My server can't be seen by the LetsEncrypt DNS queryservers

My domain is: www.lombaoestudios.com

I downloaded the latest version of certbot from its official website. I’m not interested in the autoconfig options, so I ran this command:

certbot-auto --apache certonly

It produced this output:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lombaoestudios.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.lombaoestudios.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.lombaoestudios.com/.well-known/acme-challenge/k-MaLAn2WwXSzC6EIEBFGfMK7KTgGxxDxdG7hCENM_Y: Timeout after connect (your server may be slow or overloaded)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.lombaoestudios.com
   Type:   connection
   Detail: Fetching
   http://www.lombaoestudios.com/.well-known/acme-challenge/k-MaLAn2WwXSzC6EIEBFGfMK7KTgGxxDxdG7hCENM_Y:
   Timeout after connect (your server may be slow or overloaded)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
openSUSE 42.3 Leap

My hosting provider, if applicable, is:
1and1

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, it’s a dedicated server

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

I found out that the LetsEncrypt service queries the Google DNS service. I went there and queried my domain name and it fully resolves to the right IP: 74.208.68.209, both with A records and AAAA records, as the error message suggests. So, I don’t know what the issue might be. In other previous scenarios where I created the manual .well-known/acme-challenge key I even put the expected URL in my browser and it opens perfectly. My guess is LetsEncrypt isn’t resolving my server’s DNS record properly.

Any ideas?

Hi @teratux,

Connection over IPv4 works fine but connection over IPv6 gives me a timeout:

$ curl -IkLv6 -m24 http://www.lombaoestudios.com/.well-known/acme-challenge/k-MaLAn2WwXSzC6EIEBFGfMK7KTgGxxDxdG7hCENM_Y
*   Trying 2607:f1c0:864:d800::30:f9c6...
* TCP_NODELAY set
* Connection timed out after 24001 milliseconds
* Curl_http_done: called premature == 1
* stopped the pause stream!
* Closing connection 0
curl: (28) Connection timed out after 24001 milliseconds

Let’s Encrypt prefers IPv6 over IPv4 so you should re-check the IPv6 conf for your server. If you want to bypass it and get your certificate, remove the AAAA record for your domain till you can get IPv6 working in your server.

Cheers,
sahsanu

1 Like

Well, internally the server does have that same IPv6 address fixed, so it’s an issue with the ISP and the outside world then. I deleted the AAAA section in my DNS records and will see when it no longer resolves, hopefully in a couple of days, to try again. However, my main instinct tells me that LetsEncrypt should fall back to IPv4, or at least give the user an option to select its preferred method. Is there such an option?

Let’s Encrypt queries your authoritative nameservers, so it should be gone much sooner than that. I’d expect no more than 20 minutes or so.

In fact - it’s already gone:

# dig @ns1095.ui-dns.de www.lombaoestudios.com AAAA

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.5 <<>> @ns1095.ui-dns.de www.lombaoestudios.com AAAA
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27658
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.lombaoestudios.com.                IN      AAAA

;; AUTHORITY SECTION:
lombaoestudios.com.     600     IN      SOA     ns1095.ui-dns.de. hostmaster.1and1.com. 2017061202 28800 7200 604800 600

;; Query time: 20 msec
;; SERVER: 217.160.80.95#53(217.160.80.95)
;; WHEN: Mon Apr 23 15:44:40 2018
;; MSG SIZE  rcvd: 109

1 Like

Yep … noticed it a while ago. Already managed to create the certificates. Thanks for the help, glad these 3 hours trying different commands were not in vain.

1 Like

LE doesn't cache DNS responses; well, it does, but as far as I know only for 60 seconds.

LE has a timeout limit, but for the overall process: if the connection over IPv6 consumes all of the timeout, it won't fall back to IPv4... and no, there is no option to select whether you prefer IPv4 over IPv6.
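The two findings in this thread (sahsanu's `curl -6` test showing the IPv6 path timing out while IPv4 worked, and the note that a timed-out IPv6 attempt is not rescued by a working IPv4 path) suggest a pre-flight check to run before asking for a certificate. The script below is an added example, not code from this thread, from Certbot or from Let's Encrypt: it looks up which address families the hostname publishes in DNS, fetches the challenge URL over each family separately with a timeout, and reports a failure if any published family does not answer 200. It assumes `dig` and `curl` are installed; `www.example.com` and `TOKEN` are placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread or of Certbot: pre-flight check of an
# HTTP-01 challenge path over every address family the DNS publishes.
# Assumes dig and curl are available. HOST and TOKEN are placeholders.

# published_families HOST -> prints "4" if an A record exists, "6" if an AAAA exists
published_families() {
  [ -n "$(dig +short "$1" A 2>/dev/null)" ] && echo 4
  [ -n "$(dig +short "$1" AAAA 2>/dev/null)" ] && echo 6
  return 0
}

# probe FAMILY URL -> prints the HTTP status code, "timeout", or "error(N)"
# -4 / -6 force the address family, so a broken IPv6 path cannot hide behind IPv4
probe() {
  if code=$(curl -"$1" -s -o /dev/null -m 15 -w '%{http_code}' "$2" 2>/dev/null); then
    rc=0
  else
    rc=$?
  fi
  case $rc in
    0)  echo "$code" ;;
    28) echo timeout ;;          # curl exit 28: operation timed out
    *)  echo "error($rc)" ;;
  esac
}

# verdict FAMILY=OUTCOME... -> "ok" if every published family answered 200,
# otherwise "fail:" followed by the comma-separated failing families
verdict() {
  bad=""
  for r in "$@"; do
    fam=${r%%=*}
    out=${r#*=}
    [ "$out" = 200 ] || bad="${bad:+$bad,}$fam"
  done
  if [ -z "$bad" ]; then echo ok; else echo "fail:$bad"; fi
}

# check_host HOST TOKEN -> probes each published family and prints the verdict
check_host() {
  url="http://$1/.well-known/acme-challenge/$2"
  results=""
  for fam in $(published_families "$1"); do
    results="$results $fam=$(probe "$fam" "$url")"
  done
  if [ -z "$results" ]; then
    echo "fail:no-records"
    return 0
  fi
  verdict $results
}

# Usage (placeholders): sh preflight.sh www.example.com TOKEN
if [ $# -eq 2 ]; then
  check_host "$1" "$2"
fi
```

A result such as `fail:6` with a working IPv4 probe is exactly the situation in this thread: the validation server will try the AAAA address first, and the fix is either to repair IPv6 reachability to port 80 or to withdraw the AAAA record until it works.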
