Nextcloudbox - Unable to Complete HTTP-01 Challenge due to IPV6

I got a Nextcloud Box from WD (with a Raspberry Pi) and my certificate is due for renewal.
Unfortunately, it produces an error while trying to do so.

I tried to seek help there, but in the end it seems to come down to Let's Encrypt.
(Read here: https://github.com/nextcloud/nextcloud-snap/issues/289 )

I have not tried to install certbot a second time, as it must already be installed (it uses it when trying to auto-update).
I can't find it in the system, though, so I don't know how to read a better log.

That is the output when I try to run the wizard again (sudo nextcloud.enable-https lets-encrypt):

Detail: Could not connect to ***.myfritz.net

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you’re using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-05-31 16:19:34,793:INFO:certbot.auth_handler:Cleaning up challenges
2017-05-31 16:19:34,794:DEBUG:certbot_nextcloud_plugin.webroot:Removing /var/snap/nextcloud/current/certs/certbot/.well-known/acme-challenge/MJ2042CxcsaiQLv5YSJ1uQfEWlqR35jh9Bc_lPw2mU8
2017-05-31 16:19:34,797:DEBUG:certbot_nextcloud_plugin.webroot:All challenges cleaned up, removing /var/snap/nextcloud/current/certs/certbot/.well-known/acme-challenge
2017-05-31 16:19:34,798:WARNING:certbot.renewal:Attempting to renew cert from /var/snap/nextcloud/current/certs/certbot/config/renewal/***.myfritz.net.conf produced an unexpected error: Failed authorization procedure. ***.myfritz.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to ***.myfritz.net. Skipping.
2017-05-31 16:19:34,805:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/renewal.py", line 418, in handle_renewal_request
main.renew_cert(lineage_config, plugins, renewal_candidate)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/main.py", line 640, in renew_cert
_get_and_save_cert(le_client, config, lineage=lineage)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/main.py", line 77, in _get_and_save_cert
renewal.renew_cert(config, domains, le_client, lineage)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate
self.config.allow_subset_of_names)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
self._respond(resp, best_effort)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
self._poll_challenges(chall_update, best_effort)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. ***.myfritz.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to ***.myfritz.net

2017-05-31 16:19:34,806:INFO:certbot.hooks:Running post-hook command: restart-apache
2017-05-31 16:19:36,258:ERROR:certbot.hooks:Error output from restart-apache:
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
ERROR: ld.so: object '/usr/lib/arm-linux-gnueabihf/libarmmem.so' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.

2017-05-31 16:19:36,260:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/snap/nextcloud/1476/bin/certbot", line 11, in <module>
sys.exit(main())
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/main.py", line 742, in main
return config.func(config, plugins)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/main.py", line 692, in renew
renewal.handle_renewal_request(config)
File "/snap/nextcloud/1476/lib/python2.7/site-packages/certbot/renewal.py", line 435, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)

Anyone got an idea for this?

Hello @pumpkin999,

Without your real domain it is impossible to test your site, but I would like to quote something you said on GitHub:

All green (A and AAAA) except from Rio de Janeiro. Is there another port than 80 or 443 that the nextcloudbox needs to talk to the letsencrypt servers?

So it seems you have an IPv6 address for your domain; are you sure your site is reachable using the IPv6 address? Since a few weeks ago, if Let's Encrypt sees both records, A and AAAA, it prefers IPv6 (AAAA). If your box is not configured to work with IPv6, it could be the reason for the errors you are seeing.

Configure your servers correctly to be able to answer requests made to your IPv6 address, or remove the AAAA record for your domain and try again.

Cheers,
sahsanu

Hello sahsanu,

Thank you for your reply.
To test it, I just changed my router to native IPv6.
Testing from my mobile phone, the Nextcloud is still available and refreshes folder content perfectly.

Tried on the CLI to renew. Still the same error.
1rzxiriyc7xv4fwq.myfritz.net is the domain.

Hi @pumpkin999,

Sorry, but I can't reach your IPv6 site.

 $ curl -vIkL6 1rzxiriyc7xv4fwq.myfritz.net
* Rebuilt URL to: 1rzxiriyc7xv4fwq.myfritz.net/
* Hostname was NOT found in DNS cache
*   Trying 2003:45:497f:c5a4:be05:43ff:fee5:d8fe...
* connect to 2003:45:497f:c5a4:be05:43ff:fee5:d8fe port 80 failed: Connection timed out
* Failed to connect to 1rzxiriyc7xv4fwq.myfritz.net port 80: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to 1rzxiriyc7xv4fwq.myfritz.net port 80: Connection timed out

I can reach it using IPv4, so it seems something is not working for IPv6.

You could try to remove the AAAA record for your domain, wait 1 hour (Let's Encrypt usually caches DNS records for about this long) and try again.

Cheers,
sahsanu
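The check sahsanu applies above (Let's Encrypt resolves both the A and the AAAA record and, in the behaviour described in this thread, connects over IPv6 first; the `curl -6` probe then shows the IPv6 address timing out) can be scripted so that every published address is probed at once, with the domain sent as the Host header exactly as the CA does. The script below is an added example and is not code from this thread, from certbot or from the Nextcloud snap. The domain `example.test`, the token `tok123` and the expected file content are placeholders the reader supplies; `serve_token` is a throwaway local server used only to exercise the probe offline.

```python
# Added example: probe the HTTP-01 challenge URL over every A and AAAA address of a
# domain, the way the Let's Encrypt validator would, and report which address family
# breaks the challenge. Not from the thread, certbot or the Nextcloud snap.
# Assumptions: domain, token and expected file content are supplied by the reader.
import http.client
import socket
import sys
import threading
from dataclasses import dataclass
from http.server import BaseHTTPRequestHandler, HTTPServer

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    address: str
    family: str  # "IPv4" or "IPv6"
    ok: bool
    detail: str


def resolve(domain):
    """Return (family, ip) for every A and AAAA record the resolver returns."""
    seen = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP):
        entry = ("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def probe(domain, ip, family, token, expected, port=80, timeout=5.0):
    """Fetch the challenge file from one literal IP, sending the domain as Host header.
    This mirrors the CA: it resolves the name itself and connects to the address."""
    try:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.request("GET", ACME_PATH + token, headers={"Host": domain})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace").strip()
        conn.close()
    except OSError as exc:  # refused, timed out, or "network unreachable" for IPv6
        return ProbeResult(ip, family, False, f"connect failed: {exc}")
    if resp.status != 200:
        return ProbeResult(ip, family, False, f"HTTP {resp.status}")
    if body != expected:
        return ProbeResult(ip, family, False, "wrong body (other vhost or redirect page?)")
    return ProbeResult(ip, family, True, "challenge served")


def verdict(results):
    """IPv6-first preference as described in the thread: a published AAAA that does
    not answer fails the challenge even though the site works over IPv4."""
    if not results:
        return "no-records", "no A or AAAA record found"
    bad_v6 = [r for r in results if r.family == "IPv6" and not r.ok]
    bad_v4 = [r for r in results if r.family == "IPv4" and not r.ok]
    if bad_v6:
        details = "; ".join(f"{r.address}: {r.detail}" for r in bad_v6)
        return "fail-ipv6", f"AAAA published but IPv6 fails ({details}); fix IPv6 or drop the AAAA record"
    if bad_v4:
        return "fail-ipv4", "; ".join(f"{r.address}: {r.detail}" for r in bad_v4)
    return "ok", "challenge reachable on every address the validator may pick"


def check_domain(domain, token, expected, port=80):
    results = [probe(domain, ip, fam, token, expected, port) for fam, ip in resolve(domain)]
    return results, verdict(results)


def serve_token(bind_ip, token, expected):
    """Throwaway server answering the challenge path on one address (local testing only).
    Returns (server, port); call server.shutdown() when done."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != ACME_PATH + token:
                self.send_error(404)
                return
            body = expected.encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the example quiet
            pass

    class Server(HTTPServer):
        address_family = socket.AF_INET6 if ":" in bind_ip else socket.AF_INET

    srv = Server((bind_ip, 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    # usage: python3 probe_http01.py <domain> <token> <expected-file-content>
    dom, tok, exp = sys.argv[1:4]
    res, (status, msg) = check_domain(dom, tok, exp)
    for r in res:
        print(f"{r.family} {r.address} {'OK' if r.ok else 'BAD'}: {r.detail}")
    print(status.upper(), msg)
```

Place a file with known content under `.well-known/acme-challenge/` on the box, run the script with the domain, the file name and its content, and every address should report OK before the renewal is retried. Let's Encrypt later added a retry over IPv4 when the IPv6 connection fails, but a dead AAAA record still costs a failed attempt first, so the safe target is what the thread concludes: either serve the challenge over IPv6 or remove the AAAA record.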

Okay, perfect. Seemed to fix it.

I told my router to use only IPv4. After that, a new certificate was imported into the Nextcloud snap. I checked it in my browser and in the log.

So perfect for now. Thanks a lot! :blush:
Finally, I really have to learn IPv6.

