My web server is (include version):
apache 2
The operating system my web server runs on is (include version):
Debian 10
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0
This has been working for the past months. So why are my domains not able to renew now? Can this be solved? Or do I have to remove all and create the certs again (what files to -rm then?)
That could be right, since it's looking at "http" instead of "https". Since my config is rewriting http to https... So how do I get certbot to look at https instead of http? (I can temp gray out the rewriting but that seems not the right way).
The http challenge always starts with http. The Let's Encrypt server will follow redirects but starts there.
But, I think your problem relates to IPv6. Your DNS has both IPv4 and IPv6 and the Let's Encrypt server will prefer IPv6. But, I can only reach your site on IPv4.
Check your Apache conf to ensure it listens on IPv6 for each domain name. If you do not see anything, run sudo apachectl -S and post results here. Please use the preformatted text option in the menu (or Ctrl-E).
```
*:443 is a NameVirtualHost
default server shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com-ssl.conf:1)
port 443 namevhost shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com-ssl.conf:1)
alias shufflemix.com
alias www.shufflemix.com
alias https://shufflemix.com
port 443 namevhost shufflemix.de (/etc/apache2/sites-enabled/shufflemix.de-ssl.conf:1)
alias shufflemix.de
alias www.shufflemix.de
port 443 namevhost shufflemix.nl (/etc/apache2/sites-enabled/shufflemix.nl-ssl.conf:1)
alias shufflemix.nl
alias www.shufflemix.nl
*:80 is a NameVirtualHost
port 80 namevhost shufflemix.com (/etc/apache2/sites-enabled/shufflemix.com.conf:1)
alias shufflemix.com
alias www.shufflemix.com
alias http://www.shufflemix.com
alias http://shufflemix.com
port 80 namevhost shufflemix.de (/etc/apache2/sites-enabled/shufflemix.de.conf:1)
alias shufflemix.de
alias www.shufflemix.de
alias http://www.shufflemix.de
alias http://shufflemix.de
port 80 namevhost shufflemix.nl (/etc/apache2/sites-enabled/shufflemix.nl.conf:1)
alias shufflemix.nl
alias www.shufflemix.nl
alias http://www.shufflemix.nl
alias http://shufflemix.nl
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
```
Hmm. That looks ok to me. Where are your servers hosted? Do they need IPv6 config at all? Like with AWS I need to set up my Security Group too.
Here is what I see and why I say IPv6 is the likely culprit:
```
curl -I4 www.shufflemix.com (testing IPv4)
HTTP/1.1 301 Moved Permanently
Date: Sun, 07 Nov 2021 19:04:03 GMT
Server: Apache/2.4.38 (Debian)
Location: https://www.shufflemix.com/
Content-Type: text/html; charset=iso-8859-1

curl -I6 www.shufflemix.com (testing IPv6)
curl: (7) Failed to connect to www.shufflemix.com port 80: No route to host

curl -i6 ifconfig.co (test I can reach other IPv6 site)
HTTP/1.1 200 OK
Date: Sun, 07 Nov 2021 19:07:50 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 40
```
Further, we see your error in the first post is for http. Had the LE server been able to reach it you would have redirected it to https. So, the error related to the initial http request.
I think I need to have a look at the IPv6 DNS settings. Need to have that in place for mail purposes. But the IP address might be wrong.
This is the ip 6 I get when running
```
curl -6 ifconfig.co
2a01:7c8:aaae:1b0:5054:ff:fea3:21ac
```
Which I can see in the ip a output as well.
Yes, should match the server IP. Did it resolve the Certbot problem?
For later, I would wonder how that could happen. Might need to add some monitoring to ensure your DNS stays in sync with your server IP addresses. Could create problems with other visitors to your site - not just Certbot.
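One way to do the monitoring suggested in the last reply, as an added example that is not part of the thread: compare the A and AAAA records a name resolves to against the addresses configured on the host. It assumes a Linux host with the iproute2 `ip` tool that holds its public addresses directly (no NAT); the function names, `example.test` and the sample addresses are constructed for illustration.

```python
import ipaddress
import socket
import subprocess
import sys

SAMPLE_IP_OUTPUT = (  # constructed sample of `ip -o addr show` output
    "2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\n"
    "2: eth0    inet6 2001:db8::10/64 scope global\n"
    "2: eth0    inet6 fe80::5054:ff:fe00:1/64 scope link\n"
)

def local_addresses(ip_output):
    """Parse `ip -o addr show` output into the host's routable addresses."""
    addrs = set()
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        addr = ipaddress.ip_interface(fields[3]).ip
        if not (addr.is_loopback or addr.is_link_local):
            addrs.add(addr)
    return addrs

def resolve(hostname):
    """Return every A and AAAA address the resolver gives for hostname."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return {ipaddress.ip_address(info[4][0]) for info in infos}

def stale_records(dns_addrs, host_addrs):
    """Addresses published in DNS that are not configured on this host."""
    dns = {ipaddress.ip_address(str(a)) for a in dns_addrs}  # normalises IPv6 text
    return sorted(dns - set(host_addrs), key=lambda a: (a.version, int(a)))

def main(hostnames):
    if hostnames:  # live check: needs the `ip` tool and working DNS
        raw = subprocess.run(["ip", "-o", "addr", "show"], capture_output=True,
                             text=True, check=True).stdout
        published = {name: resolve(name) for name in hostnames}
    else:  # no arguments: offline run on the constructed sample
        raw = SAMPLE_IP_OUTPUT
        published = {"example.test": ["192.0.2.10", "2001:db8::99"]}
    host = local_addresses(raw)
    stale = [(n, a) for n, addrs in published.items() for a in stale_records(addrs, host)]
    for name, addr in stale:
        print(f"{name}: DNS publishes {addr} but this host does not hold it")
    return 1 if stale else 0  # non-zero exit suits cron or an alerting wrapper

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run from cron with the certificate's host names as arguments, a non-zero exit flags a record such as a leftover AAAA before the next renewal attempt fails on it.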