Cannot create certificate for Nginx on Ubuntu 16.04

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.angryhash.com, angryhash.com
I ran this command:
sudo ./certbot-auto --nginx -d angryhash.com -d www.angryhash.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for angryhash.com
http-01 challenge for www.angryhash.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.angryhash.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.angryhash.com/.well-known/acme-challenge/XkWIRiIGNp69JFZzhODRAjJ6FX_u9omq1OTO_NkyCGU: Timeout, angryhash.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://angryhash.com/.well-known/acme-challenge/F_Xjw9KEevoKiUMAiB7U5Q5nP8VMdBIJAM0rAoDwyYQ: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.angryhash.com
    Type: connection
    Detail: Fetching
    http://www.angryhash.com/.well-known/acme-challenge/XkWIRiIGNp69JFZzhODRAjJ6FX_u9omq1OTO_NkyCGU:
    Timeout

    Domain: angryhash.com
    Type: connection
    Detail: Fetching
    http://angryhash.com/.well-known/acme-challenge/F_Xjw9KEevoKiUMAiB7U5Q5nP8VMdBIJAM0rAoDwyYQ:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.
My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don’t know):
I sudo to root. I have login disabled to root on ssh
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I have checked DNS and it resolves. I checked OpenSSL and that checks too. I checked the path to my webroot and that checks also. I have tried many different ways but nothing works.

Fix your IPv6 connectivity/AAAA record. Let’s Encrypt will prefer to use IPv6 if it is advertised in DNS for the domain, which yours is.

IPv6 broken:

$ curl -X GET -I -6 --connect-timeout 10 angryhash.com
curl: (28) Connection timed out after 10001 milliseconds

IPv4 works:

$ curl -X GET -I -4 --connect-timeout 10 angryhash.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jan 2018 21:57:16 GMT
Content-Type: text/html
Content-Length: 322
Last-Modified: Wed, 24 Jan 2018 12:33:48 GMT
Connection: keep-alive
ETag: "5a687d2c-142"
Accept-Ranges: bytes

Ah, thanks. I disabled IPv6 on purpose for security, but I will enable it again

Sure. If you wish to keep it disabled you can just withdraw the AAAA record from DNS as well.

ah ok, I will try that first. I didn’t realize the record had been added for IPv6

If I withdraw the records do I need to wait a certain amount of time before creating the certificate again? I withdrew the records but still wasn’t able to create the certificate.

Linode is still advertising your AAAA records.

Let’s Encrypt does not have any kind of DNS caching, but your actual DNS host has to be serving the right records:

$ dig +noall +answer @ns1.linode.com angryhash.com  aaaa
angryhash.com.          86400   IN      AAAA    2600:3c02::f03c:91ff:fef9:3eac

Not sure if you’re currently doing this, please use --dry-run with Certbot while debugging your issues. If you don’t, you will hit rate limits and be unable to issue a cert once your issues are fixed.
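The two checks used in this thread (curl forced to one address family against the domain, and dig against the authoritative nameserver for AAAA records) can be combined into a single pre-flight script run before certbot. This is an added example, not something posted in the thread or shipped by Certbot; it assumes `dig`, `curl` and `awk` are installed, and the nameserver `ns1.linode.com` and the domain argument are placeholders for your own provider and domain.

```shell
#!/bin/sh
# Pre-flight for http-01 validation: does the domain advertise AAAA records at
# its authoritative nameserver, and does the challenge path answer over the
# same address families? Added example; assumes dig, curl and awk exist.

# Authoritative nameserver to query directly, bypassing any resolver caches
# (placeholder: the thread's provider; substitute your own).
NS="${NS:-ns1.linode.com}"

# Extract the record data from `dig +noall +answer` lines
# (fields: name ttl class type rdata). Reads stdin, prints one address per line.
parse_aaaa() {
    awk '$4 == "AAAA" {print $5}'
}

# Ask the authoritative server, not a recursive resolver, so a withdrawn
# record does not look present because of stale caching.
authoritative_aaaa() {
    dig +noall +answer "@$NS" "$1" AAAA | parse_aaaa
}

# Fetch the path Let's Encrypt will request, forced to one address family
# (4 or 6). Any HTTP answer, even 404, means the host is reachable; curl only
# exits non-zero on connect timeout, refusal or similar transport failure.
probe_challenge_path() {
    family="$1"; domain="$2"
    curl -s -o /dev/null "-$family" --connect-timeout 10 \
        "http://$domain/.well-known/acme-challenge/preflight-probe-$$"
}

# Turn the three findings (each yes/no) into the action this thread settled on:
# an advertised AAAA record that is unreachable fails validation because
# Let's Encrypt prefers IPv6 when it is in DNS.
preflight_verdict() {
    has_aaaa="$1"; v4_ok="$2"; v6_ok="$3"
    if [ "$has_aaaa" = yes ] && [ "$v6_ok" != yes ]; then
        echo "AAAA advertised but IPv6 unreachable: fix IPv6 or withdraw the AAAA record"
    elif [ "$v4_ok" != yes ] && [ "$v6_ok" != yes ]; then
        echo "unreachable on both families: check A record, routing and firewall"
    elif [ "$v4_ok" != yes ]; then
        echo "reachable over IPv6 only: validation can pass, but IPv4-only clients will fail"
    else
        echo "ok: run certbot with --dry-run first"
    fi
}

run_preflight() {
    domain="$1"
    if [ -n "$(authoritative_aaaa "$domain")" ]; then has_aaaa=yes; else has_aaaa=no; fi
    if probe_challenge_path 4 "$domain"; then v4_ok=yes; else v4_ok=no; fi
    # Only probe IPv6 when DNS actually advertises it; otherwise it is irrelevant.
    if [ "$has_aaaa" = yes ] && probe_challenge_path 6 "$domain"; then v6_ok=yes; else v6_ok=no; fi
    echo "domain=$domain aaaa=$has_aaaa ipv4=$v4_ok ipv6=$v6_ok"
    preflight_verdict "$has_aaaa" "$v4_ok" "$v6_ok"
}

# Usage: sh preflight.sh example.com  (then: certbot ... --dry-run)
if [ -n "$1" ]; then
    run_preflight "$1"
fi
```

Run it once per hostname you pass to `-d` (the apex and `www` can differ in DNS), and only move on to a real issuance after `--dry-run` succeeds, since failed real attempts count against the rate limits mentioned above.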

Thanks. I’ll wait until Linode quits advertising IPv6 records. When you say to use --dry-run, do you mean sudo ./certbot-auto --dry-run between my attempts, or should I do something like… sudo ./certbot-auto --nginx -d angryhash.com -d www.angryhash.com --dry-run each time I attempt to create a cert?

Adding it to the end of whatever command you were already running would work fine (such as your latter example).

I am very surprised that Linode takes this long to start serving an updated record :confused: .

edit: Looks like it just went through.

Thank you so much for all your help!!! Got the certificate!!! :smiley:

Linode updates DNS every quarter hour. And in this case the record was deleted around 22:01 - 22:05, so it took just about the maximum possible time. :sweat: Plus the edge PoPs may cache for up to 15 minutes more.
