Getting timeout during authorization - can't figure out the problem

I don’t know what else to check. Setup is nginx/Debian 9. I have both A and AAAA records for my domain (tor.enallt.unam.mx), I’m seeing what I suppose is Let’s Encrypt reaching my server, but the connection is very weird:

10:06:50.067043 IP 64.78.149.164.60630 > 132.247.187.217.80: Flags [S]
10:06:50.067285 IP 132.247.187.217.80 > 64.78.149.164.60630: Flags [S.]
10:06:50.116606 IP 64.78.149.164.60630 > 132.247.187.217.80: Flags [.]
10:06:50.116711 IP 64.78.149.164.60630 > 132.247.187.217.80: Flags [F.]
10:06:50.117349 IP 132.247.187.217.80 > 64.78.149.164.60630: Flags [F.]
10:06:50.166579 IP 64.78.149.164.60630 > 132.247.187.217.80: Flags [.]

So the standard three-way handshake, and then… Let’s Encrypt sends a FIN/ACK? Not one HTTP request in there. It’s not the firewall, otherwise there wouldn’t be responses from my server. And it’s not nginx, I don’t think, because there’s not even a GET/POST in there anywhere.

It’s like LE is giving up before even requesting the challenge. Can anyone give me any insight on this? I have multiple certs with LE, in this and other networks, FWIW.

Thanks!

Hi @dolphone,

As your domain advertises A and AAAA records, Let’s Encrypt will prefer IPv6 over IPv4, but your site is not answering IPv6 requests.

$ curl -6IkL http://tor.enallt.unam.mx/.well-known/acme-challenge/test
curl: (7) Failed to connect to tor.enallt.unam.mx port 80: No route to host

It does answer when reached over IPv4 (but the web server is Apache, not nginx as you said):

$ curl -4IkL http://tor.enallt.unam.mx/.well-known/acme-challenge/test
HTTP/1.1 404 Not Found
Date: Tue, 05 Sep 2017 15:36:01 GMT
Server: Apache/2.4.25 (Debian)
Content-Type: text/html; charset=iso-8859-1

So it seems you have some IPv6 issues that need to be fixed before trying to issue a certificate… or maybe you could remove the AAAA record.

Cheers,
sahsanu

1 Like

From our side I'm seeing the error as:
net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I've seen this issue once in the past when something between the Let's Encrypt validation authority and the remote server is doing a bad 6to4 translation. That specific error message indicates to me that the VA did make a request but that no response was received.

FWIW I'm also unable to reach the host on the IPv6 address that the VA resolved and observe a timeout with curl (testing from a random IPv6 box I have lying around):

curl [2001:1218:4000:20:1000:600:0:1]:80
curl: (7) Failed to connect to 2001:1218:4000:20:1000:600:0:1 port 80: No route to host

1 Like

That’s it! That’s dumb of me :confused:

Thanks a lot!!

1 Like

Thanks! It’s IPv6 that’s the problem.

Thanks a lot for the help!

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.