get why this one is having such a problem (and ironically, this is the one I need to get moved over ASAP… the other one is just a test domain I was trying out before the move).
Is there a place we can find out what IP it’s hitting? I did read that it uses the Google Public DNS servers to work out where a domain is, but then I also read it got cached for 24 hours? (even though my TTL is lower)
If one uses a control panel, such as VestaCP, the control panel should "just work". If not, you should contact the developers of the control panel used.
My understanding is that Let's Encrypt uses whatever nameservers are specified as authoritative for your domain. As to finding out what IP it's hitting, if you were using certbot, it would tell you, and also tell you much more specifically what the error was. What logs does your control panel make available?
The control panel isn’t the problem. The DNS caching is. As you can see above, the pages DO load fine - but my guess is that it’s looking at the old (wrong) server.
The Let’s Encrypt validation server doesn’t cache anything, including DNS requests. It always asks the authoritative name server directly.
Further, the error “Error: LetsEncrypt challenge request 429” isn’t very helpful. I’m guessing it’s an error from the control panel software, as this isn’t likely to be an error directly from the Let’s Encrypt validation server.
And another thing: I just clicked on your foo.html and test.txt links above and your site is completely broken. I’m getting ERR_EMPTY_RESPONSE as well as ERR_CONNECTION_RESET errors in Chrome.
The latter is probably because I have IPv4 and IPv6 dual stack, obviously preferring IPv6… And your site doesn’t work through IPv6.
I've updated the issue title to more accurately reflect the problem. Please also take a moment to review the community guidelines.
The failed authorization limit is higher in the staging environment specifically to help with the case where you are troubleshooting. I second @Osiris's recommendation that you switch to the staging environment while you work out the kinks in your process.
Can you share the exact error that you see? Do you have any additional logs?
Right now you've shared the 429 error that was caused by too many failed validations but that won't help identify the problem that caused the failed validations.
I think there might be some wires crossed here. For an HTTP-01 challenge it likely isn't a DNS problem.
[quote="steampunkjnkies, post:3, topic:31863"]
I did read that it uses the Google Public DNS servers to work out where a domain is, but then I also read it got cached for 24 hours? (even though my TTL is lower)
[/quote]
Can you share where you read this? It's not true and I'd like to get it fixed if possible. The Let's Encrypt validation server does not use Google public DNS to work out a domain and does not cache for 24 hours.
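To make concrete what the HTTP-01 validation server is actually checking when it fetches from the domain, here is an added example (written for this edit; it is not code from the thread, from Let's Encrypt or from VestaCP): a stdlib-only Python computation of the ACME key authorization from RFC 8555 section 8.1 and the JWK thumbprint from RFC 7638. The account key and token below are constructed placeholders, not real values.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME and JWK use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638, section 3.2: only the required public members of each key type are
# hashed, with member names in lexicographic order and no whitespace in the JSON.
THUMBPRINT_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint of an account public key (RFC 7638)."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = {name: jwk[name] for name in members}
    serialized = json.dumps(canonical, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(serialized.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555, section 8.1: the body the client must serve is token.thumbprint."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_url(domain: str, token: str) -> str:
    """Where the validation server fetches the key authorization (RFC 8555, section 8.3)."""
    return f"http://{domain}/.well-known/acme-challenge/{token}"


def body_matches(served_body: str, expected: str) -> bool:
    """The server-side comparison: exact match, ignoring whitespace after the body
    (RFC 8555 says the server SHOULD ignore trailing whitespace)."""
    return served_body.rstrip() == expected


# Constructed placeholder account key: the modulus is NOT a real RSA key, it only
# has the right shape for the thumbprint computation. alg and kid are present to
# show they do not enter the thumbprint.
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": b64url(bytes(range(1, 33))),
    "e": "AQAB",
    "alg": "RS256",
    "kid": "acct-placeholder",
}

if __name__ == "__main__":
    token = "placeholder-token-from-the-CA"  # constructed; real tokens are base64url
    print(challenge_url("example.com", token))
    print(key_authorization(token, SAMPLE_ACCOUNT_JWK))
```

The point for the thread: the validator requests the token path over plain HTTP from the authoritative address of the name, follows redirects such as the 301 to HTTPS shown later, and compares the body to token.thumbprint for the account key the client used. A hand-placed foo.html loading in a browser only proves the directory is served; it says nothing about whether the right body was put under the token the control panel was issued, which is why the underlying error text from the client matters more than the 429 that follows repeated failures.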
Thanks @danb35. Unfortunately it only likes working with their built in system. Unfortunately I don’t get an error, and can’t seem to find any log it would use:
[quote]
The failed authorization limit is higher in the staging environment specifically to help with the case where you are troubleshooting. I second @Osiris's recommendation that you switch to the staging environment while you work out the kinks in your process.
[/quote]
Thanks. I'm not so sure how / where I would do that though
[quote]
Can you share where you read this? It's not true and I'd like to get it fixed if possible. The Let's Encrypt validation server does not use Google public DNS to work out a domain and does not cache for 24 hours.
[/quote]
Sorry, it was yesterday I read it (can't remember where now, but if I come across it again, I'll give you a shout :))
It looks like I do have an IPv6 issue though. IPv4 works fine, but not IPv6. Will dig into that (I doubt it's the problem, but it needs fixing anyway):
root@steamdev2:~# curl -Iv4 http://businessofbrands.co.uk
* Rebuilt URL to: http://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 178.79.134.35...
* Connected to businessofbrands.co.uk (178.79.134.35) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
* Server nginx is not blacklisted
< Server: nginx
Server: nginx
< Date: Tue, 11 Apr 2017 14:24:17 GMT
Date: Tue, 11 Apr 2017 14:24:17 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 178
Content-Length: 178
< Connection: keep-alive
Connection: keep-alive
< Keep-Alive: timeout=60
Keep-Alive: timeout=60
< Location: https://businessofbrands.co.uk/
Location: https://businessofbrands.co.uk/
<
* Connection #0 to host businessofbrands.co.uk left intact
root@steamdev2:~# curl -Iv6 http://businessofbrands.co.uk
* Rebuilt URL to: http://businessofbrands.co.uk/
* Hostname was NOT found in DNS cache
* Trying 2a01:7e00::f03c:91ff:febc:659...
* Connected to businessofbrands.co.uk (2a01:7e00::f03c:91ff:febc:659) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.38.0
> Host: businessofbrands.co.uk
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
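The curl -4 / -6 comparison above can be scripted so it covers every address a name resolves to. The following is an added example (written for this edit; it is not from the thread, from curl or from VestaCP): a stdlib-only Python check that connects to each A and AAAA address of a host, sends one HEAD request and classifies the outcome in the terms the two transcripts differ by, since the IPv6 case connects fine and only fails once the request is sent. check_host() is the networked entry point; demo() starts a constructed IPv4-only listener on 127.0.0.1 so the "IPv4 answers, IPv6 does not" pattern can be reproduced locally without touching any real host.

```python
import errno
import socket
import threading


def check_port(addr: str, port: int, host: str, timeout: float = 3.0) -> str:
    """Connect to one literal address, send a HEAD request and classify the result.

    Returns "ok", "empty-response", "unexpected-response", "reset", "refused",
    "timeout" or "unreachable". A bare TCP connect is not enough: the IPv6
    transcript above connects and then gets "Connection reset by peer".
    """
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((addr, port))
            sock.sendall(request)
            data = sock.recv(1024)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except OSError as exc:
        # No route / no IPv6 on this machine: the address family itself is unusable.
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH,
                         errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT):
            return "unreachable"
        raise
    if not data:
        return "empty-response"          # wget's "No data received" above
    return "ok" if data.startswith(b"HTTP/") else "unexpected-response"


def check_host(host: str, port: int = 80, timeout: float = 3.0) -> dict:
    """Resolve every A/AAAA address of host and check each one (curl -4 and -6 in one go)."""
    results = {}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        addr = sockaddr[0]
        if addr not in results:
            results[addr] = check_port(addr, port, host, timeout)
    return results


def ipv6_only_failure(results: dict) -> bool:
    """True when every IPv4 address answers but some IPv6 address does not: the
    pattern in the transcripts above, which any dual-stack client that prefers
    IPv6 (like the browser that saw ERR_CONNECTION_RESET) will run into."""
    v4 = [r for a, r in results.items() if ":" not in a]
    v6 = [r for a, r in results.items() if ":" in a]
    return bool(v4) and all(r == "ok" for r in v4) and any(r != "ok" for r in v6)


def unused_local_port() -> int:
    """Bind and release a port so that connecting to it is refused (demo helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def demo() -> dict:
    """Constructed local stand-in for a server that listens on IPv4 only:
    a one-shot listener on 127.0.0.1 that answers one HEAD request, while
    nothing listens on ::1 at the same port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return {addr: check_port(addr, port, "localhost") for addr in ("127.0.0.1", "::1")}


if __name__ == "__main__":
    local = demo()
    print(local, "ipv6-only failure:", ipv6_only_failure(local))
```

For the real host the call is check_host("businessofbrands.co.uk", 80); a result like {"178.79.134.35": "ok", "2a01:7e00::f03c:91ff:febc:659": "reset"} is exactly the state the transcripts show, and running the same check against port 443 distinguishes "IPv6 is broken on the box" from "only the port 80 listener is missing its AAAA-side configuration".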
I still can't seem to get IPv6 working on port 80. The weird thing is that it works fine on 443!
root@com:~# wget http://businessofbrands.co.uk/.well-known/acme-challenge/foo.html
--2017-04-11 15:36:25-- http://businessofbrands.co.uk/.well-known/acme-challenge/foo.html
Resolving businessofbrands.co.uk (businessofbrands.co.uk)... 2a01:7e00::f03c:91ff:febc:659, 178.79.134.35
Connecting to businessofbrands.co.uk (businessofbrands.co.uk)|2a01:7e00::f03c:91ff:febc:659|:80... connected.
HTTP request sent, awaiting response... No data received.
Retrying.
I'm wondering if this could be part of the problem. The stupid thing is that it was working fine yesterday! The only 2 things I installed since it was all working fine are:
I guess there must be a bug. Bit annoying, as I was hoping to use the fully integrated method of VestaCP to create and manage the certs, but this will have to do