Connection problems:

Please fill in the fields below so we can help you. Note: you must provide your domain name to get help. The domain names of issued certificates are all made public in Certificate Transparency logs (for example, crt.sh | example.com). Therefore, not providing your domain name here does not help keep it secret, but makes it harder for us to help you.

I can read responses in English: yes

My domain is: jcz.fr

My web server is (include version): WampServer / Apache 2.4.55

The operating system my web server runs on is (include version): Windows 10 Pro

My hosting provider, if applicable, is: at home, on my own computer.

I can login to a root shell on my machine (yes or no, or I don't know): Windows batch

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hello to the whole Let's Encrypt team and the community.

For some time now, I have no longer been able to connect. I get a timeout.
I have nevertheless opened the firewall and set up a DMZ redirection from my box to my computer; nothing helps.
The ".well-known" directory is created and then disappears when I get a "fail" while creating the certificate.

I don't think I have an accessibility problem, because I have been using the tool to create my certificate for a long time.

It sometimes shows me a wrong IPv6 address.
So I no longer know what to do to connect.
Hence my registration on this forum and the help I am hoping for.

Thank you.
Regards.
Artemus24.
@+

Welcome @Artemus24

Can you explain more about the problem you want help with?

Because I can see your site just fine. And, this SSL Checker site (link here) shows the certificate is good.

3 Likes

Does this happen over the Internet OR just locally?

2 Likes

I know that the "chez.jcz.fr" certificate is good.
I don't have a problem with creating the certificate when I manage to create it.

When I use the "wacs.exe" tool, it gives me two errors:

a) a timeout
b) and sometimes a wrong local address.

I don't know how to solve this problem.
I opened the Windows firewall and redirected the DMZ from my box to my computer. Nothing works.

No problem with the internet, just locally with the "wacs.exe" tool.

A simple Windows ACMEv2 client (WACS)
Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task points to different location for .exe and/or working directory
Scheduled task random delay mismatch
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Running in mode: Unattended
Source generated using plugin Manual: chez.jcz.fr

Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.3-September-21-2022.pdf
[chez.jcz.fr] Authorizing...
[chez.jcz.fr] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://chez.jcz.fr/.well-known/acme-challenge/NepjD2TK1iXB9EnOKoQxDhkXlv3IdjFFSHGCkS5pMlg
Preliminary validation looks good, but the ACME server will be more thorough
[chez.jcz.fr] Authorization result: invalid
[chez.jcz.fr] {
"type": "urn:ietf:params:acme:error:connection",
"detail": "109.16.70.70: Fetching https://chez.jcz.fr/.well-known/acme-challenge/NepjD2TK1iXB9EnOKoQxDhkXlv3IdjFFSHGCkS5pMlg: Timeout during connect (likely firewall problem)",
"status": 400
}
[chez.jcz.fr] Deactivating pending authorization
Create certificate failed

Appuyez sur une touche pour continuer...

You have a problem with IPv6 connections to your domain. You should fix that or remove the AAAA record from your DNS.

The error shows your IPv4 address but a Let's Debug test (link here) also shows the IPv6 error. I can reproduce the IPv6 problem from my own test server.

Your DNS:

nslookup chez.jcz.fr
A    Address: 109.16.70.70
AAAA Address: 2a02:8435:342:3801::100
4 Likes

Supplemental information:
The domain name has an IPv4 and an IPv6 Address
I am not seeing the IPv6 Address responding.

$ nslookup
> server dns1.alwaysdata.com.
Default server: dns1.alwaysdata.com.
Address: 185.31.43.1#53
> set q=any
> chez.jcz.fr
;; Truncated, retrying in TCP mode.
Server:         dns1.alwaysdata.com.
Address:        185.31.43.1#53

chez.jcz.fr     has AAAA address 2a02:8435:342:3801::100
Name:   chez.jcz.fr
Address: 109.16.70.70
>
>curl -4 -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Fri, 03 Feb 2023 17:01:26 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

>curl -4 -Ii https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/2 404
x-powered-by: PHP/8.2.1
vary: Accept-Encoding,User-Agent
cache-control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
pragma: no-cache
expires: 0
content-length: 239
content-type: text/html
content-language: fr
date: Fri, 03 Feb 2023 17:01:29 GMT
server: Apache
curl -6 -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to chez.jcz.fr port 80 after 75002 ms: Couldn't connect to server
>nmap -4 -Pn chez.jcz.fr
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 16:57 UTC
Nmap scan report for chez.jcz.fr (109.16.70.70)
Host is up (0.19s latency).
Other addresses for chez.jcz.fr (not scanned): 2a02:8435:342:3801::100
rDNS record for 109.16.70.70: 70.70.16.109.rev.sfr.net
Not shown: 998 filtered tcp ports (no-response)
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 108.49 seconds
>nmap -6 -Pn chez.jcz.fr
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-03 16:59 UTC
Nmap scan report for chez.jcz.fr (2a02:8435:342:3801::100)
Host is up.
Other addresses for chez.jcz.fr (not scanned): 109.16.70.70
rDNS record for 2a02:8435:342:3801::100: 2a02-8435-0342-3801-0000-0000-0000-0100.rev.sfr.net
All 1000 scanned ports on chez.jcz.fr (2a02:8435:342:3801::100) are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Nmap done: 1 IP address (1 host up) scanned in 411.33 seconds

Let's Debug is getting similar results https://letsdebug.net/chez.jcz.fr/1360879

1 Like

Thanks for the recommendations. :slight_smile:
The IPv6 in my box no longer works at all.
I'll see what I can do and get back to you.

3 Likes

A simple Windows ACMEv2 client (WACS)
Software version 2.1.23.1315 (release, pluggable, standalone, 64-bit)
Connecting to https://acme-v02.api.letsencrypt.org/...
Connection OK!
Scheduled task points to different location for .exe and/or working directory
Scheduled task random delay mismatch
Scheduled task exists but does not look healthy
Please report issues at GitHub - win-acme/win-acme: A simple ACME client for Windows (for use with Let's Encrypt et al.)
Running in mode: Unattended
Source generated using plugin Manual: chez.jcz.fr

Terms of service: C:\ProgramData\win-acme\acme-v02.api.letsencrypt.org\LE-SA-v1.3-September-21-2022.pdf
[chez.jcz.fr] Authorizing...
[chez.jcz.fr] Authorizing using http-01 validation (FileSystem)
Answer should now be browsable at http://chez.jcz.fr/.well-known/acme-challenge/MI3OPZm33hdFTCjbvRqyCIib2hbjbEruJWcduTDvtIc
Preliminary validation looks good, but the ACME server will be more thorough
[chez.jcz.fr] Authorization result: valid
Downloading certificate [Manual] chez.jcz.fr
Store with PemFiles...
Exporting .pem files to K:\Utilitaires_Wamp\07.Certificats\04.Lets-Encrypt\04.Store\02.Reel
Scheduled task points to different location for .exe and/or working directory
Scheduled task random delay mismatch
Scheduled task exists but does not look healthy
Proceeding with unhealthy scheduled task, automatic renewals may not work until this is addressed
Adding renewal for [Manual] chez.jcz.fr
Next renewal due at 2023/3/30 19:27:36
Certificate [Manual] chez.jcz.fr created

Appuyez sur une touche pour continuer...

In my zone file, I changed the "AAAA" IPv6 address of my site "chez.jcz.fr".
Then I launched the creation of a new certificate.
This time it was much faster.
The creation of the certificate has been done! :slight_smile:
I thought that if IPv6 no longer worked, the "wacs.exe" tool would automatically switch to IPv4.

I frequently have instability with my ISP's IPv6.

Problem solved. :slight_smile:
Thanks!

Cordially.
Artemus24.
@+

4 Likes

The wacs client might do that for outbound connects to the Let's Encrypt servers (I am not expert with wacs).

But, the wacs client does not control which comms protocol the Let's Encrypt servers use to contact your domain for validation. The LE Servers first use IPv6 if AAAA is present. In some IPv6 failures they will also try IPv4 but not for every kind of failure. There are several LE servers in different areas of the world that attempt validation.

3 Likes

This shows a failure via IPv4:

2 Likes

This is what I see via IPv4

$ curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Fri, 03 Feb 2023 17:58:50 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/2 404
x-powered-by: PHP/8.2.1
vary: Accept-Encoding,User-Agent
cache-control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
pragma: no-cache
expires: 0
content-length: 239
content-type: text/html
content-language: fr
date: Fri, 03 Feb 2023 17:58:55 GMT
server: Apache

The IPv6 path is broken:

  • It doesn't return the same content as IPv4 for HTTP.
  • It is serving HTTP content via port 443:
curl -Ii6 https://chez.jcz.fr:443/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

curl -Ii6 http://chez.jcz.fr:443/
HTTP/1.1 200 OK
Date: Fri, 03 Feb 2023 18:00:09 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
X-Powered-By: PHP/8.2.1
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Expires: 0
Vary: User-Agent
Content-Type: text/html
Content-Language: fr
2 Likes

And https://letsdebug.net/chez.jcz.fr/1360950 agrees with @rg305
"chez.jcz.fr has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=2001:470:c94a::100,Address Type=IPv6,Server=Apache,HTTP Status=404] vs [Address=109.16.70.70,Address Type=IPv4,Server=Apache,HTTP Status=301,Number of Redirects=1,Final HTTP Status=404] "

1 Like
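The two findings above (the IPv6 path answering differently from the IPv4 path, and the Let's Debug warning about "differing results") come down to a single check: every address a hostname publishes must answer the http-01 request the same way, and all of them must answer at all. The script below automates that check. It is an added example for this thread, not code from win-acme, Let's Debug or any poster. It resolves the name's A and AAAA records, requests the challenge path over plain HTTP from each literal address with the `Host` header set (the first hop an ACME validator makes), and compares the first-hop answers. The `Probe` structure, the `sometestfile` token and the constructed sample results (modelled on the status codes quoted above) are assumptions for illustration, not live measurements.

```python
"""Dual-stack consistency check for an ACME http-01 challenge path.

Added example for this thread; not code from win-acme, Let's Debug or any
poster. Let's Encrypt's validators connect to the addresses a name publishes
(IPv6 first when an AAAA record exists), so a host whose IPv6 and IPv4 paths
reach different servers, or where one path times out, fails validation even
though the site looks fine from one stack.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Token used in the thread's curl tests; any non-existent name works, since
# only the shape of the answer (status, server, redirect) is compared.
CHALLENGE_PATH = "/.well-known/acme-challenge/sometestfile"


@dataclass(frozen=True)
class Probe:
    """First-hop answer of one address to a plain-HTTP request for the path."""
    address: str
    family: str                 # "IPv4" or "IPv6"
    status: Optional[int]       # None when the connect or request failed
    server: Optional[str]       # Server header, if any
    location: Optional[str]     # Location header on a redirect, if any
    error: Optional[str] = None


def resolve_all(host: str) -> Tuple[List[str], List[str]]:
    """Return (ipv4_addresses, ipv6_addresses) currently published for host."""
    v4, v6 = set(), set()
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)


def probe(host: str, address: str, path: str = CHALLENGE_PATH, timeout: float = 10.0) -> Probe:
    """Fetch http://<address><path> with "Host: <host>", the first hop of an
    http-01 validation. The CA follows redirects itself; recording only the
    first answer is enough to spot a host that is split between two servers."""
    family = "IPv6" if ":" in address else "IPv4"
    conn = http.client.HTTPConnection(address, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host, "User-Agent": "dualstack-check/0"})
        resp = conn.getresponse()
        return Probe(address, family, resp.status,
                     resp.getheader("Server"), resp.getheader("Location"))
    except (OSError, http.client.HTTPException) as exc:
        return Probe(address, family, None, None, None,
                     error=str(exc) or exc.__class__.__name__)
    finally:
        conn.close()


def compare(probes: List[Probe]) -> Tuple[bool, List[str]]:
    """Return (consistent, report_lines). Any unreachable address makes the
    result inconsistent: a validator that picks it gets no answer at all."""
    answers = {(p.status, p.server, p.location) for p in probes if p.error is None}
    all_reachable = all(p.error is None for p in probes)
    consistent = bool(probes) and all_reachable and len(answers) == 1
    lines = []
    for p in probes:
        if p.error is not None:
            lines.append(f"[{p.family} {p.address}] no answer: {p.error}")
        else:
            lines.append(f"[{p.family} {p.address}] HTTP {p.status} "
                         f"Server={p.server} Location={p.location}")
    return consistent, lines


def check_host(host: str) -> Tuple[bool, List[str]]:
    """Resolve host and probe every address, IPv6 first as the CA does."""
    v4, v6 = resolve_all(host)
    return compare([probe(host, a) for a in v6 + v4])


# Constructed samples modelled on the values quoted in this thread; they are
# not live results. REDIRECT is the Location the IPv4 path returned.
REDIRECT = "https://chez.jcz.fr" + CHALLENGE_PATH
SAMPLE_SPLIT = [  # tunnel IPv6 endpoint answers 404, IPv4 redirects to HTTPS
    Probe("2001:470:c94a::100", "IPv6", 404, "Apache", None),
    Probe("109.16.70.70", "IPv4", 301, "Apache", REDIRECT),
]
SAMPLE_TIMEOUT = [  # dead IPv6 address never answers
    Probe("2a02:8435:342:3801::100", "IPv6", None, None, None, error="timed out"),
    Probe("109.16.70.70", "IPv4", 301, "Apache", REDIRECT),
]
SAMPLE_OK = [  # both stacks reach the same Apache and redirect identically
    Probe("2001:470:c94a::100", "IPv6", 301, "Apache", REDIRECT),
    Probe("109.16.70.70", "IPv4", 301, "Apache", REDIRECT),
]

if __name__ == "__main__":
    import sys
    ok, report = check_host(sys.argv[1]) if len(sys.argv) > 1 else compare(SAMPLE_SPLIT)
    print("\n".join(report))
    print("consistent" if ok else "INCONSISTENT: http-01 validation is likely to fail")
```

Run it with a hostname argument to probe live; without one it evaluates the constructed split-brain sample. A consistent result here does not guarantee issuance (the CA also follows the redirect and checks the token), but an inconsistent or unreachable address is exactly the condition that produced the timeout and the 404-versus-301 mismatch in this thread, and removing or fixing the offending AAAA record is the remedy the replies above recommend.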

This is what I presently see

$ nslookup
> server dns1.alwaysdata.com.
Default server: dns1.alwaysdata.com.
Address: 185.31.43.1#53
> set q=aaaa
> chez.jcz.fr
Server:         dns1.alwaysdata.com.
Address:        185.31.43.1#53

chez.jcz.fr     has AAAA address 2001:470:c94a::100
>
1 Like

I will try to answer all your questions.

a) at home, I have a box and my ISP is SFR. The IP addresses of my box are:
--> IPv4: 109.16.70.70.
--> IPv6: 2a02:8435:342:3801::100
The IPv6 address of my box no longer works.

b) I configured in my computer, under Windows 10 Pro, the Hurricane Electric IPv6 tunnel.
--> IPv6: 2001:470:c94a:100
This IPv6 address is operational.

c) We find the IP addresses of my box by doing:

[code]C:>nslookup chez.jcz.fr
Server: box
Address: 192.168.1.1

Non-authoritative answer:
Name: chez.jcz.fr
Addresses: 2001:470:c94a::100
109.16.70.70

C:>[/code]

d) I have a site which is hosted by alwaysdata in Paris.
The name of my domain is "www.jcz.fr".
You can access it by also putting "jcz.fr".

e) the IP addresses of this site where my site is hosted are:
--> ipv6: 185.31.40.11
--> ipv6: 2a00:b6e0:1:20:2::1

e) we find these same ones by doing:

[code]C:>nslookup jcz.fr
Server: box
Address: 192.168.1.1

Non-authoritative answer:
Name: jcz.fr
Addresses: 2a00:b6e0:1:20:2::1
185.31.40.11

C:>[/code]

f) in my computer, so at home, I installed WampServer:
--> Apache 2.4.55
--> MySQL: 8.0.32
--> PHP: 8.2.1
--> Phpmyadmin: 5.2.0

g) I have a local site, accessible from the internet, which is called "chez.jcz.fr".
I installed a let's encrypt certificate named "chez.jcz.fr".
On my other sites, not accessible from the internet, I created a CA certificate named "Artemus & Cie" with OpenSSL.

I'm looking to configure the SSL protocol in my WampServer.
I managed to do it with my OpenSSL "Artemus & Cie" certificate.
But I can't do it with the Let's Encrypt "chez.jcz.fr" certificate.

h) my site "chez.jcz.fr" is not accessible from the internet.
I have disabled the NAT rules concerning the redirection of HTTP and HTTPS ports to my computer.
This is why my site "chez.jcz.fr" is not accessible with the IPv4 address.

i) access test by IPv4:

[code]C:>curl -Ii http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 04 Feb 2023 18:15:40 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

C:>curl -Ii http://chez.jcz.fr:80/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 04 Feb 2023 18:15:46 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

C:>curl -Ii http://chez.jcz.fr:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Date: Sat, 04 Feb 2023 18:15:54 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
X-Powered-By: PHP/8.2.1
Vary: Accept-Encoding,User-Agent
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Expires: 0
Content-Length: 228
Content-Type: text/html
Content-Language: fr

C:>curl -Ii https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
HTTP/1.1 200 OK
Date: Sat, 04 Feb 2023 18:16:02 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade
Last-Modified: Sat, 04 Feb 2023 18:08:15 GMT
Accept-Ranges: bytes
Content-Length: 168
Vary: Accept-Encoding,User-Agent
Content-Language: fr

C:>curl -Ii https://109.16.70.70:443/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to 109.16.70.70 port 443 after 21009 ms: Timed out

C:>[/code]

j) access test by IPv6.
I am still under my old IPv6 address 2a02:8435:342:3801::100 which no longer works.

[code]C:>curl -Ii6 http://[2001:470:c94a::100]/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 04 Feb 2023 18:28:42 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

C:>curl -Ii6 http://[2001:470:c94a::100]:80/.well-known/acme-challenge/sometestfile
HTTP/1.1 301 Moved Permanently
Date: Sat, 04 Feb 2023 18:28:51 GMT
Server: Apache
Location: https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
Content-Type: text/html; charset=iso-8859-1

C:>curl -Ii6 http://[2001:470:c94a::100]:443/.well-known/acme-challenge/sometestfile
HTTP/1.1 400 Bad Request
Date: Sat, 04 Feb 2023 18:28:56 GMT
Server: Apache
Upgrade: h2,h2c
Connection: Upgrade, close
X-Powered-By: PHP/8.2.1
Vary: Accept-Encoding,User-Agent
Cache-Control: no-store, no-cache, must-revalidate, max-age=0, post-check=0, pre-check=0
Pragma: no-cache
Expires: 0
Content-Length: 228
Content-Type: text/html
Content-Language: fr

C:>curl -Ii6 https://[2001:470:c94a::100]/.well-known/acme-challenge/sometestfile
curl: (60) schannel: SNI or certificate check failed: SEC_E_WRONG_PRINCIPAL (0x80090322) - Le nom principal de la cible n'est pas correct.
More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

C:>curl -Ii6 http://chez.jcz.fr/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to chez.jcz.fr port 80 after 42034 ms: Timed out

C:>curl -Ii6 https://chez.jcz.fr/.well-known/acme-challenge/sometestfile
curl: (28) Failed to connect to chez.jcz.fr port 443 after 42068 ms: Timed out

C:>[/code]

k) I still have some problems with IPv6.
My old IPv6 address is still present in the windows hosts file.
As for the let's encrypt certificate, I can create one again.

Thank you all for your participation.

Cordially.
Artemus24.
@+

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.