Hi, the let's encrypt certificate feature is working for all virtual servers apart from one.
It keeps hanging for 5mins+ and then fails. Is there a log somewhere to see why it failed?
The files created under acme-challenge are all accessible, I can see the requests appearing in the access log with code 200. They are also accessible from all aliases/subdomains etc (not redirected), and I have even tested on an IPv6 address too.
There is a LE certificate on the virtual server already but it only covers one domain (2 hosts - example.com and mail.example.com), but I have since added 2 new domains/aliases to the vh, and am trying to re-request the cert so it includes them too.
I suspect the issue is with subdomains - if I request the cert for just the 3 root domains, then the request is successful, however as soon as I introduce even just one subdomain then it hangs and fails. I can see an acme-challenge file is created, and I can see a request for that same file in the access log with code 200, but the file never gets deleted and the request hangs, presumably while it tries to validate the sub domain?
Are there any other steps being performed for subdomains that I can investigate? Or, better still, do you know a solution?! Thanks
Comments
Submitted by andreychek on Mon, 01/21/2019 - 09:46 Comment #1
Howdy -- thanks for contacting us!
We've seen a handful cases where that's happened... in those cases, it's often seemed like the remote Let's Encrypt service has been unable to connect to the server.
It's been unclear why that happens, though often times it's solved by reducing the number of SSL certificates being requested for the domain.
If you look in Server Configuration -> Manage SSL Certificates -> Let's Encrypt, what domain names is it attempting to add to the certificate?
And does it work properly if you have it generate the certificate with fewer domain names in the cert?
Submitted by node77 on Mon, 01/21/2019 - 09:55 Pro Licensee Comment #2
Hi, well, I have tried various numbers of domains, and it worked fine when I just requested it for the 3 root domains (e.g. example1.com, example2.com, example3.com) but as soon as i request it for a subdomain as well (e.g. example1.com, example2.com, example3.com, mail.example1.com) then it fails.
Another virtual server has about 10 domain aliases, each with subdomains, and that cert was issued without problems.
It just seems to be affecting this one virtual server, but like I say, only when I include a subdomain e.g. mail.* in the request).
Submitted by node77 on Mon, 01/21/2019 - 12:52 Pro Licensee Comment #3
Update: I've done some further testing, and it seems that the issue lies with the mail.* subdomains. Even if I only have one mail.* domain in the request for the cert, it is taking several minutes to process it, and issue it.
But the point is, that in the end it was successful.
So why is it taking so long to issue the cert for just one mail.* domain?
Throw 3 mail.* domains into the request and no wonder it's failing with "Gave up waiting for validation".
Any ideas?
Submitted by JamieCameron on Mon, 01/21/2019 - 17:28 Comment #4
Check if you have IPv6 entries in DNS for any of these domains - if you do, and if they can't actually be reached, Let's Encrypt can take a long time to timeout.
Submitted by node77 on Tue, 01/22/2019 - 01:04 Pro Licensee Comment #5
Hi Jamie, as mentioned in original q I've tested on IPv6 connection and all ok. Issue seems to lie with mail.* subdomains only
Submitted by node77 on Mon, 01/28/2019 - 11:01 Pro Licensee Comment #6
Still not sure what the issue was, but I installed certbot and used it to create a test certificate for the domain which went though fine, then created a real certificate, which again worked fine. Then, created another real certificate using the Virtualmin Let's Encrypt feature, and all worked as expected.
To finish up, I deleted the original certificate with certbot to avoid any future issues.
Submitted by node77 on Mon, 01/28/2019 - 11:02 Pro Licensee Comment #7