Issue with renewing the certificate


#1

Hello, I see today in my logs a strange issue with renewing the certificate :worried:

I set up a cron job and this was working well for months. But now something is broken! Is anyone able to help me?

Thanks

2016/06/12 21:55:12 [error] 3092#0: connect() to [2a02:26f0:f4::58dd:9013]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2016/06/13 09:22:16 [error] 3091#0: connect() to [2a02:26f0:f4::58dd:9013]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2016/06/13 09:45:27 [error] 3093#0: connect() to [2a02:26f0:f4::58dd:902a]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org
2016/06/13 10:04:33 [error] 3092#0: connect() to [2a02:26f0:f4::58dd:9013]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org


#2

Is your domain reachable from everywhere outside, or could you have a firewall or something that has for some reason blocked access from letsencrypt?


#3

@serverco Hmm, I have fail2ban installed.


#4

These errors aren’t related to certificate renewal. They’re reports that a system (maybe your web server?) is unable to talk to the Let’s Encrypt OCSP responder which is an Akamai-fronted web service. It’s not clear to me that they’re fatal (it may be succeeding quietly when talking to the responder on another address) and they definitely won’t cause renewal problems on their own.

The addresses listed are IPv6 addresses; you should confirm either that IPv6 is configured and working (can reach IPv6 test pages) on the system where you get these error messages, or that the system isn’t trying to use IPv6 at all.


#5

Check your Fail2Ban log. I run Fail2Ban too, but it does nothing to block letsencrypt unless you set up jails in Fail2Ban to check for bots trying to access locations like ./ or /. … Then it is probably blocking letsencrypt from accessing /.well-known/acme-challenge/.

Your logs should tell you though.


#6

It might be worth checking your fail2ban logs - although by default that should only ban for a limited period of time.

If you check what IP ocsp.int-x3.letsencrypt.org is on:

host ocsp.int-x3.letsencrypt.org

(I’m saying that as letsencrypt does use different IPs for different users/locations.) And then check if the IPs provided are blocked in your iptables.

I’m just going on the error "Network is unreachable", which suggests a firewall issue in that it couldn’t reach you.


#7

Any chance your IPv6 interface is misconfigured?

Try ping6 google.com. If that fails, it would appear that IPv6 is configured on your server but does not actually work. You should be able to either fix that configuration (details would depend on your provider) or disable it entirely if there’s no way to fix it (i.e. if it’s your provider’s fault).


#8

ping6 google.com
connect: Network is unreachable


#9

Yep, your IPv6 connectivity is broken. I’m afraid I won’t be able to help you much when it comes to fixing that, as it is mostly dependent on your provider, so you’re probably better off looking for support documentation your provider might have on that topic.

Alternatively, you can disable IPv6 completely. The steps necessary to do that depend a bit on your OS/distribution. You’ll probably find a good enough guide just googling for "disable ipv6 ", but feel free to ask for help if you get stuck along the way.
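
As an added example (not code from the thread or from any of the posters), the following POSIX shell script turns the checks suggested in #6, #7 and #9 into one diagnostic: is there an IPv6 default route at all, which A and AAAA records does the OCSP responder have, can each of them be reached on port 80, and does the site actually serve a stapled OCSP response. The parsing helpers take command output as an argument so they can be exercised offline against the constructed samples at the top; `diagnose` runs the real `ip`, `host`, `curl` and `openssl` commands when you pass a domain. The function names, the sample outputs and the documentation addresses 192.0.2.x are my own; the IPv6 address comes from the log lines in #1.

```sh
#!/bin/sh
# Added example, not from the thread: check whether this host can use IPv6 to
# reach the OCSP responder, and whether OCSP stapling works regardless.

# Constructed sample outputs (not captured from a real host), used for offline checks.
SAMPLE_ROUTES_NONE=''                     # `ip -6 route show default` printed nothing
SAMPLE_ROUTES_OK='default via fe80::1 dev eth0 metric 1024 pref medium'
SAMPLE_HOST_OUTPUT='ocsp.int-x3.letsencrypt.org has address 192.0.2.10
ocsp.int-x3.letsencrypt.org has address 192.0.2.11
ocsp.int-x3.letsencrypt.org has IPv6 address 2a02:26f0:f4::58dd:9013'
SAMPLE_SCLIENT_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response'
SAMPLE_SCLIENT_NONE='OCSP response: no response sent'

# has_ipv6_default_route TEXT: true if `ip -6 route show default` output lists a default route.
# Without one, every connect() to an AAAA address fails with "Network is unreachable".
has_ipv6_default_route() { printf '%s\n' "$1" | grep -q '^default '; }

# a_records TEXT / aaaa_records TEXT: addresses from `host NAME` output, one per line.
# The ".*" prefix also covers the CNAME target that `host` prints for an Akamai-fronted name.
a_records()    { printf '%s\n' "$1" | sed -n 's/.* has address \(.*\)$/\1/p'; }
aaaa_records() { printf '%s\n' "$1" | sed -n 's/.* has IPv6 address \(.*\)$/\1/p'; }

# ocsp_staple_status TEXT: "stapled", "missing" or "unknown" from `openssl s_client -status` output.
ocsp_staple_status() {
    case $1 in
        *"OCSP Response Status: successful"*) echo stapled ;;
        *"OCSP response: no response sent"*)  echo missing ;;
        *)                                    echo unknown ;;
    esac
}

# diagnose DOMAIN [RESPONDER]: run the live checks against this host (needs network access).
diagnose() {
    _domain=$1
    _responder=${2:-ocsp.int-x3.letsencrypt.org}
    if has_ipv6_default_route "$(ip -6 route show default 2>/dev/null)"; then
        echo "IPv6 default route: present"
    else
        echo "IPv6 default route: none (AAAA addresses will fail with 'Network is unreachable')"
    fi
    _host=$(host "$_responder" 2>/dev/null)
    echo "A    records: $(a_records "$_host" | tr '\n' ' ')"
    echo "AAAA records: $(aaaa_records "$_host" | tr '\n' ' ')"
    for _addr in $(aaaa_records "$_host"); do
        if curl -6 -sS -o /dev/null --connect-timeout 5 "http://[$_addr]/"; then
            echo "  [$_addr]:80 reachable over IPv6"
        else
            echo "  [$_addr]:80 NOT reachable over IPv6"
        fi
    done
    for _addr in $(a_records "$_host"); do
        if curl -4 -sS -o /dev/null --connect-timeout 5 "http://$_addr/"; then
            echo "  $_addr:80 reachable over IPv4"
        else
            echo "  $_addr:80 NOT reachable over IPv4"
        fi
    done
    # Does the site hand out a stapled response? If so, nginx is fetching it somehow
    # (over IPv4, presumably) and the IPv6 errors are noise rather than a real failure.
    _sc=$(printf '' | openssl s_client -connect "$_domain:443" -servername "$_domain" -status 2>/dev/null)
    echo "OCSP staple served by $_domain: $(ocsp_staple_status "$_sc")"
}

# Run the live checks only when a domain is given, e.g.: sh ocsp-ipv6-check.sh example.com
[ $# -eq 0 ] || diagnose "$1"
```

The combination the original poster has (AAAA records for the responder, no IPv6 default route, so `ping6` and the connects both report "Network is unreachable") is exactly what produces the log lines in #1; the staple check at the end tells you whether that matters for your visitors. If you would rather not disable IPv6 for the whole host, nginx can be told to ignore AAAA records for its own lookups with the `ipv6=off` parameter of its `resolver` directive (for example `resolver 127.0.0.1 ipv6=off;`); that is an nginx option, not something the thread itself mentions.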


#10

This new error came up:

2016/06/13 19:04:48 [crit] 3425#0: *755 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443


#11

This error is a client of your HTTPS server doing something a little strange. If you want an analogy: if your HTTPS server is like a store on a street corner, this client is a person on the street who walked into the store backwards, then said “And goodbye to you too” and left. It’s weird, but probably you shouldn’t spend too long wondering about it.

In this particular case the client was 64.41.200.106, which is the SSL Labs test system, so either you or another person who was testing things asked the SSL Labs site to test things. And one of those tests resulted in that error message.

So it is nothing to be concerned about, and isn’t related to Let’s Encrypt particularly.
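
As an added example (not code from the thread or from any poster), here is a small POSIX shell triage script for the two kinds of nginx error-log lines that came up in this thread: the `connect()` failures while requesting certificate status (#1, discussed in #4) and the `SSL_do_handshake()` crit (#10, discussed in #11). It classifies each line, pulls out the OCSP responder, the peer address and whether it is IPv6, and the client IP of a failed handshake, and tells you whether every OCSP failure in a log was an IPv6 one, which points at host IPv6 connectivity rather than the responder or a firewall. The sample lines are constructed from the ones quoted above; the IPv4 variant with its timeout code and the 192.0.2.10 address are made up to exercise the other branch, and the function and category names are mine.

```sh
#!/bin/sh
# Added example, not code from the thread: triage nginx error-log lines.

# Constructed samples. The first and third are taken from the lines quoted in this
# thread; the second is an invented IPv4 variant (192.0.2.10 is a documentation address).
SAMPLE_OCSP_V6='2016/06/12 21:55:12 [error] 3092#0: connect() to [2a02:26f0:f4::58dd:9013]:80 failed (101: Network is unreachable) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org'
SAMPLE_OCSP_V4='2016/06/13 09:22:16 [error] 3091#0: connect() to 192.0.2.10:80 failed (110: Connection timed out) while requesting certificate status, responder: ocsp.int-x3.letsencrypt.org'
SAMPLE_HANDSHAKE='2016/06/13 19:04:48 [crit] 3425#0: *755 SSL_do_handshake() failed (SSL: error:14094085:SSL routines:SSL3_READ_BYTES:ccs received early) while SSL handshaking, client: 64.41.200.106, server: 0.0.0.0:443'

# ocsp_peer_address LINE: the address nginx tried for the OCSP responder, i.e. the
# bracketed IPv6 literal or bare IPv4 after "connect() to"; empty if the line has none.
ocsp_peer_address() {
    _a=$(printf '%s\n' "$1" | sed -n 's/.*connect() to \[\([^]]*\)]:[0-9]*.*/\1/p')
    [ -n "$_a" ] || _a=$(printf '%s\n' "$1" | sed -n 's/.*connect() to \([0-9.]*\):[0-9]*.*/\1/p')
    printf '%s\n' "$_a"
}

# is_ipv6 ADDR: true if ADDR is an IPv6 literal (contains a colon).
is_ipv6() { case $1 in *:*) return 0 ;; *) return 1 ;; esac; }

# ocsp_responder LINE: the responder host name nginx was trying to reach.
ocsp_responder() { printf '%s\n' "$1" | sed -n 's/.*responder: \([^ ,]*\).*/\1/p'; }

# handshake_client LINE: the peer that failed the TLS handshake, so you can check it
# against scanners you know about (#11 identifies 64.41.200.106 as SSL Labs).
handshake_client() { printf '%s\n' "$1" | sed -n 's/.*client: \([^,]*\),.*/\1/p'; }

# classify_nginx_error LINE: one of
#   ocsp-fetch-failed-ipv6       nginx could not fetch the OCSP response over an IPv6 address
#   ocsp-fetch-failed-ipv4       same, over an IPv4 address (so not an IPv6 problem)
#   tls-handshake-failed-client  a client sent a malformed or out-of-order handshake
#   other                        anything else
classify_nginx_error() {
    case $1 in
        *"while requesting certificate status"*)
            if is_ipv6 "$(ocsp_peer_address "$1")"; then
                echo ocsp-fetch-failed-ipv6
            else
                echo ocsp-fetch-failed-ipv4
            fi ;;
        *"SSL_do_handshake() failed"*) echo tls-handshake-failed-client ;;
        *) echo other ;;
    esac
}

# summarize_log: read error-log lines on stdin, print "count category" per category.
summarize_log() {
    while IFS= read -r _line; do
        classify_nginx_error "$_line"
    done | sort | uniq -c | sed 's/^ *//'
}

# ocsp_failures_all_ipv6: true if stdin contains OCSP fetch failures and every one of
# them is IPv6. That pattern points at the host's IPv6 connectivity, not at the responder
# or a firewall, since the IPv4 fetches are not failing.
ocsp_failures_all_ipv6() {
    _v4=0; _v6=0
    while IFS= read -r _line; do
        case $(classify_nginx_error "$_line") in
            ocsp-fetch-failed-ipv6) _v6=$((_v6 + 1)) ;;
            ocsp-fetch-failed-ipv4) _v4=$((_v4 + 1)) ;;
        esac
    done
    [ "$_v6" -gt 0 ] && [ "$_v4" -eq 0 ]
}
```

Typical use is `summarize_log < /var/log/nginx/error.log` for the overview, then `ocsp_failures_all_ipv6 < /var/log/nginx/error.log` to confirm the pattern from #1 before touching firewall or fail2ban settings.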

