Renew failure (Failed authorization procedure)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.agileindubai.com (mail.agileindubai.me; mail.runberg.dk)

I ran this command:
certbot renew --post-hook ‘service postfix restart; service nginx restart; service dovecot restart’

It produced this output:
Attempting to renew cert (mail.agileindubai.com) from /etc/letsencrypt/renewal/mail.agileindubai.com.conf produced an unexpected error: Failed authorization procedure. mail.agileindubai.me (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.agileindubai.me/.well-known/acme-challenge/1r807NXWZoBKd6EomWL1d7KgZvy_WDleyuOXcF1ZJ4Y: Error getting validation data, mail.runberg.dk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.runberg.dk/.well-known/acme-challenge/HYo6H5hbeOcJ800667Pz_pYkN_CjDRI8zY_eSEgjv_M: Error getting validation data, mail.agileindubai.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://mail.agileindubai.com/.well-known/acme-challenge/Scr6HkAXSH2DAOhzFWlt3sQWmzJMWYB_3hrt6WNjEhk: Error getting validation data. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mail.agileindubai.com/fullchain.pem (failure)

My web server is (include version): nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.1 LTS

My hosting provider, if applicable, is: Kimsumi

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.26.1

After browsing similar issues I believe this is a Nginx configuration issue, but I can’t figure out how to solve it. I have verified that I can access https://mail.agileindubai.com/.well-know/acme-challenge/test.html and I can see that the folders and files are being created when running the renewal command …

Any help would be much appreciated. Thanks!


#2

Hi @Runberg

your server doesn’t answer ( https://check-your-website.server-daten.de/?q=mail.agileindubai.com ):

Domainname Http-Status redirect Sec. G
http://mail.agileindubai.com/
51.38.124.82 301 https://mail.agileindubai.com/ 0.040 A
http://mail.agileindubai.com/
2001:41d0:701:1100::e21 -14 10.027 T
Timeout - The operation has timed out
https://mail.agileindubai.com/
51.38.124.82 200 0.563 B
https://mail.agileindubai.com/
2001:41d0:701:1100::e21 -14 10.027 T
Timeout - The operation has timed out
http://mail.agileindubai.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
51.38.124.82 301 https://mail.agileindubai.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 0.037 A
Visible Content: 301 Moved Permanently nginx
http://mail.agileindubai.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
2001:41d0:701:1100::e21 -14 10.027 T
Timeout - The operation has timed out
Visible Content:
https://mail.agileindubai.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de -14 10.026 T
Timeout - The operation has timed out
Visible Content:

You have redirects http -> https, that’s ok, Letsencrypt follows these redirects.

But https doesn’t answer.

Perhaps remove the redirects, if https isn’t configured.


#3

Thanks for checking, but that sounds strange to me? - What do you exactly mean by not answering?
If I put https://mail.agileindubai.com/.well-known/acme-challenge/test.html in my browser I get my test site nice an easy? - Can’t you access that page?

It’s a mail server, so https://mail.agileindubai.com/ should redirect you to https://mail.agileindubai.com/SOGo/ (the webmail)


#4

That’s your ipv4 address.

But you have ipv4 and ipv6,

Host T IP-Address is auth. ∑ Queries ∑ Timeout
mail.agileindubai.com A 51.38.124.82 yes 1 0
AAAA 2001:41d0:701:1100::e21 yes
www.mail.agileindubai.com Name Error yes 1 0

ipv6 doesn’t answer:

So configure your ipv6 server, check, if there is something like

Listen [::]:80
Listen [::]:443

or remove your ipv6 AAAA entry, create a certificate, then fix your ipv6.


#5

Okay - So it needs to respons on all IPs - That make sense!

I have tried to update my Nginx confs to the following:

# HTTP
server {
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}

# HTTPS
server {
    listen [::]:443;
    server_name _;

    root /var/www/html;
    index index.php index.html;

    include /etc/nginx/templates/misc.tmpl;
    include /etc/nginx/templates/ssl.tmpl;
    include /etc/nginx/templates/iredadmin.tmpl;
    include /etc/nginx/templates/roundcube.tmpl;
    include /etc/nginx/templates/sogo.tmpl;
    include /etc/nginx/templates/netdata.tmpl;
    include /etc/nginx/templates/php-catchall.tmpl;

}

It seems to be working …

netstat -nlp | grep nginx
tcp6 0 0 :::80 :::* LISTEN 4688/nginx: master
tcp6 0 0 :::443 :::* LISTEN 4688/nginx: master

Hopefully this will help - If not I will simply remove the IPv6 record. Might be simpler :slight_smile:


#6

Ended up removing the IPv6 records from the DNS, and then the update worked.

Once I have more time on my hand I will figure out the right IPv6 configuration!

A thousand thanks for guiding me in the right direction! Much appreciated.