Starting Feb. 19, 2020, Let’s Encrypt began making multiple domain validation
requests from diverse network vantage points. More info here:
Different API require different timeouts to ensure total propagation. CertBot has a listing of the suggested timeouts. My DNS providers tend to take a little longer.
Can we set the timeout in 22.214.171.124 or do we need to request a new enhancement on github?
Hi, I’ve replied to your support email about this. I’ll make sure the propagation delay is configurable for more DNS providers in the next release, as a fallback you can use DNS scripting or switch to a provider such as AWS Route 53 (which currently has configurable delay).
You have clearly determined that propagation time is the problem, so I assume your certificate request is actually failing to validate?
The renwal, in most cases, does validate after several repeated attempts. One took over 5 days before it finally was able to validate. Another one, I had to switch to http because I just could not get it to validate via DNS. If you use TEST, it does validate more often on the first attempt.
In speaking with support at both of my dns providers, they both said the average propagation is 60 seconds but that it can take upto over 90 seconds depending on timing and traffic.
Having the option in with each Authorization Setting you add to a cert would be great as a cert with a number of different FQDN can have many different authorization settings to different dns providers.
Thanks for your willingness to add this as an option in the next release.
v4.1.7 is out now with longer propagation time defaults (120s in most cases) and with the option to customise if it’s not long enough.
I updated one instance to 4.1.7 to test. I thought when you updated, any custom scripts you have in the scripts folder are left alone as long as you have a different name from the 3 provided. When I updated to 4.1.7, it wiped out all my custom scripts. I have not had this issue in the past that I recall. My script is called Server.CertExport.ps1
But I did see the new time out option and then saved the setup so the new 120 becomes part.
Unfortunately yes all contents under C:\Program Files\CertifyTheWeb are removed and replaced on upgrade but settings kept elsewhere are preserved. This has always been the case (unless there was an installer bug that didn’t delete the files). It should also require you to edit the files as administrator to edit the ones under Program Files so usually that requires some extra effort to do.
We now put a warning in the script files themselves (for the past few versions) to say this will happen. Instead you should create a dedicated folder (such as C:\CertifyScripts) and keep them there.