New on LowEndTalk? Please Register and read our Community Rules.
I will say, whenever Let's Encrypt cert renewal fails for some random reason, IIRC, I've always had to rerun it with verbose to have any fucking clue what the actual problem was.
So I'm with OP for problem 1 and the provider for problem 2.
Sorry that we never responded to this thread, I've just been made aware of it care of a customer with AutoSSL issues (resolved, customer did not tick the "Enable AutoSSL" checkbox). I'm sure OP has moved on but in the interest of anyone who may find this thread here is the response from me (X4B).
I found the customer's ticket. Having read through it, I'm pretty happy with the responses made by myself. Considering the responses quoted are the worst the customer could find, and are the kind of responses I would like to be on the receiving end of (provides next steps, provides indication of tests performed, well written), I struggle to fault myself here. Certainly for the limited time we have to allocate towards support I think they are very good (feedback is always welcome).
It's quite old now, but fortunately there are extensive notes of what was done to troubleshoot the customer's issue (mostly because, being the first issue of its kind, we needed to validate against library / system failure). From that I'll cover a few key points.
a) When queried by LE, it responded from an older location (or perhaps geodns etc.) which served its own ACME challenge response (invalid), and hence LE rejected the order; or
b) the customer's domain was on a LE blacklist.
The only item on our roadmap here is to offer advice (think like our error log system) on rate-limit related errors.
If anyone would like to suggest something extra that we can provide, I'm all ears. As far as I am aware this is all we have.
The process to generate a certificate from LE is the following:
1. Upload a challenge file to the edge servers (simplifying here, we don't actually do this)
2. Issue a couple of API requests to LE
3. LE issues an HTTP request to your domain on port 80, retrieving this challenge file
4. We ask LE for the result, or an error if one occurs.
5. We distribute the certificate to all edge servers (if this fails it will be retried)
We use AcmePHP as our LE client, and custom web server integration and deployment systems. If an error occurs, we report it. An error can occur at any step; it's reported by us (and the process stops). To the best of our knowledge it's incredibly reliable. There are currently 52k active certificates being managed by the system.
Aside from some documentation on some of the LE error codes we haven't needed much else; is there something else we should have done here?
All things that our previous standalone system was not (and I believe it to be incredibly reliable as a result).
I will schedule a review of the documentation and if needed add some (small) additional documentation.
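The failure mode described in point a) above (a stale or geo-routed address answering the HTTP-01 request with the wrong challenge body) is something a defender can test for before asking LE to validate. The following is an added example, not code from X4B or from AcmePHP: it resolves every IPv4 address for the name, fetches the well-known challenge path from each address directly (with the right Host header), and compares the body with the expected key authorization. Per RFC 8555 the key authorization is the token joined with a dot to the base64url JWK thumbprint of the account key; the thumbprint is passed in as a string here rather than computed. All domain names, tokens and addresses in the usage section are constructed placeholders.

```python
"""Pre-flight check for an ACME HTTP-01 challenge (added example).

Fetches /.well-known/acme-challenge/<token> from each IPv4 address the domain
resolves to and reports any address that answers with a different body, which
is the "older location serving its own challenge response" situation.
"""
import socket
import http.client
from dataclasses import dataclass, field

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def key_authorization(token: str, account_thumbprint: str) -> str:
    """RFC 8555 section 8.1: keyAuthorization = token || '.' || base64url(JWK thumbprint)."""
    return f"{token}.{account_thumbprint}"


def resolve_ipv4(domain: str) -> list:
    """Every A record for the name; stale or geo answers show up as extra addresses."""
    infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_challenge(ip: str, domain: str, token: str, timeout: float = 5.0) -> tuple:
    """GET the challenge path from one specific address, as the CA would after resolving the name."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": domain})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace").strip()
        return resp.status, body
    finally:
        conn.close()


@dataclass
class Verdict:
    ok: bool
    problems: list = field(default_factory=list)


def evaluate(expected: str, responses: dict) -> Verdict:
    """Compare what each address served with the expected key authorization.

    responses maps ip -> (status, body) for successful fetches, or ip -> error string.
    """
    problems = []
    if not responses:
        problems.append("no IPv4 addresses resolved for the name")
    for ip, result in sorted(responses.items()):
        if isinstance(result, str):
            problems.append(f"{ip}: {result}")
            continue
        status, body = result
        if status != 200:
            problems.append(f"{ip}: HTTP {status} instead of 200")
        elif body != expected:
            problems.append(f"{ip}: wrong key authorization (another host answering for this name?)")
    return Verdict(ok=not problems, problems=problems)


def preflight(domain: str, token: str, account_thumbprint: str) -> Verdict:
    """Resolve, fetch from every address, and evaluate. Network access required."""
    expected = key_authorization(token, account_thumbprint)
    responses = {}
    for ip in resolve_ipv4(domain):
        try:
            responses[ip] = fetch_challenge(ip, domain, token)
        except OSError as exc:
            responses[ip] = f"connection failed: {exc}"
    return evaluate(expected, responses)


if __name__ == "__main__":
    # Placeholder values; replace with the real token and account thumbprint
    # that the ACME client has already published for this domain.
    verdict = preflight("www.example.invalid", "TOKEN_PLACEHOLDER", "THUMBPRINT_PLACEHOLDER")
    print("OK" if verdict.ok else "\n".join(verdict.problems))
```

Run it after the challenge file has been published but before the challenge is triggered with the CA. A mismatch on one address while the others are correct points at DNS (an old record, a geo-routed pool that was not updated) rather than at the ACME client, which is exactly the distinction the ticket above had to establish by hand. Note that LE also follows redirects and validates from several vantage points, so a clean result here narrows the problem down but does not replace the CA's own error detail.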