Error getting validation data (http-01)

Hi all,

Just looking to get some assistance if possible - It’s not the first time I’ve renewed, but it’s the first time I’ve had trouble with it.

My domain is:

I ran this command: ./certbot-auto renew --dry-run

It produced this output:

Attempting to renew cert from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching Error getting validation data. Skipping.

My web server is (include version): nginx/1.4.6

The operating system my web server runs on is (include version): Ubuntu 14.04.5 LTS

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I’ve followed a few other threads on here, but none have seemed to help. The webroot seems correct in the LE conf, I have created a test page in acme-challenge and it is accessible via browser/curl via ipv4 and ipv6 at (redirects to https):

curl -IkL6
HTTP/1.1 301 Moved Permanently
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 20 Jun 2017 22:55:02 GMT
Content-Type: text/html
Content-Length: 193
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx/1.4.6 (Ubuntu)
Date: Tue, 20 Jun 2017 22:55:03 GMT
Content-Type: text/html
Content-Length: 12
Last-Modified: Tue, 20 Jun 2017 22:35:47 GMT
Connection: keep-alive
ETag: "5949a343-c"
Accept-Ranges: bytes

Thanks in advance for any help!

This domain uses Digital Ocean’s DNS service, which is having problems today:

It might work if you try again, or you might have to wait awhile for them to resolve their issues.

1 Like

Still no change after 24 hours - is there something else that could be affecting the renewal attempt?

I believe so. Looking at the server logs I see that the validation authority tries to connect to your challenge server on IPv6 address 2604:a880:800:10::3401:4001 and then IPv4 address and receives a connection refused error.

Hm, seems like the IPv6 redirect to https wasn’t working correctly for some reason. I’ve removed the AAAA record for now, so it shouldn’t try to use IPv6, but still no change ~18 hours after updating it.

What error does Let’s Encrypt give now?

Still the same one as in the first post:

Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain

Apologies for letting this thread sleep a little - been a busy few weeks. Unfortunately, this problem does still persist. Is there any other suggestion to remedy this?

The error message may have been updated on the server side to give more detail—what error do you see now?

Can you confirm from server logs that the CA is trying to connect to you to test your domain?

Are you sure that the webroot directory you specified is the right one? (The directory that contains .well-known, rather than .well-known or acme-challenge itself?)

1 Like

Hmm - I have solved this with your hint of it being the webroot, but I’m not entirely sure of the root cause.

It was certainly using the correct directory from the config file, but the server was indeed getting no hits in the log. In the config file, it was specified in a way that I couldn’t find any documentation of?

[[webroot_map]] = /path/to/webroot/

I ended up using the same details with certonly: certbot-auto certonly -w /path/to/webroot/ -d which authenticated correctly. Now I have a new line in my conf with webroot_path = /path/to/webroot, (comma included) which was not previously there. Doing a --dry-run of renew also now appears to work.

Edit: Some more digging with that information shows that you helped someone else with almost the same issue over a year ago: Help us test renewal with "letsencrypt renew"

Greatly appreciated your help on this, got it solved just in the nick of time! :slight_smile:



I’m glad it worked. I’m also not sure of what was wrong, since the webroot_map should also have worked.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.