Error getting validation data only on some sites - port 80 ok

For some reason, this has just started to happen: when I try to renew, 2 of my sites give this issue.

I have 8 sites on server and they renew ok… so I guess not a port 80 issue

My domain is: www.3dvision.org.uk

I ran this command: renew

It produced this output:

Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/byBBlOSUCvBNwV06tPlC5n5s0rcmxZibRQYDZotL-H0.
Details:
Type: urn:acme:error:connection
Status: 400
Detail: Fetching http://www.3dvision.org.uk/.well-known/acme-challenge/n6no6XcxcyrRvOpL5ERaOPZ9YbWDGejNbhOPED7DO_s: Error getting validation data

https://letsdebug.net/www.3dvision.org.uk/32112

Looks like you have an AAAA record for IPv6, but it’s not working. So you need to fix your IPv6, or remove the AAAA record.

Thank you for the quick response. If I show you my DNS records, does that help figure out why I get this issue?

You have A and AAAA records. Your A records point to an IPv4 address and your AAAA records point to an IPv6 address. Maybe your site seems to work fine because your local connection uses IPv4, and your site works fine over IPv4. But if you have both types of records, Let’s Encrypt will try to connect over IPv6, and that’s not working currently on your server (or you have the wrong address).

So check if your server really has an IPv6 address, if the one listed for your AAAA records is the correct one, and if your web server is actually listening and responding on IPv6.

If you don’t intend to support IPv6, remove both of the AAAA records and Let’s Encrypt will connect over IPv4.
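The checks above (does the name publish A and AAAA records, and does the server actually answer HTTP on each address) can be scripted. The following is an added example, not code from this thread or from Let's Encrypt: it resolves each address family separately, fetches a challenge-style path from every address with the real Host header, and reports which family does not answer. The hostname and token path are constructed placeholders; the `resolve` and `fetch` parameters exist so the logic can be exercised without network access.

```python
import socket
from http.client import HTTPConnection

def addresses(host, family):
    """Published addresses of one family: AF_INET ~ A records, AF_INET6 ~ AAAA records."""
    try:
        infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def fetch_over(host, ip, family, path, timeout=10.0):
    """GET path from one specific address (so nothing can silently fall back to the other
    family), sending the real Host header. Returns the HTTP status; raises OSError on failure."""
    conn = HTTPConnection(ip, 80, timeout=timeout)  # family is implied by the literal ip
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()

def diagnose(host, path, resolve=addresses, fetch=fetch_over, timeout=10.0):
    """Probe the challenge path over every A and every AAAA address.
    Result: {"ipv4": [(ip, status-or-"error: ..."), ...], "ipv6": [...]}."""
    report = {}
    for label, family in (("ipv4", socket.AF_INET), ("ipv6", socket.AF_INET6)):
        results = []
        for ip in resolve(host, family):
            try:
                results.append((ip, fetch(host, ip, family, path, timeout)))
            except OSError as exc:  # timeouts, refused and unreachable all land here
                results.append((ip, f"error: {exc}"))
        report[label] = results
    return report

def verdict(report):
    """Any HTTP status (even 404) proves the server answers on that family; a family with
    records but no answer is what breaks validation, since the CA tries IPv6 when AAAA exists."""
    answers = {k: any(isinstance(s, int) for _, s in v) for k, v in report.items()}
    if report["ipv6"] and not answers["ipv6"]:
        return "AAAA published but IPv6 does not answer: fix IPv6 or remove the AAAA records"
    if report["ipv4"] and not answers["ipv4"]:
        return "A published but IPv4 does not answer"
    if not (report["ipv4"] or report["ipv6"]):
        return "no A or AAAA records found"
    return "every published address answers HTTP"

if __name__ == "__main__":
    # Constructed example values: use your own hostname and the path from the CA's error.
    print(verdict(diagnose("www.example.test", "/.well-known/acme-challenge/placeholder-token")))
```

Run it from a host with working IPv6 connectivity; if your own machine is IPv4-only, the IPv6 probe reports an error regardless of the server's state.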


Thanks John for your help, as I am out of my depth!
So I removed both AAAA records linked to IPv6.
Ran Renew again via Plesk and it worked!

So I presume if I was to Add records back and then remove the A records linked to IPv4 this might be a good test to prove the issue is with IPv6?

I think the fact that you removed the AAAA records and it worked is enough to prove the issue was with IPv6.

If you remove the A records then IPv4 will stop working; you might not want to do that, as lots of people have only IPv4 and won’t be able to reach your site.

If you want to try to fix your IPv6 you could just put the records back and try to access your site via an IPv6 connection, or if you don’t have access to one, a proxy such as http://www.ipv6proxy.net/

Thanks John, is there a simple command I can run to check my server is actually listening and responding on IPv6?

many thanks

Hi @rfollett

You can use my online tool, with your IPv6 address and your domain as additional hostname: https://check-your-website.server-daten.de/?q=2001%3A8d8%3A9b0%3Ae800%3A%3Aae%3A987c&h=3dvision.org.uk

Then you can check your IPv6 without having a (not working) AAAA record.

If all works -> add the AAAA.

But now - there are only timeouts:

Domainname Http-Status redirect Sec. G
• http://2001:8d8:9b0:e800::ae:987c/
2001:8d8:9b0:e800::ae:987c -14 10.030 T
Timeout - The operation has timed out
• https://2001:8d8:9b0:e800::ae:987c/
2001:8d8:9b0:e800::ae:987c -14 10.027 T
Timeout - The operation has timed out
• http://2001:8d8:9b0:e800::ae:987c/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:8d8:9b0:e800::ae:987c -14 10.026 T
Timeout - The operation has timed out

OK, thanks Juergen. Back to my server to try and work out what is going on!

Hi Juergen,
I hope I have fixed it.
With your expert knowledge are you able to check again?
I did a check and now it just says Forbidden…
many thanks again for your help

I don't see a Forbidden - https://check-your-website.server-daten.de/?q=2001%3A8d8%3A9b0%3Ae800%3A%3Aae%3A987c&h=www.3dvision.org.uk

Without the domain name as hostname the certificate is wrong.

But adding the www-domain:

Domainname Http-Status redirect Sec. G
http://www.3dvision.org.uk/ 302 https://3dvision.org.uk/ 0.087 A
• http://2001:8d8:9b0:e800::ae:987c/
2001:8d8:9b0:e800::ae:987c 301 http://www.3dvision.org.uk/ 0.464 D
https://3dvision.org.uk/ 301 https://www.3dvision.org.uk/ 0.270 B
• https://2001:8d8:9b0:e800::ae:987c/
2001:8d8:9b0:e800::ae:987c 301 https://www.3dvision.org.uk/ 0.416 B
https://www.3dvision.org.uk/ 200 0.613 I
• http://2001:8d8:9b0:e800::ae:987c/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:8d8:9b0:e800::ae:987c 301 http://www.3dvision.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.043 D
Visible Content: 301 Moved Permanently nginx
http://www.3dvision.org.uk/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.056 A
Not Found
Visible Content: 404 Not Found nginx

IPv6 works, the certificate is correct.

There is a Grade I - two small errors:

og:image should be https

http://www.3dvision.org.uk/images/architecture/slider/slide-6-fs.jpg

Same with google-maps:

http://maps.googleapis.com/maps/api/js?v=3

Same with your non-www domain - https://check-your-website.server-daten.de/?q=2001%3A8d8%3A9b0%3Ae800%3A%3Aae%3A987c&h=3dvision.org.uk

So add the AAAA entry and recheck your (non-www) domain (www is added).

Thank you for your detailed answers.
AAAA back in DNS.
Changed the 2 small errors.
So now hopefully all good.

many many thanks

Yep, now your domain has an A and an AAAA record and the basics are good:

Domainname Http-Status redirect Sec. G
http://3dvision.org.uk/
217.160.109.114 301 http://www.3dvision.org.uk/ 0.043 D
http://3dvision.org.uk/
2001:8d8:9b0:e800::ae:987c 301 http://www.3dvision.org.uk/ 0.044 D
http://www.3dvision.org.uk/
217.160.109.114 302 https://3dvision.org.uk/ 0.047 E
http://www.3dvision.org.uk/
2001:8d8:9b0:e800::ae:987c 302 https://3dvision.org.uk/ 0.043 E
https://3dvision.org.uk/
217.160.109.114 301 https://www.3dvision.org.uk/ 0.250 B
https://3dvision.org.uk/
2001:8d8:9b0:e800::ae:987c 301 https://www.3dvision.org.uk/ 0.253 B
https://www.3dvision.org.uk/
217.160.109.114 200 0.423 B
https://www.3dvision.org.uk/
2001:8d8:9b0:e800::ae:987c 200 0.426 B

Redirects http -> https, both IP addresses are correct.

Perhaps reorganize your redirects; these are not optimal.
