All my certbot renewals failing

Hi,

I have been using letsencrypt / certbot successfully since the early days and very much appreciate the project.

I set up a cron job for my renewals some time ago and everything has been working well with many renewals.

However, recently the cron job has been failing and sending me emails with the following error details for all of the subdomains.

I’ve checked the usual stuff - DNS, IPv6 ping, configs, permissions - as well as browsing successfully to a test.txt page under .well-known. I’ve also used curl and got 301s and 200s to confirm a good response over IPv6.

I’m now stuck. Hope someone can help.

Thanks.

An example domain is: family.glynos.co.uk (plus 4 other subdomains affected, same error)

I ran this command: certbot renew (via regular cron job)

It produced this output:

Processing /etc/letsencrypt/renewal/family.glynos.co.uk.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for family.glynos.co.uk
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/family.glynos.co.uk/humogen/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/family.glynos.co.uk.conf produced an unexpected error: Failed authorization procedure. family.glynos.co.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://family.glynos.co.uk/.well-known/acme-challenge/vcuARt3uNFpH5BD0ieTRBRMNIh6AnhT1AJZfOGU70ZE: Timeout. Skipping.

Domain: family.glynos.co.uk
Type: connection
Detail: Fetching
http://family.glynos.co.uk/.well-known/acme-challenge/QiW9ubuAeELU5ItfBW-fZKecYOz_Tx4Z_eUOmON1bYQ:
Timeout

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Debian jessie

My hosting provider, if applicable, is: own server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

Hi @rickglyn,

You are advertising an IPv6 address, 2001:ba8:1f1:f307::15, via an AAAA record in DNS, but your web site is not actually reachable at that address. This is why the validation and renewal are failing.

Hi @schoen,

Thanks for the quick response. There is the mystery of why things were working error-free until recently. Apache is supposedly listening on all IPs, IPv4 and IPv6, but maybe there has been an update change. Do I need to put the specific IPv6 addresses in the vhost configs? Or am I missing something else?

There was a change in the CA’s behavior about 1-2 months ago to use IPv6 addresses in preference to IPv4 behavior, which is why some people’s renewals that previously worked no longer do.

You may want to ask your hosting provider about your IPv6 connectivity. It might require a firewall rule change or some additional host or router configuration to make it work. However, I also notice that you said above that you tested it before and it appeared to work for you, and right now I can’t reach that server in either IPv4 or IPv6 at all by any means, so maybe there’s something else going on.
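A pre-renewal check along the lines of the diagnosis above, added here as an example and not code from this thread or from certbot: it resolves every A and AAAA record a domain advertises and fetches a placeholder challenge path from each literal address, so an AAAA record that nothing answers on shows up before the CA finds it. The resolver and probe are injectable (names assumed) so the decision logic can be exercised offline.

```python
import socket
import http.client

# Constructed placeholder token; the CA generates a random token per challenge.
PROBE_PATH = "/.well-known/acme-challenge/probe-token-placeholder"

def resolve(domain):
    """Return (IPv4 list, IPv6 list) the domain advertises in DNS (A and AAAA)."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)

def http_probe(ip, host, timeout=5.0):
    """GET PROBE_PATH from one literal address with the Host header the CA would send.
    Any HTTP status (200, 301, 404) means the address is reachable; None means
    the connection timed out or was refused, which is what the CA reported above."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", PROBE_PATH, headers={"Host": host})
        return conn.getresponse().status
    except OSError:
        return None
    finally:
        conn.close()

def audit(domain, resolver=resolve, probe=http_probe):
    """Probe every advertised address and report the ones the CA could not reach."""
    v4, v6 = resolver(domain)
    results = {ip: probe(ip, domain) for ip in v4 + v6}
    dead_v6 = [ip for ip in v6 if results[ip] is None]
    dead_v4 = [ip for ip in v4 if results[ip] is None]
    # The CA prefers IPv6 when an AAAA record exists, so a dead AAAA breaks
    # http-01 even when the IPv4 path works; any dead address is a risk.
    return {
        "results": results,
        "ipv6_advertised_but_unreachable": dead_v6,
        "ipv4_unreachable": dead_v4,
        "renewal_at_risk": not results or bool(dead_v6) or bool(dead_v4),
    }

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```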

Success!

I checked out all aspects of IPv6 network access and discovered the problems. The main one was that I had a duplicate (dadfailed) IPv6 gateway address. I also discovered when testing DNS that I had the wrong name for the master server. All renewals done.

Thanks.
