Cannot renew certificates when ssl is forced and ipv6 enabled

I am running an nginx reverse proxy with many hosts for several years without problems.
Now I activated IPv6 and Certificate Renewal fails for all sites which have Force SSL enabled.
The sites respond with error 301 Moved Permanently when trying to download via http.
I think this should be fixed.
Certbot has version 2.11.0.

Stefan

Hi! I moved your topic to the Help category. If you were to create the topic here, you would've been presented with the following questionnaire. Fill it to the best of your knowledge, especially the domain bit.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0


Then fix it? Let's Encrypt works perfectly with IPv6. It even prefers it. Thus, the issue is most likely with your setup.


My domain is:
git.hilie.de

I ran this command:
certbot renew --cert-name npm-8 --dry-run --verbose

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/npm-8.conf


/opt/certbot/lib/python3.11/site-packages/certbot/ocsp.py:238: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if not response_ocsp.this_update:
/opt/certbot/lib/python3.11/site-packages/certbot/ocsp.py:240: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to this_update_utc.
if response_ocsp.this_update > now + timedelta(minutes=5):
/opt/certbot/lib/python3.11/site-packages/certbot/ocsp.py:242: CryptographyDeprecationWarning: Properties that return a naïve datetime object have been deprecated. Please switch to next_update_utc.
if response_ocsp.next_update and response_ocsp.next_update < now - timedelta(minutes=5):
Certificate not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Simulating renewal of an existing certificate for git.hilie.de
Performing the following challenges:
http-01 challenge for git.hilie.de
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain git.hilie.de
http-01 challenge for git.hilie.de

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: git.hilie.de
Type: connection
Detail: 88.217.198.250: Fetching https://git.hilie.de/.well-known/acme-challenge/qNqlczaMLy7hLGOLnuJ0-SGc5fJbol2mFO-A23TTgew: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Cleaning up challenges
Failed to renew certificate npm-8 with error: Some challenges have failed.


All simulated renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-8/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version):
nginx version: openresty/1.25.3.2

The operating system my web server runs on is (include version):
docker image jc21/nginx-proxy-manager:2.12.1

My hosting provider, if applicable, is:
I am self hosting

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
jc21/nginx-proxy-manager:2.12.1

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0
certbot 2.11.0

Now I noticed that some of my domains have Force SSL enabled and are working.

You need to fix your IPv6. The above shows an IPv4 address but also shows an httpS URL. This means your IPv6 connection failed, but Let's Encrypt retried with IPv4 and your server redirected it to HTTPS. But when LE tried HTTPS for your IPv6 it failed again, and then the challenge fails.

Either fix your IPv6 configuration or remove the AAAA record from your DNS

See: IPv6 Support - Let's Encrypt


But the site is reachable via IPv6. I have a firefox plugin (SixIndicator) which shows that the site is connected via IPv6.

Not from everywhere. The Let's Debug test server can't reach it via IPv6. Nor can the Let's Encrypt auth servers (otherwise you would see the IPv6 address in the error msg).

I can't reach it from my own test server either. Perhaps your firewall settings for IPv6 are different than for IPv4?

From my own test server.

curl -i6 -m8 http://git.hilie.de
curl: (7) Failed to connect to git.hilie.de port 80 after 108 ms: Permission denied

curl -i4 -m8 http://git.hilie.de
HTTP/1.1 301 Moved Permanently
Server: openresty
Location: https://git.hilie.de/
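The curl -4/-6 probe in the reply above only tests the first hop on port 80. The following script is an added example (my own, not code from the thread, from certbot or from nginx-proxy-manager) that carries the same per-family check through the full chain a validator sees: it resolves AAAA and A separately, fetches the http-01 challenge URL over one address of each family, follows the Force SSL redirect to HTTPS with SNI set to the host name, and reports where each family stops. The hostname, token and the 2001:db8::/192.0.2.0 addresses used in comments and tests are constructed placeholders; the resolve/fetch hooks exist so the logic can be exercised offline with fakes.

```python
# Added diagnostic, not from the thread, certbot or NPM: walk an http-01
# challenge URL over IPv6 and IPv4 separately, following the Force-SSL
# redirect, so a per-family failure shows up directly instead of as a
# generic "Error getting validation data".
import socket
import ssl
import sys
from urllib.parse import urljoin, urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 303, 307, 308}


def resolve_all(host):
    """Return (ipv6_addrs, ipv4_addrs) from the system resolver (AAAA and A)."""
    v6, v4 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET6:
            v6.add(sockaddr[0])
        elif family == socket.AF_INET:
            v4.add(sockaddr[0])
    return sorted(v6), sorted(v4)


def fetch_live(ip, host, url, timeout=8):
    """One GET of url sent to a specific address, with Host header and SNI set
    to the name. Returns (status, location_header); raises OSError (which
    covers socket.timeout and ssl.SSLError) when the hop cannot be completed."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    sock = socket.create_connection((ip, port), timeout=timeout)
    if parts.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    path = parts.path or "/"
    sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    raw = b""
    while b"\r\n\r\n" not in raw:           # read until the end of the headers
        chunk = sock.recv(4096)
        if not chunk:
            break
        raw += chunk
    sock.close()
    if not raw:
        raise OSError("empty response")
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if line.lower().startswith("location:"):
            location = line.split(":", 1)[1].strip()
    return status, location


def walk(host, ip, token, fetch=fetch_live, max_hops=5):
    """Follow the challenge URL over ONE address, honouring redirects.
    Returns (hops, reachable); hops is a list of (url, outcome) pairs."""
    url = f"http://{host}{CHALLENGE_PATH}{token}"
    hops = []
    for _ in range(max_hops):
        try:
            status, location = fetch(ip, host, url)
        except OSError as exc:
            hops.append((url, f"connect failed: {exc}"))
            return hops, False
        hops.append((url, f"HTTP {status}"))
        if status in REDIRECTS and location:
            url = urljoin(url, location)      # relative Location keeps the scheme
            continue
        return hops, status == 200
    hops.append((url, "too many redirects"))
    return hops, False


def diagnose(host, token, resolve=resolve_all, fetch=fetch_live):
    """walk() once per address family present in DNS.
    Returns {family: (address or None, hops, reachable or None if no record)}."""
    v6, v4 = resolve(host)
    report = {}
    for family, addrs in (("IPv6", v6), ("IPv4", v4)):
        if not addrs:
            report[family] = (None, [], None)
            continue
        hops, ok = walk(host, addrs[0], token, fetch)
        report[family] = (addrs[0], hops, ok)
    return report


def verdict(report):
    """Summarise the report in the terms used in this thread."""
    if not any(ip for ip, _, _ in report.values()):
        return "no A or AAAA record found"
    broken = [fam for fam, (ip, _, ok) in report.items() if ip and not ok]
    if not broken:
        return "challenge URL reachable on every advertised address family"
    if broken == ["IPv6"] and report["IPv4"][2]:
        return "IPv6 path broken: fix the IPv6 listener/firewall or remove the AAAA record"
    return "challenge URL not reachable over " + ", ".join(broken) + "; check the webroot and ports 80/443"


if __name__ == "__main__":
    # usage: python3 probe.py git.hilie.de [token]   (token may be any string;
    # a 404 on the final hop still proves the path and family are reachable)
    name = sys.argv[1]
    tok = sys.argv[2] if len(sys.argv) > 2 else "probe"
    rep = diagnose(name, tok)
    for fam, (ip, hops, ok) in rep.items():
        print(f"{fam}: {ip or 'no record'}")
        for url, outcome in hops:
            print(f"   {url} -> {outcome}")
    print(verdict(rep))
```

Run it from a host that has working IPv6 of its own (a server in a cloud region with native v6, not a desktop behind a v4-only ISP), otherwise the IPv6 column reports your own connectivity rather than the target's. A real token is only needed if you want the final hop to return 200; with an arbitrary token a 404 over HTTPS on both families already shows that the redirect chain, firewall and listeners are fine and the problem is elsewhere.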

Can you try with imap.hilie.de? It’s the same IP and the same configuration in npm and it works.

You can try yourself using https://letsdebug.net

I see the same as Let's Debug. Your imap subdomain replies to HTTP (port 80) on IPv4 but not IPv6. Do you normally use port 80 and 443 for it?

I also see it replies on port 443 with a cert you got about a week ago. Maybe something changed since then?


Hmm, now both domains could be updated in the NPM GUI. I will keep an eye on it. Thanks for the quick responses.

