Implemented HSTS, now can't renew


#1

My domain is: dezorgagenda.nl

I ran this command: certbot certonly --dry-run --manual

It produced this output: Failed authorization procedure. www.dezorgagenda.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.dezorgagenda.nl/.well-known/acme-challenge/ifM-TTublDVlYz73VBcj3XIPUqzCySqRWQXX0gtY43M: Timeout

My web server is (include version): nginx/1.10.2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, terminal

I tried: certbot certonly --dry-run --standalone --preferred-challenges http-01 --http-01-port 80 and
certbot certonly --dry-run --webroot --webroot-path=_PATH -d www.dezorgagenda.nl

and same reply. Failed authorization procedure…

I removed the HSTS from nginx and it is now running with a bare port 80 setting, still no fix.
In the browser I can receive and download the acme file when I use the manual option, but LE still doesn't connect to the server. Any ideas?


#2

Hello @noblestreet,

Yes, your site has an AAAA record (IPv6) but your server is not reachable at the advertised IPv6 address (Let's Encrypt prefers IPv6 if both IPv6 and IPv4 addresses resolve):

$ curl -vIkL6 http://www.dezorgagenda.nl/.well-known/acme-challenge/bla
* Hostname was NOT found in DNS cache
*   Trying 2a03:b0c0:0:1010::87d:a001...
* connect to 2a03:b0c0:0:1010::87d:a001 port 80 failed: Connection timed out
* Failed to connect to www.dezorgagenda.nl port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to www.dezorgagenda.nl port 80: Connection timed out

You have 2 options: fix the IPv6 issues so your server is reachable at its IPv6 address, or remove the AAAA records for your domain.

Cheers,
sahsanu
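The diagnosis above (an AAAA record is published, the validator tries IPv6 first, and the IPv6 path times out) can be reproduced from a shell without waiting for a failed authorization. The script below is an added example, not certbot's or Let's Encrypt's code: it resolves both A and AAAA records for the host, probes the challenge URL on every advertised address with IPv6 first, and exits non-zero if any address fails, since a validator that prefers IPv6 will not be rescued by a working IPv4 path. It only checks for an HTTP 200 on the token path; the real validator also compares the body with the key authorization. The `local_challenge_server` helper, the token `tok123`, the addresses `2001:db8::1` and `192.0.2.1`, and the hostname `localhost` used in the sanity check are constructed for the example.

```python
"""Reachability check for an HTTP-01 challenge URL (added example, not
certbot's or Let's Encrypt's code). Every address the domain advertises is
probed, AAAA first and then A, so a broken IPv6 path shows up as the timeout
seen in the post above instead of being masked by a working IPv4 path."""
import socket
import sys

ACME_PREFIX = "/.well-known/acme-challenge/"


def lookup(host):
    """Return {'AAAA': [...], 'A': [...]} for host via the system resolver."""
    records = {"AAAA": [], "A": []}
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return records
    for family, _, _, _, sockaddr in infos:
        key = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def probe_order(records):
    """IPv6 first, then IPv4: the order the validator used in this thread."""
    return ([("AAAA", a) for a in records["AAAA"]] +
            [("A", a) for a in records["A"]])


def probe(addr, host, path, port=80, timeout=5.0):
    """Plain-HTTP GET of path against one specific address; the Host header
    still carries the domain, as the validator sends it. Returns (ok, detail),
    where ok means an HTTP 200 came back before the timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((addr, port))
        sock.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
        status_line = b"".join(chunks).split(b"\r\n", 1)[0].decode("latin-1")
        return status_line.split()[1] == "200", status_line
    except (OSError, IndexError) as exc:  # timeout, refused, unreachable, junk
        return False, "%s: %s" % (type(exc).__name__, exc)
    finally:
        sock.close()


def check(host, token, records, port=80, timeout=5.0):
    """Probe the token URL on every advertised address; one result per address."""
    path = ACME_PREFIX + token
    return [(rr, addr) + probe(addr, host, path, port, timeout)
            for rr, addr in probe_order(records)]


def local_challenge_server(token, body=b"constructed-key-authorization"):
    """Throwaway HTTP server on 127.0.0.1 answering only this token's URL, so
    probe() can be sanity-checked offline (constructed helper). Returns (port, stop)."""
    import http.server
    import threading
    path = ACME_PREFIX + token

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the check's own output clean
            pass

    srv = http.server.HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    def stop():
        srv.shutdown()
        srv.server_close()
    return srv.server_address[1], stop


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: %s <hostname> <challenge-token>" % sys.argv[0])
    host, token = sys.argv[1], sys.argv[2]
    results = check(host, token, lookup(host))
    for rr, addr, ok, detail in results:
        print("%-4s %-40s %s  %s" % (rr, addr, "OK  " if ok else "FAIL", detail))
    # Non-zero if any advertised address fails: fix that path or drop its record.
    sys.exit(0 if results and all(r[2] for r in results) else 1)
```

Run it as `python3 check_acme.py www.example.com <token>` after placing the token file in the webroot; a line reading `AAAA 2001:db8::1 FAIL timeout: timed out` beside an `A ... OK` line is exactly the situation in this thread, and the fix is either to make port 80 answer on that IPv6 address or to remove the AAAA record.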


#3

Thanks for the reply. Will try it right away and let you know.


#4

Or switch to a TLS-SNI-01 challenge. That will fallback to IPv4 successfully. The HTTP-01 fallback will be fixed shortly (likely Thursday).


#5

@cpu Thanks for sharing the info :wink:


#6

@sahsanu Thanks for helping out initially! :tada:


#7

Dear sahsanu,
Thanks for the great tip. It was as you said. The moment we got the IPv6 to work, everything fell into place.
You made my day!
Arnaud


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.