Certificate renewal timeout in Verification but File test link OK

My domain is: www.kittcat.tk
I ran this command: zerossl.com FREE SSL Certificate Wizard
It produced this output: interface keeps telling me a timeout error occurred at http verification
My web server is (include version): Apache/2.2.31
The operating system my web server runs on is (include version): Synology DSM 5.2-5967 Update 3
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’m trying to renew my Let’s Encrypt certificate. I create the file with the challenge on my web site as the verification page instructs. I test the File link - everything is ok, but when I press Next it’s always a timeout error.

I tested the access to the newly created challenge file with an Internet tool (ex. Hurl.it) and it gets the file without a problem.

Any help would be great.

Hi @kittcat,

You are advertising an IPv6 address 2001:8a0:639d:301:211:32ff:fe06:a11b via an AAAA record in DNS, but your device is not reachable at that address, only via IPv4.

Further to this:

Many people have been hit by this, as Let’s Encrypt will use the IPv6 address (even though it doesn’t resolve) to anything in this case.

Web browsers are smart enough to try the IPv4 address; however, Let’s Encrypt currently does not.

Andrei

This isn’t true. We do check IPv4 addresses in addition to IPv6 for dual-homed hosts for TLS-SNI-01 challenges. The HTTP-01 challenges will do the same after today’s production deploy when a bug is fixed.


If I understand correctly, my case (and others) should work tomorrow, is that it?
If that is so, I’ll try the http challenge again tomorrow and post here the result.

Hi @kittcat,

Yes, if your server is able to solve the HTTP-01 challenge over IPv4 then it should start to work immediately after today’s deploy. You can follow https://status.letsencrypt.org to know when this is released. You can also try testing right now with the staging environment which will issue test-certificates (not suitable for your production website). The staging environment already has this fix applied.

I would definitely encourage you to try and fix the underlying IPv6 problem by either fixing connectivity to your website over IPv6 or removing the AAAA record. It’s likely going to cause slowness for browsers that waste time trying IPv6 before falling back to IPv4 and could cause you more headaches down the road.

Hope that helps!
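A pre-flight check for the situation discussed in this thread, as an added example that is not part of any post and not Let's Encrypt or ZeroSSL code: it probes port 80 on every A and AAAA address a host publishes and lists the ones that would time out during HTTP-01 validation. The function names and the sample data (documentation address ranges) are constructed for illustration.

```python
import socket
import sys

def resolve(host, port=80):
    """Return {"IPv4": [...], "IPv6": [...]} from the host's A/AAAA records."""
    out = {"IPv4": [], "IPv6": []}
    names = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return out
    for family, _, _, _, sockaddr in infos:
        name = names.get(family)
        if name and sockaddr[0] not in out[name]:
            out[name].append(sockaddr[0])
    return out

def tcp_reachable(addr, port=80, timeout=5.0):
    """True if a TCP connection to addr:port completes within timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # timeout, refused, no route, no local IPv6 stack
        return False

def preflight(host, resolver=resolve, probe=tcp_reachable):
    """Probe every published address; return the (family, addr) pairs that fail."""
    return [(family, addr)
            for family, addrs in resolver(host).items()
            for addr in addrs if not probe(addr)]

# Constructed sample: AAAA record published, but only IPv4 passes the firewall.
SAMPLE_DNS = {"IPv4": ["192.0.2.10"], "IPv6": ["2001:db8::10"]}
SAMPLE_OPEN = {"192.0.2.10"}

def demo():
    """Offline run against the constructed sample above."""
    return preflight("example.test", lambda h: SAMPLE_DNS,
                     lambda a: a in SAMPLE_OPEN)

if __name__ == "__main__":
    bad = preflight(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for family, addr in bad:
        print(f"{family} {addr}: port 80 unreachable; "
              "fix firewall/routing or remove the record")
    sys.exit(1 if bad else 0)
```

Run it from a machine outside the server's own network that has working IPv6, otherwise the router firewall is bypassed or every IPv6 address is reported as unreachable.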

Hi everyone,

I don’t know exactly if the deploy went ahead as scheduled but I just tried to renew my certificate in zerossl.com’s interface with the http challenge and still get the same timeout error.

I decided to go with the IPv6 configuration and in the end, what was missing was just a firewall http rule in the router, specific for the site’s IPv6 address.

After this I was able to renew the certificate.

Thanks to all those who took a little of their time to respond and help me. 🙂
