Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
kriebel.mooo.com
I ran this command:
sudo certbot renew
It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/kriebel.mooo.com.conf
Renewing an existing certificate for kriebel.mooo.com
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: kriebel.mooo.com
Type: connection
Detail: 2a00:6020:a583:b000:6b4a:4b95:e3fc:5be9: Fetching http://kriebel.mooo.com/.well-known/acme-challenge/xxxx: Error getting validation data
Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.
Failed to renew certificate kriebel.mooo.com with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/kriebel.mooo.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
My web server is:
apache2 -v
Server version: Apache/2.4.59 (Raspbian)
Server built: 2024-04-05T12:08:04
The operating system my web server runs on is (include version):
lsb_release -a
No LSB modules are available.
Distributor ID: Raspbian
Description: Raspbian GNU/Linux 11 (bullseye)
Release: 11
Codename: bullseye
My hosting provider, if applicable, is:
It is my own local server (Raspberry Pi) behind a router
I can login to a root shell on my machine:
yes
I'm using an SSH terminal to connect to the RPi
The version of my client is:
certbot --version
certbot 2.8.0
Additional Info:
I guess this is an IPv6 issue with certbot in standalone mode.
I have had a new provider, which uses CGNAT, for 6 weeks now. Since then I have had this issue. Before, with the old provider and dynamic IPv4, certbot was running fine.
I have a working entry for kriebel.mooo.com at FreeDNS, and my apache2 website running on my RPi can be successfully accessed from outside, i.e. if you open https://kriebel.mooo.com, you'll see "Hello world" from my server. In my view that proves that the RPi can be accessed via IPv6 and that DNS offers the correct IP.
In the letsencrypt.log I found these suspicious lines:
2024-07-24 16:19:38,998:INFO:certbot._internal.auth_handler:Performing the following challenges:
2024-07-24 16:19:38,999:INFO:certbot._internal.auth_handler:http-01 challenge for kriebel.mooo.com
2024-07-24 16:19:39,001:DEBUG:acme.standalone:Successfully bound to :80 using IPv6
2024-07-24 16:19:39,002:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
I don't know how to convince certbot to use IPv6.
My renewal params are
[renewalparams]
account = xxxxxxxxx
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
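An added triage helper, written for this thread and not part of the original post or of certbot itself: it reads the CA's "Detail:" line to see which address family the validation attempt used, reads the acme.standalone bind messages from letsencrypt.log to see which families certbot actually listened on, and reports whether the two agree. The sample detail line and log lines are constructed from the ones quoted above; the function names and the verdict strings are my own, not certbot API.

```python
"""Triage a failed certbot HTTP-01 renewal from the CA error detail and the certbot log.

Message formats below are taken from the post above; everything else is a constructed
example (not certbot's own code).
"""
import ipaddress
import re

# Constructed sample: the CA "Detail:" line as certbot prints it (address copied from the post).
ACME_DETAIL = (
    "2a00:6020:a583:b000:6b4a:4b95:e3fc:5be9: Fetching "
    "http://kriebel.mooo.com/.well-known/acme-challenge/xxxx: Error getting validation data"
)

# Constructed sample: the acme.standalone lines from /var/log/letsencrypt/letsencrypt.log.
LOG_LINES = [
    "2024-07-24 16:19:38,999:INFO:certbot._internal.auth_handler:http-01 challenge for kriebel.mooo.com",
    "2024-07-24 16:19:39,001:DEBUG:acme.standalone:Successfully bound to :80 using IPv6",
    "2024-07-24 16:19:39,002:DEBUG:acme.standalone:Certbot wasn't able to bind to :80 using IPv4, "
    "this is often expected due to the dual stack nature of IPv6 socket implementations.",
]

BIND_OK = re.compile(r"acme\.standalone:Successfully bound to :(\d+) using (IPv4|IPv6)")
BIND_FAIL = re.compile(r"acme\.standalone:Certbot wasn't able to bind to :(\d+) using (IPv4|IPv6)")


def validation_address(detail):
    """Return the address the CA reports in its Detail line, parsed as an IP address.

    The detail has the shape "<address>: Fetching <url>: <error>", so everything before
    ": Fetching" is the address the validator tried.
    """
    head = detail.split(": Fetching", 1)[0].strip()
    return ipaddress.ip_address(head)


def bind_results(lines):
    """Map (port, family) -> True if standalone bound that listener, False if it reported failure."""
    results = {}
    for line in lines:
        m = BIND_OK.search(line)
        if m:
            results[(int(m.group(1)), m.group(2))] = True
            continue
        m = BIND_FAIL.search(line)
        if m:
            results[(int(m.group(1)), m.group(2))] = False
    return results


def triage(detail, lines, port=80):
    """Compare the CA's address family with certbot's listeners and return a structured verdict."""
    addr = validation_address(detail)
    family = "IPv6" if addr.version == 6 else "IPv4"
    binds = bind_results(lines)
    listened = binds.get((port, family))

    if listened is True:
        # certbot was listening for exactly the family the CA used, so the request never
        # reached the host: the path to check is DNS (does the record point here?) and
        # inbound port 80 over that family (router / firewall / ISP).
        verdict = "listener_present_check_inbound_path"
    elif listened is False:
        # certbot could not listen on the family the CA used; usually another service
        # (e.g. the web server) already holds the port.
        verdict = "listener_missing_for_ca_family"
    else:
        verdict = "no_bind_info_in_log"

    # A failed IPv4 bind right after a successful IPv6 bind is normal on dual-stack sockets:
    # the IPv6 socket accepts IPv4 connections too, so this is not itself a fault.
    dual_stack_note = binds.get((port, "IPv6")) is True and binds.get((port, "IPv4")) is False

    return {
        "validation_address": str(addr),
        "family": family,
        "bind_results": binds,
        "verdict": verdict,
        "ipv4_bind_failure_expected": dual_stack_note,
    }


if __name__ == "__main__":
    for key, value in triage(ACME_DETAIL, LOG_LINES).items():
        print(f"{key}: {value}")
```

Run it against a real letsencrypt.log by replacing LOG_LINES with the file's lines and ACME_DETAIL with the Detail text certbot printed; the verdict tells you whether to look at the listener on the host or at the DNS record and the inbound path for the address family the CA actually used.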