Certificate request timeout on subdomain containing a dash


#1

My domain is:
web-01.samys.network

I ran this command:
Certificate was requested using Virtualmin virtualmin.com

It produced this output:
Timeout

My web server is (include version):
Apache (Apache/2.4.18 (Ubuntu))

The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, Virtualmin virtualmin.com

Requesting a certificate for a subdomain without dash is working perfectly fine on the same webserver.


#2

What is the intended IP address of the web-01.samys.network domain?

From an external perspective:

  1. It has no A/IPv4 address
  2. It has an AAAA/IPv6 address of 2a01:4f8:1c0c:707f::64 but it is not accessible from the external internet.

It seems more likely that the other subdomain has its DNS configured properly and that the dash has nothing to do with it.

One way to solve this is to post the name of the working subdomain, and then we can compare the DNS setup of the two.


#3
  1. The IPv4 is properly set.
  2. IPv6 is not configured for this domain.

The intended IP is 195.201.96.250. The working subdomain is web1.samys.network

[Edit]
The full error message is web-01.samys.network challenge did not pass: Fetching http://web-01.samys.network/.well-known/acme-challenge/YHAqFhpI2D_UAPSX6oQ7ZrU7LrPQaw-Fteu3tk8-HOI: Timeout


#4

Well:

$ dig +short samys.network ns | xargs -I{} dig @{} +noall +answer web-01.samys.network aaaa
web-01.samys.network.   900     IN      AAAA    2a01:4f8:1c0c:707f::64
web-01.samys.network.   900     IN      AAAA    2a01:4f8:1c0c:707f::64
web-01.samys.network.   900     IN      AAAA    2a01:4f8:1c0c:707f::64

Let’s Encrypt will attempt to use the IPv6 address, if it exists for a domain. If it fails to connect using the IPv6 address, it will fail the entire validation process.

That is why you have a timeout.

Yeah, my bad. For some reason my local resolver had a cached NXDOMAIN for it, but the AAAA record takes precedence anyway.


#5

Aaaarhg, I forgot that I configured IPv6. I enabled IPv6 on the webserver and it works now :wink:
Thank you!
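
Added example, not part of any post in this thread: a Python pre-flight check that applies the rule described in post #4 (a published AAAA record is the one that gets used, and an unreachable one fails validation even when the A record works). The names `resolve`, `can_connect` and `preflight` and the result fields are assumptions made for illustration.

```python
import socket
import sys


def resolve(host, family):
    """Addresses of one family (socket.AF_INET or AF_INET6) from the local resolver."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def can_connect(addr, port=80, timeout=5.0):
    """True if a TCP connection to addr:port completes within the timeout."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(host, resolve=resolve, can_connect=can_connect):
    """Predict the HTTP-01 reachability result under the rule from post #4.

    If any AAAA record is published, only the IPv6 addresses are judged and
    the A records are reported as ignored. Otherwise the A records are judged.
    """
    v6 = resolve(host, socket.AF_INET6)
    v4 = resolve(host, socket.AF_INET)
    if not v6 and not v4:
        return {"family": None, "ok": False, "unreachable": [], "ignored_a": []}
    family, used = ("AAAA", v6) if v6 else ("A", v4)
    # Conservative: every published address of the chosen family must answer.
    unreachable = [addr for addr in used if not can_connect(addr)]
    return {
        "family": family,
        "ok": not unreachable,
        "unreachable": unreachable,
        "ignored_a": v4 if v6 else [],
    }


if __name__ == "__main__":
    result = preflight(sys.argv[1])
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

Run it from a host that has working IPv6, otherwise every AAAA address looks unreachable. It asks the local resolver, which can hold a stale answer, so compare against the authoritative name servers with `dig` as post #4 does.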

