Client connection failed following certbot update


#1

I’m trying to get a certificate for the new site www.crif-online.visurasubito.com.
I have other sites with the same configuration, such as https://www.cattivo-pagatore.visurasubito.com/, and I never had problems.
After the latest certbot client update was released, I have problems with verification:
"
2018-04-17 05:10:44,636:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.crif-online.visurasubito.com
Type: connection
Detail: Fetching http://www.crif-online.visurasubito.com/.well-known/acme-challenge/KVxwpNlxpCTGHtEyDWUIPKWr3lEp7TsPM99aQnBbhAc: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2018-04-17 05:10:44,636:INFO:certbot.auth_handler:Cleaning up challenges
2018-04-17 05:10:45,110:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.22.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1266, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1031, in run
    certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 118, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 350, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 294, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 330, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 79, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 154, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 220, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. www.crif-online.visurasubito.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.crif-online.visurasubito.com/.well-known/acme-challenge/KVxwpNlxpCTGHtEyDWUIPKWr3lEp7TsPM99aQnBbhAc: Timeout
"
How can I solve the problem?


#2

Hi,

You have a misconfigured AAAA (IPv6) record; please remove it from your 1&1 control panel and it’s going to be all good.

Thank you


#3

Or, more preferably if you’re able to, fix your IPv6 connectivity and leave the record there!

Let’s Encrypt will prefer IPv6 if you’re advertising an AAAA record, so you will either need to fix that or remove the record.


#4

Also check out this nice info (so you would probably understand not to put IPv4 in an IPv6 record :joy:):
https://www.tutorialspoint.com/ipv6/index.htm

Thank you


#5

Ok, I understood.
So, the best solution is to buy a public IPv6 address: I’m proceeding.
But in the meantime, how can I tell certbot to use IPv4?


#6

As long as there exists an IPv6 address for your FQDN, certbot will prefer IPv6 over IPv4 and use that IP.
You can control what IPs your name resolves to.
The quickest solution is as @stevenzhu recommended:


#7

Certbot will always focus on IPv6 rather than IPv4 (as @rg305 said), so if you are going to use IPv4 for now, just remove the IPv6 record and add it back later.
I’m not sure whether the host you are using provides IPv6 or not… (if it’s cPanel, the likelihood of IPv6 is minimal)

P.S. Your website is using HTTP/1.1 as well as an insecure PHP session ID. If you have a chance, correct it.


#8

I deleted the AAAA IPv6 record from the provider and now it works fine.
Thx 1000
Vincenzo
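
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original posts and not certbot code: it flags AAAA values that cannot serve an HTTP-01 challenge (an IPv4 address stored as IPv4-mapped IPv6, a non-routable address, or a routable one that does not answer on port 80). The function names and the `SAMPLE` record set are assumptions made for illustration; `resolve()` reflects the local resolver's view, and `reachable()` only gives a meaningful IPv6 result when run from a machine with working IPv6.

```python
import ipaddress
import socket
import sys

# Constructed sample: an IPv4 address mistakenly published in the AAAA record.
SAMPLE = {"A": {"192.0.2.10"}, "AAAA": {"::ffff:192.0.2.10"}}

def aaaa_problem(addr):
    """Return why an AAAA value cannot serve HTTP-01 validation, or None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return "not an IPv6 address"
    if ip.ipv4_mapped is not None:
        return f"IPv4-mapped ({ip.ipv4_mapped}): an IPv4 address belongs in an A record"
    if not ip.is_global:
        return "not publicly routable"
    return None

def resolve(host):
    """A/AAAA values as seen by the local resolver (may differ from public DNS)."""
    recs = {"A": set(), "AAAA": set()}
    for family, *_, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            recs["A"].add(sockaddr[0])
        elif family == socket.AF_INET6:
            recs["AAAA"].add(sockaddr[0])
    return recs

def reachable(addr, port=80, timeout=5.0):
    """TCP connect to addr:port, the port the http-01 fetch in the log uses."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def preflight(recs, probe=reachable):
    """Return (record type, address, reason) for every address that would fail."""
    findings = []
    for addr in sorted(recs.get("AAAA", ())):
        reason = aaaa_problem(addr)
        if reason is None and not probe(addr):
            reason = "port 80 unreachable over IPv6"
        if reason:
            findings.append(("AAAA", addr, reason))
    for addr in sorted(recs.get("A", ())):
        if not probe(addr):
            findings.append(("A", addr, "port 80 unreachable over IPv4"))
    return findings

if __name__ == "__main__":
    for rtype, addr, reason in preflight(resolve(sys.argv[1])):
        print(f"{rtype} {addr}: {reason}")
```

Run it with the hostname as the only argument before requesting the certificate; any `AAAA` finding has to be fixed or the record removed, since the validation server will use that address when it is advertised.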

