Can't renew - new ISP - router can't loopback

jtsoftware · September 2, 2017, 6:18am

I got the renewal reminder email. I'm trying to renew for the first time.
Note that about two weeks ago I changed ISPs from AT&T to Comcast.
Unfortunately, the new router doesn't let me access my site by host name www.jtlanguage.com from within my home network.
But I can reference my site on my phone with the data connection.
I can access the challenge file on my phone, though it does get redirected to https.

www.jtlanguage.come
letsencrypt --renew
...
Renewing certificate for IIS www.jtlanguage.com (C:\JTLanguageWeb) Renew After 8/21/2017
Authorizing Identifier www.jtlanguage.com Using Challenge Type http-01
Writing challenge answer to C:\JTLanguageWeb.well-known/acme-challenge/Z0JG0P--JgTZEzZx9UwpRJaW95JX8bVZsieSA-F-x00
Writing web.config to add extensionless mime type to C:\JTLanguageWeb.well-known\acme-challenge\web.config
Answer should now be browsable at http://www.jtlanguage.com/.well-known/acme-challenge/Z0JG0P--JgTZEzZx9UwpRJaW95JX8bVZsieSA-F-x00
Submitting answer
Refreshing authorization
Refreshing authorization
Authorization Result: invalid
Authorization Failed invalid

The ACME server was probably unable to reach http://www.jtlanguage.com/.well-known/acme-challenge/Z0JG0P--JgTZEzZx9UwpRJaW95JX8bVZsieSA-F-x0
0

Check in a browser to see if the answer file is being served correctly. If it is, also check the DNSSEC configuration.
Authorize failed: This could be caused by IIS not being setup to handle extensionless static files.Here's how to fix that:
1.In IIS manager goto Site/ Server->Handler Mappings->View Ordered List
2.Move the StaticFile mapping above the ExtensionlessUrlHandler mappings. (like this http://i.stack.imgur.com/nkvrL.png)
3.If you need to make changes to your web.config file, update the one at C:\Tools\letsencrypt-win-simple-master\letsencrypt-win-simple\bin\D
ebug\web_config.xml

Renewal failed IIS www.jtlanguage.com (C:\JTLanguageWeb) Renew After 8/21/2017, will retry on next run
Press enter to continue.

Windows 8.1
IIS 8.5
Comcast ISP

nslookup -type=A www.jtlanguage.com
Server: cdns01.comcast.net
Address: 75.75.75.75

Non-authoritative answer:
Name: jtlanguage.com
Address: 24.6.132.61
Aliases: www.jtlanguage.com

Thanks.

-John

sahsanu · September 2, 2017, 6:49am

Hi @jtsoftware,

Since a few months, Let’s Encrypt prefers IPv6 over IPv4 and your domain have both, A and AAAA records but it is not reachable using IPv6.

$ curl -6vikL http://www.jtlanguage.com/.well-known/acme-challenge/Z0JG0P--JgTZEzZx9UwpRJaW95JX8bVZsieSA-F-x00
*   Trying 2601:647:4480:cb0f:f1e7:8ff4:5962:9c68...
* TCP_NODELAY set
* connect to 2601:647:4480:cb0f:f1e7:8ff4:5962:9c68 port 80 failed: Connection timed out
* Failed to connect to www.jtlanguage.com port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.jtlanguage.com port 80: Connection timed out

And that is the reason for the error during the renew. You should fix the IPv6 connectivity or remove the AAAA records for your domain.

Cheers,
sahsanu

system · October 2, 2017, 6:49am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.