Certificate Renewal Fails

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hunttowers.org

I ran this command: Using Let's Encrypt Start for http in Home Assistant

It produced this output:

services-up: info: copying legacy longrun lets-encrypt (no readiness notification)
s6-rc: info: service legacy-services successfully started
[16:02:13] INFO: Selected http verification
[16:02:13] INFO: Detecting existing certificate type for hunttowers.org
Saving debug log to /var/log/letsencrypt/letsencrypt.log
[16:02:19] INFO: Existing certificate using 'ecdsa' key type.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewing an existing certificate for hunttowers.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: hunttowers.org
Type: connection
Detail: 73.60.28.201: Fetching http://hunttowers.org/.well-known/acme-challenge/F15x45g_-q81PFI4GSQbRQTIjR_gbLEm-FHjeB1tfgQ: Connection refused

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

From Let's Debug

Test result for hunttowers.org using http-01

AAAANotWorking

Error

hunttowers.org has an AAAA (IPv6) record (2601:19c:4182:5900::e690) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.

A timeout was experienced while communicating with hunttowers.org/2601:19c:4182:5900::e690: Get "http://hunttowers.org/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
[edited]0ms: Making a request to http://hunttowers.org/.well-known/acme-challenge/letsdebug-test (using initial IP 2601:19c:4182:5900::e690)
[edited]0ms: Dialing 2601:19c:4182:5900::e690
[edited]10000ms: Experienced error: context deadline exceeded

ANotWorking

Error

hunttowers.org has an A (IPv4) record (73.60.28.201) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

Get "http://hunttowers.org/.well-known/acme-challenge/letsdebug-test": dial tcp 73.60.28.201:80: connect: connection refused

Trace:
[edited]0ms: Making a request to http://hunttowers.org/.well-known/acme-challenge/letsdebug-test (using initial IP 73.60.28.201)
[edited]0ms: Dialing 73.60.28.201
[edited]141ms: Experienced error: dial tcp 73.60.28.201:80: connect: connection refused

IssueFromLetsEncrypt

Error

A test authorization for hunttowers.org to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.

73.60.28.201: Fetching http://hunttowers.org/.well-known/acme-challenge/I9ozf646FN4gqIlVJZKpBmpmzDUY4YYnydspfipAQK0: Connection refused

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Comcast

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I'm using the interface in Home Assistant (updated to latest as of today)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello @ecodad, welcome to the Let's Encrypt community. :slightly_smiling_face:

You are using the HTTP-01 challenge which states
"The HTTP-01 challenge can only be done on port 80."

Very likely you have a router port forwarding issue and / or a firewall issue.

Presently I find Port 80 not accessible on both IPv4 and IPv6.
Best Practice - Keep Port 80 Open

Using the online tool Let's Debug yields these results https://letsdebug.net/hunttowers.org/2196604

AAAANotWorking
Error
hunttowers.org has an AAAA (IPv6) record (2601:19c:4182:5900::e690) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with hunttowers.org/2601:19c:4182:5900::e690: Get "http://hunttowers.org/.well-known/acme-challenge/letsdebug-test": dial tcp [2601:19c:4182:5900::e690]:80: i/o timeout

Trace:
@0ms: Making a request to http://hunttowers.org/.well-known/acme-challenge/letsdebug-test (using initial IP 2601:19c:4182:5900::e690)
@0ms: Dialing 2601:19c:4182:5900::e690
@10000ms: Experienced error: dial tcp [2601:19c:4182:5900::e690]:80: i/o timeout
ANotWorking
Error
hunttowers.org has an A (IPv4) record (73.60.28.201) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.
Get "http://hunttowers.org/.well-known/acme-challenge/letsdebug-test": dial tcp 73.60.28.201:80: connect: connection refused

Trace:
@0ms: Making a request to http://hunttowers.org/.well-known/acme-challenge/letsdebug-test (using initial IP 73.60.28.201)
@0ms: Dialing 73.60.28.201
@135ms: Experienced error: dial tcp 73.60.28.201:80: connect: connection refused
IssueFromLetsEncrypt
Error
A test authorization for hunttowers.org to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
73.60.28.201: Fetching http://hunttowers.org/.well-known/acme-challenge/z8dkrWCI1mMmbtSaOHivEzcQ8Sh-CJ6bOxwpx6qA1-I: Connection refused

IPv4 Port 80 is closed and Port 443 is open

1>nmap -4 -Pn -p80,443 hunttowers.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-08-24 17:41 UTC
Nmap scan report for hunttowers.org (73.60.28.201)
Host is up (0.094s latency).
Other addresses for hunttowers.org (not scanned): 2601:19c:4182:5900::e690
rDNS record for 73.60.28.201: c-73-60-28-201.hsd1.ma.comcast.net

PORT    STATE  SERVICE
80/tcp  closed http
443/tcp open   https

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds

IPv6 both Ports 80 & 443 are filtered

2>nmap -6 -Pn -p80,443 hunttowers.org
Starting Nmap 7.94 ( https://nmap.org ) at 2024-08-24 17:41 UTC
Nmap scan report for hunttowers.org (2601:19c:4182:5900::e690)
Host is up.
Other addresses for hunttowers.org (not scanned): 73.60.28.201

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.12 seconds

Edit
And this is what DNS looks like

Edit 2
Using this online tool Open Port Check Tool - Test Port Forwarding on Your Router shows

4 Likes

I agree with Bruce that you have some kind of problem handling incoming HTTP requests on port 80. Check your router NAT or port forwarding and ensure HTTP is allowed by it.

I also see a problem with your DNS AAAA record for IPv6.

While I can use HTTPS to see your website (with expired cert) on IPv4 I cannot reach it using IPv6. You should review the value in your AAAA record or remove it if you do not support IPv6

Name:   hunttowers.org
A    Address: 73.60.28.201
AAAA Address: 2601:19c:4182:5900::e690

Update:
Here is what I saw using HTTPS and IPv4. Interestingly, there is no value for "Server:". It is not required, but it is usually a clue to what is responding.

curl -i4k https://hunttowers.org
HTTP/1.1 200 OK
Server:
Content-Length: 5379
Date: Sat, 24 Aug 2024 18:14:32 GMT

<!DOCTYPE html><html><head><title>Home Assistant</title>
4 Likes
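The two replies above boil down to one pre-flight check: for every A and AAAA record the domain publishes, does something answer on TCP port 80, and if not, is the failure a refusal (nothing listening or no port forward, the IPv4 case here) or a silent timeout (a firewall dropping the traffic, the IPv6 case here)? The script below is an added example, not code from the thread or from Let's Debug; it uses only the Python standard library, reproduces Let's Debug's ANotWorking/AAAANotWorking naming, and when run without a domain argument evaluates a constructed result set built from the two addresses quoted above instead of touching the network.

```python
"""Pre-flight check for an ACME HTTP-01 renewal (added example, not from the thread).

Resolves every A/AAAA record for a domain, TCP-connects to port 80 on each
address and reports the two failure classes seen in the thread:
'refused' (host answers, nothing on the port) and 'timeout' (firewall drop).
"""
import socket
import sys
from dataclasses import dataclass

HTTP_PORT = 80          # HTTP-01 validation is only ever attempted on port 80
CONNECT_TIMEOUT_S = 5.0


@dataclass(frozen=True)
class ProbeResult:
    family: str   # "A" (IPv4) or "AAAA" (IPv6)
    address: str
    outcome: str  # "open", "refused", "timeout" or "error"


def resolve(domain):
    """Return the deduplicated list of (family, address) pairs published in DNS."""
    found = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(domain, HTTP_PORT, proto=socket.IPPROTO_TCP):
        label = "A" if fam == socket.AF_INET else "AAAA"
        pair = (label, sockaddr[0])
        if pair not in found:
            found.append(pair)
    return found


def probe(family, address, port=HTTP_PORT, timeout=CONNECT_TIMEOUT_S):
    """TCP-connect to one address and classify the outcome as a CA validator would see it."""
    af = socket.AF_INET if family == "A" else socket.AF_INET6
    sock = socket.socket(af, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((address, port))
        return ProbeResult(family, address, "open")
    except ConnectionRefusedError:   # RST came back: host reachable, nothing listens on the port
        return ProbeResult(family, address, "refused")
    except socket.timeout:           # no answer at all: typically a firewall dropping SYNs
        return ProbeResult(family, address, "timeout")
    except OSError:                  # e.g. this machine has no IPv6 route
        return ProbeResult(family, address, "error")
    finally:
        sock.close()


HINTS = {
    "refused": "host answers but nothing listens on the port: check the port forward / listener",
    "timeout": "no reply at all: a firewall is likely dropping the traffic",
    "error": "could not even attempt the connection from this host",
}


def diagnose(results):
    """Turn probe results into Let's Debug-style findings (names match that tool's output)."""
    findings = []
    for family, name in (("A", "ANotWorking"), ("AAAA", "AAAANotWorking")):
        for r in results:
            if r.family == family and r.outcome != "open":
                findings.append(f"{name}: {r.address} port {HTTP_PORT} {r.outcome} ({HINTS[r.outcome]})")
    if not results:
        findings.append("NoRecords: domain has neither A nor AAAA records")
    return findings


def http01_possible(results):
    """The CA needs at least one published address on which port 80 answers."""
    return any(r.outcome == "open" for r in results)


def check_domain(domain):
    """Resolve, probe every address, and return (results, findings, can HTTP-01 succeed)."""
    results = [probe(fam, addr) for fam, addr in resolve(domain)]
    return results, diagnose(results), http01_possible(results)


# Constructed sample mirroring the thread's Let's Debug output: IPv4 refused, IPv6 timed out.
SAMPLE_RESULTS = [
    ProbeResult("A", "73.60.28.201", "refused"),
    ProbeResult("AAAA", "2601:19c:4182:5900::e690", "timeout"),
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        _, findings, ok = check_domain(sys.argv[1])
    else:
        findings, ok = diagnose(SAMPLE_RESULTS), http01_possible(SAMPLE_RESULTS)
    for line in findings:
        print(line)
    print("HTTP-01 can succeed" if ok else "HTTP-01 cannot succeed: no address answers on port 80")
```

Run it as `python3 check80.py hunttowers.org` from a host outside the home network, since a probe from inside the LAN may succeed through hairpin NAT while the CA's validators are still refused. Fixing the A record alone is not enough once an AAAA record is published: Let's Encrypt prefers IPv6 when an AAAA record exists, so an address that times out keeps failing validation until the firewall passes port 80 over IPv6 or the AAAA record is removed.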

Thank you! I was able to fix it by switching the Let's Encrypt configuration to use port 80 instead of 444. When I originally set it up last year, it wouldn't let me set it as port 80. Thanks!

3 Likes

Great. Good progress. But, you still need to review your IPv6

SSL Labs shows your IPv4 using today's cert. But, it cannot connect to your IPv6 address

https://www.ssllabs.com/ssltest/analyze.html?d=hunttowers.org&hideResults=on

4 Likes

Hi,
I'm new here. I have trouble renewing like many others. Mainly eddiem.com
Do I tell my story here, start a new thread or what?
Thanx Eddie,

1 Like

Please start a new thread in the Help section, where you're welcomed by a questionnaire which is mandatory. The chances your problem is exactly the same as this thread's are quite slim. Even if the error you're getting might be the same, the origin and solution might not.

3 Likes

I opened up the firewall for ipv6 on the xFi Gateway/Router and reran the SSL Report and now get A grades for both ipv4 and ipv6. Is there something more I should do to check the Let's Encrypt certificate for ipv6?

Thanks!

2 Likes

No. That looks great.

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.