Renew cert timeout on ipv6

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ix.zxinc.org

I ran this command: certbot renew

It produced this output:

 - The following errors were reported by the server:

   Domain: ix.zxinc.org
   Type:   connection
   Detail: 2406:840:803:1::2: Fetching
   http://ix.zxinc.org/.well-known/acme-challenge/zJMumfrZADgalt_2Q4zyXSqz6xiNQNHcBhJaxnIjhQI:
   Timeout after connect (your server may be slow or overloaded)

My web server is (include version): nginx 1.20.1

The operating system my web server runs on is (include version): centos 7.9

My hosting provider, if applicable, is: tencent cloud

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

The full log file is here: Ubuntu Pastebin

I confirm the IPv6 address is reachable globally:

[root@zx ~]# curl -I6v http://ix.zxinc.org
* About to connect() to ix.zxinc.org port 80 (#0)
*   Trying 2406:840:803:1::2...
* Connected to ix.zxinc.org (2406:840:803:1::2) port 80 (#0)
> HEAD / HTTP/1.1
> User-Agent: curl/7.29.0
> Host: ix.zxinc.org
> Accept: */*
> 
< HTTP/1.1 200 OK

all is ok with online website checker: https://check-your-website.server-daten.de/?q=ix.zxinc.org%2F.well-known%2Facme-challenge%2Ffwg6jifl5hrtg0bccgygqxlcis8jov57ot5lzmd7tgs

however the site is constantly reporting non-helpful errors: Let's Debug

Hmm. I get IPv4 responses instantly but cannot get a response using IPv6. I can connect but never get a response. Same message as Let's Debug.

The Let's Encrypt servers will contact your server from (currently) 4 locations around the globe. They should all work.

I am trying from US East Coast (AWS region)

curl -I6v http://ix.zxinc.org
*   Trying 2406:840:803:1::2:80...
* Connected to ix.zxinc.org (2406:840:803:1::2) port 80 (#0)
> HEAD / HTTP/1.1
> Host: ix.zxinc.org
> User-Agent: curl/7.79.1
> Accept: */*
>
* Recv failure: Connection reset by peer
* Closing connection 0
curl: (56) Recv failure: Connection reset by peer
(this failure is reported a long time after request - several minutes at least)

curl -I6v -m15 http://ix.zxinc.org  (adding 15s timeout limit)
*   Trying 2406:840:803:1::2:80...
* Connected to ix.zxinc.org (2406:840:803:1::2) port 80 (#0)
> HEAD / HTTP/1.1
> Host: ix.zxinc.org
> User-Agent: curl/7.79.1
> Accept: */*
>
* Operation timed out after 15000 milliseconds with 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 15000 milliseconds with 0 bytes received
6 Likes

Hmmm, it's really ridiculous. But I can open the url from many locations. I don't have any idea what happened.

Via IPv4 or IPv6 (or both) ?

5 Likes

via both.

I get the same problem @MikeMcQ found:
[IPv4 works, but IPv6 fails]

curl -Ii4 ix.zxinc.org
HTTP/1.1 200 OK
Server: nginx/1.20.1
Date: Sun, 10 Jul 2022 18:40:35 GMT
Content-Type: text/html
Content-Length: 35376
Last-Modified: Sat, 05 Feb 2022 15:02:22 GMT
Connection: keep-alive
ETag: "61fe917e-8a30"
Accept-Ranges: bytes

curl -Ii6 -m9 ix.zxinc.org
curl: (28) Operation timed out after 9001 milliseconds with 0 bytes received

Since LE will prefer IPv6 over IPv4 (when available), it stands to reason that is where the problem lies.

7 Likes
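The two replies above boil down to one diagnostic: the same HTTP request over IPv4 answers instantly, while over IPv6 the TCP connect succeeds but no bytes ever come back (timeout or reset), and because the CA tries IPv6 first when an AAAA record exists, that is the path HTTP-01 validation will take. The script below is an added example, not code from this thread or from Certbot or Let's Encrypt. It forces one address family at a time, sends a HEAD request for the challenge path, and classifies the outcome so that "connected but silent" is reported separately from "cannot connect". Host names, ports and the local stand-in servers used for testing are constructed; the `start_local_server` helper only exists so the probe can be exercised offline on 127.0.0.1.

```python
import socket
import threading
import time

FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}


def probe_http(host, port, family, path="/", timeout=10.0):
    """Connect using only the given family ("ipv4" or "ipv6"), send HEAD, classify the result."""
    try:
        infos = socket.getaddrinfo(host, port, FAMILIES[family], socket.SOCK_STREAM)
    except socket.gaierror:
        return {"family": family, "status": "no-address"}   # no A / AAAA record for this family
    af, socktype, proto, _, sockaddr = infos[0]
    s = socket.socket(af, socktype, proto)
    s.settimeout(timeout)
    t0 = time.monotonic()
    try:
        s.connect(sockaddr)
    except OSError as e:                       # includes timeout during the SYN/SYN-ACK exchange
        s.close()
        return {"family": family, "status": "connect-failed", "detail": str(e)}
    connect_ms = round((time.monotonic() - t0) * 1000)
    request = (f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\n"
               f"Connection: close\r\n\r\n").encode()
    try:
        s.sendall(request)
        data = s.recv(4096)
    except socket.timeout:
        # The symptom from the thread: handshake looked fine, then silence.
        return {"family": family, "status": "timeout-after-connect", "connect_ms": connect_ms}
    except ConnectionResetError:
        return {"family": family, "status": "reset-after-connect", "connect_ms": connect_ms}
    except OSError as e:
        return {"family": family, "status": "error", "detail": str(e)}
    finally:
        s.close()
    if not data:
        return {"family": family, "status": "closed-without-response", "connect_ms": connect_ms}
    status_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
    return {"family": family, "status": "ok", "status_line": status_line, "connect_ms": connect_ms}


def classify(v4_status, v6_status):
    """Turn the pair of per-family outcomes into a one-line verdict for the operator."""
    silent = ("timeout-after-connect", "reset-after-connect", "closed-without-response")
    if v6_status == "no-address":
        return "no AAAA record: validation can only use IPv4"
    if v4_status == "ok" and v6_status in silent:
        return ("IPv6 accepts the TCP connection but never answers; the CA prefers IPv6 "
                "when an AAAA record exists, so HTTP-01 will fail until the IPv6 path is fixed")
    if v4_status == "ok" and v6_status == "connect-failed":
        return "IPv6 address unreachable (firewall or routing); fix it or drop the AAAA record"
    if v4_status == "ok" and v6_status == "ok":
        return "both families answer; look elsewhere (rate limits, nginx location rules)"
    return f"IPv4={v4_status}, IPv6={v6_status}: fix IPv4 first, it is the fallback"


def diagnose(host, port=80, path="/.well-known/acme-challenge/test", timeout=10.0):
    """Probe both families and attach a verdict; this is what an operator would run."""
    results = {fam: probe_http(host, port, fam, path, timeout) for fam in FAMILIES}
    results["verdict"] = classify(results["ipv4"]["status"], results["ipv6"]["status"])
    return results


def start_local_server(reply):
    """Constructed stand-in for testing only: accept one connection, then answer with
    `reply` or (if reply is None) stay silent, mimicking the broken IPv6 path."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            conn.recv(1024)
            if reply is not None:
                conn.sendall(reply)
            else:
                time.sleep(3)          # never respond; client should hit its read timeout
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Example invocation against a placeholder host (not reachable offline).
    print(diagnose("example.invalid"))
```

Run it against your own host name with the real challenge path; a result of `ok` for ipv4 and `timeout-after-connect` for ipv6 is exactly the pattern seen in the curl sessions above, and points at the IPv6 route or a stateful device on it rather than at nginx.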

Thank you all very much for checking the problem. It's solved. The problem was due to an asymmetric route causing one of the problematic routers to drop the third TCP handshake (ACK) packet, so all traffic from the USA to the site got broken TCP connections.

3 Likes
