Can't renew certificate

My domain is: owncloud.inviar.eu

I ran this command: /usr/bin/certbot renew --debug-challenges

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/owncloud.inviar.eu.conf


Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 2.420067443068599 seconds
Plugins selected: Authenticator apache, Installer None
Attempting to renew cert (owncloud.inviar.eu) from /etc/letsencrypt/renewal/owncloud.inviar.eu.conf produced an unexpected error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLError("bad handshake: SysCallError(104, 'ECONNRESET')"))). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/owncloud.inviar.eu/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/owncloud.inviar.eu/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

My web server is (include version): Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu Linux 20.04.4

My hosting provider, if applicable, is: GREENHOUSING.CZ

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

1 Like

Show us the output of

curl -vvv https://acme-v02.api.letsencrypt.org/directory

And maybe

curl -vvv -L google.com

too.

2 Likes

curl -vvv https://acme-v02.api.letsencrypt.org/directory
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c:443...
* TCP_NODELAY set
* Connected to acme-v02.api.letsencrypt.org (2606:4700:60:0:f53d:5624:85c7:3a2c) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0* OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0
* Closing connection 0
curl: (35) OpenSSL SSL_connect: Connection reset by peer in connection to acme-v02.api.letsencrypt.org:443

curl -vvv -L https://www.google.com
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* Trying 2a00:1450:4014:80a::2004:443...
* TCP_NODELAY set
* Connected to www.google.com (2a00:1450:4014:80a::2004) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
0 0 0 0 0 0 0 0 --:--:-- 0:00:01 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:02 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:03 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:04 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:05 --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- 0:00:06 --:--:-- 0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [15 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4002 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [79 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=www.google.com
...

It seems that the connection to letsencrypt.org is prohibited :frowning:

1 Like

Yeah, it looks like your IP might be banned. @lestaff?

2 Likes

What do I have to do to remove the ban from my IP?

1 Like

Only members of the Let's Encrypt staff can do that, and @9peppe has already mentioned the staff. So the only thing you can do now is wait until the staff has checked and reported the outcome of that check here. Could be anywhere between a few hours and a few days, but most of the time the staff responds quite quickly :slight_smile:

3 Likes

Tx. I'll wait

1 Like

What is your IP?

2 Likes

171.25.221.189

1 Like

That IP isn’t blocked. However, I see in your output that you’re connecting via IPv6 — Connected to acme-v02.api.letsencrypt.org(2606:4700:60:0:f53d:5624:85c7:3a2c) port 443

Is your curl output different if you pass --ipv4?

If you can tell me your IPv6 address I can check if it’s been blocked too.

3 Likes

Yes, you are right, IPv4 is working.
I guess now my IPv6 is: 2a03:a900:ffff:1115:215:5dff:fe02:9400

1 Like

Could you advise me how to force certbot to use IPv4?

1 Like

Sorry, my IPv6 seems to be fe80::215:5dff:fe02:9400

1 Like

I've just disabled IPv6 on my Ubuntu and the renewal succeeded.
I have to disable IPv6 permanently, as I see....

1 Like

That's not a public IPv6.

The one you need shouldn't start with fe80

3 Likes

OR
Fix it :wink:

2 Likes

If it's blocked by LE, there's not much @Jan can do about that except wait for @mcpherrinm to report about the IPv6 address reported by @Jan being blocked or not :slight_smile: Note that the IPv6 connection to Google worked nicely above :slight_smile:

3 Likes

That address is not blocked

5 Likes
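
Added example, not part of the thread or of certbot: a Python sketch of the per-family check the replies converge on, running the TCP connect and TLS handshake over IPv4 and IPv6 separately and recording the local source address each route uses, so the address reported for a block check is the global one rather than an fe80:: link-local one. The function names are hypothetical; the host name and the sample addresses in the test are the ones quoted in the thread.

```python
import ipaddress
import socket
import ssl

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def classify(exc):
    """Map a connection failure to a short label."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify-failed"
    if isinstance(exc, ConnectionResetError):
        return "reset"          # what curl reported as "Connection reset by peer"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"
    if isinstance(exc, socket.gaierror):
        return "no-address"     # no A/AAAA record, or family unavailable
    return "error"

def probe(host, family, port=443, timeout=10.0):
    """TCP connect + TLS handshake over one family; returns (outcome, source_ip)."""
    source = None
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
        with socket.socket(family, socket.SOCK_STREAM) as raw:
            raw.settimeout(timeout)
            raw.connect(addr)
            source = raw.getsockname()[0]   # local address this route actually uses
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return "ok", source
    except OSError as exc:
        return classify(exc), source

def is_reportable(source_ip):
    """True for a globally routable address; fe80::/10 link-local is not."""
    return ipaddress.ip_address(source_ip.split("%")[0]).is_global

def diagnose(results):
    """results maps "IPv4"/"IPv6" to the (outcome, source_ip) tuples from probe()."""
    broken = sorted(name for name, (outcome, _) in results.items() if outcome != "ok")
    if not broken:
        return "both families work"
    if len(broken) == len(results):
        return "both families fail: not family-specific"
    return "%s path fails (%s); the other family works" % (broken[0], results[broken[0]][0])

if __name__ == "__main__":
    host = "acme-v02.api.letsencrypt.org"   # ACME endpoint from the thread
    results = {name: probe(host, fam) for name, fam in FAMILIES.items()}
    for name, (outcome, source) in results.items():
        print(name, outcome, source, is_reportable(source) if source else "-")
    print(diagnose(results))
```

A failure on one family only points at that route (local firewall, provider, or a path MTU problem) rather than at the certificate authority or the certbot configuration.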
