Connection timeout in authorization procedure

Please fill out the fields below so we can help you better.

My domain is:

I ran this command: certbot certonly --webroot -w /var/www/ -d -d

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1):
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
Using the webroot path /var/www/ for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Timeout

My web server is (include version): Lighttpd 1.4.45

The operating system my web server runs on is (include version): Gentoo

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Certbot complains that the server could not connect to the client. Connection timeout is given as reason. I’ve checked from a client machine that the web server is accessible on port 80 and also that the directory /.well-known/acme-challenges/ is accessible. When dumping traffic on the server, I see a TCP handshake on port 80 initiated by a Let’s Encrypt machine, immediately followed by a TCP FIN (connection closing). Can anyone help?

$ mhost  (unsigned)  86400  A
$ mhost  (unsigned)  86400  A  (unsigned)  86400  AAAA  2a01:4f8:121:20e2::3
$ nc -6vz 80
nc: connect to port 80 (tcp) failed: Connection timed out

has an IPv6 address, but connecting to it apparently times out. In the past, when validating dual-stack sites, Let’s Encrypt preferred IPv4; recently, it was changed to prefer IPv6.

It’s actually supposed to fall back to IPv4 in this case, but there’s kind of a bug in the fallback process.

Either way, you should fix the IPv6 server, or remove the AAAA record.

1 Like
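
A pre-flight check for the situation described in the answer above, as an added example that is not part of the original thread: because validation prefers IPv6 for dual-stack names, it probes port 80 on every A and AAAA address of a host and reports when only the IPv6 side fails. The function names and verdict strings are illustrative assumptions.

```python
import socket
import sys

def resolve(host, port=80):
    """Return sorted, de-duplicated (family, address) pairs from A and AAAA lookups."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(fam, sa[0]) for fam, _, _, _, sa in infos
                   if fam in (socket.AF_INET, socket.AF_INET6)})

def probe(family, address, port=80, timeout=5.0):
    """Attempt one TCP connect over the given family; return (ok, detail)."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True, "connected"
    except OSError as exc:  # timeout, refused, unreachable, or family unsupported
        return False, exc.__class__.__name__

def diagnose(addresses, port=80, timeout=5.0):
    """Summarise reachability per address family (verdict strings are illustrative)."""
    v4 = [probe(f, a, port, timeout)[0] for f, a in addresses if f == socket.AF_INET]
    v6 = [probe(f, a, port, timeout)[0] for f, a in addresses if f == socket.AF_INET6]
    if not v4 and not v6:
        return "no-addresses"
    if v6 and not all(v6):
        # An AAAA record exists but does not answer: a validator that prefers
        # IPv6 will time out even though IPv4 clients see a working site.
        return "ipv6-broken" if v4 and all(v4) else "unreachable"
    if v4 and not all(v4):
        return "ipv4-broken"
    return "ok"

if __name__ == "__main__":
    # Usage: python3 check_dualstack.py <hostname>   (script name is an assumption)
    addrs = resolve(sys.argv[1])
    for fam, addr in addrs:
        print(fam.name, addr, *probe(fam, addr))
    print("verdict:", diagnose(addrs))
```

A verdict of `ipv6-broken` corresponds to the two remedies given in the answer: fix the IPv6 server, or remove the AAAA record.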

Fixed AAAA record, works as expected.

Thanks a lot!
