Wait time when creating new DNS+sites

Discussion in 'General' started by TonyG, Oct 24, 2020.

  1. TonyG

    TonyG Active Member

    Add a new subdomain in DNS. It will take some normal time for DNS propagation.
    Without waiting for that, immediately create a website. This isn't a problem, you know the site still will not be reachable until DNS propagates.
    But what happens when we attempt to create an SSL cert? If this is requested immediately, of course it will fail.

    So, is there anything in ISPConfig now or planned that will check to ensure that a host can be reached from outside, before the cert is requested?

    I'm thinking a request can be sent to a server in some other part of the world. If that comes back with a server response, rather than a DNS error, then it's safe to assume that a Let's Encrypt query will be able to reach HTTP:80 to create the cert. There are sites that provide this service via API, and any of us can arrange with partners in other parts of the world to host a simple script that essentially does a reverse query to verify a site.

    The actual processing of a cert request can be queued until the DNS resolves, and then it can be processed.

    I have no idea if it already somehow works like that, or (it looks like this is the case) if cert requests are processed immediately rather than being queued. The benefit of a queuing mechanism is that it allows us to do everything at once, and then just let cron test for DNS resolution, cert requests, etc. Otherwise it seems like we need a manual reminder to come back and request a cert - or create our own script to ping us when DNS has propagated.

  2. Th0m

    Th0m ISPConfig Developer Staff Member

    Yes, there is a check. If you try to enable LE for example, it will check if the host is reachable. If it isn't, ISPConfig won't even try to get a cert for it at Let's Encrypt.
  3. TonyG

    TonyG Active Member

    Thanks Thom, but again that forces us to have to manually come back. In fact, if we just created the site, given that we know DNS hasn't propagated, we shouldn't even bother to enable LE - we know it won't work.

    So as long as there is a check I guess I'll need to look into code: 1) to find where it checks to see if the DNS resolves, and 2) to see how it enqueues the request for a cert. I'm suggesting that if it can't resolve now then it should requeue for a check later using cron. THEN when that is successful, enqueue the cert request and remove the cron to check DNS.

    Or am I misunderstanding? Thanks as always.
  4. Th0m

    Th0m ISPConfig Developer Staff Member

    There is no queue when it fails, as this could result in infinite retries. However, we could implement something like that, where it does one second try an hour later. If that fails, there won't be a second retry. But this has cons: some users won't know that it didn't work immediately and be confused, and probably more.

    Currently, it just logs an error and eventually notifies you through email if you have email alerts enabled.
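One way to build the deferred, cron-driven check the thread discusses, with the bounded retry budget Th0m asks for instead of infinite retries. This is an added example, not ISPConfig's own code; the hostnames, IPs and the `max_attempts` default are constructed, and the resolver is injectable so the logic can be exercised with a stub.

```python
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Outcomes a cron tick can act on for each queued certificate request
READY, PENDING, GIVE_UP = "ready", "pending", "give_up"


def resolve_a(hostname: str) -> Optional[str]:
    """Resolve hostname to an IPv4 address with the system resolver.
    Returns None while the name does not resolve. For a true 'seen from
    outside' check, point this at a resolver outside your own network."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


@dataclass
class CertRequest:
    hostname: str
    expected_ip: str  # public IP of the web server the A record must point to
    attempts: int = 0


def check_request(req: CertRequest, resolver: Callable[[str], Optional[str]],
                  max_attempts: int) -> str:
    """One DNS check for a queued request: READY only when the name resolves
    to the expected IP (a name pointing elsewhere is not ready either),
    PENDING while unresolved, GIVE_UP once the retry budget is spent."""
    req.attempts += 1
    if resolver(req.hostname) == req.expected_ip:
        return READY
    if req.attempts >= max_attempts:
        return GIVE_UP
    return PENDING


def run_cron_tick(queue: List[CertRequest],
                  resolver: Callable[[str], Optional[str]] = resolve_a,
                  max_attempts: int = 24) -> Tuple[List[str], List[str]]:
    """Process the queue once. Returns (hostnames now safe to request a cert
    for, hostnames abandoned for the operator); the rest stay queued."""
    ready, abandoned = [], []
    for req in list(queue):
        outcome = check_request(req, resolver, max_attempts)
        if outcome == READY:
            ready.append(req.hostname)
            queue.remove(req)
        elif outcome == GIVE_UP:
            abandoned.append(req.hostname)
            queue.remove(req)
    return ready, abandoned
```

Only hostnames returned in the first list should have the LE request submitted; an abandoned entry is the signal to email the operator rather than retry forever.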