Certbot authorization procedure fails

nimrod-cohen · December 15, 2017, 1:12pm

Dears,

my domain is registered and DNS managed with namecheap.

My domain is:

I ran this command:
certbot renew

It produced this output:
Attempting to renew cert from /etc/letsencrypt/renewal/longrunplan.com.conf produced an unexpected error: Failed authorization procedure. longrunplan.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://longrunplan.com/.well-known/acme-challenge/3peW_6yKRmWEh9sHgIlQe3s7jikxqxFgTplnaonJ1E0: Timeout. Skipping.

My web server is (include version):
I’m running on a linode CentOS 7 and nginx

I have root access, and testing the .well-known folder proves that its accessible via a browser.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no.

many thanks!

jmorahan · December 15, 2017, 1:19pm

You have an AAAA DNS record but your server doesn’t seem to respond on ipv6. You should fix your server to work on ipv6 or remove the AAAA record.

nimrod-cohen · December 15, 2017, 1:44pm

Wow thanks, I would’ve never thought about it… good catch!

how does a server should respond to IPv6?

nimrod-cohen · December 15, 2017, 1:52pm

This solved 2 domains I had this issue with, I removed their AAAA DNS records, and the renewal worked.

I’m left with a single domain (countcrm.com) on that same server, that has a reverse proxy defined in linode, and properly defined in godaddy (this is the DNS in this case), and it still gives the same error.

any idea?

bytecamp · December 15, 2017, 2:03pm

This domain has an AAAA record set which isn’t even reachable via ping. Port 80 isn’t reachable, too.

jmorahan · December 15, 2017, 7:25pm

Right - again you have an AAAA record, but the server (or proxy I guess?) doesn’t respond on IPv6. Check that it’s pointed at the correct address for the proxy, that the proxy is listening on IPv6, that there are no firewalls blocking access, etc.

If you can’t get the proxy to work with IPv6 then you need to remove the AAAA record, just like the other domains. I guess the procedure to do that is different on godaddy, but what needs to be done is the same.

nimrod-cohen · December 15, 2017, 8:45pm

Thanks both,
I removed AAAA completely, this was not playing well with Linode’s proxy for some reason.

much obliged, problem solved!

system · January 14, 2018, 8:45pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Cert renew fails Help	3	1433	August 2, 2017
Failed authorization procedure - timeout Help	3	1845	January 4, 2018
Cannot Renew Domain Help	3	722	July 8, 2018
Certbot renew errors with "unexpected error: Failed authorization procedure Help	5	1352	August 20, 2020
Certbot renewal was working, but broke at some point Help	3	764	April 30, 2018

Certbot authorization procedure fails

Related topics