SSL Cert failed: time limit exceeded

I've got port 8089 open and forwarding to my Channels DVR server but the iOS app says it's unreachable. In the log I get the following (happens every time I turn remote access off/on too):

    2019/12/18 15:42:20 [ERR] Generating SSL cert failed: acme: Error -> One or more domains had a problem:
    [xx.channelsdvr.net] time limit exceeded: last error: NS kevin.ns.cloudflare.com. returned SERVFAIL for _acme-challenge.xx.channelsdvr.net.

I'm running version 2019.12.18.0106 - any suggestions to resolve?

Are you running Pi-hole or any other DNS firewalls?

I have a setting enabled on my router, 'Override DNS Settings for All Clients'. When I disable that, Channels DVR is able to obtain the certificate.

I was also going to ask the same thing until I figured out that it was directly checking Cloudflare DNS servers for the TXT record.

I use pfSense to redirect all outbound DNS requests to my local DNS servers for filtering via pfBlockerNG, with the exception of allowing direct access to query specific external DNS servers for those clients that need it.

@tmm1, what host names/addresses are used for the validation? Is it only kevin.ns.cloudflare.com and dara.ns.cloudflare.com? I'd like to make sure that I won't run into issues three months from now when the cert needs to be renewed.

Also, would it be possible to have a fallback to local DNS if it can't query the hardcoded servers? I imagine there are others out there who are doing something similar to block outbound DNS requests from clients that make this otherwise seamless setup experience not so seamless.


Yes, those are the two main Cloudflare DNS nameservers used.

What error were you getting? Also the same SERVFAIL?

Thanks. I was getting a REFUSED message:

    [xxxxxx.channelsdvr.net] time limit exceeded: last error: NS dara.ns.cloudflare.com. returned REFUSED for _acme-challenge.xxxxxx.channelsdvr.net.

I am getting a similar error...

    Requesting certificate for xxxxxxxxx.channelsdvr.net
    2019/12/20 11:11:22 [ERR] Generating SSL cert failed: acme: Error -> One or more domains had a problem:
    [xxxxxxxxxx.channelsdvr.net] time limit exceeded: last error: NS dara.ns.cloudflare.com. did not return the expected TXT record [fqdn: _acme-challenge.xxxxxxxxxx.channelsdvr.net., value: QJVvekgDvUjpuZ1CAXtx9kHKMBZIxErd0h52WpO-_Po]:

Click-and-hold the update button to update to the latest version. If it still happens, then you may need to disable any DNS firewall you have running.

Similar issues here.

    2019/12/22 19:10:06 http: TLS handshake error from 54.172.239.65:54358: remote error: tls: expired certificate
    2019/12/22 19:10:51 http: TLS handshake error from 54.172.239.65:55266: remote error: tls: expired certificate
    2019/12/22 19:38:27 [TLS] Requesting certificate for b0642468055b.channelsdvr.net
    2019/12/22 19:40:04 [ERR] Generating SSL cert failed: acme: Error -> One or more domains had a problem:
    [b0642468055b.channelsdvr.net] time limit exceeded: last error: could not determine authoritative nameservers
    2019/12/22 20:10:42 http: TLS handshake error from 54.172.239.65:51714: remote error: tls: expired certificate
    2019/12/22 20:10:57 http: TLS handshake error from 104.12.248.32:55176: EOF
    2019/12/22 20:10:58 http: TLS handshake error from 104.12.248.32:55180: EOF
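
The failure messages quoted in this thread, sorted by cause, as an added example that is not part of the original posts or of Channels DVR: the Python sketch below parses ACME DNS-01 error lines and labels each failed domain. The sample log is constructed (placeholder hostnames, token and IP address), and the hint strings are assumptions based on the replies above.

```python
import re

# Constructed sample, modelled on the log lines quoted in this thread
# (hostnames, token and IP address are placeholders).
SAMPLE_LOG = """\
2019/12/18 15:42:20 [ERR] Generating SSL cert failed: acme: Error -> One or more domains had a problem:
[xx.channelsdvr.net] time limit exceeded: last error: NS kevin.ns.cloudflare.com. returned SERVFAIL for _acme-challenge.xx.channelsdvr.net.
[yy.channelsdvr.net] time limit exceeded: last error: NS dara.ns.cloudflare.com. returned REFUSED for _acme-challenge.yy.channelsdvr.net.
[zz.channelsdvr.net] time limit exceeded: last error: NS dara.ns.cloudflare.com. did not return the expected TXT record [fqdn: _acme-challenge.zz.channelsdvr.net., value: CONSTRUCTED-TOKEN]:
[ww.channelsdvr.net] time limit exceeded: last error: could not determine authoritative nameservers
2019/12/22 20:10:57 http: TLS handshake error from 192.0.2.10:55176: EOF
"""

FAILURE = re.compile(r"^\[(?P<domain>[^\]]+)\] time limit exceeded: last error: (?P<detail>.*)$")

# (kind, pattern on the "last error" detail, hint). The hints are assumptions
# drawn from the replies in this thread, not output of the ACME client.
RULES = [
    ("ns_error_rcode",
     re.compile(r"^NS (?P<ns>\S+?)\.? returned (?P<rcode>SERVFAIL|REFUSED) for "),
     "query to the authoritative server was probably redirected or blocked"),
    ("txt_not_visible",
     re.compile(r"^NS (?P<ns>\S+?)\.? did not return the expected TXT record"),
     "challenge record not seen; update, then check any DNS firewall"),
    ("ns_lookup_failed",
     re.compile(r"^could not determine authoritative nameservers"),
     "local resolver could not find the zone's nameservers"),
]

def classify(log_text):
    """Return one finding per failed domain in an ACME DNS-01 error log."""
    findings = []
    for line in log_text.splitlines():
        m = FAILURE.match(line.strip())
        if not m:
            continue  # timestamp lines, TLS handshake noise, etc.
        finding = {"domain": m["domain"], "kind": "unclassified",
                   "ns": None, "rcode": None, "hint": ""}
        for kind, pattern, hint in RULES:
            d = pattern.match(m["detail"])
            if d:
                g = d.groupdict()
                finding.update(kind=kind, hint=hint, ns=g.get("ns"), rcode=g.get("rcode"))
                break
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f['domain']:<20} {f['kind']:<17} ns={f['ns']} rcode={f['rcode']} -> {f['hint']}")
```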