Attempting to renew cert (lurex.in.ua) from /etc/letsencrypt/renewal/lurex.in.ua.conf produced an unexpected error: Some challenges have failed.. Skipping

Hello, can someone help me with my problem?

My domain is: https://lurex.in.ua

I ran this command: /usr/local/bin/docker-compose -f docker-compose-production.yml run certbot renew --force-renew

It produced this output:

Creating network "html_default" with the default driver
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/lurex.in.ua.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for lurex.in.ua
Waiting for verification...
Challenge failed for domain lurex.in.ua
http-01 challenge for lurex.in.ua
Cleaning up challenges
Attempting to renew cert (lurex.in.ua) from /etc/letsencrypt/renewal/lurex.in.ua.conf produced an unexpected error: Some challenges have failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lurex.in.ua/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/lurex.in.ua/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: lurex.in.ua
   Type:   connection
   Detail: Fetching
   http://lurex.in.ua/.well-known/acme-challenge/0rHVVJs142pPtjVywLPiEAG19xiicEI4H_exhZBkHtU:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version): 18.04

The operating system my web server runs on is (include version): ubuntu

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, I use the console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): was 0.39.0 but now 1.3.0

The first and second time I used /usr/local/bin/docker-compose -f docker-compose-production.yml run certbot renew --force-renew, it completed without problems, but now there was an error.
Excuse me for my English.

Is your domain’s IPv6 address (2a01:4f8:c2c:2bf::1) correct? It doesn’t seem to be responding on port 80.

I believe that Let’s Encrypt is connecting to your IPv6 address when it’s trying to fetch the challenge response.

If you fix your IPv4 (or remove your DNS AAAA record), things should start working again.


Hi @Olexander

there are some checks of your domain, ~~30 minutes old - https://check-your-website.server-daten.de/?q=lurex.in.ua

You have ipv4 and ipv6. But your ipv6 doesn't work, there is a timeout.

That's critical because Letsencrypt prefers ipv6 checking your domain.

Ah - the new check is running, now you have removed your ipv6.

Hi! Thanks for the answer, but I can’t understand what is meant by uninstall, or repair ipv6?

Hi! Thanks for the answer, yes, that’s it, but how can I delete the AAAA record?

It’s setting up the lurex.in.ua domain https://i.imgur.com/cV1UDcB.png, https://i.imgur.com/qQ2RuEt.png. Do I have to delete AAAA here?

Yes. Select the 3 rows with YYYY as the “A Type”, and press the “Delete” button down the bottom.

https://i.imgur.com/vwEXiOL.png after this time, can I renew the certificate?
And this removal will in no way affect the workability of the site - domain?

I think so, yes.

To take Let's Encrypt out of the picture:

Previously, you were advertising a non-working IPv6 address for your website. So it was already affecting the workability of your site for anybody connecting via IPv6, and now you have repaired it.

Perhaps the non-workability was invisible to you because you are not using an IPv6-enabled internet connection, or because your operating system worked around it and fell back to IPv4 on its own.

In any case, you should be able to renew the certificate right now.
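The check discussed in this thread, as an added example that is not part of any post: it resolves every A and AAAA record for a domain and tries a TCP connection to port 80 on each address separately, so a dead IPv6 address is not hidden by the client falling back to IPv4. The function names (`resolve`, `probe`, `check`) are hypothetical, and `example.com` is a placeholder default.

```python
import socket

def resolve(host, port=80):
    """Return sorted unique (record type, address) pairs published for host."""
    names = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({(names[fam], sa[0]) for fam, _, _, _, sa in infos if fam in names})

def probe(address, port=80, timeout=5.0):
    """TCP-connect to one literal address; return 'ok' or the failure reason."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return "ok"
    except socket.timeout:
        return "timeout"
    except OSError as exc:  # refused, unreachable, no IPv6 on this host, ...
        return exc.strerror or type(exc).__name__

def check(host, resolver=resolve, prober=probe):
    """Probe every published address; no client-side fallback between families."""
    results = [(rtype, addr, prober(addr)) for rtype, addr in resolver(host)]
    bad_v6 = [a for t, a, r in results if t == "AAAA" and r != "ok"]
    bad_v4 = [a for t, a, r in results if t == "A" and r != "ok"]
    if not results:
        verdict = "no A/AAAA records resolved"
    elif bad_v6:
        # The situation in this thread: the IPv6 address is advertised but dead.
        verdict = "AAAA record(s) not answering on port 80: fix IPv6 or remove them"
    elif bad_v4:
        verdict = "A record(s) not answering on port 80"
    else:
        verdict = "all published addresses answer on port 80"
    return results, verdict

if __name__ == "__main__":
    import sys
    results, verdict = check(sys.argv[1] if len(sys.argv) > 1 else "example.com")
    for rtype, addr, outcome in results:
        print(f"{rtype:5} {addr:40} {outcome}")
    print(verdict)
```

Run it from a machine that has working IPv6 itself; on an IPv4-only connection every AAAA address will be reported as unreachable regardless of the server's state.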

YES, IT WORKS!!! You saved my day, thank you!!

