Renew certificate OCSP failure

My domain is:

https://patera.name

I ran this command:

certbot renew -v

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/patera.name.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OCSP check failed for /etc/letsencrypt/archive/patera.name/cert2.pem (are we offline?)
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/connection.py", line 72, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/local/lib/python3.10/socket.py", line 955, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 398, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 239, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/usr/local/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 205, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 186, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fad480820>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='r3.o.lencr.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fad480820>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/ocsp.py", line 172, in _check_ocsp_cryptography
    response = requests.post(url, data=request_binary,
  File "/usr/local/lib/python3.10/site-packages/requests/api.py", line 115, in post
    return request("post", url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 565, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='r3.o.lencr.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fad480820>: Failed to establish a new connection: [Errno -3] Try again'))
Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Failed to renew certificate patera.name with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fad483eb0>: Failed to establish a new connection: [Errno -3] Try again'))

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/patera.name/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

nginx version: nginx/1.23.4

The operating system my web server runs on is (include version):

Debian GNU/Linux 11

My hosting provider, if applicable, is:

N/A (I host the system myself)

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 2.5.0

You seem to have outbound connection issue from your system. What output do the following programs:
curl -s -v -4 http://ifconfig.co
and
curl -s -v -6 http://ifconfig.co
give?

6 Likes

$ curl -s -v -4 http://ifconfig.co

*   Trying 172.64.163.15:80...
* Connected to ifconfig.co (172.64.163.15) port 80 (#0)
> GET / HTTP/1.1
> Host: ifconfig.co
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 10 Jul 2023 08:45:19 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 12
< Connection: keep-alive
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3KYomJMqYsn6D2Lf7U6kC%2FHj1QmO0PwGpzdvkIaTeDe9MWa2ZYyNNPEDsJ6yN3mtgWyZbgliN6KuT7HzV%2FxlzG98YybJ4eG7lan%2BwKDKK8CAceTpfAEABH99RZSTew%3D%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 7e4787a2eb3bb34d-PRG
< alt-svc: h3=":443"; ma=86400
< 
93.99.25.51
* Connection #0 to host ifconfig.co left intact

$ curl -s -v -6 http://ifconfig.co

*   Trying 2606:4700:e4::ac40:a20f:80...
* Immediate connect fail for 2606:4700:e4::ac40:a20f: Network is unreachable
*   Trying 2606:4700:e4::ac40:a30f:80...
* Immediate connect fail for 2606:4700:e4::ac40:a30f: Network is unreachable
* Closing connection 0

Can you do the same but for http://r3.o.lencr.org/?

Currently it looks like your IPv6 connectivity is malfunctioning/non-existent. Python probably tries to use IPv6 for the OCSP requests and fails.

4 Likes
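Added diagnostic for this thread (not certbot's code and not posted by anyone above): certbot reaches the OCSP responder and the ACME API through requests, urllib3 and finally socket.getaddrinfo, and the traceback quoted above dies inside getaddrinfo with errno -3, which on glibc is EAI_AGAIN, i.e. the name lookup itself failed before any TCP connection was attempted. The script repeats that lookup once per address family so you can see whether only the IPv6-capable lookup fails or whether the resolver fails for everything. The two fake resolvers at the bottom are constructed for offline demonstration and mimic the two outcomes; the host names and the 2.16.2.73 address are the ones from the curl output in this thread.

```python
"""Per-address-family name resolution probe (added example, not certbot code)."""
import socket
from typing import Callable, Dict, List, Union

EAI_AGAIN = getattr(socket, "EAI_AGAIN", -3)    # glibc: -3, "Try again"
EAI_NONAME = getattr(socket, "EAI_NONAME", -2)  # glibc: -2, "Name or service not known"

# Same lookup three times: IPv4 only, IPv6 only, and the unrestricted
# AF_UNSPEC lookup that requests/urllib3 actually perform.
FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6, "unspec": socket.AF_UNSPEC}

Report = Dict[str, Union[List[str], str]]


def probe(host: str, port: int = 80,
          resolver: Callable = socket.getaddrinfo) -> Report:
    """Resolve `host` under each family in FAMILIES.

    Returns {family: [addresses in the order getaddrinfo returned them]}
    or {family: "error: ..."}. The "unspec" order is the order urllib3
    will try the addresses in.
    """
    report: Report = {}
    for label, family in FAMILIES.items():
        try:
            infos = resolver(host, port, family, socket.SOCK_STREAM)
            report[label] = [sockaddr[0] for _, _, _, _, sockaddr in infos]
        except socket.gaierror as exc:
            if exc.errno == EAI_AGAIN:
                report[label] = "error: EAI_AGAIN (temporary resolver failure)"
            elif exc.errno == EAI_NONAME:
                report[label] = "error: EAI_NONAME (no such name or record)"
            else:
                report[label] = f"error: gaierror {exc.errno}: {exc.strerror}"
    return report


def verdict(report: Report) -> str:
    """One-line reading of a probe() report."""
    ok = {label for label, value in report.items() if isinstance(value, list)}
    if "unspec" in ok:
        return "resolves; first candidate tried will be " + report["unspec"][0]
    if "IPv4" in ok and "IPv6" not in ok:
        return ("IPv4 resolves but the unrestricted lookup fails: "
                "look at the resolver / IPv6 setup, not at the remote host")
    if not ok:
        return ("nothing resolves in any family: the DNS resolver itself "
                "is unreachable or misconfigured (check /etc/resolv.conf)")
    return "inconclusive: " + repr(report)


# --- constructed fakes for offline use; same signature as getaddrinfo ---

def resolver_try_again(host, port, family, socktype, proto=0, flags=0):
    """Every lookup fails exactly as the traceback in this thread does."""
    raise socket.gaierror(EAI_AGAIN, "Try again")


def resolver_v4_only(host, port, family, socktype, proto=0, flags=0):
    """AF_INET works; any lookup that could return AAAA fails with EAI_AGAIN."""
    if family == socket.AF_INET:
        # 2.16.2.73 is the address curl printed for r3.o.lencr.org above.
        return [(socket.AF_INET, socktype, 6, "", ("2.16.2.73", port))]
    raise socket.gaierror(EAI_AGAIN, "Try again")


if __name__ == "__main__":
    # Live run against the two hosts certbot contacts during `certbot renew`.
    for name in ("r3.o.lencr.org", "acme-v02.api.letsencrypt.org"):
        rep = probe(name)
        print(name, rep, "->", verdict(rep))
```

Run it on the affected box; if all three families come back with EAI_AGAIN the problem is the resolver configuration rather than address-family preference, and `getent ahostsv4 r3.o.lencr.org` should fail the same way.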
$ curl -s -v -4 http://r3.o.lencr.org/

*   Trying 2.16.2.73:80...
* Connected to r3.o.lencr.org (2.16.2.73) port 80 (#0)
> GET / HTTP/1.1
> Host: r3.o.lencr.org
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 0
< Cache-Control: max-age=4839
< Expires: Mon, 10 Jul 2023 10:21:47 GMT
< Date: Mon, 10 Jul 2023 09:01:08 GMT
< Connection: keep-alive
< 
* Connection #0 to host r3.o.lencr.org left intact

$ curl -s -v -6 http://r3.o.lencr.org/

*   Trying 2a02:26f0:e300::5f64:9229:80...
* Immediate connect fail for 2a02:26f0:e300::5f64:9229: Network is unreachable
*   Trying 2a02:26f0:e300::5f64:9242:80...
* Immediate connect fail for 2a02:26f0:e300::5f64:9242: Network is unreachable
* Closing connection 0

Interesting, I thought IPv4 is the primary choice when available... I will try to look into IPv6 configuration on my system then...

2 Likes

Well, I have no public IPv6 address from my provider. I have only the local one:

inet6 fe80::4e81:...  prefixlen 64  scopeid 0x20<link>

Can I somehow force the OCSP request to use IPv4?

If you don't have IPv6 connectivity, you probably should disable IPv6 entirely, unless it's somehow required for local usage (but that would be pretty uncommon I think).

Certbot probably isn't the only application having problems with this situation.

4 Likes

It isn't only the OCSP check that is failing. In the log you sent there is the following too:

So you have to fix your IPv6, because many other things are going to fail. (Of course, fixing can be to disable it.)

I believe that the output of the command ip -6 addr show scope global is empty, as you mentioned that you have only a local-scope IPv6 address.
What does the command ip -6 route give as output?

5 Likes

So I disabled IPv6 completely "ipv6.disable=1". Now there are no IPv6 addresses in "ifconfig" output. Yet the "certbot renew" problem is still the same.

$ ip -6 addr show scope global
$ ip -6 route
$ curl -s -v -4 http://ifconfig.co

*   Trying 172.64.162.15:80...
* Connected to ifconfig.co (172.64.162.15) port 80 (#0)
> GET / HTTP/1.1
> Host: ifconfig.co
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 10 Jul 2023 11:10:47 GMT
< Content-Type: text/plain; charset=utf-8
< Content-Length: 12
< Connection: keep-alive
< CF-Cache-Status: DYNAMIC
< Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=UgJImeBImXdJdLs73iL30Juyo28Kqe9Cw4b%2F%2BunxtnJPDQ7xoxMlXtflJ1fjokbxTiUudVecLOh3aD4SpzXxPlXKRP9tXrwT7P5LwrMfw53jv%2B7WJIQ9gBVtH2tydw%3D%3D"}],"group":"cf-nel","max_age":604800}
< NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
< Server: cloudflare
< CF-RAY: 7e485cbcfa5f18e4-FRA
< alt-svc: h3=":443"; ma=86400
< 
93.99.25.51
* Connection #0 to host ifconfig.co left intact

$ curl -s -v -6 http://ifconfig.co
* Couldn't resolve host 'ifconfig.co'
* Closing connection 0

You may still have a stale AAAA type DNS entry for r3.o.lencr.org in your resolver cache. Please retry after two minutes.

3 Likes

Still no luck, error seems to be exactly the same. I tried to call it with more verbose logging, see the output below:

$ certbot renew -vvv

Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Notifying user: Processing /etc/letsencrypt/renewal/patera.name.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/patera.name.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7fb5c9f7c0> and installer <certbot._internal.cli.cli_utils._Default object at 0x7fb5c9f7c0>
Starting new HTTP connection (1): r3.o.lencr.org:80
OCSP check failed for /etc/letsencrypt/archive/patera.name/cert2.pem (are we offline?)
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/connection.py", line 72, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/local/lib/python3.10/socket.py", line 955, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 398, in _make_request
    conn.request(method, url, **httplib_request_kw)
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 239, in request
    super(HTTPConnection, self).request(method, url, body=body, headers=headers)
  File "/usr/local/lib/python3.10/http/client.py", line 1282, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1328, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1277, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/local/lib/python3.10/http/client.py", line 1037, in _send_output
    self.send(msg)
  File "/usr/local/lib/python3.10/http/client.py", line 975, in send
    self.connect()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 205, in connect
    conn = self._new_conn()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 186, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPConnection object at 0x7fb5c7b6a0>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPConnectionPool(host='r3.o.lencr.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb5c7b6a0>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/ocsp.py", line 172, in _check_ocsp_cryptography
    response = requests.post(url, data=request_binary,
  File "/usr/local/lib/python3.10/site-packages/requests/api.py", line 115, in post
    return request("post", url, data=data, json=json, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/api.py", line 59, in request
    return session.request(method=method, url=url, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 565, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPConnectionPool(host='r3.o.lencr.org', port=80): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fb5c7b6a0>: Failed to establish a new connection: [Errno -3] Try again'))
Should renew, less than 30 days before certificate expiry 2023-07-13 09:00:21 UTC.
Certificate is due for renewal, auto-renewing...
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Saves the necessary validation files to a .well-known/acme-challenge/ directory within the nominated webroot path. A seperate HTTP server must be running and serving files from the webroot path. HTTP challenge only (wildcards not supported).
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7fb5eb2fb0>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7fb5eb2fb0> and installer None
Plugins selected: Authenticator webroot, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/1059877387', new_authzr_uri=None, terms_of_service=None), 00220d733296bbe27fcfe191dccfcb9d, Meta(creation_dt=datetime.datetime(2023, 4, 14, 8, 57, 34, tzinfo=<UTC>), creation_host='4466a1e62f16', register_to_eff=None))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Failed to renew certificate patera.name with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb5c7a290>: Failed to establish a new connection: [Errno -3] Try again'))
Traceback was:
Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 174, in _new_conn
    conn = connection.create_connection(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/connection.py", line 72, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/local/lib/python3.10/socket.py", line 955, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 703, in urlopen
    httplib_response = self._make_request(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 1042, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 358, in connect
    self.sock = conn = self._new_conn()
  File "/usr/local/lib/python3.10/site-packages/urllib3/connection.py", line 186, in _new_conn
    raise NewConnectionError(
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7fb5c7a290>: Failed to establish a new connection: [Errno -3] Try again

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 489, in send
    resp = conn.urlopen(
  File "/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py", line 787, in urlopen
    retries = retries.increment(
  File "/usr/local/lib/python3.10/site-packages/urllib3/util/retry.py", line 592, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb5c7a290>: Failed to establish a new connection: [Errno -3] Try again'))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 533, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1545, in renew_cert
    le_client = _init_le_client(config, auth, installer)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 835, in _init_le_client
    return client.Client(config, acc, authenticator, installer, acme=acme)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 297, in __init__
    acme = acme_from_config_key(config, self.account.key, self.account.regr)
  File "/opt/certbot/src/certbot/certbot/_internal/client.py", line 72, in acme_from_config_key
    directory = acme_client.ClientV2.get_directory(config.server, net)
  File "/opt/certbot/src/acme/acme/client.py", line 331, in get_directory
    return messages.Directory.from_json(net.get(url).json())
  File "/opt/certbot/src/acme/acme/client.py", line 706, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/opt/certbot/src/acme/acme/client.py", line 648, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 587, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/sessions.py", line 701, in send
    r = adapter.send(request, **kwargs)
  File "/usr/local/lib/python3.10/site-packages/requests/adapters.py", line 565, in send
    raise ConnectionError(e, request=request)
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7fb5c7a290>: Failed to establish a new connection: [Errno -3] Try again'))

Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/patera.name/fullchain.pem (failure)
Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot', 'console_scripts', 'certbot')())
  File "/opt/certbot/src/certbot/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1864, in main
    return config.func(config, plugins)
  File "/opt/certbot/src/certbot/certbot/_internal/main.py", line 1636, in renew
    renewal.handle_renewal_request(config)
  File "/opt/certbot/src/certbot/certbot/_internal/renewal.py", line 559, in handle_renewal_request
    raise errors.Error(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I do not know how disabling the IPv6 stack works that way, sorry. I would have suggested instead fixing the IPv6 connection. You mentioned that your ISP does not provide IPv6 connectivity. I do not know your infrastructure, but maybe you have to disable IPv6 on your router instead of disabling it on the host?

4 Likes

I really appreciate your support guys, but... I don't see any AAAA DNS record on the domain. My router does not use IPv6. My host does not use IPv6. Error messages do not mention IPv6, they suggest max retries exceeded and that I should try again. I used this same host with the same setup to generate the first certificate (and solve the chicken and egg problem) almost 3 months ago. I am really confused and I cannot move even a bit forward.

Please re-enable IPv6. Check the IPv6 addresses and IPv6 routes with the commands I wrote earlier.

2 Likes

Seems like you enabled IPv6 since your last renewal.
DNS provides your system with IPv6 and IPv4 addresses.
Your system favors IPv6 and that path fails.
Your system doesn't revert to IPv4 afterwards.

I would [actually] disable IPv6
OR
Prefer IPv4 [when both are available (from DNS)]

You've already tried to disable IPv6 but that may require some additional steps.
To prefer IPv4, see:

3 Likes
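Added example of what the `precedence ::ffff:0:0/96 100` line in /etc/gai.conf actually changes (not code from this thread, glibc or certbot). It implements only the precedence rule (rule 6) of RFC 6724 destination address ordering: every candidate address is viewed as IPv6 (IPv4 addresses as their ::ffff:a.b.c.d mapped form), given the value of the longest matching prefix in the precedence table, and sorted highest value first. With the RFC 6724 section 2.1 table, native IPv6 (::/0, 40) beats IPv4-mapped (::ffff:0:0/96, 35), so an AAAA record is tried first. Per gai.conf(5), as soon as any precedence line is present the built-in table is no longer used, so the single uncommented line gives IPv4 a value of 100 and everything else 0, which is why the line flips the order. The two sample addresses are the ones curl printed for r3.o.lencr.org above; the other RFC 6724 rules (scope, label matching, unusable destinations) are deliberately left out.

```python
"""Rule-6 (precedence) half of RFC 6724 destination ordering, driven by
gai.conf-style 'precedence' lines. Added example, not glibc/certbot code."""
import ipaddress
from typing import List, Tuple

# RFC 6724 section 2.1 default precedence table, in gai.conf syntax.
RFC6724_PRECEDENCE = """
precedence ::1/128        50
precedence ::/0           40
precedence ::ffff:0:0/96  35
precedence 2002::/16      30
precedence 2001::/32       5
precedence fc00::/7        3
precedence ::/96           1
precedence fec0::/10       1
precedence 3ffe::/16       1
"""

# What the poster ended up with: the one line uncommented, nothing else.
POSTER_GAI_CONF = "precedence ::ffff:0:0/96  100\n"

Table = List[Tuple[ipaddress.IPv6Network, int]]


def parse_precedence(text: str) -> Table:
    """Return [(network, value)] from gai.conf text; '#' comments are ignored,
    so a commented-out line contributes nothing."""
    table: Table = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 3 and parts[0] == "precedence":
            table.append((ipaddress.IPv6Network(parts[1]), int(parts[2])))
    return table


def as_ipv6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 candidates are compared as IPv4-mapped IPv6 (::ffff:0:0/96)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ipaddress.IPv6Address((0xFFFF << 32) | int(ip))
    return ip


def precedence(addr: str, table: Table) -> int:
    """Value of the longest matching prefix; 0 when no entry matches
    (which is what happens to native IPv6 under POSTER_GAI_CONF)."""
    v6 = as_ipv6(addr)
    best_len, best_val = -1, 0
    for net, value in table:
        if v6 in net and net.prefixlen > best_len:
            best_len, best_val = net.prefixlen, value
    return best_val


def order_destinations(addrs: List[str], table: Table) -> List[str]:
    """Stable sort, highest precedence first (rule 6 only)."""
    return sorted(addrs, key=lambda a: precedence(a, table), reverse=True)


if __name__ == "__main__":
    # Addresses curl printed for r3.o.lencr.org in this thread.
    candidates = ["2.16.2.73", "2a02:26f0:e300::5f64:9229"]
    for label, conf in (("RFC 6724 default", RFC6724_PRECEDENCE),
                        ("poster's gai.conf", POSTER_GAI_CONF)):
        table = parse_precedence(conf)
        print(label, [(a, precedence(a, table)) for a in candidates],
              "->", order_destinations(candidates, table))
```

Note that this only changes which address getaddrinfo lists first; it does nothing for a lookup that fails with EAI_AGAIN before any list is produced.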

I re-enabled IPv6 and took the "#" out from line: #precedence ::ffff:0:0/96 100 in /etc/gai.conf. Yet it did not bring any change to the outcome. If I try to ping and ping6 various addresses I get the following outputs:

$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.88.10  netmask 255.255.255.0  broadcast 192.168.88.255
        inet6 fe80::4e81:43a3:fdcb:f13b  prefixlen 64  scopeid 0x20<link>

$ ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.194 ms

$ ping acme-v02.api.letsencrypt.org
PING ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com (172.65.32.248) 56(84) bytes of data.
64 bytes from 172.65.32.248 (172.65.32.248): icmp_seq=1 ttl=54 time=4.30 ms

$ ping6 localhost
PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.130 ms

$ ping6 acme-v02.api.letsencrypt.org
ping6: connect: Network is unreachable

Show:
curl -s -v http://r3.o.lencr.org/

3 Likes

$ curl -s -v http://r3.o.lencr.org/

*   Trying 2.16.2.73:80...
* Connected to r3.o.lencr.org (2.16.2.73) port 80 (#0)
> GET / HTTP/1.1
> Host: r3.o.lencr.org
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx
< Content-Length: 0
< Cache-Control: max-age=14425
< Expires: Tue, 11 Jul 2023 17:30:47 GMT
< Date: Tue, 11 Jul 2023 13:30:22 GMT
< Connection: keep-alive
< 
* Connection #0 to host r3.o.lencr.org left intact

There you go!
It's preferring IPv4 now.

4 Likes

Please show:
certbot certificates

And retry:
certbot renew

4 Likes