Certbot renewal http-01 challenge - Cannot Connect Due to IPV6 Configurations

Hello, I have an Ubuntu 16.04 server with nginx.
I have “configured” the nginx server blocks.

I can curl www.domain.com and domain.com, which 301 to https://domain.com.
If I curl http://www.domain.com/.well-known/index.html I get a 200 status for the content of the index.html file I have added in the directory, and also for http://domain.com/.well-known/index.html.

But when I try to create or renew the cert I get a connect error for www.domain.com:
certbot certonly --webroot --webroot-path=/var/www/domain.com/htdocs -d domain.com -d www.domain.com

server block:

server {
    listen 80;
    server_name www.domain.com domain.com;
    location / {
        return 301 https://domain.com$request_uri;
    }
    location /.well-known {
        root /var/www/domain.com/htdocs/;
    }
}

Hi @immunity,

If you provide your real domain it should be easier to help you.

Is your domain pointing to IPv4 and IPv6 addresses?

Cheers,
sahsanu

www.starenio.gr and starenio.gr

www IN A 88.99.191.252
www IN AAAA 2a01:4f8:c0c:fa1::

Hi @immunity,

Remove the AAAA record for www.starenio.gr from your DNS server and try again. The other option is to configure the ipv6 address for your domain and the web server correctly to serve your domain using ipv6 too.

Note: 2a01:4f8:c0c:fa1:: is not a valid IPv6 address; it is the subnet 2a01:4f8:c0c:fa1::/64 assigned to you by Hetzner.

Cheers,
sahsanu

1 Like
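The failure mode sahsanu describes (an AAAA record published for the name, but the address it points to not actually configured on the host, or the web server not accepting IPv6 at all) can be caught before running certbot. The following preflight check is an added example, not code from the thread or from certbot; the DNS records and host addresses are constructed sample values modelled on this thread, and the nginx block is assumed to be the one posted above.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: a correct A record, an AAAA record
# that is the bare /64 prefix (the trailing "2" was lost), and a server block
# with an IPv4-only listen directive. HOST_ADDRESSES is an assumed host config.
DNS_RECORDS = {"A": ["88.99.191.252"], "AAAA": ["2a01:4f8:c0c:fa1::"]}
HOST_ADDRESSES = ["88.99.191.252", "2a01:4f8:c0c:fa1::2"]
NGINX_SERVER_BLOCK = """
server {
    listen 80;
    server_name www.starenio.gr starenio.gr;
    location /.well-known { root /var/www/domain.com/htdocs/; }
}
"""


def listens_on_ipv6(server_block: str) -> bool:
    """True if some listen directive binds an IPv6 socket, e.g. [::]:80.
    A bare 'listen 80;' makes nginx accept IPv4 connections only."""
    return any("[" in d for d in re.findall(r"listen\s+([^;]+);", server_block))


def preflight(records: dict, host_addrs: list, server_block: str) -> list:
    """Return findings that would make an http-01 validation fail.

    When a name has an AAAA record the validator will connect over IPv6, so the
    record must point at an address the host owns and nginx must listen on it.
    """
    findings = []
    bound = {ipaddress.ip_address(a) for a in host_addrs}
    for rtype in ("A", "AAAA"):
        for value in records.get(rtype, []):
            try:
                addr = ipaddress.ip_address(value)
            except ValueError:
                findings.append(f"{rtype} {value}: not a parseable address")
                continue
            if addr.version == 6 and addr.packed[8:] == bytes(8):
                findings.append(f"{rtype} {value}: host part is all zero, looks like a bare /64 prefix")
            if addr not in bound:
                findings.append(f"{rtype} {value}: not configured on this host")
    if records.get("AAAA") and not listens_on_ipv6(server_block):
        findings.append("AAAA published but nginx has no IPv6 listen (add 'listen [::]:80;')")
    return findings


if __name__ == "__main__":
    for finding in preflight(DNS_RECORDS, HOST_ADDRESSES, NGINX_SERVER_BLOCK):
        print("FAIL:", finding)
```

Run it against the real records from your resolver and the host's configured addresses; an empty list means the validator can reach the challenge path over every address family you publish.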

OK, I will try to remove the record (it will need some time until Let's Encrypt refreshes their DNS, right?).

Do I have an IPv6? :smiley: Or just v4, and if I want to use IPv6 will I have to buy an IPv6 assigned by Hetzner?

Let's Encrypt tries to reach your DNS server every time to check what your records are and doesn't cache them; well, it does some caching, but as far as I know only for 30 or 60 minutes. Indeed, if you remove the AAAA record, you can wait 5 minutes and try again.

I supposed that if you used that subnet it is because it is the one assigned to you. If you have a dedicated server, yes, you should have a /64 subnet assigned to you at no cost (you can check it from the Robot web page -> Servers -> select your server -> IPs tab, and you will see the assigned subnet).

Hello sahsanu, there was a 2 missing at the end of the IPv6 address.
I corrected it and now the certificate was created successfully for both the non-www and www domain.

Thank you very much, everything works fine now :slight_smile:

1 Like

@immunity, I’m glad you finally got your certificate… and enjoy your 18,446,744,073,709,551,616 ipv6 addresses :wink:

2 Likes
