Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): Debian 11.1
My hosting provider, if applicable, is: -
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
Hi, I have a problem that's a bit annoying: certbot uses IPv6, i.e. :::80, even though IPv6 is disabled on my server. This server only has an IPv4 address and has no AAAA record. How can I convince certbot to use IPv4?
Hi, I already renewed by DNS challenge. It was a bit urgent. But I still have the non-verbose output in my logs:
Dec 7 14:04:59 aksawedge certbot: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Dec 7 14:04:59 aksawedge certbot:
Dec 7 14:04:59 aksawedge certbot: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 7 14:04:59 aksawedge certbot: Processing /etc/letsencrypt/renewal/gate.altmark-klinikum.de.conf
Dec 7 14:04:59 aksawedge certbot: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 7 14:04:59 aksawedge certbot: Cert is due for renewal, auto-renewing...
Dec 7 14:04:59 aksawedge certbot: Plugins selected: Authenticator standalone, Installer None
Dec 7 14:05:00 aksawedge certbot: Renewing an existing certificate for gate.altmark-klinikum.de
Dec 7 14:05:00 aksawedge certbot: Performing the following challenges:
Dec 7 14:05:00 aksawedge certbot: http-01 challenge for gate.altmark-klinikum.de
Dec 7 14:05:00 aksawedge certbot: Waiting for verification...
Dec 7 14:05:11 aksawedge certbot: Challenge failed for domain gate.altmark-klinikum.de
Dec 7 14:05:11 aksawedge certbot: http-01 challenge for gate.altmark-klinikum.de
Dec 7 14:05:11 aksawedge certbot: Cleaning up challenges
Dec 7 14:05:11 aksawedge certbot: Failed to renew certificate gate.altmark-klinikum.de with error: Some challenges have failed.
Dec 7 14:05:12 aksawedge certbot:
Dec 7 14:05:12 aksawedge certbot: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 7 14:05:12 aksawedge certbot: All renewals failed. The following certificates could not be renewed:
Dec 7 14:05:12 aksawedge certbot: /etc/letsencrypt/live/gate.altmark-klinikum.de/fullchain.pem (failure)
Dec 7 14:05:12 aksawedge certbot: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dec 7 14:05:12 aksawedge certbot: Running post-hook command: /etc/haproxy/cert_LE_renew.sh
Dec 7 14:05:12 aksawedge certbot: 1 renew failure(s), 0 parse failure(s)
Dec 7 14:05:12 aksawedge certbot: IMPORTANT NOTES:
Dec 7 14:05:12 aksawedge certbot: - The following errors were reported by the server:
Dec 7 14:05:12 aksawedge certbot:
Dec 7 14:05:12 aksawedge certbot: Domain: gate.altmark-klinikum.de
Dec 7 14:05:12 aksawedge certbot: Type: connection
Dec 7 14:05:12 aksawedge certbot: Detail: Fetching
Dec 7 14:05:12 aksawedge certbot: http://gate.altmark-klinikum.de/.well-known/acme-challenge/McgnZorl0dSr-61VgqxqXFV2fISyMrkIm1xbLVP39Gg:
Dec 7 14:05:12 aksawedge certbot: Timeout during connect (likely firewall problem)
Dec 7 14:05:12 aksawedge certbot:
Dec 7 14:05:12 aksawedge certbot: To fix these errors, please make sure that your domain name was
Dec 7 14:05:12 aksawedge certbot: entered correctly and the DNS A/AAAA record(s) for that domain
Dec 7 14:05:12 aksawedge certbot: contain(s) the right IP address. Additionally, please check that
Dec 7 14:05:12 aksawedge certbot: your computer has a publicly routable IP address and that no
Dec 7 14:05:12 aksawedge certbot: firewalls are preventing the server from communicating with the
Dec 7 14:05:12 aksawedge certbot: client. If you're using the webroot plugin, you should also verify
Dec 7 14:05:12 aksawedge certbot: that you are serving files from the webroot path you provided.
There is usually no service running on port 80. Certbot only starts a temporary service on port 80, which I could observe with "watch -n 1 netstat -tulpen".
That showed tcp6 [...] :::80 :::* [...] PID/python
Usually you'd get an immediate "Connection refused" error if there isn't anything listening on a port and it isn't firewalled, not a timeout.
Also, unless /proc/sys/net/ipv6/bindv6only is set to 1, the socket listening on :::80 is also accepting IPv4 connections, so nothing strange there. See "Semantics of :: and 0.0.0.0 in dual-stack OSes" on Server Fault for more info. However, even if bindv6only is set, certbot will correctly listen on IPv4 and on IPv6, as demonstrated by:
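The dual-stack behaviour described in this reply can be checked directly on the host. The following script is an added example, not part of the thread and not certbot's own code: it reads the system-wide bindv6only default, then opens a listening socket on `::` exactly as a tool bound to `:::80` would, and tries to reach it with a plain IPv4 client on the loopback address. With IPV6_V6ONLY off (the Linux default), the IPv4 client is accepted and shows up as an IPv4-mapped peer address (`::ffff:127.0.0.1`); with IPV6_V6ONLY on, the IPv4 connection is refused. An ephemeral port is used instead of 80 so the check needs no root and does not collide with a real web server; the hypothetical helper names (`read_bindv6only`, `dual_stack_listener`, `ipv4_connect_accepted`) are this example's own.

```python
import socket

# Kernel default for IPV6_V6ONLY on new AF_INET6 sockets (Linux). 0 = dual-stack.
BINDV6ONLY_PATH = "/proc/sys/net/ipv6/bindv6only"


def read_bindv6only(path=BINDV6ONLY_PATH):
    """Return the bindv6only sysctl value (0 or 1), or None if it cannot be read
    (non-Linux host, IPv6 stack absent, or no permission)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def dual_stack_listener(port=0, v6only=False):
    """Open a listening socket bound to the IPv6 wildcard address '::', the way
    a service that netstat shows as 'tcp6 :::80' does.  v6only=False is the
    dual-stack case: IPv4 clients are accepted as IPv4-mapped addresses.
    Returns None if the host cannot create IPv6 sockets at all."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return None
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    try:
        s.bind(("::", port))
    except OSError:
        s.close()
        return None
    s.listen(5)
    return s


def ipv4_connect_accepted(v6only=False, timeout=2.0):
    """Bind on '::' with the given IPV6_V6ONLY setting and connect to it from an
    AF_INET client via 127.0.0.1.  Returns True if the IPv4 client was accepted
    (peer seen as ::ffff:127.0.0.1), False if it was refused, None if IPv6
    sockets are unavailable on this host."""
    srv = dual_stack_listener(0, v6only)
    if srv is None:
        return None
    port = srv.getsockname()[1]
    srv.settimeout(timeout)
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.settimeout(timeout)
    try:
        cli.connect(("127.0.0.1", port))
        conn, peer = srv.accept()
    except OSError:
        # ECONNREFUSED (v6only listener) or accept timeout: IPv4 was not served.
        cli.close()
        srv.close()
        return False
    conn.close()
    cli.close()
    srv.close()
    # An IPv4 client on a dual-stack socket is reported as an IPv4-mapped address.
    return peer[0].startswith("::ffff:")


if __name__ == "__main__":
    print("bindv6only sysctl:", read_bindv6only())
    print("IPv4 client accepted on '::' with V6ONLY=0:", ipv4_connect_accepted(False))
    print("IPv4 client accepted on '::' with V6ONLY=1:", ipv4_connect_accepted(True))
```

If the first check prints True, a `tcp6 :::80` line in netstat is not evidence that IPv4 clients are being turned away, and a validation timeout (rather than a refusal) points at a firewall or routing problem in front of the host, as the reply says.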
Thanks for the quick help! Just found the exact same info. Was a bit confused by other services just having a tcpv4 port open. So I'm going to talk to the firewall guys tomorrow.
Sounds like there is some IPv6 left in there somewhere...
But that's nothing to worry about.
Most things that show bound to IPv6, bind to both IPv4 & IPv6 [but only show one].