rancher-letsencrypt: Time limit exceeded with Cloudflare provider

This is the output of rancher-letsencrypt with -debug=1:

7/25/2016 11:04:21 PM[INFO][foo.com, bar.foo.com, biz.foo.com, baz.foo.com, boz.foo.com, qux.foo.com, qix.foo.com] acme: Obtaining bundled SAN certificate
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Could not find solver for: http-01
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:04:22 PM[INFO][foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:27 PM[INFO][foo.com] Checking DNS record propagation...
7/25/2016 11:04:33 PM[INFO][foo.com] The server validated our request
7/25/2016 11:04:37 PM[INFO][bar.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:40 PM[INFO][bar.foo.com] Checking DNS record propagation...
7/25/2016 11:04:47 PM[INFO][bar.foo.com] The server validated our request
7/25/2016 11:04:51 PM[INFO][biz.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:04:51 PM[INFO][biz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:04:54 PM[INFO][biz.foo.com] Checking DNS record propagation...
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Could not find solver for: http-01
7/25/2016 11:06:59 PM[INFO][baz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:07:02 PM[INFO][baz.foo.com] Checking DNS record propagation...
7/25/2016 11:09:07 PM[INFO][boz.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:09:09 PM[INFO][boz.foo.com] Checking DNS record propagation...
7/25/2016 11:11:12 PM[INFO][qux.foo.com] acme: Could not find solver for: tls-sni-01
7/25/2016 11:11:12 PM[INFO][qux.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:11:13 PM[INFO][qux.foo.com] Checking DNS record propagation...
7/25/2016 11:13:15 PM[INFO][qix.foo.com] acme: Trying to solve DNS-01
7/25/2016 11:13:17 PM[INFO][qix.foo.com] Checking DNS record propagation...
7/25/2016 11:14:46 PM[INFO][qix.foo.com] The server validated our request
7/25/2016 11:14:48 PMlevel=error msg="[biz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[baz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[boz.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"
7/25/2016 11:14:48 PMlevel=error msg="[qux.foo.com] Error obtaining certificate: Time limit exceeded. Last error: NS kai.ns.cloudflare.com. did not return the expected TXT record"

Any ideas on what’s going on here?

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 1
  • Comments: 17 (2 by maintainers)

Most upvoted comments

@nunofgs Having the ability to override the timeout for the propagation check makes sense (see my comment in the upstream ACME library). But at the end of the day this would merely be a workaround for the shortcomings on CloudFlare’s side. If CloudFlare is either voluntarily throttling DNS propagation or having technical issues themselves, then shouldn’t you raise this issue with them, @EugenMayer? After all they claim that DNS updates will not take longer than the TTL (here 120 sec). Also, AWS Route 53 is very reasonably priced, so if you are looking for a service more suited for production, it might be worth making the switch to them.
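The propagation check behind the "Time limit exceeded" errors in the log above, written out as an added example (not rancher-letsencrypt's or the upstream ACME library's own code): it polls every authoritative nameserver for the `_acme-challenge` TXT record until all of them serve it or the deadline passes, and on timeout reports the last nameserver's failure in the same shape as the logged error. The lookup function is an assumption, injected so the loop can run offline against a fake resolver instead of real Cloudflare nameservers.

```go
package main

import (
	"fmt"
	"time"
)

// lookupFunc returns the TXT values fqdn resolves to at one authoritative
// nameserver; injected (assumption) so the loop can run offline against a fake.
type lookupFunc func(nameserver, fqdn string) ([]string, error)

// waitForTXT polls every nameserver until all of them serve the expected TXT
// value or timeout elapses; on timeout it reports the last per-NS failure in
// the same shape as the errors in the log above.
func waitForTXT(fqdn, expected string, nameservers []string, lookup lookupFunc,
	timeout, interval time.Duration) error {
	deadline := time.Now().Add(timeout)
	for {
		var lastErr error
		for _, ns := range nameservers {
			values, err := lookup(ns, fqdn)
			if err != nil {
				lastErr = fmt.Errorf("NS %s query failed: %w", ns, err)
			} else if !hasValue(values, expected) {
				lastErr = fmt.Errorf("NS %s did not return the expected TXT record", ns)
			}
		}
		if lastErr == nil {
			return nil // every authoritative NS serves the challenge record
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("Time limit exceeded. Last error: %w", lastErr)
		}
		time.Sleep(interval) // propagation not complete yet, try again
	}
}

// hasValue reports whether the TXT answer set contains the challenge value.
func hasValue(values []string, want string) bool {
	for _, v := range values {
		if v == want {
			return true
		}
	}
	return false
}
```

A longer timeout only helps if the authoritative servers eventually answer; if one of them never serves the record, the loop still ends with the same error naming that server.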

@emilebosch @EugenMayer I think you both suggested adding support for the HTTP based challenge; there is now a ticket for that here https://github.com/janeczku/rancher-letsencrypt/issues/28, and I will look into how this makes the most sense to implement.

@EugenMayer I’m sorry, I understand that you’re frustrated, but feel free to contribute a solution. As I said, I’m not author nor owner of the stack. From the sounds of it. I haven’t upgraded this catalog yet, but I’ve been running our staging production with these SSL certs for some time now and we’re very happy. For production we just buy wildcard certs.

But as said, please contribute if you have a better solution. It also sounds like it just doesn’t keep state between upgrades so that could be a volume issue?