Issuing for subdomain tries to issue for main domain as well and fails

My domain is:

I ran this command: --issue -d --standalone --listen-v6 --test

It produced this output:
[Mo 8. Jul 13:26:45 CEST 2019] Using stage ACME_DIRECTORY:
[Mo 8. Jul 13:26:45 CEST 2019] Standalone mode.
[Mo 8. Jul 13:26:46 CEST 2019] Single domain=‘
[Mo 8. Jul 13:26:46 CEST 2019] Getting domain auth token for each domain
[Mo 8. Jul 13:26:47 CEST 2019] Getting webroot for domain=‘
[Mo 8. Jul 13:26:47 CEST 2019] Verifying:
[Mo 8. Jul 13:26:47 CEST 2019] Standalone mode server
[Mo 8. Jul 13:26:50 CEST 2019] Pending
[Mo 8. Jul 13:26:53 CEST 2019] Pending
[Mo 8. Jul 13:26:55 CEST 2019] Pending
[Mo 8. Jul 13:26:57 CEST 2019] Pending
[Mo 8. Jul 13:27:00 CEST 2019] Pending
[Mo 8. Jul 13:27:02 CEST 2019] error:Fetching Connection refused

My web server is (include version): 2.8.1 (standalone)

The operating system my web server runs on is (include version): openSUSE Leap 15.0

My hosting provider, if applicable, is: None

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 2.8.1


I cannot issue a certificate for my domain But it seems that Let’s Encrypt wants to add to the cert as well, as seen in the challenge: Since the server behind is a different one than, this fails. Is it possible to deactivate this behaviour? I don’t need the main domain on my mail certificate.


Hi @Takios

your configuration is wrong.

No, that’s not the problem.

You have IPv4 and IPv6 addresses ( ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | A | Falkenstein/Bavaria/Germany (DE) - Hetzner Hostname: | yes | 1 | 0 |
| | AAAA | 2a01:4f8:162:61a4::15c Bückeburg/Lower Saxony/Germany (DE) - Hetzner | yes | | |

And your IPv4 redirects to your main domain.

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| | 301 | | 0.046 | E |
| 2a01:4f8:162:61a4::15c | -14 | | 10.027 | T |

Your IPv6 has a timeout.

Same with /.well-known/acme-challenge/random-filename:

• | 301 | | 0.047 | E | Visible Content: Moved Permanently The document has moved here.
• 2a01:4f8:162:61a4::15c | -14 | | 10.030 | T | Timeout - The operation has timed out | Visible Content:

Let's Encrypt follows such redirects.

So remove that redirect and fix your IPv6. Normally, Let's Encrypt prefers IPv6.

Following redirects doesn’t add the main domain to the certificate.


Thanks for the answer! The configuration itself was not wrong (there’s NAT going on for IPv4…) but there was a firewall that decided to block port 80 to the mailserver. :man_facepalming: I created an allow rule and issuing works again. :slight_smile:

1 Like
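
The check this thread converges on, written out as an added example (not code from the thread or from the ACME client): probe port 80 on every A and AAAA address of the name and report whether the `/.well-known/acme-challenge/` path times out, is refused, or redirects to a different host. The function names and the challenge file name are constructed for illustration.

```python
import socket
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/reachability-test"  # constructed file name

def probe(address, family, host, port=80, path=CHALLENGE_PATH, timeout=5.0):
    """Send one plain-HTTP GET to a single address and classify the outcome."""
    result = {"address": address, "status": None, "location": None}
    try:
        with socket.socket(family, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            sock.connect((address, port))
            request = f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            sock.sendall(request.encode("ascii"))
            raw = b""
            while b"\r\n\r\n" not in raw and len(raw) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                raw += chunk
    except socket.timeout:
        return {**result, "verdict": "timeout"}   # typical of a firewall silently dropping packets
    except ConnectionRefusedError:
        return {**result, "verdict": "refused"}   # nothing listening, or a rejecting firewall
    except OSError as exc:
        return {**result, "verdict": f"error: {exc}"}  # e.g. no route for this address family
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = head[0].split()
    if len(parts) < 2 or not parts[1].isdigit():
        return {**result, "verdict": "not-http"}
    result["status"] = int(parts[1])
    for line in head[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            result["location"] = value.strip()
    # A redirect to another host sends the validator to whatever serves that host.
    target = urlsplit(result["location"] or "").hostname
    if 300 <= result["status"] < 400 and target and target.lower() != host.lower():
        return {**result, "verdict": f"redirects to other host {target}"}
    return {**result, "verdict": "reachable"}

def check_host(host, port=80, timeout=5.0):
    """Probe every A and AAAA address of host, since the validator may use either."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    seen = {(info[0], info[4][0]) for info in infos}
    return [probe(addr, fam, host, port, timeout=timeout) for fam, addr in sorted(seen)]
```

Run `check_host()` from a machine outside the network, since a probe from behind the same firewall or NAT does not see what the validation server sees.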
