Getting timeout during authorization - can't figure out the problem

I don’t know what else to check. Setup is nginx/Debian 9. I have both A and AAAA records for my domain (, I’m seeing what I suppose is Let’s Encrypt reaching my server, but the connection is very weird:

10:06:50.067043 IP > Flags [S]
10:06:50.067285 IP > Flags [S.]
10:06:50.116606 IP > Flags [.]
10:06:50.116711 IP > Flags [F.]
10:06:50.117349 IP > Flags [F.]
10:06:50.166579 IP > Flags [.]

So the standard three way handshake, and then… Let’s Encrypt sends a FIN/ACK? Not one HTTP request in there. It’s not the firewall, otherwise there wouldn’t be responses from my server. And it’s not nginx, I don’t think, because there’s not even a GET/POST in there anywhere.

It’s like LE is giving up before even requesting the challenge. Can anyone give me any insight on this? I have multiple certs with LE, in this and other networks, FWIW.


Hi @dolphone,

As your domain advertises A and AAAA records, Let’s Encrypt will prefer IPv6 over IPv4 but your site is not answering IPv6 requests.

$ curl -6IkL
curl: (7) Failed to connect to port 80: No route to host

It does if trying to reach it using IPv4 (but the web server is Apache not nginx as you said):

$ curl -4IkL
HTTP/1.1 404 Not Found
Date: Tue, 05 Sep 2017 15:36:01 GMT
Server: Apache/2.4.25 (Debian)
Content-Type: text/html; charset=iso-8859-1

So seems you have some IPv6 issues that need to be fixed before trying to issue a certificate… or maybe you could remove the AAAA record.


1 Like

From our side I'm seeing the error as:
net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

I've seen this issue once in the past when something between the Let's Encrypt validation authority and the remote server is doing a bad 6to4 translation. That specific error message indicates to me that the VA did make a request but that no response was received.

FWIW I'm also unable to reach the host on the IPv6 address that the VA resolved and observe a timeout with curl (testing from a random IPv6 box I have laying around):

curl [2001:1218:4000:20:1000:600:0:1]:80
curl: (7) Failed to connect to 2001:1218:4000:20:1000:600:0:1 port 80: No route to host

1 Like

That’s it! That’s dumb of me :confused:

Thanks a lot!!

1 Like

Thanks! It’s IPv6 that’s the problem.

Thanks a lot for the help!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.