Can't do ACME challenge

Hi everyone,

I'm trying to obtain an SSL certificate using Certbot, but I'm running into a small problem. I use the manual plugin of Certbot, and when I try to complete the challenge I get the following error (whereas in my browser the link http://red-army.freeboxos.fr/.well-known/acme-challenge/XXXXXXXXXXX is working …):

My domain is: red-army.freeboxos.fr

I ran this command: sudo certbot --manual

It produced this output:

{
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "Fetching http://red-army.freeboxos.fr/.well-known/acme-challenge/-yeitzm0icBfOGLgHjMLhTz8oQkkW7PhHAd5wjI0pZs: Timeout",
    "status": 400
  },
  "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/O_bc06El_l4P8Sp8x3ZIx3huDf2mvlHiJutdeaKggDA/1630347336",
  "token": "-yeitzm0icBfOGLgHjMLhTz8oQkkW7PhHAd5wjI0pZs",
  "keyAuthorization": "-yeitzm0icBfOGLgHjMLhTz8oQkkW7PhHAd5wjI0pZs.93pxR13Jd1UBgt_j1H_4WX9inPLOtOhvRezdBH1XsfE",
  "validationRecord": [
    {
      "url": "http://red-army.freeboxos.fr/.well-known/acme-challenge/-yeitzm0icBfOGLgHjMLhTz8oQkkW7PhHAd5wjI0pZs",
      "hostname": "red-army.freeboxos.fr",
      "port": "80",
      "addressesResolved": [
        "88.190.142.193",
        "2a01:e35:8be8:ec10::1"
      ],
      "addressUsed": "2a01:e35:8be8:ec10::1",
      "addressesTried": []
    }
  ]
}

My web server is (include version): nodeJs using Express

The operating system my web server runs on is (include version): macOS el capitan

I can login to a root shell on my machine (yes or no, or I don’t know): YES

(NOTE: My website may be down when you read this topic.)

EDIT: When I'm trying to ping my IPv6 or IPv4 address from my home, it's working.

Thank you in advance!

Julien

Here is the clue: your site is accessible in IPv4 (at 88.190.142.193), but not in IPv6 (2a01:e35:8be8:ec10::1).

Thanks for your reply !

Is there a way to force certbot to use IPv4 ?

It's not Certbot that's using it; it's the Let's Encrypt CA, which is connecting back to you from its data centers. There is no way to force the Let's Encrypt CA to use IPv4.

If you can't receive connections via IPv6, you shouldn't advertise a DNS record that says that you can. If you can't allow incoming connections but can change your DNS zone, you can also use the DNS-01 validation method to prove your control over the domain name to Let's Encrypt.

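The diagnosis above (the CA resolved both an A and an AAAA record, picked the IPv6 address, and timed out) can be checked from your own side before retrying. The following is an added example, not code from the thread or from Certbot: it reads the `validationRecord` that Certbot printed to show which resolved address the CA actually used, and it fetches the challenge path over every published address individually with the domain in the `Host` header, so an unreachable address family shows up as a failure rather than being hidden by a browser that silently falls back to IPv4. The `fetch` parameter and the simulated fetcher are this example's own constructs, used so the logic can be exercised offline.

```python
"""Check every address a hostname advertises in DNS for HTTP-01 reachability.

Let's Encrypt resolves A and AAAA records and connects to one of them
(preferring IPv6 when an AAAA record exists), so a host that only answers
over IPv4 fails validation even though a browser on IPv4 sees the token.
Added example; not part of the forum thread or of Certbot.
"""
import http.client
import ipaddress
import json
import socket

ACME_PATH = "/.well-known/acme-challenge/"


def resolve_all(hostname):
    """Return every IPv4 and IPv6 address published for hostname."""
    addrs = set()
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            for info in socket.getaddrinfo(hostname, 80, family, socket.SOCK_STREAM):
                addrs.add(info[4][0])
        except socket.gaierror:
            pass  # no record of this family
    return sorted(addrs)


def fetch_token(address, hostname, token, timeout=10):
    """Connect to one literal address on port 80, send the Host header for
    the domain, and return (status, body).  Mirrors the CA's request."""
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": hostname})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("ascii", "replace")
    finally:
        conn.close()


def check_reachability(addresses, hostname, token, fetch=fetch_token):
    """Map each address to (family, served_ok, detail).

    `fetch` is injectable (example's own design) so the decision logic can
    be tested without network access.  A key authorization is served
    correctly when the body starts with the token.
    """
    results = {}
    for addr in addresses:
        family = "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"
        try:
            status, body = fetch(addr, hostname, token)
            ok = status == 200 and body.strip().startswith(token)
            results[addr] = (family, ok, "HTTP %d" % status)
        except (OSError, http.client.HTTPException) as exc:
            results[addr] = (family, False, type(exc).__name__)
    return results


def explain_validation_record(record_json):
    """Read the validationRecord Certbot printed and separate the address
    the CA used from the resolved addresses it never tried."""
    rec = json.loads(record_json)["validationRecord"][0]
    resolved = rec["addressesResolved"]
    used = rec["addressUsed"]
    return {
        "resolved": resolved,
        "used": used,
        "not_tried": [a for a in resolved if a != used],
    }


# Sample input constructed from the output quoted in the thread.
THREAD_OUTPUT = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "validationRecord": [{
        "hostname": "red-army.freeboxos.fr",
        "port": "80",
        "addressesResolved": ["88.190.142.193", "2a01:e35:8be8:ec10::1"],
        "addressUsed": "2a01:e35:8be8:ec10::1",
        "addressesTried": [],
    }],
})


def simulate_thread_case():
    """Offline reproduction of the thread's situation: IPv4 serves the
    token, IPv6 times out.  The fake fetcher is a constructed stand-in."""
    token = "-yeitzm0icBfOGLgHjMLhTz8oQkkW7PhHAd5wjI0pZs"

    def fake_fetch(addr, hostname, tok):
        if ipaddress.ip_address(addr).version == 6:
            raise OSError("connection timed out")  # simulated
        return 200, tok + ".93pxR13Jd1UBgt_j1H_4WX9inPLOtOhvRezdBH1XsfE"

    record = explain_validation_record(THREAD_OUTPUT)
    return check_reachability(record["resolved"], "red-army.freeboxos.fr",
                              token, fetch=fake_fetch)


if __name__ == "__main__":
    # Live use: python3 check_acme.py  (edit hostname/token for your zone)
    host, token = "red-army.freeboxos.fr", "REPLACE_WITH_TOKEN"
    for addr, (fam, ok, detail) in check_reachability(resolve_all(host), host, token).items():
        print("%-5s %-25s %s %s" % (fam, addr, "OK  " if ok else "FAIL", detail))
```

Any address that reports FAIL is one the CA may choose; either make that address reachable (for IPv6, a route or proxy from the router to the server, as discussed below) or remove the AAAA record so the zone only advertises what actually answers.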

Thank you 🙂

So I think I will try to find a solution to make my website accessible on IPv6 !

I need to "forward" the IPv6 address of my box to connect to my server, if I understand? (The DNS refers to the IP of my box, and in IPv4 a simple forwarding on port 80 redirects this to my server, but in IPv6 I think I may have to use another way to do this kind of forwarding.)

You can definitely use a proxy like that. It seems to me that whoever set up that IPv6 address in DNS must have had some reason to think that it pointed to your server or your router.
