Certbot webroot connection timeout

One of our certificates has stopped renewing automatically, using the webroot mode. It’s for a basic WordPress site. No settings have (to my knowledge) been changed since the site was first set up. The site loads normally. The DNS is correctly set. The .well-known folder is present and accessible, I can visit it in browser. The site is correctly configured to redirect from port 80 to port 443, and testing with curl -I returns the expected headers. There are two other sites on the same server using Let’s Encrypt, both also WordPress sites, and both renewing successfully. I’ve tried manually triggering a renewal, and also wiping the certificate from Let’s Encrypt and trying again. None of it works. I’m officially stumped, and the site is going to go down when the certificate expires in about 3 days because it has HSTS enabled.

About the only clue I have is that when I try to run a renewal, I don’t see anything in the webserver logs showing the Let’s Encrypt validation servers trying to connect to the site. The other Let’s Encrypt certified sites on the server do show Let’s Encrypt related log entries when I attempt a renewal.

Can anyone suggest what might be up with it and how I might further diagnose and fix it? It looks very much as though the cause of the problem is on the Let’s Encrypt servers, but obviously I have no way of telling what’s happening there. Below is the renewal attempt output, showing one of the successful renewals (example.co.uk) and the failure (example.com):

root@host:~# certbot --dry-run renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.co.uk.conf
-------------------------------------------------------------------------------
Cert not due for renewal, but simulating renewal for dry run
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.co.uk
http-01 challenge for www.example.co.uk
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0016_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0016_csr-certbot.pem

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/example.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. www.example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://example.com/.well-known/acme-challenge/70EFAavkqkzektth9JbNVqtU2q4NtHpx6dBhDb8Ouu8: Timeout, example.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://example.com/.well-known/acme-challenge/maTwAJhHllDdu-ik3nePuNHhLZIWAwJynAFGlyN3leQ: Timeout. Skipping.
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/example.co.uk/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.example.com
Type:   connection
Detail: Fetching
https://example.com/.well-known/acme-challenge/70EFAavkqkzektth9JbNVqtU2q4NtHpx6dBhDb8Ouu8:
Timeout

Domain: example.com
Type:   connection
Detail: Fetching
https://example.com/.well-known/acme-challenge/maTwAJhHllDdu-ik3nePuNHhLZIWAwJynAFGlyN3leQ:
Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Any help will be gratefully received, as I’m at my wits’ end here! Thanks!

After claiming that the DNS was all correctly set, I discovered that someone had set the wrong IPv6 address. My bad. As soon as I corrected that the renewal worked. I’m guessing that when the certificate was first set up, either IPv6 was disabled for the domain or certbot preferred IPv4. Anyway, it’s now fixed!
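The lesson from this thread is that the validation server uses every address published in DNS, and it prefers IPv6 when an AAAA record exists, so a stale or mistyped AAAA record produces exactly the "Timeout" seen above even though the site loads fine over IPv4 from a browser. The pre-flight checker below is an added example (not certbot's code and not from the original post) that resolves both A and AAAA records for a hostname and probes the acme-challenge path on each address individually with the correct Host header, then reports which address family is unreachable. The hostname and the challenge token are placeholders; any HTTP answer (including the port-80 to 443 redirect or a 404 for a made-up token) counts as "reachable", because the point is whether the CA can connect at all, not what the file contains.

```python
#!/usr/bin/env python3
"""Pre-flight check for an http-01 renewal: does every address the CA can
find in DNS (A and AAAA) actually answer on the acme-challenge path?
Added example, not certbot's own code. Run as: acme_preflight.py example.com
"""
import socket
import sys

CHALLENGE_PATH = "/.well-known/acme-challenge/"
TIMEOUT = 10  # seconds; a wrong AAAA record usually shows up as a timeout


def resolve(host):
    """Return (ipv4_addrs, ipv6_addrs) from the system resolver."""
    v4, v6 = set(), set()
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(
                host, 80, proto=socket.IPPROTO_TCP):
            if family == socket.AF_INET:
                v4.add(sockaddr[0])
            elif family == socket.AF_INET6:
                v6.add(sockaddr[0])
    except socket.gaierror:
        pass
    return sorted(v4), sorted(v6)


def probe(host, addr, family, token="preflight-placeholder-token"):
    """Connect to one specific address (not whatever the OS picks) and send
    the request the CA would send, with the site's Host header. Returns the
    HTTP status line, or a short error string such as 'Timeout'."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(TIMEOUT)
            s.connect((addr, 80))
            req = (f"GET {CHALLENGE_PATH}{token} HTTP/1.1\r\n"
                   f"Host: {host}\r\nConnection: close\r\n\r\n")
            s.sendall(req.encode())
            status = s.recv(4096).split(b"\r\n", 1)[0]
            return status.decode(errors="replace")
    except socket.timeout:
        return "Timeout"
    except OSError as e:
        return f"Error: {e}"


def diagnose(v4_results, v6_results):
    """Pure logic over {address: status} maps (so it can be tested offline).
    Any HTTP status line, even 301 or 404, means the server answered; the
    CA follows redirects and will fetch the real token itself."""
    def answered(status):
        return status.startswith("HTTP/")

    bad4 = [a for a, st in v4_results.items() if not answered(st)]
    bad6 = [a for a, st in v6_results.items() if not answered(st)]
    findings = []
    if not v4_results and not v6_results:
        findings.append("no A or AAAA records: the CA cannot reach the site at all")
    if bad6:
        msg = "AAAA record(s) %s do not answer" % ", ".join(bad6)
        if v4_results and not bad4:
            # The case from this thread: IPv4 is fine, but the CA tries the
            # published IPv6 address first and times out there.
            msg += (": the CA prefers IPv6 when an AAAA record exists, so the "
                    "challenge fails even though IPv4 works; fix or remove the AAAA record")
        findings.append(msg)
    if bad4:
        findings.append("A record(s) %s do not answer" % ", ".join(bad4))
    return findings


def main(host):
    v4, v6 = resolve(host)
    v4_results = {a: probe(host, a, socket.AF_INET) for a in v4}
    v6_results = {a: probe(host, a, socket.AF_INET6) for a in v6}
    for addr, status in {**v4_results, **v6_results}.items():
        print(f"{addr:40} {status}")
    problems = diagnose(v4_results, v6_results)
    for p in problems:
        print("PROBLEM:", p)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it before `certbot renew` on a host that has just had its DNS changed; a wrong AAAA record shows up here as a "Timeout" against one IPv6 address while every IPv4 address returns a status line, which is the pattern the renewal log above hides behind a single "could not connect" error.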
