Certbot - HTTP Challenge Not Passing Due to IPV6


I was not able to renew all of my certificates using http-01 validation. LE states that it "Could not connect to test1.cms4life.com", but that's wrong. The webspace is definitely reachable via HTTP on port 80, DNS RRs and firewall settings are OK, but there are no entries in my web server logs.

Now I made a tcpdump:
LE is connecting from outbound1.letsencrypt.org; the TCP connection is successfully created, but without payload, i.e. LE sends no HTTP request header. Therefore nginx is not serving this connection. Instead, LE immediately closes the connection.

14:42:13.177222 IP outbound1.letsencrypt.org.53160 > cms4life-ip-5.http: Flags [S]
14:42:13.177253 IP cms4life-ip-5.http > outbound1.letsencrypt.org.53160: Flags [S.]
14:42:13.331537 IP outbound1.letsencrypt.org.53160 > cms4life-ip-5.http: Flags [.]
14:42:13.332151 IP outbound1.letsencrypt.org.53160 > cms4life-ip-5.http: Flags [F.]
14:42:13.332170 IP cms4life-ip-5.http > outbound1.letsencrypt.org.53160: Flags [F.]
14:42:13.490980 IP outbound1.letsencrypt.org.53160 > cms4life-ip-5.http: Flags [.]

Everything was already working perfectly before, so I have no idea what to do on my side and what is causing the trouble right now. Does anybody have an idea?

Of interest may be, that some of my domains are still working, and some are not. Their configuration is likely the same.

  • McJoey

My domain is:

I ran this command:
letsencrypt certonly --staging --authenticator webroot -w /srv/www/server/html -d test1.cms4life.com

It produced this output:
Failed authorization procedure. test1.cms4life.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to test1.cms4life.com

My web server is (include version): nginx version: nginx/1.10.1
The operating system my web server runs on is (include version): Linux / Debian Jessie
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Webspace is reachable: http://test1.cms4life.com/.well-known/acme-challenge/test

Let’s Encrypt would have been connecting over IPv6; is it possible that your server didn’t respond properly to IPv6 requests at first but that you’ve subsequently fixed it? (It looks like it does respond to IPv6 HTTP requests right now.)


Hi, thanks for your response. You're right, we had some IPv6 addresses that were not responding. I wasn't aware that LE checks IPv6 connections as well, and I was too concentrated on the empty/incomplete IPv4 HTTP requests (apparently the IPv4 requests were aborted early because the corresponding IPv6 request failed).
Next time I'll check both IPv4 and IPv6 connectivity first.

  • McJoey
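The lesson of the thread is that an http-01 pre-flight has to exercise every address the name publishes, not just the one your own client happens to pick. The script below is an added example, not code from the thread, from Certbot or from Let's Encrypt: it resolves all A and AAAA records for the name, fetches the challenge path from each address in turn with the real Host header, and reports failure if any single address does not answer. The hostname and token default to the ones quoted in the thread (test1.cms4life.com, /.well-known/acme-challenge/test); the assumption, matching what the thread describes, is that the CA's validator connects to each published address and fails the whole authorization if one of them does not respond.

```python
"""Pre-flight for ACME http-01: fetch the challenge path over every
published A and AAAA address, the way a CA validator would.

Added example for this thread, not Certbot or Let's Encrypt code.
Assumption (as the thread describes): the validator tries each
published address and fails validation if any of them does not answer,
so an unresponsive AAAA record breaks renewal even when IPv4 works.
"""
import socket
import http.client

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def resolve_all(host):
    """Return [(family_name, ip)] for every A and AAAA record of host."""
    seen, out = set(), []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
            host, 80, proto=socket.IPPROTO_TCP):
        ip = sockaddr[0]
        if ip in seen:
            continue
        seen.add(ip)
        out.append(("IPv6" if family == socket.AF_INET6 else "IPv4", ip))
    return out


def fetch_challenge(ip, host, token, timeout=10.0):
    """GET the challenge URL from one specific address, sending the
    hostname in the Host header so name-based vhosts (nginx) match.
    Returns (status, body); raises OSError on connect/timeout failure."""
    literal = f"[{ip}]" if ":" in ip else ip   # bracketed IPv6 literal
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(host, token, expected_body=None):
    """Probe every address; return [(family, ip, status_or_error, ok)]."""
    results = []
    for family, ip in resolve_all(host):
        try:
            status, body = fetch_challenge(ip, host, token)
            ok = status == 200 and (
                expected_body is None or body.strip() == expected_body)
            results.append((family, ip, status, ok))
        except OSError as exc:
            results.append((family, ip, f"{type(exc).__name__}: {exc}", False))
    return results


def verdict(results):
    """A validator needs every published address to answer:
    return (all_ok, [description of each failing address])."""
    problems = [f"{fam} {ip}: {status}"
                for fam, ip, status, ok in results if not ok]
    return (len(results) > 0 and not problems), problems


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "test1.cms4life.com"
    token = sys.argv[2] if len(sys.argv) > 2 else "test"
    res = probe(host, token)
    for fam, ip, status, ok in res:
        print(f"{'OK ' if ok else 'BAD'} {fam:4} {ip:40} {status}")
    all_ok, problems = verdict(res)
    sys.exit(0 if all_ok else 1)
```

Run it as `python3 probe_http01.py example.com <token>` after placing the token file in the webroot; a non-zero exit means at least one published address (typically a stale or unreachable AAAA) would make the CA's check fail. Because the Host header is set explicitly, the request reaches the same nginx server block the validator would hit, rather than the default vhost.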
