Cert renewal times out for only one cert

My domain is: sentinel.darkvirtue.com

I ran this command: /usr/bin/certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/push.darkvirtue.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for push.darkvirtue.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sentinel.darkvirtue.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for sentinel.darkvirtue.com

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: sentinel.darkvirtue.com
  Type:   connection
  Detail: 158.69.63.230: Fetching https://sentinel.darkvirtue.com/.well-known/acme-challenge/tDcrlnL3dX6x40I7afJV4lJObP1vxQtfk6cZw0np-x0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 10443. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate sentinel.darkvirtue.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following simulated renewals succeeded:
  /etc/letsencrypt/live/push.darkvirtue.com/fullchain.pem (success)

The following simulated renewals failed:
  /etc/letsencrypt/live/sentinel.darkvirtue.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Certbot standalone

The operating system my web server runs on is (include version): Debian 12.0

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

When attempting to renew the cert for my "sentinel" subdomain, I get an error that the connection timed out. However, this doesn't occur with the "push" subdomain, even when using --dry-run to simulate renewal regardless of validity time remaining.

  • The firewall (firewalld) allows ports 80 and 443.
  • The reverse proxy (haproxy) directs traffic for the /.well-known/acme-challenge path on 80 and 443 to certbot on internal port 10443
  • certbot is configured with this cli.ini:
email = admin@darkvirtue.com
authenticator = standalone
http-01-port = 10443
rsa-key-size = 4096
non-interactive = True
text = True
keep-until-expiring = True
expand = True
agree-tos = True
max-log-backups = 10

I get the same error when allowing port 10443 at the firewall and even when disabling the firewall altogether. Both subdomains point to the same IP address and the rules of the reverse proxy don't differentiate between the subdomains with regard to /.well-known/acme-challenge requests.

I've been using this configuration for a while on this and other servers for some time now, but the sentinel subdomain is the only one having this issue. I'm not sure what may have changed.

No. sentinel also has an IPv6 address (AAAA record). The error message shows the IPv4 address, but sometimes that isn't the whole story. Let's Encrypt servers favor the IPv6 address when present. Sometimes problems with that still show the IPv4 address in the message. I'm not sure why exactly.

Right now I get a 301 Moved response from the IPv4 for sentinel yet timeout with IPv6. I actually would expect a timeout since you are using the standalone and there wouldn't be anything listening right now.

nslookup push.darkvirtue.com
Address: 158.69.63.230

nslookup sentinel.darkvirtue.com
Address: 158.69.63.230
Address: 2607:5300:201:3100::4ef

The IPv4 response almost looks like a URL redirect service or some proxy server given so few response headers.

curl -I4 sentinel.darkvirtue.com
HTTP/1.1 301 Moved Permanently
content-length: 0
location: https://sentinel.darkvirtue.com/

curl -I6 sentinel.darkvirtue.com
curl: (28) Failed to connect to sentinel.darkvirtue.com port 80 after 130673 ms: Connection timed out
6 Likes
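The manual nslookup / curl -I4 / curl -I6 comparison above can be scripted so the same check runs before a renewal is attempted. The following Python script is an added example and is not part of this thread or of Certbot: it resolves A and AAAA records for a hostname, connects to each address over its own family, requests a challenge-style path, and classifies the outcome the way the reply above does (IPv4 answers, IPv6 times out). The token path, the timeout value and the sample results in the usage section are constructed for illustration.

```python
"""Dual-stack HTTP-01 reachability probe (added example, not from the thread)."""
import socket

# Hypothetical challenge path; any path under the ACME prefix exercises the same routing.
ACME_PATH = "/.well-known/acme-challenge/probe-token"
TIMEOUT = 10  # seconds per connection attempt (assumed value)


def resolve(host):
    """Return {"A": [ipv4...], "AAAA": [ipv6...]} for the host's published records."""
    out = {"A": [], "AAAA": []}
    try:
        infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return out
    for fam, _type, _proto, _canon, sockaddr in infos:
        key = "A" if fam == socket.AF_INET else "AAAA" if fam == socket.AF_INET6 else None
        if key and sockaddr[0] not in out[key]:
            out[key].append(sockaddr[0])
    return out


def parse_status_line(raw):
    """Extract the numeric status from the first line of an HTTP response, or 'bad-response'."""
    first = raw.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = first.split()
    if first.startswith("HTTP/") and len(parts) >= 2 and parts[1].isdigit():
        return parts[1]
    return "bad-response"


def probe(host, addr, family, port=80, path=ACME_PATH):
    """Connect to one literal address and request `path` with the real Host header.

    Returns an HTTP status string (any status proves a listener answered on that
    family, which is what the curl -I4 / -I6 contrast shows), or one of
    'timeout', 'refused', 'bad-response'.
    """
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(TIMEOUT)
    try:
        sock.connect((addr, port))
        request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        sock.sendall(request.encode())
        return parse_status_line(sock.recv(4096))
    except socket.timeout:
        return "timeout"
    except OSError:
        return "refused"
    finally:
        sock.close()


def check_host(host, port=80):
    """Probe every published address; returns {"A": [(addr, outcome)], "AAAA": [...]}."""
    records = resolve(host)
    return {
        "A": [(a, probe(host, a, socket.AF_INET, port)) for a in records["A"]],
        "AAAA": [(a, probe(host, a, socket.AF_INET6, port)) for a in records["AAAA"]],
    }


def diagnose(results):
    """Classify probe results. The thread's case (IPv4 answers, AAAA published but
    IPv6 times out) is 'ipv6-broken': the validator prefers the AAAA address when one
    exists, so an IPv4-only listener is not enough while that record is published."""
    v4, v6 = results.get("A", []), results.get("AAAA", [])
    v4_ok = any(outcome.isdigit() for _addr, outcome in v4)
    v6_ok = any(outcome.isdigit() for _addr, outcome in v6)
    if not v4 and not v6:
        return "no-records"
    if v6 and not v6_ok:
        return "ipv6-broken" if v4_ok else "unreachable"
    if v4 and not v4_ok:
        return "ipv4-broken"
    return "ok"


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "sentinel.darkvirtue.com"
    outcome = check_host(target)
    for family, entries in outcome.items():
        for addr, result in entries:
            print(f"{family:5} {addr:40} {result}")
    print("verdict:", diagnose(outcome))
```

Run it as `python3 probe.py sentinel.darkvirtue.com` from a host outside your own network; a verdict of `ipv6-broken` means either the IPv6 listener, the IPv6 firewall path or the AAAA record itself needs attention, and the same script run after a fix should report `ok`. The results above from this thread would diagnose as `ipv6-broken`.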

Yeah, that's normal for redirects configured in HAProxy, my reverse proxy.

Ohhh! Thanks for the insight here, I had forgotten I set that up. My reverse-proxy is listening on 80 and 443 on the IPv4 and IPv6 addresses, so I thought this case was covered. Maybe there's a problem with my IPv6 config. I'll disable my AAAA record and see how that goes.

2 Likes

Yep, that was the issue. After I disabled the AAAA record and DNS updated, my cert was renewed without issue. I'll have to figure out what went wrong with my IPv6 setup, but at least certbot is working as expected. Thanks again!

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.