Let's Encrypt always needs second try

  • Let's Encrypt always needs second try

    Is anybody else experiencing this? Whenever I click "Generate all with Let's Encrypt" it generates an error on the first try, the gist of it being "Temporary failure in name resolution".
    Only on the second try the whole process goes through.

    Just want to confirm this is "normal" behaviour....

    Cheers, Michael

  • #2
    Hi Michael

    I hope you're well

    I'll see if I can try this but I might think slow dns server perhaps

    As far as I know, but could be wrong, LE checks that the A record exists and is pointed at the server it is being created on

    Many thanks

    John



    • #3
      Hi Michael

      I have just tried LE on a holding domain we have for client, and worked first time.

      We are on CentOS 6 with latest IW 5.1.51

      Is it still the same for you today, as it could at a pinch be LE systems running slow or a high peak time?

      Many thanks

      John



      • #4
        Hi John,

        I am fine thanks. Looking forward to summer temperatures... :) And you are great, I hope?

        Slow DNS was exactly my thinking, but that would mean my own DNS are slow, right? Not sure why they would be though... If I test my own DNS servers, they answer quickly (around 120 ms)

        This happens all the time, since the beginning of the year, when I started using Let's Encrypt. But I have gotten so used to clicking, waiting for the error message and then clicking again that I didn't think about it much anymore. But now I thought "take the time and get to the bottom of this"... ;-)

        Cheers,

        Michael



        • #5
          Hi Michael

          Many thanks

          Your dns speeds look fine at 120ms, think you score A+ on a dns test at that

          I'll have to try in a centos 7, but will be later as I'm pretty tied up next few days, and I need to transfer a domain to the test server, as LE needs it on same server with correct dns

          I'll let you know how it goes but certainly if it fails first time, then works second time, there's a delay somewhere I think

          Many thanks

          John



          • #6
            I was also thinking, maybe LE is running their own resolver and the first request is a miss, but when the second comes, the resolver has updated his records already...

            Not sure though. But I agree, it must be some timeout, most likely DNS related.



            • #7
              Hi Michael
              Sorry, just tried LE on CentOS 7, and LE are having issues.
              If you read the community link for LE you may find it interesting, but it is others' thoughts.
              I will try over the weekend, and hopefully LE should have resolved their issues. It will also allow DNS to populate on the A record I changed for a domain I will test with.
              I hope that helps and have a lovely weekend
              Many thanks
              John
              Installing SSL Certificate failed!
              ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
              https://community.letsencrypt.org/t/...port-443/34341
              http://letsencrypt.status.io/



              • #8
                Hi Michael

                I have just tried this on the test server, CentOS 7 and latest IW, all updated to yesterday, and it worked lovely

                Do all your IW servers on CentOS 7 do the same?

                Is LE working now as it should - thinking of the issue from yesterday maybe your issue earlier?

                Many thanks and have a lovely weekend

                John



                • #9
                  Hi John,

                  it seems not to be related to CentOS, I have 6.9 and 7.3 running and it happens on both. It also happens for newly added domains as well as for older ones. I just tried it on 4 different servers, and it happened only on one, but with a domain that already had an LE certificate, so it had worked in the past.
                  I get this error (the same as always)

                  Installing SSL Certificate failed!
                  ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f033577e650>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))
                  Usually I simply have to click on "Generate all with Let's Encrypt" again, but this time I got a new error:

                  Installing SSL Certificate failed!
                  <p"
                  Hmm...


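Added example, not part of the thread: `[Errno -3] Temporary failure in name resolution` in post #9 is getaddrinfo's EAI_AGAIN, raised on the server running the client before any connection to Let's Encrypt is made, so the place to measure is that server's own resolver. The sketch below repeats the lookup and classifies the run; `probe`, `verdict` and the verdict labels are names chosen for this example.

```python
import socket
import time

ACME_HOST = "acme-v01.api.letsencrypt.org"  # host named in the thread's error
# Map getaddrinfo error numbers to their names, e.g. -3 -> "EAI_AGAIN" on Linux.
EAI_NAMES = {getattr(socket, n): n for n in dir(socket) if n.startswith("EAI_")}


def probe(host, attempts=5, pause=0.0, resolver=socket.getaddrinfo):
    """Resolve `host` several times through the system resolver.

    Returns one dict per attempt with ok, ms, and either the sorted
    addresses or the getaddrinfo error number and name.
    `resolver` is injectable so the logic can be exercised offline.
    """
    results = []
    for i in range(attempts):
        start = time.monotonic()
        try:
            infos = resolver(host, 443, type=socket.SOCK_STREAM)
            entry = {"ok": True, "addrs": sorted({ai[4][0] for ai in infos})}
        except socket.gaierror as exc:
            errno = exc.args[0]
            entry = {"ok": False, "errno": errno,
                     "error": EAI_NAMES.get(errno, str(errno))}
        entry["ms"] = round((time.monotonic() - start) * 1000, 1)
        results.append(entry)
        if pause and i < attempts - 1:
            time.sleep(pause)
    return results


def verdict(results):
    """Classify a probe run (labels are this example's own)."""
    failed = [r for r in results if not r["ok"]]
    if not failed:
        return "resolver-ok"
    if len(failed) == len(results):
        return "resolver-down"
    if all(r["errno"] == socket.EAI_AGAIN for r in failed):
        # Lookups time out locally and a retry succeeds: the
        # "works on the second try" pattern from the thread.
        return "resolver-intermittent"
    return "mixed-errors"


if __name__ == "__main__":
    run = probe(ACME_HOST, attempts=5, pause=1.0)
    for n, r in enumerate(run, 1):
        print(n, r)
    print(verdict(run))
```

Run on the affected server at intervals, the per-attempt `ms` and error name show whether the failure follows the server's own resolver rather than the certificate request.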

                  • #10
                    btw. your issue might have been related to an internal LE problem: https://www.heise.de/newsticker/meld...t-3719227.html (sorry, found no English reference to it, it basically says that LE was down for a few hours on May 19th.)



                    • #11
                      Hi Michael
                      Many thanks, yes that was the issue on the 19 May.
                      This is a new issue though, as I have tried on live servers and it fails as you post.
                      Looking at it below stands out, so I am thinking a change has been made by LE, most likely due to OCSP, as my extract lower down shows my test domain used, is not authorised.
                      I will open a support ticket and show this thread, so they can have a look and you have credit. It is new though, as my tests on Saturday showed no issue, and there has been no updates of Centos or IW (see pic)
                      Many thanks
                      John

                      2017-05-22 11:13:33.46702 [lxeduu-bdk7-5rbw-CLI] [INFO] : script end : controller.php
                      2017-05-22 11:13:33.46650 [lxeduu-bdk7-5rbw-CLI] [ERR] : Unknown ini access [cluster][node_id] : controller.php
                      2017-05-22 11:13:33.44834 [lxeduu-bdk7-h6my-PHP] [WARN] : contain(s) the right IP address. : controller.php
                      2017-05-22 11:13:33.44827 [lxeduu-bdk7-h6my-PHP] [WARN] : entered correctly and the DNS A record(s) for that domain : controller.php
                      2017-05-22 11:13:33.44821 [lxeduu-bdk7-h6my-PHP] [WARN] : To fix these errors, please make sure that your domain name was : controller.php
                      2017-05-22 11:13:33.44815 [lxeduu-bdk7-h6my-PHP] [WARN] : : controller.php
                      2017-05-22 11:13:33.44809 [lxeduu-bdk7-h6my-PHP] [WARN] : <p" : controller.php
                      2017-05-22 11:13:33.44803 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44797 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44791 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44785 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44779 [lxeduu-bdk7-h6my-PHP] [WARN] : "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44773 [lxeduu-bdk7-h6my-PHP] [WARN] : http://www.mytestdomain.url/.well-kn...OHk4-HePFPOdMk: : controller.php
                      2017-05-22 11:13:33.44767 [lxeduu-bdk7-h6my-PHP] [WARN] : Detail: Invalid response from : controller.php
                      2017-05-22 11:13:33.44761 [lxeduu-bdk7-h6my-PHP] [WARN] : Type: unauthorized : controller.php
                      2017-05-22 11:13:33.44755 [lxeduu-bdk7-h6my-PHP] [WARN] : Domain: www.mytestdomain.url : controller.php
                      2017-05-22 11:13:33.44749 [lxeduu-bdk7-h6my-PHP] [WARN] : : controller.php
                      2017-05-22 11:13:33.44743 [lxeduu-bdk7-h6my-PHP] [WARN] : <p" : controller.php
                      2017-05-22 11:13:33.44737 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44730 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44723 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44717 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44711 [lxeduu-bdk7-h6my-PHP] [WARN] : "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44705 [lxeduu-bdk7-h6my-PHP] [WARN] : http://mytestdomain.url/.well-known/...3l0_-CWRKIIpOc: : controller.php
                      2017-05-22 11:13:33.44699 [lxeduu-bdk7-h6my-PHP] [WARN] : Detail: Invalid response from : controller.php
                      2017-05-22 11:13:33.44693 [lxeduu-bdk7-h6my-PHP] [WARN] : Type: unauthorized : controller.php
                      2017-05-22 11:13:33.44687 [lxeduu-bdk7-h6my-PHP] [WARN] : Domain: mytestdomain.url : controller.php
                      2017-05-22 11:13:33.44681 [lxeduu-bdk7-h6my-PHP] [WARN] : : controller.php
                      2017-05-22 11:13:33.44675 [lxeduu-bdk7-h6my-PHP] [WARN] : - The following errors were reported by the server: : controller.php
                      2017-05-22 11:13:33.44669 [lxeduu-bdk7-h6my-PHP] [WARN] : IMPORTANT NOTES: : controller.php
                      2017-05-22 11:13:33.44663 [lxeduu-bdk7-h6my-PHP] [WARN] : <p" : controller.php
                      2017-05-22 11:13:33.44657 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44651 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44645 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44639 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44632 [lxeduu-bdk7-h6my-PHP] [WARN] : <p", www.mytestdomain.url (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mytestdomain.url/.well-kn...OHk4-HePFPOdMk: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44625 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44619 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44613 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44607 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44601 [lxeduu-bdk7-h6my-PHP] [WARN] : Failed authorization procedure. mytestdomain.url (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mytestdomain.url/.well-known/...3l0_-CWRKIIpOc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44595 [lxeduu-bdk7-h6my-PHP] [WARN] : <p" : controller.php
                      2017-05-22 11:13:33.44589 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44583 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44577 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44571 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44564 [lxeduu-bdk7-h6my-PHP] [WARN] : <p", www.mytestdomain.url (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mytestdomain.url/.well-kn...OHk4-HePFPOdMk: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44557 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44551 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44545 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44539 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php
                      2017-05-22 11:13:33.44532 [lxeduu-bdk7-h6my-PHP] [WARN] : FailedChallenges: Failed authorization procedure. mytestdomain.url (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mytestdomain.url/.well-known/...3l0_-CWRKIIpOc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> : controller.php
                      2017-05-22 11:13:33.44525 [lxeduu-bdk7-h6my-PHP] [WARN] : raise errors.FailedChallenges(all_failed_achalls) : controller.php
                      2017-05-22 11:13:33.44519 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges : controller.php
                      2017-05-22 11:13:33.44513 [lxeduu-bdk7-h6my-PHP] [WARN] : self._poll_challenges(chall_update, best_effort) : controller.php
                      2017-05-22 11:13:33.44506 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond : controller.php
                      2017-05-22 11:13:33.44500 [lxeduu-bdk7-h6my-PHP] [WARN] : self._respond(resp, best_effort) : controller.php
                      2017-05-22 11:13:33.44494 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations : controller.php
                      2017-05-22 11:13:33.44488 [lxeduu-bdk7-h6my-PHP] [WARN] : self.config.allow_subset_of_names) : controller.php
                      2017-05-22 11:13:33.44482 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate : controller.php
                      2017-05-22 11:13:33.44476 [lxeduu-bdk7-h6my-PHP] [WARN] : certr, chain, key, _ = self.obtain_certificate(domains) : controller.php
                      2017-05-22 11:13:33.44470 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate : controller.php
                      2017-05-22 11:13:33.44464 [lxeduu-bdk7-h6my-PHP] [WARN] : lineage = le_client.obtain_and_enroll_certificate(domains, certname) : controller.php
                      2017-05-22 11:13:33.44458 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert : controller.php
                      2017-05-22 11:13:33.44452 [lxeduu-bdk7-h6my-PHP] [WARN] : lineage = _get_and_save_cert(le_client, config, domains, certname, lineage) : controller.php
                      2017-05-22 11:13:33.44446 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 682, in certonly : controller.php
                      2017-05-22 11:13:33.44440 [lxeduu-bdk7-h6my-PHP] [WARN] : return config.func(config, plugins) : controller.php
                      2017-05-22 11:13:33.44434 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/certbot/main.py", line 742, in main : controller.php
                      2017-05-22 11:13:33.44427 [lxeduu-bdk7-h6my-PHP] [WARN] : sys.exit(main()) : controller.php
                      2017-05-22 11:13:33.44421 [lxeduu-bdk7-h6my-PHP] [WARN] : File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module> : controller.php
                      2017-05-22 11:13:33.44415 [lxeduu-bdk7-h6my-PHP] [WARN] : Traceback (most recent call last): : controller.php
                      2017-05-22 11:13:33.44409 [lxeduu-bdk7-h6my-PHP] [WARN] : Exiting abnormally: : controller.php
                      2017-05-22 11:13:33.44402 [lxeduu-bdk7-h6my-PHP] [WARN] : All challenges cleaned up, removing /home/mytestdo/mytestdomain.url/html/.well-known/acme-challenge : controller.php
                      2017-05-22 11:13:33.44396 [lxeduu-bdk7-h6my-PHP] [WARN] : Removing /home/mytestdo/mytestdomain.url/html/.well-known/acme-challenge/plRO4r6i4eel7FP_0hxq84Tu8jCmLOHk4-HePFPOdMk : controller.php
                      2017-05-22 11:13:33.44390 [lxeduu-bdk7-h6my-PHP] [WARN] : Removing /home/mytestdo/mytestdomain.url/html/.well-known/acme-challenge/Z0p78kTJKwVAObpRp3CxwMLBUse9p3l0_-CWRKIIpOc : controller.php
                      2017-05-22 11:13:33.44384 [lxeduu-bdk7-h6my-PHP] [WARN] : Cleaning up challenges : controller.php
                      2017-05-22 11:13:33.44378 [lxeduu-bdk7-h6my-PHP] [WARN] : To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. : controller.php
                      2017-05-22 11:13:33.44372 [lxeduu-bdk7-h6my-PHP] [WARN] : : controller.php
                      2017-05-22 11:13:33.44366 [lxeduu-bdk7-h6my-PHP] [WARN] : <p" : controller.php
                      2017-05-22 11:13:33.44360 [lxeduu-bdk7-h6my-PHP] [WARN] : <h1>Not Found</h1> : controller.php
                      2017-05-22 11:13:33.44354 [lxeduu-bdk7-h6my-PHP] [WARN] : </head><body> : controller.php
                      2017-05-22 11:13:33.44347 [lxeduu-bdk7-h6my-PHP] [WARN] : <title>404 Not Found</title> : controller.php
                      2017-05-22 11:13:33.44341 [lxeduu-bdk7-h6my-PHP] [WARN] : <html><head> : controller.php


                      • #12
                        Hi Michael

                        I'll hang my head in shame sorry :(

                        The domain I tested on Saturday by repointing to test server, which worked lovely Saturday and repointed back, was... a disabled domain on live server, which is why I forgot about it sorry

                        It was IW-Jenna who looked into it and told me. Kudos to IW

                        Is your domain same as mine, disabled in IW?

                        I hope that helps

                        Many thanks

                        John



                        • #13
                          Hi John,
                          hehe, these things happen, no worries...

                          But nope, the domains are active and as written above I sometimes have the issue when adding a new domain, but also when I want to exchange the certificate (e.g. in order to add a subdomain) on a domain, that has been online for months or years. I cannot find any common denominator, only that it doesn't work on the first try quite often.

                          The new issue of today, where I get this error
                          Installing SSL Certificate failed!
                          <p"
                          seems to be unrelated and only happened on one server so far.

                          I'm gonna restart the relevant server tonight and if the problem persists, I might need some help from IW.



                          • #14
                            Hi Michael

                            Ahh yes, haha but just seems to happen to me sorry

                            I thought before replying I had better test, so enabled the domain and LE worked lovely, so disabled the account.

                            IW-Jenna did ask if you were still having the issue, to open a support ticket so IW could have a look to see what's happening.

                            I do believe it is connected with dns though, as your earlier post showed domain resolution failed but guess I need a holiday to recharge my aging batteries

                            Many thanks

                            John



                            • #15
                              Hi Michael

                              Just a thought, as I think it's vps Iw.

                              On the IW server you took the log extract on, i.e. Max retries exceeded. Is there more than 1 IP address it could use?

                              I'm thinking (seen it before), the original outgoing request maybe on 1 ip but subsequently change its outgoing ip to a different ip, there exceeding tries on new connection.

                              It's just a thought

                              Many thanks

                              John
