I didn't find any related answer, so I'm a little bit confused as well.
On the last day of March I wanted to renew all certificates which are used by default.
Most of them succeeded but 2 (whole) websites failed with the above:
Here is one of them:
Domain: ambiente.one
Type: connection
Detail: Could not connect to http://ambiente.one/.well-known/acme-challenge/kUPBqADAIhew-SKMkuo5pMIhzRUo8u7kgPzcwZBUFs8
Domain: www.ambiente.one
Type: connection
Detail: Could not connect to http://www.ambiente.one/.well-known/acme-challenge/5cTETa5X-ILqgZru8aGnYP2oSRWkfvlkVo_UIbzi1vg
The difference between this and any other is that this website redirects (301) all http:// requests to https:// by default. So there is no real http://... available.
Let's Encrypt performed some network maintenance today (or rather yesterday) between 11PM and 12AM UTC:
Let's Encrypt will be doing maintenance on its network during this time and there will likely be intermittent interruption of services.
Is it possible your renewal was just inside that window?
Redirecting to HTTPS is fine for http-01 validation, as long as the target URL serves the correct challenge token. Your SSL configuration doesn't seem like it would cause any connection errors from the CA server either, so a temporary network error would be my best guess.
This should skip the redirect for anything starting with .well-known/acme-challenge. If this ends up working, there’s either a regression in the CA server software or the CA server’s TLS stack has some odd connectivity issue with your TLS configuration (which, to me, looks perfectly fine).
Redirects don’t seem to be broken completely, but something specific to your config seems to break it. (I’ve tested it on another domain just now, and it worked).
For now, I’d recommend adding the new redirect logic for any sites where you’re getting this error.
@jsha: Any boulder logs you could check that might shed some light on this issue? I’ve seen similar issues once or twice, like this one, but I can’t find anything wrong with this particular TLS config (A+ on SSL Labs).
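As an added example (not a config posted in this thread), this is what the recommended "skip the redirect for .well-known/acme-challenge" logic looks like in an nginx port-80 server block; it assumes nginx is the web server in front of the site and uses /var/www/letsencrypt as a placeholder webroot.

```nginx
# Added example (not from the thread): port-80 server block that serves
# ACME http-01 challenge files directly and redirects everything else to HTTPS.
# Assumptions: nginx is the web server, and /var/www/letsencrypt is a
# placeholder webroot (e.g. the -w argument given to certbot --webroot).
server {
    listen 80;
    listen [::]:80;
    server_name ambiente.one www.ambiente.one;

    # Serve the challenge token over plain HTTP, bypassing the redirect.
    # "^~" makes this prefix match win over any regex locations.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else keeps the site's existing 301 to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a request such as `curl -I http://ambiente.one/.well-known/acme-challenge/test` should return 404 from the webroot rather than a 301 to HTTPS, which confirms the challenge path is no longer redirected.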