Certbot - IPV6 Address on Domain Misconfigured and Challenges Fail (Prefer IPV6)

I’ve renewed certificates on many domains and all is OK except unanalytics.com. All the other domains are located on the same machine and I can issue certs for them, and I can get all the responses needed for verification, for example http://unanalytics.com/.well-known/acme-challenge/w7sCXmaGEF5OQygQImuTV6vO3Ry8tRSfwlXiajzo97c , but Let’s Encrypt can’t get them for some reason.

Can you please help me? I think that maybe it is a DNS problem and your servers can’t reach this particular domain?

My domain is: unanalytics.com

I ran this command: /root/.acme.sh/acme.sh --debug --issue -d unanalytics.com -w /etc/nginx/ssl/acme

It produced this output:
Lets find script dir. _SCRIPT_='/root/.acme.sh/acme.sh' _script='/root/.acme.sh/acme.sh' _script_home='/root/.acme.sh' Using default home:/root/.acme.sh Using config home:/root/.acme.sh Using api: Using config home:/root/.acme.sh DOMAIN_PATH='/root/.acme.sh/unanalytics.com' Le_NextRenewTime _on_before_issue Le_LocalAddress Check for domain='unanalytics.com' _currentRoot='/etc/nginx/ssl/acme' _saved_account_key_hash is not changed, skip register account. Read key length: _createcsr Single domain='unanalytics.com' Getting domain auth token for each domain Getting webroot for domain='unanalytics.com' _w='/etc/nginx/ssl/acme' _currentRoot='/etc/nginx/ssl/acme' Getting new-authz for domain='unanalytics.com' Try new-authz for the 0 time. url='https://acme-v01.api.letsencrypt.org/acme/new-authz' payload='{"resource": "new-authz", "identifier": {"type": "dns", "value": "unanalytics.com"}}' RSA key GET url='https://acme-v01.api.letsencrypt.org/directory' timeout _WGET='wget -q --content-on-error ' ret='0' POST url='https://acme-v01.api.letsencrypt.org/acme/new-authz' _WGET='wget -q --content-on-error ' No -i support in sed _ret='0' code='201' The new-authz request is ok. 
entry='"type":"http-01","status":"pending","uri":"https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177","token":"ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0"' token='ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0' uri='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' keyauthorization='ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA' dvlist='unanalytics.com#ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA#https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177#http-01#/etc/nginx/ssl/acme' [Mon May 22 08:01:22 UTC 2017] vlist='unanalytics.com#ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA#https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177#http-01#/etc/nginx/ssl/acme,' ok, let's start to verify Verifying:unanalytics.com d='unanalytics.com' keyauthorization='ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA' uri='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' _currentRoot='/etc/nginx/ssl/acme' wellknown_path='/etc/nginx/ssl/acme/.well-known/acme-challenge' writing token:ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0 to /etc/nginx/ssl/acme/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0 Changing owner/group of .well-known to root:root url='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' payload='{"resource": "challenge", "keyAuthorization": "ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA"}' POST url='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' _WGET='wget -q 
--content-on-error ' No -i support in sed _ret='0' code='202' sleep 2 secs to verify checking GET url='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' timeout _WGET='wget -q --content-on-error ' ret='0' unanalytics.com:Verify error:Invalid response from http://unanalytics.com/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0: Debug: get token url. GET url='http://unanalytics.com/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0' timeout='1' _WGET='wget -q --content-on-error --timeout=1' 172.18.0.1 - - [22/May/2017:08:01:24 +0000] "GET /.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0 HTTP/1.1" 200 87 "-" "acme.sh/2.6.9 (https://github.com/Neilpang/acme.sh)" ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA[Mon May 22 08:01:24 UTC 2017] ret='0' Debugging, skip removing: /etc/nginx/ssl/acme/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0 pid No need to restore nginx, skip. _clearupdns Dns not added, skip. _on_issue_err Please add '--debug' or '--log' to check more details. See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh url='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' payload='{"resource": "challenge", "keyAuthorization": "ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA"}' POST url='https://acme-v01.api.letsencrypt.org/acme/challenge/LyIBqfXviB_qRJlMFvD6AIv77G7Sce2BtrBiRWHI03Q/1209793177' _WGET='wget -q --content-on-error ' wget returns 8, the server returns a 'Bad request' response, lets process the response later. No -i support in sed _ret='0' code='400'

My operating system is (include version): Alpine linux

My web server is (include version): nginx

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Does someone know the reason? Can you please check whether this domain is reachable from your servers? Thanks in advance!

Hi @talionarwork,

Your problem is exactly this: Certbot - IPV6 Not Configured and Challenges Fail (IPV6 Preferred). As @mnordhoff explains, if you have 2 IPs, one for IPv4 and the other for IPv6, Let’s Encrypt will prefer the IPv6 one, and your site is not answering correctly over IPv6.

Testing ipv4 connection (OK):

curl -i4 'http://unanalytics.com/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0'
HTTP/1.1 200 OK
Server: nginx/1.11.8
Date: Mon, 22 May 2017 11:07:24 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 87
Last-Modified: Mon, 22 May 2017 08:01:22 GMT
Connection: keep-alive
Vary: Accept-Encoding
ETag: "59229ad2-57"
Accept-Ranges: bytes

ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0.HhzheAQ6RwYUzbBNLNfso6rYoaV5GokXPgxTEzE75PA

Testing ipv6 connection (FAIL):

curl -i6 'http://unanalytics.com/.well-known/acme-challenge/ZACZeLOKjIEC0Mr8hHHQwGrxlLdud5wHkCIu7N19YZ0'
HTTP/1.1 404 Not Found
Server: nginx/1.11.8
Date: Mon, 22 May 2017 11:07:18 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Vary: Accept-Encoding

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.11.8</center>
</body>
</html>

Good luck,
sahsanu

1 Like

Thanks, man! But why am I able to issue certs for a bunch of other domains on the same server? I have 5 domains on this server and all the certs are OK, except for this particular domain.

@talionarwork, do the other domains have A and AAAA records?

Wow, thanks, man! Somehow on this particular domain we had an AAAA record assigned. Thanks a lot!)

2 Likes

Your nginx server for this domain only listens on ipv4:80; it should also listen on ipv6:80.
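A check for the two-stack mismatch sahsanu demonstrated above and that the last reply's missing IPv6 listener explains, as an added example that is not part of the thread: it fetches the challenge URL once over IPv4 and once over IPv6 and says which path the validator will hit. The domain and token come from the posts; the script name and the "noaddr"/"unreach" labels are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: probe an HTTP-01 challenge URL
# over IPv4 and IPv6 separately, which is what matters when a domain has
# both A and AAAA records and the validator prefers IPv6.
# Usage: ./probe_acme.sh unanalytics.com <token-from-acme.sh-output>

# Fetch the URL forced onto one address family (4 or 6). Prints the HTTP
# status, "noaddr" when no record of that family exists (curl exit 6,
# could not resolve), or "unreach" for any other connection failure.
probe_family() {
  family=$1; url=$2
  code=$(curl -s "-$family" -o /dev/null -w '%{http_code}' --max-time 10 "$url")
  rc=$?
  case $rc in
    0) echo "$code" ;;
    6) echo "noaddr" ;;
    *) echo "unreach" ;;
  esac
}

# Pure decision logic (no network) comparing the two probes, so the
# interpretation can be checked without a live domain.
diagnose() {
  v4=$1
  v6=$2
  if [ "$v6" = "noaddr" ]; then
    echo "no AAAA record: validator uses IPv4 (status $v4)"
  elif [ "$v6" = "200" ]; then
    echo "IPv6 answers 200: the validator's preferred path is serving the token"
  elif [ "$v4" = "200" ]; then
    echo "AAAA present but IPv6 answers $v6 while IPv4 answers 200: fix the IPv6 listener or remove the AAAA record"
  else
    echo "challenge unreachable on both stacks (v4=$v4 v6=$v6)"
  fi
}

main() {
  domain=$1; token=$2
  url="http://$domain/.well-known/acme-challenge/$token"
  v4=$(probe_family 4 "$url")
  v6=$(probe_family 6 "$url")
  echo "IPv4: $v4"
  echo "IPv6: $v6"
  diagnose "$v4" "$v6"
}
if [ $# -eq 2 ]; then
  main "$@"
fi
```

A 200 over IPv4 beside an nginx 404 over IPv6, as in sahsanu's curl output, means the IPv6 requests do reach nginx but land in a server block that does not serve the webroot, which is what the missing [::]:80 listener for this domain causes.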
