Problems renewing via IPv6

I've been auto-renewing sebastiandetering.com since February and just got this problem as well.

Here is my nginx renewal log:


Processing /etc/letsencrypt/renewal/sebastiandetering.com.conf


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Simulating renewal of an existing certificate for sebastiandetering.com
Performing the following challenges:
http-01 challenge for sebastiandetering.com
Waiting for verification...
Challenge failed for domain sebastiandetering.com
http-01 challenge for sebastiandetering.com
Cleaning up challenges
Failed to renew certificate sebastiandetering.com with error: Some challenges have failed.


The following simulated renewals succeeded:
/etc/letsencrypt/live/peertube.sebastiandetering.com/fullchain.pem (success)

The following simulated renewals failed:
/etc/letsencrypt/live/sebastiandetering.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

Hi @KleinerWarden, and welcome to the LE community forum :slight_smile:

There is a discrepancy with the way IPv6 handles the challenge files:

curl -Ii4 sebastiandetering.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Sat, 28 May 2022 03:43:15 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://sebastiandetering.com/.well-known/acme-challenge/Test_File-1234

curl -Ii6 sebastiandetering.com/.well-known/acme-challenge/Test_File-1234
HTTP/1.1 404 Not Found
Server: nginx/1.18.0
Date: Sat, 28 May 2022 03:43:22 GMT
Content-Type: text/html
Content-Length: 153
Connection: keep-alive

Accessing your site using IPv4 results in a page with title "Sebastian's Site" and using IPv6 results in a page with title "PeerTube".

8 Likes

I see, thank you for having a look. Is what you are saying that this problem may have to do with how I have my DNS records set up in Epik?

1 Like

DNS should only have IP(s) that can reach your system.
Furthermore, the web server must be able to serve its sites via all the IP(s) found in DNS.

6 Likes

Or with how your web server is handling different virtual hosts. Is your server block for sebastiandetering.com listening on IPv6?

1 Like

That's the easiest part to check: check if the IPv4 and IPv6 addresses resolved by DNS are actually the IP addresses of the server. If that's the case, then DNS is not the issue. If that's not the case, then DNS is an issue. (Maybe not THE issue though, there may be more issues elsewhere.)

Chances are it's a misconfiguration in your webserver as @rg305 and @9peppe also already pointed out.

5 Likes
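The two checks recommended above (do the A/AAAA records point at the server, and does the challenge path answer the same way over IPv4 and IPv6) can be scripted. The following is an added example written for this thread, not code from the Let's Encrypt project or from anyone in the discussion. It reproduces the curl -4 / curl -6 comparison with http.client, sending the site's Host header to each literal address, and flags the 404-versus-redirect split seen in the post above. The addresses in the test data (203.0.113.10, 2001:db8::10) are constructed documentation-range values; the server's real addresses are passed on the command line.

```python
"""Dual-stack pre-flight check for HTTP-01 renewals (added example, not from the thread).

Usage: python3 dualstack_check.py sebastiandetering.com 203.0.113.10 2001:db8::10
(the trailing arguments are the addresses the server actually owns)
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# The CA fetches /.well-known/acme-challenge/<token>; any token shows how the path is routed.
ACME_PATH = "/.well-known/acme-challenge/Test_File-1234"
REDIRECTS = {301, 302, 307, 308}


@dataclass
class Probe:
    family: str              # "IPv4" or "IPv6"
    address: str
    status: Optional[int]    # None when no HTTP answer came back
    location: Optional[str]  # Location header when the answer was a redirect


def resolve(name: str) -> Dict[str, List[str]]:
    """Live DNS lookup: A and AAAA records as {"IPv4": [...], "IPv6": [...]}."""
    found: Dict[str, Set[str]] = {"IPv4": set(), "IPv6": set()}
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM):
        found["IPv6" if family == socket.AF_INET6 else "IPv4"].add(sockaddr[0])
    return {k: sorted(v) for k, v in found.items()}


def dns_not_on_server(records: Dict[str, List[str]], server_addrs: Set[str]) -> List[str]:
    """Published addresses that are not the server's own (the DNS check from the thread)."""
    return [a for addrs in records.values() for a in addrs if a not in server_addrs]


def probe(address: str, host: str, family: str, timeout: float = 5.0) -> Probe:
    """HEAD the challenge path on one literal address, with the site's Host header."""
    target = f"[{address}]" if family == "IPv6" else address  # http.client strips the brackets
    conn = http.client.HTTPConnection(target, 80, timeout=timeout)
    try:
        conn.request("HEAD", ACME_PATH, headers={"Host": host})
        resp = conn.getresponse()
        return Probe(family, address, resp.status, resp.getheader("Location"))
    except OSError:
        return Probe(family, address, None, None)
    finally:
        conn.close()


def diagnose(probes: List[Probe]) -> List[str]:
    """Turn per-family answers into findings a validator would trip over."""
    findings: List[str] = []
    for p in probes:
        tag = f"{p.family} {p.address}"
        if p.status is None:
            findings.append(f"{tag}: no HTTP answer; nothing listens on this address or port 80 is filtered")
        elif p.status == 404:
            findings.append(f"{tag}: 404; the request landed in a server block that does not serve this site (vhost mismatch)")
        elif p.status in REDIRECTS:
            findings.append(f"{tag}: redirect to {p.location}; acceptable only if the target serves the token")
        elif p.status >= 400:
            findings.append(f"{tag}: HTTP {p.status}")
    if len({p.status for p in probes}) > 1:
        findings.append("families disagree: a validator that tries IPv6 first sees the IPv6 answer, not the one checked in a browser over IPv4")
    return findings


def check(host: str, server_addrs: Set[str]) -> List[str]:
    """Full run: DNS sanity plus one probe per published address."""
    records = resolve(host)
    findings = [f"DNS publishes {a}, which is not a server address" for a in dns_not_on_server(records, server_addrs)]
    probes = [probe(a, host, fam) for fam, addrs in records.items() for a in addrs]
    return findings + diagnose(probes)


if __name__ == "__main__":
    import sys
    for line in check(sys.argv[1], set(sys.argv[2:])) or ["no discrepancy found"]:
        print(line)
```

Run it from a machine that has both IPv4 and IPv6 connectivity, otherwise every probe of the family you lack reports "no HTTP answer" and tells you nothing about the server. A 404 on exactly one family is the signature of a listen directive missing for that family: nginx then picks its default server block for that address, which is a different site.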

I checked Epik, and it seems set right

I am almost certain the rails server is not listening on IPv6 since I did no setup on that end.

root@vultr:~# cat /etc/nginx/sites-enabled/rails-demo
upstream rails-demo {
    server unix:/home/rails-demo/app/shared/unicorn.sock fail_timeout=0;
}

server {
    server_name sebastiandetering.com;

    root /home/rails-demo/app/current/public;

    location /assets/ {
        gzip_static on; # serve pre-gzipped version
        expires 1M;
        add_header Cache-Control public;
    }

    location / {
        try_files $uri @app;
    }

    location @app {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://rails-demo;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/sebastiandetering.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/sebastiandetering.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

#server {
#    listen 80;
#    server_name www.sebastiandetering.com;
#    return 301 http://$host$request_uri;
#
#}

server {
    if ($host = sebastiandetering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name sebastiandetering.com;
    return 404; # managed by Certbot
}

Above is my nginx config for the rails-demo server.
Does anyone know how to get this set up correctly, or, if I don't want to deal with IPv6, a way to just disable it altogether?

6 Likes

Brilliant! I added listen [::]:80;.
root@vultr:~# vim /etc/nginx/sites-available/rails-demo

server {
    if ($host = sebastiandetering.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    # added
    listen [::]:80;

    server_name sebastiandetering.com;
    return 404; # managed by Certbot
}

root@vultr:~# systemctl restart nginx
root@vultr:~# sudo certbot renew --dry-run
...

Congratulations, all simulated renewals succeeded: 
  /etc/letsencrypt/live/peertube.sebastiandetering.com/fullchain.pem (success)
  /etc/letsencrypt/live/sebastiandetering.com/fullchain.pem (success)

root@vultr:~# sudo certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/peertube.sebastiandetering.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/sebastiandetering.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate for sebastiandetering.com
Performing the following challenges:
http-01 challenge for sebastiandetering.com
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/sebastiandetering.com/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/peertube.sebastiandetering.com/fullchain.pem expires on 2022-08-26 (skipped)
Congratulations, all renewals succeeded: 
  /etc/letsencrypt/live/sebastiandetering.com/fullchain.pem (success)

And I checked, it worked! Thanks rg305, I see you are very active on other posts too. We need more mods like you.

5 Likes
