Connection timeout in authorization procedure

Please fill out the fields below so we can help you better.

My domain is: 0xaa55.org

I ran this command: certbot certonly --webroot -w /var/www/0xaa55.org/ -d www.0xaa55.org -d 0xaa55.org

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.0xaa55.org
http-01 challenge for 0xaa55.org
Using the webroot path /var/www/0xaa55.org for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.0xaa55.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.0xaa55.org/.well-known/acme-challenge/DpedMpDmE5C600z3M2aAxsMROcTqiQThlij0fBcHB5U: Timeout

My web server is (include version): Lighttpd 1.4.45

The operating system my web server runs on is (include version): Gentoo

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Certbot complains that the server could not connect to the client. Connection timeout is given as reason. I’ve checked from a client machine that the web server is accessible on port 80 and also that the directory /.well-known/acme-challenges/ is accessible. When dumping traffic on the server, I see a TCP handshake on port 80 initiated by a Letsencrypt machine, immediately followed by a TCP FIN (connection closing). Can anyone help?

$ mhost 0xaa55.org
0xaa55.org.  (unsigned)  86400  A  138.201.37.73
$ mhost www.0xaa55.org
www.0xaa55.org.  (unsigned)  86400  A     138.201.37.73
www.0xaa55.org.  (unsigned)  86400  AAAA  2a01:4f8:121:20e2::3
$ nc -6vz www.0xaa55.org 80
nc: connect to www.0xaa55.org port 80 (tcp) failed: Connection timed out

www.0xaa55.org has an IPv6 address, but connecting to it apparently times out. In the past, when validating dual-stack sites, Let’s Encrypt preferred IPv4; recently, it was changed to prefer IPv6.

It’s actually supposed to fall back to IPv4 in this case, but there’s kind of a bug in the fallback process.

Either way, you should fix the IPv6 server, or remove the AAAA record.

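The failure mode in this thread (an AAAA record published for www.0xaa55.org while port 80 over IPv6 times out, and a validator that now prefers IPv6) is easy to catch before running certbot. The following pre-flight check is an added example, not code from the thread, from certbot or from Let's Encrypt: it collects every A and AAAA address a validator could pick for the hostname, attempts a TCP handshake to port 80 on each, and flags an unreachable IPv6 address separately because that is the address the validator will try first. The sample records are constructed from the mhost output above; a live lookup is only used when the script is run with a hostname argument. The function and field names are the example's own.

```python
import socket
import sys
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str]  # (record type "A" or "AAAA", address literal)

# Constructed sample, modelled on the mhost output quoted in the thread;
# it is embedded here so the check can be exercised without a DNS query.
SAMPLE_RECORDS: List[Record] = [
    ("A", "138.201.37.73"),
    ("AAAA", "2a01:4f8:121:20e2::3"),
]


def resolve_records(hostname: str) -> List[Record]:
    """Collect the distinct A and AAAA addresses published for `hostname`.

    An ACME validator may choose any of them, so every one has to answer.
    """
    seen: List[Record] = []
    for family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, 80, type=socket.SOCK_STREAM
    ):
        rec = ("AAAA" if family == socket.AF_INET6 else "A", sockaddr[0])
        if rec not in seen:
            seen.append(rec)
    return seen


def tcp_connect_ok(address: str, port: int = 80, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to address:port completes within `timeout` s.

    A timeout, refused connection or missing IPv6 route all count as failure;
    any of them is enough to make an http-01 validation fail.
    """
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_records(
    records: List[Record],
    connect: Callable[[str], bool] = tcp_connect_ok,
) -> Dict[str, object]:
    """Probe each published address and summarise which ones would block validation.

    `connect` is injectable so the logic can be tested without network access.
    """
    results = {rec: connect(rec[1]) for rec in records}
    unreachable = [addr for (_rtype, addr), ok in results.items() if not ok]
    # An unreachable AAAA is singled out: a validator that prefers IPv6 will
    # hit it first, which is exactly the symptom reported in the thread.
    blocking_ipv6 = [
        addr for (rtype, addr), ok in results.items() if rtype == "AAAA" and not ok
    ]
    return {
        "results": results,
        "unreachable": unreachable,
        "blocking_ipv6": blocking_ipv6,
        "ok": not unreachable,
    }


def describe(report: Dict[str, object]) -> str:
    """Render the report as the advice an operator needs before retrying certbot."""
    if report["ok"]:
        return "all published addresses accept TCP on port 80"
    lines = [f"unreachable on port 80: {', '.join(report['unreachable'])}"]
    if report["blocking_ipv6"]:
        lines.append(
            "IPv6 address(es) do not answer: fix the IPv6 listener/firewall "
            "or remove the AAAA record before retrying"
        )
    return "; ".join(lines)


if __name__ == "__main__":
    # Usage: python preflight.py www.example.org   (live lookup and probes)
    # With no argument the constructed sample records are probed instead.
    records = resolve_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    print(describe(check_records(records)))
```

Run it from a host outside the server's own network, since the point is to see what a remote validator sees; an IPv6 probe from the server itself can succeed over a loopback or link-local path that no external client has.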

Fixed AAAA record, works as expected.

Thanks a lot!
