New setup, failed to renew first time

Domain: ericleslie.com
Server: Ubuntu 16.04/nginx 1.10.3

I ran “certbot renew” and had the following output


Processing /etc/letsencrypt/renewal/ericleslie.com.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for ericleslie.com
http-01 challenge for www.ericleslie.com
Waiting for verification…
Cleaning up challenges
Unable to clean up challenge directory /var/www/ericleslie.com/html/.well-known/acme-challenge
Attempting to renew cert from /etc/letsencrypt/renewal/ericleslie.com.conf produced an unexpected error: Failed authorization procedure. www.ericleslie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.ericleslie.com/.well-known/acme-challenge/SY_zSr5KrqulgdT95ET4IEQGN4pxs3NAM76vSSxWbkg: Timeout, ericleslie.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://ericleslie.com/.well-known/acme-challenge/-dRIjgmkfgSCdkpY_Mtgc8CDw1sbox0Nip-Mrk3yND4: Timeout. Skipping.

IMPORTANT NOTES:

I’m not sure what my next move is. Thank you.

Does this directory still exist?
Have the permissions changed on it?

That directory was not present. I manually created it and gave it full permissions. Same errors.

It’s a classic IPv6 issue. You have an AAAA record that says that your site can be reached at 2604:a880:1:20::17c:1001 … but it can’t!

Thank you, that seems to have moved the ball down the field removing those IP6 entries.

It’s now getting a 403 error.

IMPORTANT NOTES:

Great, now that is likely to be a web server configuration problem, for example a configuration that forbids serving items that start with a dot.

Ok, Thanks again. I got it into the endzone by updating the following nginx config rule from

location ~ /.well-known {
    allow all;
}

to

location ^~ /.well-known {
    allow all;
}

Certs are renewed. Thank you for your quick help!
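
Why changing `~` to `^~` cleared the 403, as an added example that is not part of the original thread: a simplified Python model of nginx's location selection order (exact match, then longest prefix, then regex locations in file order unless the winning prefix is marked `^~`). The dotfile deny rule `location ~ /\.` is an assumption taken from the reply's suggestion about configurations that forbid items starting with a dot; the thread does not show the poster's full config, and the token in the URI is a placeholder.

```python
import re

def select_location(locations, uri):
    """Return the (modifier, pattern) pair nginx would select for uri.

    locations: list of (modifier, pattern) in config-file order, where
    modifier is "" (plain prefix), "=", "^~", "~" or "~*".
    Simplified model: no nested or named locations; Python's re stands
    in for PCRE, which is equivalent for the simple patterns used here.
    """
    best_prefix = None
    for mod, pat in locations:
        if mod == "=" and uri == pat:
            return (mod, pat)              # exact match ends the search
        if mod in ("", "^~") and uri.startswith(pat):
            if best_prefix is None or len(pat) > len(best_prefix[1]):
                best_prefix = (mod, pat)   # remember the longest prefix
    # A longest prefix marked ^~ suppresses the regex pass entirely.
    if best_prefix and best_prefix[0] == "^~":
        return best_prefix
    for mod, pat in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):
                return (mod, pat)          # first regex in file order wins
    return best_prefix

# Constructed sample configs. DENY_DOT is an assumed rule, not from the thread.
DENY_DOT = ("~", r"/\.")                   # e.g. location ~ /\. { deny all; }
BEFORE = [("", "/"), DENY_DOT, ("~", "/.well-known")]
AFTER = [("", "/"), DENY_DOT, ("^~", "/.well-known")]
URI = "/.well-known/acme-challenge/TOKEN-PLACEHOLDER"

if __name__ == "__main__":
    print("before:", select_location(BEFORE, URI))  # deny rule wins -> 403
    print("after: ", select_location(AFTER, URI))   # ^~ prefix wins -> served
    print("dotfile:", select_location(AFTER, "/.htaccess"))  # still denied
```

With the `^~` form the challenge path is served while other dotfiles such as `/.htaccess` still hit the deny rule.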
