On Wed, Jan 25, 2017 at 08:32:45AM -0500, Josh Soref wrote:
> Please don't. I just started and haven't had time to explain the
> problems certbot and boulder are experiencing.
>
> But, on the spot:
> The error handling approach doesn't scale well, doesn't lead to
> good errors for end users, and makes it virtually impossible for
> clients (like certbot) to provide localized error messages.
The primary task of those error messages is for users to troubleshoot.

From LE community forum threads, the following seem to be the most
frequent validation errors (in no particular order):

- Rate limiting errors (certs per FQDNset)
- Rate limiting errors (certs per domain).
- Bad DNS names requested
- DNS names classed as high-risk.
- DNS names blocked by GSB.
- NXDOMAIN from DNS.
- Horked DNS server doesn't understand 0x20 hack.
- Horked DNS server barfs on CAA records.
- Various temporary DNS server horkage (rarely DNSSEC).
- Only RFC1918 IP in DNS (for HTTP-01/TLS-SNI-01).
- No IPs at all (no A nor AAAA) in DNS (for HTTP-01/TLS-SNI-01)
- Wrong IP in DNS.
- Connect failure to 80 or 443 port (either firewall or not listening at all).
- Port 443 responding with HTTP (yes, really).
- HTTP-01 responds with 4XX error.
- HTTP-01 responds with spew of HTML with 200 code
- HTTP-01 redirects to unexpected place.
- TLS-SNI-01 sends some default cert.
- TLS-SNI-01 sends fatal alert.
- DNS-01 propagation failure.

Of course, most have a variety of causes.

-Ilari

_______________________________________________
Acme mailing list
https://www.ietf.org/mailman/listinfo/acme
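The thread's point is that a client such as certbot cannot localize or troubleshoot from a server's free-text detail string alone. The following is an added example, not code from this thread, from certbot or from boulder: it maps an ACME problem document (RFC 7807 JSON with an RFC 8555 section 6.7 error type) onto a client-owned category key, so that the message shown to the user comes from the client's own translation catalogue and the server's `detail` is only logged. The error types and the two URN prefixes are real; the rule keywords, the category names, the catalogue text and the sample problem documents are my own assumptions and are constructed to cover several of the failure modes listed in the mail.

```python
import json
from dataclasses import dataclass

# Error-type namespace from RFC 8555 section 6.7, plus the older Boulder v1
# prefix that was still in use when this thread was written.
ACME_PREFIXES = ("urn:ietf:params:acme:error:", "urn:acme:error:")


@dataclass(frozen=True)
class Diagnosis:
    category: str    # stable key the client owns and can translate
    acme_type: str   # bare ACME error type, e.g. "dns" ("" if not an ACME type)
    detail: str      # server's free text: logged as-is, never shown untranslated


# Ordered rules: (acme_type, lower-case keyword required in detail or None, category).
# The ACME types are real; the keywords are ASSUMED phrasing, chosen to split the
# broad types into the failure modes listed in the mail.  First match wins.
RULES = [
    ("rateLimited", "exact set of domains", "rate_limit_per_fqdnset"),
    ("rateLimited", None, "rate_limit_per_domain"),
    ("rejectedIdentifier", "high-risk", "name_high_risk"),
    ("rejectedIdentifier", None, "name_rejected"),
    ("dns", "nxdomain", "dns_nxdomain"),
    ("dns", "no valid ip", "dns_no_address"),
    ("dns", "dnssec", "dns_dnssec"),
    ("dns", None, "dns_lookup_failed"),
    ("caa", None, "caa_forbids_issuance"),
    ("connection", "timeout", "connect_timeout"),
    ("connection", "refused", "connect_refused"),
    ("connection", None, "connect_failed"),
    ("unauthorized", "invalid response", "challenge_wrong_content"),
    ("unauthorized", None, "challenge_unauthorized"),
    ("tls", None, "tls_handshake_failed"),
    ("incorrectResponse", None, "challenge_wrong_content"),
    ("serverInternal", None, "server_internal"),
]
FALLBACK = "unknown"

# Message catalogue keyed by the client's own category, so translators never
# see the server's detail string.  A locale may be incomplete; "en" is the
# fallback, and a category with no text at all falls back to "unknown".
MESSAGES = {
    "en": {
        "rate_limit_per_fqdnset": "Too many certificates were issued recently for exactly this set of names; wait before retrying.",
        "rate_limit_per_domain": "The registered domain has hit the certificate rate limit; wait before retrying.",
        "dns_nxdomain": "The name does not exist in DNS (NXDOMAIN); check the zone.",
        "dns_no_address": "The name has no A or AAAA record; HTTP-01 and TLS-SNI-01 need one.",
        "challenge_wrong_content": "The CA reached your host but got the wrong challenge response; check redirects and 4xx/HTML answers.",
        "unknown": "Validation failed for an unrecognised reason; see the logged detail.",
    },
    "de": {
        "dns_nxdomain": "Der Name existiert im DNS nicht (NXDOMAIN); Zone prüfen.",
    },
}


def classify(problem_json: str) -> Diagnosis:
    """Turn an ACME problem document (RFC 7807 JSON) into a Diagnosis."""
    problem = json.loads(problem_json)
    full_type = str(problem.get("type", ""))
    detail = str(problem.get("detail", ""))
    acme_type = ""
    for prefix in ACME_PREFIXES:
        if full_type.startswith(prefix):
            acme_type = full_type[len(prefix):]
            break
    haystack = detail.lower()
    for rule_type, keyword, category in RULES:
        if rule_type == acme_type and (keyword is None or keyword in haystack):
            return Diagnosis(category, acme_type, detail)
    return Diagnosis(FALLBACK, acme_type, detail)


def localize(diag: Diagnosis, locale: str) -> str:
    """Pick the user-facing text for a Diagnosis; never echo the server detail."""
    for table in (MESSAGES.get(locale, {}), MESSAGES["en"]):
        if diag.category in table:
            return table[diag.category]
    return f"{MESSAGES['en']['unknown']} [{diag.category}]"


# Constructed sample problem documents (not captured from any real server).
SAMPLES = [
    '{"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for www.example.test"}',
    '{"type":"urn:acme:error:rateLimited","detail":"Error creating new cert :: too many certificates already issued for exact set of domains: example.test"}',
    '{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http://example.test/.well-known/acme-challenge/tok: <html>"}',
    '{"type":"about:blank","detail":"something unexpected"}',
]

if __name__ == "__main__":
    for doc in SAMPLES:
        diag = classify(doc)
        print(f"{diag.category:24s} | {localize(diag, 'de')}")
```

The design choice worth noting is that the keyword rules are the fragile part: they encode the server's current wording, which is exactly what the thread complains about. Everything downstream of `Diagnosis.category` is stable and translatable, so when the server's text changes only `RULES` needs updating, and an unmatched document degrades to `unknown` with the raw detail still in the log for the operator.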
