Lets Encrypt failure - email said to contact support team

sean

agdelma Sorry about this, it seems we've hit our increased rate limit already. We'll do what we can to get that resolved ASAP.

elena

Lets Encrypt failed to generate a certificat
I am having this problem too and I im the middel of a migration, it is urgent.
Thanks

klynton

We've updated the preferred method for Let's Encrypt to work and extended the timeout window since we were seeing some early timeouts. Hopefully this will increase the likelihood of getting a certificate the first run.

elena

Just tested again and get the same error: Lets Encrypt failed to generate a certificate for your site: ... Please contact our Support Team so we can investigate.

klynton

Can you send in a support ticket and the site name so we can look into it further?

There are some legitimate ways that Let's Encrypt can fail. Sometimes DNS propagation takes a lot of time to happen completely and in the time between our system sees the old server instead of the new one.

MrMartian

I've got a lot of temporary/testing subdomains [myapp].[myaccount].opalstacked.com --- without my own domain (yet). I need/want to use HTTPS on them (some already contain real userdata, and logins are used etc), but this needlessly creates new Let's Encrypt certificates as there's already one for opalstacked.com.

Indeed I now get messages "Lets Encrypt was disabled for site [mysitename] and switched to the shared certificate because it contains only opalstacked.com domains." However visiting those sub-subdomains gives me SSL_ERROR_BAD_CERT_DOMAIN on each one as it says "only valid for the following names: *.opalstacked.com, opalstacked.com"? Is ..opalstacked.com not included?

Because my "personal" LEs are for specific sub-subdomains so don't work interchangeably, and I expect it will not help to create one subdomain [myaccount].opalstacked.com for an LE cert because for that one the shared certificate would definitely work.

Or am I overlooking something obvious?

sean

MrMartian we just rolled out that change last night and new documentation is coming soon.

tl;dr: providing LE for every possible subdomain of opalstacked.com is unscalable due to LE rate limits so we've decided to use a shared wildcard cert that covers *.opalstacked.com only, multi-level subdomains are not covered.

Will cover this in more detail in our official docs as soon as possible.

sermodi

sean But with the shared certificate we get the message "connection not secure" for our sites. And that is not good in many contexts. Will we get any solution to this problem in the future?

ssf

I've just swapped over my namesevers to opalstack and tried to generate a certificate, it failed. I've emailed support but not sure if anyone will be online over the weekend? Am I better off just switching the nameservers back to webfaction for now?

sean

ssf we're always around 🙂

If you just switched your NS over then LE will probably fail because the NS changes are still propagating. It's usually best to wait at least an hour after you switch your NS.

pjrobertson

I just switched over to Opalstack and set up a Let's Encrypt certificate no problem. Certificate was created in 2-3 minutes after enabling the option in the admin. Awesome work!

sean

sermodi we're still optimizing our LE system help avoid rate-limiting on the opalstacked.com subdomain but we're not there yet.

If we're able to resolve that problem 100% then we'll look at issuing LE certificates for sub-subdomains of your user.opalstacked.com domains, but until then we're not able to do so.

We are able to issue LE certs for your own registered domains, ie domains that you've purchased via a domain registrar and have pointed at your Opalstack server.

sermodi

sean Ok. thanks

sean

Hi all, the LE rate limit issues have been fixed so: Let's Encrypt certs for opalstacked.com subdomains are back!

sermodi

Thanks for the work Sean,
It is possible that sites that have used a share certificate cannot be passed through lets encript since that change?

sean

sermodi if your site is currently using the shared certificate and you want to switch it back to the automatic LE, then you will need to re-enable LE for that site yourself.

« Previous Page