Can't renew with certbot and webroot


My domain is: kevindkeogh.com

I ran this command: sudo certbot certonly --webroot --agree-tos --email kevin.d.keogh@gmail.com -w /var/www/letsencrypt/ -d www.kevindkeogh.com -d kevindkeogh.com

It produced this output:

FailedChallenges: Failed authorization procedure. kevindkeogh.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kevindkeogh.com/.well-known/acme-challenge/gLZGgPq7ncEVtYPqetUnEwKwgpLNcFCV70lF7QU243g: Timeout, www.kevindkeogh.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.kevindkeogh.com/.well-known/acme-challenge/LhGqT5c-EIRc1HGGNJB5b_Ygps8zJY4-UmGqbJ0uaxw: Timeout

My web server is (include version): nginx/1.12.1

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I can also get to the .well-known directory from a browser, see http://kevindkeogh.com/.well-known/acme-challenge/sample.txt

Not sure what else to do. Thanks for the help!

I see you have an AAAA record (IPv6 address) published in DNS and it fails to respond over HTTP. Let’s Encrypt validation servers prefer IPv6 when both IPv4 and IPv6 addresses are advertised.

Maybe you have some firewall enabled, which prevents access to nginx (TCP 80) over IPv6?

Possibly nginx isn’t responding to IPv6? This is the config:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name kevindkeogh.com www.kevindkeogh.com;

    include /etc/nginx/snippets/letsencrypt.conf;

    root /var/www/kevindkeogh.com/html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}

I don't think so, as you have the correct line in the config file:

:: means "all IPv6 addresses of this machine".

Could you try to list ip6tables rules (ip6tables -L)?

Or, are you using DigitalOcean Cloud Firewall?

I am not using DO Cloud Firewall.

$ sudo ip6tables -L

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     esp      anywhere             anywhere            
ACCEPT     all      anywhere             anywhere             ah 
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp echo-request limit: up to 5/sec burst 5 mode srcip srcmask 32
ACCEPT     udp      anywhere             anywhere             multiport dports isakmp,ipsec-nat-t
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp router-advertisement HL match HL == 255
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT     ipv6-icmp    anywhere             anywhere             ipv6-icmp redirect HL match HL == 255
ACCEPT     udp      anywhere             fe80::/64            state NEW udp dpt:dhcpv6-client
ACCEPT     udp      anywhere             fcaa::1              udp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all      fd9d:bc11:4020::/48  fd9d:bc11:4020::/48 
ICMPV6-CHECK  all      anywhere             anywhere            
DROP       tcp      anywhere             anywhere             tcp dpt:microsoft-ds
DROP       udp      anywhere             anywhere             multiport ports netbios-ns,netbios-dgm
DROP       tcp      anywhere             anywhere             multiport ports netbios-ns,netbios-ssn
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all      fd9d:bc11:4020::/48  anywhere             ctstate NEW policy match dir in pol ipsec

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain ICMPV6-CHECK (1 references)
target     prot opt source               destination         
ICMPV6-CHECK-LOG  ipv6-icmp    anywhere             anywhere             HL match HL != 255 ipv6-icmp router-solicitation
ICMPV6-CHECK-LOG  ipv6-icmp    anywhere             anywhere             HL match HL != 255 ipv6-icmp router-advertisement
ICMPV6-CHECK-LOG  ipv6-icmp    anywhere             anywhere             HL match HL != 255 ipv6-icmp neighbour-solicitation
ICMPV6-CHECK-LOG  ipv6-icmp    anywhere             anywhere             HL match HL != 255 ipv6-icmp neighbour-advertisement

Chain ICMPV6-CHECK-LOG (4 references)
target     prot opt source               destination         
LOG        all      anywhere             anywhere             LOG level warning prefix "ICMPV6-CHECK-LOG DROP "
DROP       all      anywhere             anywhere            

Yep, the firewall is blocking HTTP access over IPv6: the INPUT chain default policy is set to DROP and there is no rule allowing HTTP access; it should look like:

ACCEPT     tcp      anywhere             anywhere             state NEW tcp dpt:http

I’m not familiar with using Ubuntu 16.04 on a server, but if I remember correctly, Ubuntu uses something called ufw (Uncomplicated Firewall?) to handle iptables/ip6tables rules. Maybe this article would help: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04.

Make sure to unblock both HTTP and HTTPS: as you are advertising an IPv6 address in DNS, your IPv6-capable users may have trouble connecting to your website if you don’t do so.
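The diagnosis in the reply above can be turned into a repeatable check. The script below is an added example, not something posted in this thread: it parses `ip6tables -L` output, reads the INPUT chain's default policy, and reports whether new inbound TCP to a named service (http, https, ssh) would be accepted. The sample ruleset is constructed here from a trimmed copy of the INPUT chain shown above, so the script runs offline; against a live host you would feed it `sudo ip6tables -L` instead. One caveat it encodes: the unqualified `ACCEPT all anywhere anywhere` rule at the top of the posted chain is not treated as allowing HTTP, because `ip6tables -L` without `-v` hides interface matches, and a rule like that is typically the loopback (`-i lo`) accept rather than a blanket allow on the public interface. The remediation and `curl -4`/`curl -6` probes in the trailing comments are the commands a practitioner would run next, not output from the original poster.

```shell
#!/bin/sh
# Added example: offline check of "ip6tables -L" output for an INPUT chain that
# drops IPv6 HTTP. SAMPLE_RULES is constructed from the chain posted in the thread
# (trimmed); it is not live firewall state.
SAMPLE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     tcp      anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp      anywhere             fcaa::1              udp dpt:domain

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all      anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Print only the rule lines of one chain ($2) from ip6tables -L text ($1),
# skipping the "Chain ..." header, the column header and blank lines.
chain_rules() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" { inchain = ($2 == chain); next }
        inchain && $1 != "target" && NF > 0 { print }
    '
}

# Print the default policy of chain $2 (DROP or ACCEPT) from "Chain X (policy Y)".
chain_policy() {
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "Chain" && $2 == chain { gsub(/[()]/, "", $4); print $4 }
    '
}

# Return 0 when the INPUT chain has an ACCEPT rule for TCP to service $2, as
# ip6tables prints it ("tcp dpt:http"). The port match is anchored so that
# "dpt:http" does not also satisfy a lookup for "https".
# Rules without a protocol ("ACCEPT all") are ignored on purpose: without -v the
# interface match is not displayed, so an "ACCEPT all anywhere anywhere" line is
# usually the loopback rule and cannot be trusted to cover the public interface.
input_accepts_tcp_service() {
    chain_rules "$1" INPUT | grep -E '^ACCEPT +tcp ' | grep -qE "tcp dpt:$2( |\$)"
}

# Verdict for one service: "allowed" or "blocked". With a DROP policy, anything
# lacking an explicit ACCEPT is dropped, which is exactly what made the http-01
# validation over IPv6 time out in this thread.
ipv6_verdict() {
    rules="$1"; svc="$2"
    if input_accepts_tcp_service "$rules" "$svc"; then
        echo allowed
    elif [ "$(chain_policy "$rules" INPUT)" = "ACCEPT" ]; then
        echo allowed
    else
        echo blocked
    fi
}

for svc in ssh http https; do
    echo "IPv6 inbound $svc: $(ipv6_verdict "$SAMPLE_RULES" "$svc")"
done

# Live host:  ipv6_verdict "$(sudo ip6tables -L)" http
# Remediation once confirmed (pick the tool that owns the ruleset):
#   sudo ufw allow 80/tcp && sudo ufw allow 443/tcp     # ufw emits IPv6 rules when IPV6=yes in /etc/default/ufw
#   sudo ip6tables -I INPUT -p tcp -m conntrack --ctstate NEW -m multiport --dports 80,443 -j ACCEPT
# Then probe the challenge path over each address family from outside the host:
#   curl -4 -sI http://kevindkeogh.com/.well-known/acme-challenge/sample.txt
#   curl -6 -sI http://kevindkeogh.com/.well-known/acme-challenge/sample.txt
```

Run it as-is to see `ssh: allowed`, `http: blocked`, `https: blocked` for the constructed sample; if the IPv6 probe still times out after the ACCEPT rule is in place, the remaining suspects are the provider firewall (ruled out by the poster here) and whether nginx is actually bound to `[::]:80` (`ss -ltnp | grep ':80'`).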

This was the problem. Ended up just resetting all my iptables and ip6tables. Thank you!

