Please fill out the fields below so we can help you better.
My domain is: kevindkeogh.com
I ran this command: sudo certbot certonly --webroot --agree-tos --email kevin.d.keogh@gmail.com -w /var/www/letsencrypt/ -d www.kevindkeogh.com -d kevindkeogh.com
It produced this output:
FailedChallenges: Failed authorization procedure. kevindkeogh.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://kevindkeogh.com/.well-known/acme-challenge/gLZGgPq7ncEVtYPqetUnEwKwgpLNcFCV70lF7QU243g: Timeout, www.kevindkeogh.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.kevindkeogh.com/.well-known/acme-challenge/LhGqT5c-EIRc1HGGNJB5b_Ygps8zJY4-UmGqbJ0uaxw: Timeout
My web server is (include version): nginx/1.12.1
The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
I can also get to the .well-known directory from a browser, see http://kevindkeogh.com/.well-known/acme-challenge/sample.txt
Not sure what else to do. Thanks for the help!
mkwm
September 2, 2017, 10:59pm
2
I see you have an AAAA record (IPv6 address) published in DNS, and it fails to respond over HTTP. The Let's Encrypt validation server prefers IPv6 when both IPv4 and IPv6 addresses are advertised.
Maybe you have some firewall enabled which prevents access to nginx (TCP 80) over IPv6?
Possibly nginx isn't responding to IPv6? This is the config:
server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    server_name kevindkeogh.com www.kevindkeogh.com;
    include /etc/nginx/snippets/letsencrypt.conf;
    root /var/www/kevindkeogh.com/html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
mkwm
September 2, 2017, 11:08pm
4
I don't think so, as you have the correct line in the config file:
::
means "all IPv6 addresses of this machine".
Could you try to list the ip6tables rules (ip6tables -L)?
Or, are you using DigitalOcean Cloud Firewall ?
I am not using DO Cloud Firewall.
$ sudo ip6tables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT esp anywhere anywhere
ACCEPT all anywhere anywhere ah
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp echo-request limit: up to 5/sec burst 5 mode srcip srcmask 32
ACCEPT udp anywhere anywhere multiport dports isakmp,ipsec-nat-t
ACCEPT tcp anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp router-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-solicitation HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp neighbour-advertisement HL match HL == 255
ACCEPT ipv6-icmp anywhere anywhere ipv6-icmp redirect HL match HL == 255
ACCEPT udp anywhere fe80::/64 state NEW udp dpt:dhcpv6-client
ACCEPT udp anywhere fcaa::1 udp dpt:domain
Chain FORWARD (policy DROP)
target prot opt source destination
DROP all fd9d:bc11:4020::/48 fd9d:bc11:4020::/48
ICMPV6-CHECK all anywhere anywhere
DROP tcp anywhere anywhere tcp dpt:microsoft-ds
DROP udp anywhere anywhere multiport ports netbios-ns,netbios-dgm
DROP tcp anywhere anywhere multiport ports netbios-ns,netbios-ssn
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all fd9d:bc11:4020::/48 anywhere ctstate NEW policy match dir in pol ipsec
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain ICMPV6-CHECK (1 references)
target prot opt source destination
ICMPV6-CHECK-LOG ipv6-icmp anywhere anywhere HL match HL != 255 ipv6-icmp router-solicitation
ICMPV6-CHECK-LOG ipv6-icmp anywhere anywhere HL match HL != 255 ipv6-icmp router-advertisement
ICMPV6-CHECK-LOG ipv6-icmp anywhere anywhere HL match HL != 255 ipv6-icmp neighbour-solicitation
ICMPV6-CHECK-LOG ipv6-icmp anywhere anywhere HL match HL != 255 ipv6-icmp neighbour-advertisement
Chain ICMPV6-CHECK-LOG (4 references)
target prot opt source destination
LOG all anywhere anywhere LOG level warning prefix "ICMPV6-CHECK-LOG DROP "
DROP all anywhere anywhere
mkwm
September 2, 2017, 11:21pm
6
Yep, the firewall is blocking HTTP access over IPv6: the INPUT chain default policy is set to DROP and there is no rule allowing HTTP access. It should look like:
ACCEPT tcp anywhere anywhere state NEW tcp dpt:http
I'm not familiar with using Ubuntu 16.04 on a server, but if I remember correctly, Ubuntu uses something called ufw (uncomplicated firewall?) to handle iptables/ip6tables rules. Maybe this article would help: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-with-ufw-on-ubuntu-16-04 .
Make sure to unblock both HTTP and HTTPS: as you are advertising an IPv6 address in DNS, your IPv6-capable users may have trouble connecting to your website if you don't.
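The check mkwm describes in this reply (INPUT policy DROP with no ACCEPT rule for tcp dpt:http or dpt:https) and the IPv6-first validation behaviour noted in the first reply, as an added example that is not part of the thread and not from any participant. It is a small POSIX shell triage script: `input_allows` reads an `ip6tables -L` (or `iptables -L`, or `-L -n`) listing on stdin and reports whether the INPUT chain will accept a new TCP connection to http or https. The three listings embedded in it are constructed samples modelled on the one posted above, trimmed to the relevant lines; the function name and the "open"/"blocked" vocabulary are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): detect the condition diagnosed above,
# an ip6tables/iptables INPUT chain whose policy is DROP with no ACCEPT rule for
# new TCP connections to http (80) or https (443). Works on the text printed by
# `ip6tables -L` or `ip6tables -L -n`. The listings below are constructed samples
# modelled on the one posted in this thread, trimmed to the relevant lines.

# Sample 1: the posted state, policy DROP and only ssh accepted (constructed).
BLOCKED_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp anywhere anywhere tcp dpt:ssh ctstate NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

# Sample 2: the same chain after adding the rules asked for above (constructed).
FIXED_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT tcp anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp anywhere anywhere state NEW tcp dpt:https
Chain FORWARD (policy DROP)
target prot opt source destination'

# Sample 3: `-n` style output with numeric ports and a multiport rule (constructed).
NUMERIC_LISTING='Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp ::/0 ::/0 multiport dports 80,443 ctstate NEW
Chain FORWARD (policy DROP)
target prot opt source destination'

# input_allows SERVICE   (SERVICE is http or https; listing on stdin)
# Prints "open" when the INPUT chain will accept a new TCP connection to the
# service, "blocked" when the policy is DROP/REJECT and no rule matches.
# Caveat: plain `-L` omits interface matches, so a bare "ACCEPT all" line may be
# a loopback-only rule; run `ip6tables -L -v -n` when in doubt and treat this
# as a triage aid, not proof.
input_allows() {
  case "$1" in
    http)  num=80 ;;
    https) num=443 ;;
    *) echo "usage: input_allows http|https" >&2; return 2 ;;
  esac
  awk -v name="$1" -v num="$num" '
    # True when a dpt:/dports value (possibly comma separated) names the service.
    function names_service(list,   n, parts, i) {
      n = split(list, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] == name || parts[i] == num) return 1
      return 0
    }
    /^Chain / {
      in_input = ($2 == "INPUT")
      if (in_input) { policy = $4; sub(/\)$/, "", policy) }
      next
    }
    !in_input { next }
    {
      # Only ACCEPT rules for tcp can open the port; the target column moves
      # between -L and -L -v output, so scan the fields instead of fixing a column.
      accepts_tcp = 0
      for (i = 1; i < NF; i++) if ($i == "ACCEPT" && $(i + 1) == "tcp") accepts_tcp = 1
      if (!accepts_tcp) next
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/ && names_service(substr($i, 5))) found = 1
        if ($i == "dports" && i < NF && names_service($(i + 1))) found = 1
      }
    }
    END {
      if (found) print "open"
      else if (policy == "DROP" || policy == "REJECT") print "blocked"
      else print "open"   # policy ACCEPT: nothing in the chain stops the connection
    }'
}

# Stand-alone run: report the posted and the fixed listing for both services.
for svc in http https; do
  printf 'posted listing, %s: %s\n' "$svc" "$(printf '%s\n' "$BLOCKED_LISTING" | input_allows "$svc")"
  printf 'fixed listing,  %s: %s\n' "$svc" "$(printf '%s\n' "$FIXED_LISTING"   | input_allows "$svc")"
done
```

On the live host, pipe the real output in with `sudo ip6tables -L | input_allows http` and repeat for https and for `iptables -L`, since the validator only falls back to IPv4 if no AAAA record is published. With ufw the corresponding fix is `sudo ufw allow 80/tcp` and `sudo ufw allow 443/tcp` (ufw writes both the iptables and the ip6tables rules when IPV6=yes in /etc/default/ufw), after which `curl -6 -sS http://kevindkeogh.com/.well-known/acme-challenge/sample.txt` and the same with `-4` from an outside host should both return the file before certbot is re-run.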
This was the problem. Ended up just resetting all my iptables and ip6tables. Thank you!
system
Closed
October 3, 2017, 1:52am
8
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.