Connection timeout

OK, the file is created and I can get the content with curl.

Same file?
Or two files?

Same file, because webdev redirects to le-auth.

The redirect is actually a redirect to https and then a redirect to the other name:

http://webdev.mediathekview.de/.well-known/acme-challenge/test.txt
301 Moved Permanently
Location: https://webdev.mediathekview.de/.well-known/acme-challenge/test.txt [following]
301 Moved Permanently
Location: http://le-auth.mediathekview.de/.well-known/acme-challenge/test.txt [following]
200 OK

I redirect to http:

location /.well-known/acme-challenge {
	location ~ /.well-known/acme-challenge/(.*) {
		return 301 http://le-auth.mediathekview.de$request_uri;
	}
}

Browsers will redirect to https.

Try just:
location ~ /.well-known/acme-challenge {
return 301 http://le-auth.mediathekview.de$request_uri;
}

I have changed it. Will you test?

http://webdev.mediathekview.de/.well-known/acme-challenge/test.txt
URL transformed to HTTPS due to an HSTS policy
https://webdev.mediathekview.de/.well-known/acme-challenge/test.txt
HTTP request sent, awaiting response… 301 Moved Permanently
Location: http://le-auth.mediathekview.de/.well-known/acme-challenge/test.txt [following]
HTTP request sent, awaiting response… 200 OK

Regardless, try to renew it again now.

#Show any failures.

I have deactivated HSTS for now. But no other reaction from letsencrypt.

Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/wagC55nih-O59g6hFvmhQJb3OlUOIIXIJOl6lMdYhIY.
https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/wagC55nih-O59g6hFvmhQJb3OlUOIIXIJOl6lMdYhIY HTTP/1.1" 200 1805
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1805
Boulder-Request-Id: eMvzkd3JO8eJKKD4A02WblgNgST_DozWdQeVHUS8xxQ
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: bYc2rRXD-wlnmz-nano-4fHLwSQFXixHcKhZd2PGFuM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 19 Jun 2017 10:28:33 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Jun 2017 10:28:33 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "webdev.mediathekview.de"
  },
  "status": "invalid",
  "expires": "2017-06-26T10:28:24Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/wagC55nih-O59g6hFvmhQJb3OlUOIIXIJOl6lMdYhIY/44625053",
      "token": "bLv3rK7hZhbiAadx0Xk7p3q5SCRPJbJ7yEJtt8MmkWU"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/wagC55nih-O59g6hFvmhQJb3OlUOIIXIJOl6lMdYhIY/44625054",
      "token": "1LS-9C-norV31lH0TZT57Q1froCxc0T88Aa7qeKJHS0"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://webdev.mediathekview.de/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo: Timeout",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/wagC55nih-O59g6hFvmhQJb3OlUOIIXIJOl6lMdYhIY/44625055",
      "token": "PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo",
      "keyAuthorization": "PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo.NihnW21AV9wjCIiiEe2DsisKVHPIjjY1rM3oec6RebE",
      "validationRecord": [
        {
          "url": "http://webdev.mediathekview.de/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo",
          "hostname": "webdev.mediathekview.de",
          "port": "80",
          "addressesResolved": [
            "5.1.76.243",
            "2a00:f820:417::18e6:9ec3"
          ],
          "addressUsed": "2a00:f820:417::18e6:9ec3",
          "addressesTried": []
        }
      ]
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: mailadmin.mediathekview.de
Type:   connection
Detail: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/3Q4IhvQYYDOF8bXBo0bD3gTerQ6bvGzQqf5asumVGXg: Timeout

Domain: forum.mediathekview.de
Type:   connection
Detail: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/zHGvc8QibgXecOI8tcXmLGq0Ng3qjzqfMF9OxRHU8YE: Timeout

Domain: mediathekview.de
Type:   connection
Detail: Fetching http://mediathekview.de/.well-known/acme-challenge/i7ENzVaBG-nWH1dW7yMjmFuA4LO5s-WIc6jJH71exIo: Timeout

Domain: iframely.mediathekview.de
Type:   connection
Detail: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/e_qF1kFplzeVJY4xu2bbhmsvfZ7a9K6IhX6Jx26XQAc: Timeout

Domain: www.mediathekview.de
Type:   connection
Detail: Fetching http://www.mediathekview.de/.well-known/acme-challenge/ZlAw-CBf1_-919ElKdNljBlMKjnal9R_2ilDYYqE3dA: Timeout

Domain: archiv.mediathekview.de
Type:   connection
Detail: Fetching http://archiv.mediathekview.de/.well-known/acme-challenge/ll1zm_MFBE29qwmFyhlcWQKiUyHgkRonEGANXGbF594: Timeout

Domain: mail.mediathekview.de
Type:   connection
Detail: Fetching http://mail.mediathekview.de/.well-known/acme-challenge/m11E5fZrqPm9egiuuhO8-Umrftn1r4zfsvhvL4sS7mk: Timeout

Domain: webdev.mediathekview.de
Type:   connection
Detail: Fetching http://webdev.mediathekview.de/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo: Timeout

Domain: imap.mediathekview.de
Type:   connection
Detail: Fetching http://imap.mediathekview.de/.well-known/acme-challenge/AR0NaZwVzpQGe45e-VyNxN10dz-iUe-VzPdRwq-7Dz4: Timeout

Domain: res.mediathekview.de
Type:   connection
Detail: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/ZQK40K37b-_xArTfBxsF--wxdYqwqI0iSzKNvrc4do8: Timeout

Domain: repo.mediathekview.de
Type:   connection
Detail: Fetching http://repo.mediathekview.de/.well-known/acme-challenge/EL7MrMBH9zhGpvzPBuhIdeRRV0xrHSdgzKcAmrrgze0: Timeout

Domain: smtp.mediathekview.de
Type:   connection
Detail: Fetching http://smtp.mediathekview.de/.well-known/acme-challenge/ePbA8X0l-RpV7DHVU_SGZFOJhyTdpu_ZxRJigpEYnzE: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Cleaning up challenges
Removing /var/www/acme-challenges/.well-known/acme-challenge/i7ENzVaBG-nWH1dW7yMjmFuA4LO5s-WIc6jJH71exIo
Removing /var/www/acme-challenges/.well-known/acme-challenge/ZlAw-CBf1_-919ElKdNljBlMKjnal9R_2ilDYYqE3dA
Removing /var/www/acme-challenges/.well-known/acme-challenge/3Q4IhvQYYDOF8bXBo0bD3gTerQ6bvGzQqf5asumVGXg
Removing /var/www/acme-challenges/.well-known/acme-challenge/EL7MrMBH9zhGpvzPBuhIdeRRV0xrHSdgzKcAmrrgze0
Removing /var/www/acme-challenges/.well-known/acme-challenge/m11E5fZrqPm9egiuuhO8-Umrftn1r4zfsvhvL4sS7mk
Removing /var/www/acme-challenges/.well-known/acme-challenge/ePbA8X0l-RpV7DHVU_SGZFOJhyTdpu_ZxRJigpEYnzE
Removing /var/www/acme-challenges/.well-known/acme-challenge/AR0NaZwVzpQGe45e-VyNxN10dz-iUe-VzPdRwq-7Dz4
Removing /var/www/acme-challenges/.well-known/acme-challenge/ll1zm_MFBE29qwmFyhlcWQKiUyHgkRonEGANXGbF594
Removing /var/www/acme-challenges/.well-known/acme-challenge/ZQK40K37b-_xArTfBxsF--wxdYqwqI0iSzKNvrc4do8
Removing /var/www/acme-challenges/.well-known/acme-challenge/SxZjI54K5wRk0XTI81L4hcq9z8C3xCkcoSpj90qh0LA
Removing /var/www/acme-challenges/.well-known/acme-challenge/zHGvc8QibgXecOI8tcXmLGq0Ng3qjzqfMF9OxRHU8YE
Removing /var/www/acme-challenges/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo
Removing /var/www/acme-challenges/.well-known/acme-challenge/e_qF1kFplzeVJY4xu2bbhmsvfZ7a9K6IhX6Jx26XQAc
Removing /var/www/acme-challenges/.well-known/acme-challenge/hMMBVFiaFxlvNRAZ52uoREtrS3ZOzWP7Hfj44Qu4S60
Unable to clean up challenge directory /var/www/acme-challenges/.well-known/acme-challenge
Error was: [Errno 39] Directory not empty: '/var/www/acme-challenges/.well-known/acme-challenge'
Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 670, in certonly
    cert_path, fullchain_path = _csr_get_and_save_cert(config, le_client)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 622, in _csr_get_and_save_cert
    certr, chain = le_client.obtain_certificate_from_csr(config.domains, csr)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 268, in obtain_certificate_from_csr
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. mailadmin.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/3Q4IhvQYYDOF8bXBo0bD3gTerQ6bvGzQqf5asumVGXg: Timeout, forum.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/zHGvc8QibgXecOI8tcXmLGq0Ng3qjzqfMF9OxRHU8YE: Timeout, mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mediathekview.de/.well-known/acme-challenge/i7ENzVaBG-nWH1dW7yMjmFuA4LO5s-WIc6jJH71exIo: Timeout, iframely.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/e_qF1kFplzeVJY4xu2bbhmsvfZ7a9K6IhX6Jx26XQAc: Timeout, www.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.mediathekview.de/.well-known/acme-challenge/ZlAw-CBf1_-919ElKdNljBlMKjnal9R_2ilDYYqE3dA: Timeout, archiv.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://archiv.mediathekview.de/.well-known/acme-challenge/ll1zm_MFBE29qwmFyhlcWQKiUyHgkRonEGANXGbF594: Timeout, mail.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.mediathekview.de/.well-known/acme-challenge/m11E5fZrqPm9egiuuhO8-Umrftn1r4zfsvhvL4sS7mk: Timeout, webdev.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching 
http://webdev.mediathekview.de/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo: Timeout, imap.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://imap.mediathekview.de/.well-known/acme-challenge/AR0NaZwVzpQGe45e-VyNxN10dz-iUe-VzPdRwq-7Dz4: Timeout, res.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/ZQK40K37b-_xArTfBxsF--wxdYqwqI0iSzKNvrc4do8: Timeout, repo.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://repo.mediathekview.de/.well-known/acme-challenge/EL7MrMBH9zhGpvzPBuhIdeRRV0xrHSdgzKcAmrrgze0: Timeout, smtp.mediathekview.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://smtp.mediathekview.de/.well-known/acme-challenge/ePbA8X0l-RpV7DHVU_SGZFOJhyTdpu_ZxRJigpEYnzE: Timeout
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mailadmin.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://le-auth.mediathekview.de/.well-known/acme-challenge/3Q4IhvQYYDOF8bXBo0bD3gTerQ6bvGzQqf5asumVGXg:
   Timeout

   Domain: forum.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://le-auth.mediathekview.de/.well-known/acme-challenge/zHGvc8QibgXecOI8tcXmLGq0Ng3qjzqfMF9OxRHU8YE:
   Timeout

   Domain: mediathekview.de
   Type:   connection
   Detail: Fetching
   http://mediathekview.de/.well-known/acme-challenge/i7ENzVaBG-nWH1dW7yMjmFuA4LO5s-WIc6jJH71exIo:
   Timeout

   Domain: iframely.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://le-auth.mediathekview.de/.well-known/acme-challenge/e_qF1kFplzeVJY4xu2bbhmsvfZ7a9K6IhX6Jx26XQAc:
   Timeout

   Domain: www.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://www.mediathekview.de/.well-known/acme-challenge/ZlAw-CBf1_-919ElKdNljBlMKjnal9R_2ilDYYqE3dA:
   Timeout

   Domain: archiv.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://archiv.mediathekview.de/.well-known/acme-challenge/ll1zm_MFBE29qwmFyhlcWQKiUyHgkRonEGANXGbF594:
   Timeout

   Domain: mail.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://mail.mediathekview.de/.well-known/acme-challenge/m11E5fZrqPm9egiuuhO8-Umrftn1r4zfsvhvL4sS7mk:
   Timeout

   Domain: webdev.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://webdev.mediathekview.de/.well-known/acme-challenge/PIg2qplmMv69SLWzjiqSFROsyvx2xZMfN4YeoY2qqpo:
   Timeout

   Domain: imap.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://imap.mediathekview.de/.well-known/acme-challenge/AR0NaZwVzpQGe45e-VyNxN10dz-iUe-VzPdRwq-7Dz4:
   Timeout

   Domain: res.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://le-auth.mediathekview.de/.well-known/acme-challenge/ZQK40K37b-_xArTfBxsF--wxdYqwqI0iSzKNvrc4do8:
   Timeout

   Domain: repo.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://repo.mediathekview.de/.well-known/acme-challenge/EL7MrMBH9zhGpvzPBuhIdeRRV0xrHSdgzKcAmrrgze0:
   Timeout

   Domain: smtp.mediathekview.de
   Type:   connection
   Detail: Fetching
   http://smtp.mediathekview.de/.well-known/acme-challenge/ePbA8X0l-RpV7DHVU_SGZFOJhyTdpu_ZxRJigpEYnzE:
   Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

www.mediathekview.de is indeed inaccessible over IPv6 and that is causing your problems.

Please ensure the AAAA records for your domains point to the correct IPv6 address, that ports 80 and 443 are open for IPv6 in your firewall, and that nginx is listening on IPv6 (e.g. listen [::]:80;).

If you cannot resolve your IPv6 issues you will need to remove the invalid AAAA records for these domains in order to complete validation.

P.S. @rg305 I use this utility to check for this.

2 Likes
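The diagnosis in the reply above can be read directly from the `validationRecord` in the authorization JSON, where `addressUsed` shows which address family the validation server connected over. The following is an added example, not code from the original posts: `diagnose` and `family` are hypothetical helper names, and the sample hostnames and addresses are constructed documentation placeholders.

```python
import ipaddress
import json

# Constructed sample in the ACME v1 authz shape shown in the logs above.
# Hostnames and addresses are documentation placeholders, not thread values.
SAMPLE_AUTHZS = json.loads("""
[
  {"identifier": {"type": "dns", "value": "dual.example.org"},
   "status": "invalid",
   "challenges": [
     {"type": "dns-01", "status": "pending"},
     {"type": "http-01", "status": "invalid",
      "error": {"type": "urn:acme:error:connection",
                "detail": "Fetching http://dual.example.org/.well-known/acme-challenge/TOKEN: Timeout",
                "status": 400},
      "validationRecord": [
        {"url": "http://dual.example.org/.well-known/acme-challenge/TOKEN",
         "hostname": "dual.example.org", "port": "80",
         "addressesResolved": ["192.0.2.10", "2001:db8::10"],
         "addressUsed": "2001:db8::10", "addressesTried": []}]}]},
  {"identifier": {"type": "dns", "value": "v4only.example.net"},
   "status": "invalid",
   "challenges": [
     {"type": "tls-sni-01", "status": "invalid",
      "error": {"type": "urn:acme:error:connection", "detail": "Timeout", "status": 400},
      "validationRecord": [
        {"hostname": "v4only.example.net", "port": "443",
         "addressesResolved": ["198.51.100.7"],
         "addressUsed": "198.51.100.7", "addressesTried": []}]},
     {"type": "http-01", "status": "pending"}]}
]
""")


def family(addr):
    """Return 'IPv4' or 'IPv6' for a textual IP address."""
    return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"


def diagnose(authz):
    """List one finding per failed challenge, based on its last validation hop."""
    findings = []
    for chall in authz.get("challenges", []):
        if chall.get("status") != "invalid":
            continue
        records = chall.get("validationRecord") or []
        finding = {
            "domain": authz["identifier"]["value"],
            "challenge": chall["type"],
            "detail": chall.get("error", {}).get("detail", ""),
            "hostname": None, "port": None, "used": None, "family": None,
            "hint": "no validationRecord: the server never attempted a connection",
        }
        if records:
            # After redirects there is one record per hop; the last one failed.
            last = records[-1]
            used = last.get("addressUsed") or None
            resolved = {family(a) for a in last.get("addressesResolved", [])}
            finding.update(hostname=last.get("hostname"), port=last.get("port"), used=used)
            if used is None:
                finding["hint"] = "no address was used: check DNS for this hostname"
            else:
                finding["family"] = family(used)
                if finding["family"] == "IPv6" and "IPv4" in resolved:
                    finding["hint"] = ("connected over IPv6 although an A record exists: "
                                       "check the AAAA record, IPv6 firewall and listener")
                elif finding["family"] == "IPv6":
                    finding["hint"] = "IPv6-only host: check IPv6 firewall and listener"
                else:
                    finding["hint"] = "IPv6 not involved: check IPv4 firewall and listener"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for authz in SAMPLE_AUTHZS:
        for f in diagnose(authz):
            print("{domain} ({challenge}) -> {hostname}:{port} via {used} "
                  "[{family}]: {hint}".format(**f))
```

Feed it the JSON body that certbot logs after "Received response:" for an authorization whose status is "invalid".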

Hi, do you have any idea left on how I could solve my problem with the timeout?

OK, thanks, that was the problem.

I am unable to reproduce any connectivity issues to your domain either.

Since you say some validations on your server succeeded, and several of the domains in question appear to have succeeded previously, I think it’s unlikely you have a misconfiguration anywhere.

Have you tried again? A day has passed, maybe there were transient network issues.

If it still doesn’t work, I would go ahead and file a support ticket with your VPS provider and let them know that for some reason the Let’s Encrypt servers are unable to connect to your server while connections seem to be working from the rest of the Internet. Perhaps some firewall or intrusion detection system of theirs is blocking Let’s Encrypt automatically after some number of requests in quick succession.

Thanks for your reaction!

I did it the last few days on a daily basis but without any luck. I will contact my VPS provider; maybe it has something to do with an intrusion system. I did, however, contact them in the past when I had a similar issue, and they assured me that there was nothing blocking or that could block the access to the server.

I had the same problem a few months ago, after an update of certbot/letsencrypt the issue was gone and I got a valid certificate. I noticed last week that before I did the request there was an update again, maybe it is an issue with the update as well.

Certbot prints a bunch of debugging information between curly braces right before the error you shared with us. Perhaps it might reveal something we’ve missed.

I did a run again with the same result. Below I posted a few chunks out of the log file which contain one of the refused domains.

2017-06-21 14:13:59,041:DEBUG:acme.client:Storing nonce: t3z22Sn69biTV7qhFSeR0LspKKmKRHnSsKb5ATmyXpI
2017-06-21 14:13:59,042:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns", 
    "value": "www.pcpokrimpenerwaard-academie.nl"
  }, 
  "resource": "new-authz"
}
2017-06-21 14:13:59,046:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
  "protected": "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", 
  "payload": "ewogICJpZGVudGlmaWVyIjogewogICAgInR5cGUiOiAiZG5zIiwgCiAgICAidmFsdWUiOiAid3d3LnBjcG9rcmltcGVuZXJ3YWFyZC1hY2FkZW1pZS5ubCIKICB9LCAKICAicmVzb3VyY2UiOiAibmV3LWF1dGh6Igp9", 
  "signature": "vtmj4AS-qr24SqiWTYYxGyZyp3-SvQI8VdBRBiwL-fOf-5w_7nn5QVUXgT2PwUMdQdxcg3F9AAzO08iKDHS8GP9_vyqyS8Y4Tr5fUVUqHH_Afp8znC-qyZmWLr3_keTVMRycTVIBqSXHpDFCW6ewx8qYY1YM63H8PxxBEXTBGaoJwZocjnBiKQIg2fJd-SoVDDmPPp6gzXcAlJAcKu3OG6IbUokzsSaRyVyIIk1VNKkLpJvDiLT9sb9H5OZooI_Xo_eKiP3Gj96RX_G4hZH7sGSREbDGCBeplOeIpdcVgRVRXXRIs-OWD09a7ndzNBpK1XUhklMKaUAgw1C4mEY1EQ"
}
2017-06-21 14:13:59,262:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1022
2017-06-21 14:13:59,263:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1022
Boulder-Request-Id: qc_XCc3XM_mrRj6c-3y8W0ycMQBKI88zB2X2_LbTXtA
Boulder-Requester: 7952757
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o
Replay-Nonce: WdvkoAq7sz-LrMuprBUksKe-Qim19y5DU_lXQ7s-RiU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 21 Jun 2017 14:13:59 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 21 Jun 2017 14:13:59 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.pcpokrimpenerwaard-academie.nl"
  },
  "status": "pending",
  "expires": "2017-06-28T14:13:59.162279378Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484988",
      "token": "1ceSh5Bj7zsTT2zMeUbpqNEzYMfAs6PQGdYYN6_9PMU"
    },
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484989",
      "token": "KRIv-lyiBHXuaWwAe8xnIXqRcxsR2Rek_wucItkBwys"
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484990",
      "token": "QreuF25AUN2CJw9hW4eiAwhtdiYg-x2Q7vIRJv-CnJo"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}

Chunk2

<VirtualHost www.pcpokrimpenerwaard-academie.nl:443>
    ServerName 70c13cb3bd2cf23b3e221f2c0354c9fd.673c6c6f50ad12537c2bb8909d4e1369.acme.invalid
    UseCanonicalName on
    SSLStrictSNIVHostCheck on

    LimitRequestBody 1048576

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /var/lib/letsencrypt/KRIv-lyiBHXuaWwAe8xnIXqRcxsR2Rek_wucItkBwys.crt
    SSLCertificateKeyFile /var/lib/letsencrypt/KRIv-lyiBHXuaWwAe8xnIXqRcxsR2Rek_wucItkBwys.pem

    DocumentRoot /var/lib/letsencrypt/tls_sni_01_page/
</VirtualHost>

chunk3

2017-06-21 14:15:34,440:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o.
2017-06-21 14:15:34,629:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o HTTP/1.1" 200 1544
2017-06-21 14:15:34,630:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1544
Boulder-Request-Id: azPbmn9CiEgCCg01fM_NhpDa6XW1iE9-eyzVpA5aCtw
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: XbA06yDUjPlCXa0cjnyKKr1VpY6RT8yKNbI8fJewwW0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 21 Jun 2017 14:15:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 21 Jun 2017 14:15:34 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.pcpokrimpenerwaard-academie.nl"
  },
  "status": "invalid",
  "expires": "2017-06-28T14:13:59Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484988",
      "token": "1ceSh5Bj7zsTT2zMeUbpqNEzYMfAs6PQGdYYN6_9PMU"
    },
    {
      "type": "tls-sni-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Timeout",
        "status": 400
      },
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484989",
      "token": "KRIv-lyiBHXuaWwAe8xnIXqRcxsR2Rek_wucItkBwys",
      "keyAuthorization": "KRIv-lyiBHXuaWwAe8xnIXqRcxsR2Rek_wucItkBwys.l4alHBeez3TUw9G725fitfajwLvAUgUuqXVqLkGUBnY",
      "validationRecord": [
        {
          "hostname": "www.pcpokrimpenerwaard-academie.nl",
          "port": "443",
          "addressesResolved": [
            "149.210.230.215"
          ],
          "addressUsed": "149.210.230.215",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/SZgYrzf01FNAEkqnhfB7mOzJ2CceJUui-GwQn9ewK8o/1389484990",
      "token": "QreuF25AUN2CJw9hW4eiAwhtdiYg-x2Q7vIRJv-CnJo"
    }
  ],
  "combinations": [
    [
      0
    ],
    [
      1
    ],
    [
      2
    ]
  ]
}
2017-06-21 14:15:34,632:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/VGPhENPbrT-JREtTrnNNEqMlQwmJpgAXcdPeM1ObZa4.
2017-06-21 14:15:34,829:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/VGPhENPbrT-JREtTrnNNEqMlQwmJpgAXcdPeM1ObZa4 HTTP/1.1" 200 1414
2017-06-21 14:15:34,830:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1414
Boulder-Request-Id: 8xqIVffNnpTsjw_wvFZ342NVD5KVPgIVn4TwZ6IXotA
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: uYfAtggze3PBY9L50Yrn33pFAGQmermAfij_DD5m2cA
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Wed, 21 Jun 2017 14:15:34 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Wed, 21 Jun 2017 14:15:34 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "www.margrietschool.cadenza-hs.nl"
  },
  "status": "valid",
  "expires": "2017-07-13T13:06:59Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/VGPhENPbrT-JREtTrnNNEqMlQwmJpgAXcdPeM1ObZa4/1331841038",
      "token": "KN8b-n8w6EnpTxQsJSgD6HcoE7zRi9ZDANGY6Bd0X9E"
    },
    {
      "type": "tls-sni-01",
      "status": "valid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/VGPhENPbrT-JREtTrnNNEqMlQwmJpgAXcdPeM1ObZa4/1331841047",
      "token": "FOG9zTuAtIHox9EQQiLSeXf2rmdUaJg01DI-In4ctZE",
      "keyAuthorization": "FOG9zTuAtIHox9EQQiLSeXf2rmdUaJg01DI-In4ctZE.l4alHBeez3TUw9G725fitfajwLvAUgUuqXVqLkGUBnY",
      "validationRecord": [
        {
          "hostname": "www.margrietschool.cadenza-hs.nl",
          "port": "443",
          "addressesResolved": [
            "149.210.230.215"
          ],
          "addressUsed": "149.210.230.215",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "http-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/VGPhENPbrT-JREtTrnNNEqMlQwmJpgAXcdPeM1ObZa4/1331841064",
      "token": "ryK8O1-nH_8lyJt0ss0qXn00TaHoLVo673CHxDTNiVA"
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      2
    ],
    [
      0
    ]
  ]
}

chunk4

2017-06-21 14:15:41,455:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.pcpokrimpenerwaard-academie.nl
Type:   connection
Detail: Timeout

Domain: www.pcbovroomshoop-academie.nl
Type:   connection
Detail: Timeout

Domain: www.scoh-academie.nl
Type:   connection
Detail: Timeout

Domain: www.prisma-academie.nl
Type:   connection
Detail: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-06-21 14:15:41,455:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-21 14:16:18,058:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 598, in run
    certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.pcpokrimpenerwaard-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.pcbovroomshoop-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.scoh-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.prisma-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

I can see the problem is solved now:

$ check_http --ssl -C 30,14 -H www.prisma-academie.nl
OK - Certificate 'www.3lacademie-elearning.nl' will expire on Sun 27 Aug 2017 10:36:00 AM GMT +0000.

What was the solution?

I got a connection timeout myself. certbot version 0.10.2 on Debian 8 Jessie. I have no IPv6. I added some new domains yesterday and they work fine.

$ curl -I w0.dk
HTTP/1.1 301 Moved Permanently
Date: Mon, 26 Jun 2017 16:00:01 GMT
Server: Apache/2.4.10 (Debian)
Location: https://w0.dk/
Content-Type: text/html; charset=iso-8859-1

$ curl -I https://w0.dk
HTTP/1.1 200 OK
Date: Mon, 26 Jun 2017 16:00:09 GMT
Server: Apache/2.4.10 (Debian)
Content-Type: text/html; charset=UTF-8

$ check_http --ssl -C 30,14 -H w0.dk
WARNING - Certificate 'www.w0.dk' expires in 27 day(s) (Sun 23 Jul 2017 09:29:00 PM GMT +0000).

From the output after “certbot renew”:

Domain: w0.dk
Type:   connection
Detail: Timeout

I was away for a few days and couldn’t react.
Tried this morning again but still getting the same errors. Not sure, but it might have to do with the latest update. I had this problem before but it disappeared after another update, but after the latest update they are back again.
I think the current version is 0.15 and the previous version which worked was 0.14.2, not 100% sure about the versions.

Solved: “renew” did not work but “certonly” works fine. So instead of having all domains in one .pem-file, I now have one .pem-file per domain.

I ran commands like this and changed the apache conf to use the associated cert files:

certbot certonly --webroot -w /var/www/example.org -d example.org -d www.example.org
certbot certonly --webroot -w /var/www/example.net -d example.net -d www.example.net

It is good to learn more about how it actually works.
