Cannot create certificate for Nginx on Unbuntu 16.04

gigilsu · January 25, 2018, 9:54pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.angryhash.com, angryhash.com
I ran this command:
sudo ./certbot-auto --nginx -d angryhash.com -d www.angryhash.com
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for angryhash.com
http-01 challenge for www.angryhash.com
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.angryhash.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.angryhash.com/.well-known/acme-challenge/XkWIRiIGNp69JFZzhODRAjJ6FX_u9omq1OTO_NkyCGU: Timeout, angryhash.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://angryhash.com/.well-known/acme-challenge/F_Xjw9KEevoKiUMAiB7U5Q5nP8VMdBIJAM0rAoDwyYQ: Timeout

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: www.angryhash.com
Type: connection
Detail: Fetching
http://www.angryhash.com/.well-known/acme-challenge/XkWIRiIGNp69JFZzhODRAjJ6FX_u9omq1OTO_NkyCGU:
Timeout

Domain: angryhash.com
Type: connection
Detail: Fetching
http://angryhash.com/.well-known/acme-challenge/F_Xjw9KEevoKiUMAiB7U5Q5nP8VMdBIJAM0rAoDwyYQ:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version):
nginx version: nginx/1.10.3 (Ubuntu)
The operating system my web server runs on is (include version):
Ubuntu 16.04
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don’t know):
I sudo to root. I have login disabled to root on ssh
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

I have checked DNS and it resolves. I checked OpenSSL and that checks too. I checked the path to my webroot and that checks also. I have tried many different ways but nothing works.

_az · January 25, 2018, 9:58pm

Fix your IPv6 connectivity/AAAA record. Let’s Encrypt will prefer to use IPv6 if it is advertised in DNS for the domain, which yours is.

IPv6 broken:

$ curl -X GET -I -6 --connect-timeout 10 angryhash.com
curl: (28) Connection timed out after 10001 milliseconds

IPv4 works:

$ curl -X GET -I -4 --connect-timeout 10 angryhash.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 25 Jan 2018 21:57:16 GMT
Content-Type: text/html
Content-Length: 322
Last-Modified: Wed, 24 Jan 2018 12:33:48 GMT
Connection: keep-alive
ETag: "5a687d2c-142"
Accept-Ranges: bytes

gigilsu · January 25, 2018, 9:59pm

Ah, thanks. I disabled IPV6 on purpose for security, but I will enable it again

_az · January 25, 2018, 10:00pm

Sure. If you wish to keep it disabled you can just withdraw the AAAA record from DNS as well.

gigilsu · January 25, 2018, 10:01pm

ah ok, I will try that first. I didn’t realize the record had been added for IPV6

gigilsu · January 25, 2018, 10:05pm

If I withdraw the records do I need to wait a certain amount of time before creating the certificate again? I withdrew the records but still wasn’t able to create the certificate.

_az · January 25, 2018, 10:07pm

Linode is still advertising your AAAA records.

Let’s Encrypt does not have any kind of DNS caching, but your actual DNS host has to be serving the right records:

$ dig +noall +answer @ns1.linode.com angryhash.com  aaaa
angryhash.com.          86400   IN      AAAA    2600:3c02::f03c:91ff:fef9:3eac

Not sure if you’re currently doing this, please use --dry-run with Certbot while debugging your issues. If you don’t, you will hit rate limits and be unable to issue a cert once your issues are fixed.

gigilsu · January 25, 2018, 10:15pm

Thanks. I wait until linode quits advertising IPV6 records. When you say to use --dry-run to you mean to sudo ./certbot-auto --dry-run between my attempts, or should I do something like… sudo ./certbot-auto --nginx -d angryhash.com -d www.angryhash.com --dry-run each time I attempt to create cert?

_az · January 25, 2018, 10:19pm

Adding it to the end of whatever command you were already running would work fine (such as your latter example).

I am very surprised that Linode takes this long to start serving an updated record .

edit: Looks like it just went through.

gigilsu · January 25, 2018, 10:39pm

Thank you so much for all your help!!! Got the certificate!!!

mnordhoff · January 26, 2018, 10:08am

Linode updates DNS every quarter hour. And in this case the record was deleted around 22:01 - 22:05, so it took just about the maximum possible time. Plus the edge PoPs may cache for up to 15 minutes more.

system · February 25, 2018, 10:09am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.