Cloudflare propagation times out continuously #167
Comments
|
Hello there! Thanks for reporting this. I expected that we'd have to tweak these numbers a bit. Do you have an idea as to how much higher we should set it?
Yes, it does. |
|
Closed via #168 |
|
I actually changed the wrong timeout. The 30 seconds I updated wasn't the propagation timeout, but an individual http call timeout. It should either have been the global 60 seconds timeout - see 8aa797f from PR #148 - or by adding a Timeout func to the Cloudflare provider as is done in https://github.com/xenolf/lego/blob/master/providers/dns/namecheap/namecheap.go (line 79 at this moment). What would be your preferred approach? Revert #168 and then add the timeout function in a new PR? |
|
I'm checking with Cloudflare if this is abnormal and something to fix on their end or if there's a higher maximum propagation time they're dedicated to deliver, which can then be put into the lego client. I'll post it here once I know more. |
And I didn't properly look at it. 👎 I reverted the change and pushed the proper fix with a |
Thank you! 😃 |
|
Thanks guys! 😄 👍 |
|
Thanks. I'll test this latest version, but 120 seconds might not be enough. According to Cloudflare it ranges up to 10 minutes at this moment, something they're looking into and trying to get fixed. Not sure if you have to code your way around issues on their side though. A command line configurable timeout might still make sense though, so the user of lego can decide for themselves what they find acceptable. Defaulting to what's currently set for individual providers of course, so people aren't surprised that the slower ones are so slow. |
|
Thanks for this information @JorritSalverda. Let me know how this latest version work out for you. I'm currently thinking of a way to customize the values of |
|
@JorritSalverda They seem to have fixed it: https://www.cloudflarestatus.com/incidents/krp8q7d54d0f |
|
Yes, all is working fine again. Ran lego tons of times successfully today. |
|
@xenolf I had this problem a few days ago too before you fixed it. Which is why I had to force-quit lego because it would have taken ages to finish ( which is described here too: Is there any way I can fix this by e.g. deleting or re-using the pending authorizations? |
|
@lenovouser Authz deletion was only added recently to the ACME spec (ietf-wg-acme/acme#98). I'm not sure if boulder already implements it. What I'm unsure about is how you ended up with that many pending authz. Did you abort the client multiple times? |
|
@xenolf two times, yes. First time because I waited like 30 minutes and thought "maybe something is wrong with the internet connection lego is getting". I quit it, restarted my root and tried a 2nd time. Then I realized it has to be something deeper in lego and found this issue. This was like 4 days ago and I thought maybe the pending authorizations would go away at some point but they don't seem to. I have also asked the same question in the let's encrypt community |
|
Two times? How many domains did you pass? 150? |
|
@lenovouser I'm not sure your problem is related to the one discussed in this issue. This issue caused lego to bail before the DNS record was propagated because of an insufficient timeout value. Your issue sounds like lego hung entirely and was not doing anything at all which should not happen as the timeouts should expire. |
|
@xenolf I am not sure if lego hung entirely or if it just took longer and longer to set the DNS records. At some point it didn't do anything for about 14 minutes which is why I force-quit it. I just counted and it are exactly |
|
@lenovouser The reason I think it's not related to this issue is because lego should have bailed after 60 seconds of not being able to determine the DNS record (120 seconds in latest master) and after 30 seconds in case of a HTTP hang while talking to CF. There should be no way for it to hang for 14 minutes. |
|
@xenolf I am unsure whether I should create a new issue or if this is not fixable at all now? |
|
@lenovouser Well, if it's only about the deletion of authz objects, then you are out of luck at the moment. The client does not save the authz objects it creates to resume aborted operations and boulder does not yet implement the authz link in registrations from 6.1.1 of the spec. |
|
@xenolf okay, I'll hope someone in the LE forum has an idea on how to fix this. Thanks for your help! |
Updated timeout for cloudflare dns challenge record propagation to fix issue as described in go-acme/lego#167
Most of the days it works fine, but today the configured 30 seconds timeout isn't sufficient. I get the following error over and over:
Either bumping it up to a much higher value - it does multiple checks within that timeout, right? - or making it configurable by command line parameter would help to cater for this incidental high propagation times.
The text was updated successfully, but these errors were encountered: