No contact from acme-v01 when initiating a renew

I’m having issues renewing my existing certificates; from my nginx logs I can see that there are no attempts being made to access my server at all. The DNS records have not changed since I first set up the renewal and are resolving correctly. I have no clue why the acme server isn’t talking to my server.

My domain is:

lutzee.net (37.59.55.63)

I ran this command:

# letsencrypt renew
or starting from scratch
# letsencrypt --test-cert certonly -a webroot --webroot-path=/usr/share/nginx/lutzee.net -d lutzee.net

It produced this output:

Renew :
IMPORTANT NOTES:
The following errors were reported by the server:
letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/lutzee.net.conf produced an unexpected error: Failed authorization procedure. lutzee.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://lutzee.net/.well-known/acme-challenge/oUUBbWFaIg9HqWuZdqqlpKIH-oySPW37-hsszvtMXXI: Timeout. Skipping.
Start from scratch:
   Domain: lutzee.net
   Type:   connection
   Detail: Fetching http://lutzee.net/.well-known/acme-
   challenge/I7guHoj1IlLkGm6bX6w0YmXqhOW3E7RjnG7BV_ifd2Q: Timeout

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

My web server is (include version):

nginx/1.13.0

The operating system my web server runs on is (include version):

Ubuntu Server 16.04.2 LTS

My hosting provider, if applicable, is:

Kimsufi

I can login to a root shell on my machine (yes or no, or I don’t know):

Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

Hi @lutzee,

(As a side note, the acme-v01 machine is not the same machine that will actually make the connection.)

The problem here is that, although you’re advertising the IPv6 address 2001:41d0:8:723f::1 in DNS, you’re not accepting connections on it.


It looks like you publish an IPv6 address:

$> dig +short AAAA lutzee.net
2001:41d0:8:723f::1

We recently began preferring IPv6 addresses.

It appears like there's no connectivity to this IPv6 address:
PING 2001:41d0:8:723f::1(2001:41d0:8:723f::1) 32 data bytes

--- 2001:41d0:8:723f::1 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3010ms

I think the best option is to fix this connectivity problem. Alternatively if you aren't prepared to offer your website over IPv6 you should remove the AAAA record.

Hope that helps!

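Added example (not part of the thread and not Certbot or Let's Encrypt code): a pre-flight script that does the check the reply above describes. It resolves every A and AAAA record published for a name and tries a TCP connection to port 80 on each address, so an AAAA record that nobody is answering on shows up before the CA tries it. The name, the two addresses and the `CONSTRUCTED_DNS` table are a constructed sample used only so the script runs offline; pass no table to query live DNS. One caveat a practitioner should keep in mind: a failure from the machine you run this on only proves that address is unreachable from that machine, so run it from a host outside your own network when you can.

```python
import socket
import sys
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample (not real DNS data): what resolve() returns when a table is
# supplied, so the script can be exercised without network access.
CONSTRUCTED_DNS: Dict[str, List[Tuple[str, str]]] = {
    "lutzee.net": [("A", "37.59.55.63"), ("AAAA", "2001:41d0:8:723f::1")],
}


def resolve(name: str, table: Optional[Dict[str, List[Tuple[str, str]]]] = None) -> List[Tuple[str, str]]:
    """Return (record_type, address) pairs for name.

    With a table (constructed data) it is a pure lookup; without one it asks the
    system resolver, which is exactly what a validator does before connecting.
    """
    if table is not None:
        return list(table.get(name, []))
    records: List[Tuple[str, str]] = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM):
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        pair = (rtype, sockaddr[0])
        if pair not in records:  # getaddrinfo may list the same address more than once
            records.append(pair)
    return records


def tcp_reachable(address: str, port: int = 80, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to address:port completes within timeout."""
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True
    except OSError:
        # Covers refused, timed out, and "no route" (e.g. this host has no IPv6 at all).
        return False


def preflight(
    name: str,
    probe: Callable[[str], bool] = tcp_reachable,
    table: Optional[Dict[str, List[Tuple[str, str]]]] = None,
) -> Tuple[Dict[Tuple[str, str], bool], List[str]]:
    """Probe every published address for name.

    Returns (results, problems): results maps (record_type, address) to reachability,
    problems lists the records that must be fixed or removed before an http-01
    validation can be expected to succeed, since the CA may pick any of them.
    """
    results = {(rtype, addr): probe(addr) for rtype, addr in resolve(name, table)}
    problems = [f"{rtype} {addr}" for (rtype, addr), ok in results.items() if not ok]
    return results, problems


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "lutzee.net"
    # With no argument the constructed table is used; with a real name live DNS is queried.
    table = CONSTRUCTED_DNS if len(sys.argv) == 1 else None
    results, problems = preflight(target, table=table)
    for (rtype, addr), ok in results.items():
        print(f"{rtype:5} {addr:40} {'reachable' if ok else 'UNREACHABLE'}")
    if problems:
        print("Fix connectivity or remove these records:", ", ".join(problems))
```

Running it with a hostname argument performs real connection attempts; the constructed table is only there for the no-argument demo.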

Ahh! That might be it then, I’ll investigate down that route, thanks, will get back to you if it's the case.

Seems like there's routing issues with kimsufi and IPv6, I could have sworn I tested it when I turned it on (would have been last year some time), deleted the AAAA record for the time being. Would have been nice if the acme error response would report what IP address it resolved for the challenge, would have probably saved me a trip here! :smile:

Certificates renewed now :thumbsup:


This should be in the full Certbot logs. If I remember right it prints out the whole JSON authorization object which itself has validation record fields that have an addressUsed value. Maybe a little bit buried but it's there somewhere :smiley:

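Added example (not part of the thread and not Certbot code) showing where the address sits in the authorization object the reply above refers to. Boulder's authorization JSON lists, per challenge, a `validationRecord` array whose entries carry `addressesResolved` and `addressUsed`. The first function walks a parsed authorization object and reports those fields; the second scans raw log text for `addressUsed` values so you do not have to find and extract the full JSON by hand. `CONSTRUCTED_AUTHZ` and `CONSTRUCTED_LOG` are constructed samples: the shape follows the ACME v1 authorization object, but the token and the log line prefix are placeholders, not values from a real log.

```python
import json
import re
from typing import Dict, List

# Constructed sample (not from a real log): an ACME v1 authorization object for a
# failed http-01 validation, in the shape Boulder returns and Certbot logs.
CONSTRUCTED_AUTHZ = {
    "identifier": {"type": "dns", "value": "lutzee.net"},
    "status": "invalid",
    "challenges": [
        {
            "type": "http-01",
            "status": "invalid",
            "error": {
                "type": "urn:acme:error:connection",
                "detail": "Fetching http://lutzee.net/.well-known/acme-challenge/TOKEN-PLACEHOLDER: Timeout",
            },
            "validationRecord": [
                {
                    "url": "http://lutzee.net/.well-known/acme-challenge/TOKEN-PLACEHOLDER",
                    "hostname": "lutzee.net",
                    "port": "80",
                    "addressesResolved": ["37.59.55.63", "2001:41d0:8:723f::1"],
                    "addressUsed": "2001:41d0:8:723f::1",
                }
            ],
        },
        {"type": "dns-01", "status": "pending"},  # never attempted, so no validationRecord
    ],
}

# Constructed log excerpt: one line whose body is the JSON above. The text before
# the JSON is a placeholder for whatever prefix the client writes on that line.
CONSTRUCTED_LOG = "DEBUG: response body (constructed prefix): " + json.dumps(CONSTRUCTED_AUTHZ)


def validation_addresses(authz: dict) -> List[Dict[str, object]]:
    """For each challenge that was actually attempted, report which addresses the
    CA resolved for the hostname and which one it connected to."""
    out: List[Dict[str, object]] = []
    for challenge in authz.get("challenges", []):
        for record in challenge.get("validationRecord") or []:
            out.append({
                "challenge": challenge.get("type"),
                "status": challenge.get("status"),
                "hostname": record.get("hostname"),
                "url": record.get("url"),
                "resolved": list(record.get("addressesResolved", [])),
                "used": record.get("addressUsed"),
            })
    return out


ADDRESS_USED_RE = re.compile(r'"addressUsed"\s*:\s*"([^"]+)"')


def addresses_used_in_log(log_text: str) -> List[str]:
    """Pull every distinct addressUsed value out of raw log text, in order of
    first appearance. Works on a whole log file without parsing any JSON."""
    seen: List[str] = []
    for addr in ADDRESS_USED_RE.findall(log_text):
        if addr not in seen:
            seen.append(addr)
    return seen


if __name__ == "__main__":
    for rec in validation_addresses(CONSTRUCTED_AUTHZ):
        print(f"{rec['challenge']} ({rec['status']}): resolved {rec['resolved']}, connected to {rec['used']}")
    print("addresses found in log text:", addresses_used_in_log(CONSTRUCTED_LOG))
```

On a real system, read `/var/log/letsencrypt/letsencrypt.log` into `addresses_used_in_log` first; if the address it reports is one you did not expect to be validated against (an AAAA record, for instance), that is the record to fix or remove.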

Just found it, very busy as I can see, at least I know it's there for the next time, thanks :slight_smile:

