Open etiennetremel opened 7 years ago
Have you tried using the --dns-timeout
flag to increase the timeout?
I see, so it seems that the binary from the latest release doesn't include that flag, see below:
lego --help
NAME:
lego - Let's Encrypt client written in Go
USAGE:
lego [global options] command [command options] [arguments...]
VERSION:
v0.3.1-0-g96a2477
COMMANDS:
run Register an account, then create and install a certificate
revoke Revoke a certificate
renew Renew a certificate
dnshelp Shows additional help for the --dns global option
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--domains, -d [--domains option --domains option] Add domains to the process
--server, -s "https://acme-v01.api.letsencrypt.org/directory" CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client.
--email, -m Email used for registration and recovery contact.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--key-type, -k "rsa2048" Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384
--path "/home/etremel/workspace/src/bitbucket.org/xivart/.lego" Directory to use for storing the data
--exclude, -x [--exclude option --exclude option] Explicitly disallow solvers by name from being used. Solvers: "http-01", "tls-sni-01".
--webroot Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge
--http Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port
--tls Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port
--dns Solve a DNS challenge using the specified provider. Disables all other challenges. Run 'lego dnshelp' for help on usage.
--help, -h show help
--version, -v print the version
Building the Docker image from the source allow use to use it:
docker run -t -i lego -help
NAME:
lego - Let's Encrypt client written in Go
USAGE:
lego [global options] command [command options] [arguments...]
VERSION:
0.3.1
COMMANDS:
run Register an account, then create and install a certificate
revoke Revoke a certificate
renew Renew a certificate
dnshelp Shows additional help for the --dns global option
help, h Shows a list of commands or help for one command
GLOBAL OPTIONS:
--domains value, -d value Add domains to the process
--csr value, -c value Certificate signing request filename, if an external CSR is to be used
--server value, -s value CA hostname (and optionally :port). The server certificate must be trusted in order to avoid further modifications to the client. (default: "https://acme-v01.api.letsencrypt.org/directory")
--email value, -m value Email used for registration and recovery contact.
--accept-tos, -a By setting this flag to true you indicate that you accept the current Let's Encrypt terms of service.
--key-type value, -k value Key type to use for private keys. Supported: rsa2048, rsa4096, rsa8192, ec256, ec384 (default: "rsa2048")
--path value Directory to use for storing the data (default: "/.lego")
--exclude value, -x value Explicitly disallow solvers by name from being used. Solvers: "http-01", "tls-sni-01".
--webroot value Set the webroot folder to use for HTTP based challenges to write directly in a file in .well-known/acme-challenge
--http value Set the port and interface to use for HTTP based challenges to listen on. Supported: interface:port or :port
--tls value Set the port and interface to use for TLS based challenges to listen on. Supported: interface:port or :port
--dns value Solve a DNS challenge using the specified provider. Disables all other challenges. Run 'lego dnshelp' for help on usage.
--http-timeout value Set the HTTP timeout value to a specific value in seconds. The default is 10 seconds. (default: 0)
--dns-timeout value Set the DNS timeout value to a specific value in seconds. The default is 10 seconds. (default: 0)
--dns-resolvers value Set the resolvers to use for performing recursive DNS queries. Supported: host:port. The default is to use Google's DNS resolvers.
--pem Generate a .pem file by concatanating the .key and .crt files together.
--help, -h show help
--version, -v print the version
I have hit the weekly rate limit, I will try again next week and let you know if that --dns-timeout
helped.
Did it help @etiennetremel ?
@xenolf sorry for this late reply, I still get error message related to the challenge, I used --dns-timeout=60
then get the the same error message [...]did not return the expected TXT record[...]
.
Should I use a higher value, ie 120?
This time, on 40 domains only 1 domain failed. They are all sub-domains so when I try again I get a rateLimited message from acme but looking at the letsencrypt rate limits page, it seems possible to combine them into a single certificate. Unfortunately I didn't find any documentation here, maybe you have some tips?
Are you passing all of your domains into one command or are you running lego 40 times? The former will already create a so called SAN certificate which has all your domains on it. Which of the rate limits are you hitting?
I'm running the following command, multiple domain at the same time:
lego --dns-timeout=60 \
--domains=test-1.domain.com \
--domains=test-2.domain.com \
--domains=test-x.domain.com \
--email=email@address.com \
--dns=cloudflare \
--accept-tos run
The the rate limit I'm facing is Error creating new cert :: Too many certificates already issued for domain.com
Hi, I'm facing this issue (DNS timeout) not existing on the binary version - Google DNS isn't propogating a TXT record fast enough for one server.
Would you be able to build a binary that has this supported?
@etiennetremel were you able to solve the problem?
Unfortunately I can't recall, I guess I just dropped the idea to do it this way.
This is still an issue. I've set lego to query the authorative name server (in my case: ns1.desec.io) but somehow the challenge still fails with
acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.... - check that a DNS record exists for this domain
I'd like lego to retry at least once after some time when this happens.
I'm generating multi-domain certificates, something like 20 domains, I often get error because of the challenge (dial udp: i/o timeout, did not return the expected TXT record, etc.) and need to rerun the full command which can take quite some time.
Would it be a good idea to add a flag which allow the user to re-run failed challenge? or add an exponential/custom retry strategy?