I get this error when I try to update my certificate:
Cleaning up challenges
Unable to clean up challenge directory /var/www/html/public/lostingames/.well-known/acme-challenge
Failed authorization procedure. finalfantasydojo.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://finalfantasydojo.de/.well-known/acme-challenge/NEtL2vaT3AZcu9xqTaROuoLwH-fPRfTUvTCk773ifXQ: Timeout, www.finalfantasydojo.de (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.finalfantasydojo.de/.well-known/acme-challenge/Qg72h2yrrpw_fnW3MpdUJzcBe5DLfsuCQz-uf4QbgzU: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: finalfantasydojo.de
Type: connection
Detail: Fetching
http://finalfantasydojo.de/.well-known/acme-challenge/NEtL2vaT3AZcu9xqTaROuoLwH-fPRfTUvTCk773ifXQ:
Timeout
Domain: www.finalfantasydojo.de
Type: connection
Detail: Fetching
http://www.finalfantasydojo.de/.well-known/acme-challenge/Qg72h2yrrpw_fnW3MpdUJzcBe5DLfsuCQz-uf4QbgzU:
Timeout
This is my conf:
    server {
        listen 80;
        listen [::]:80;
        server_name www.finalfantasydojo.de finalfantasydojo.de;

        # Serve the ACME challenge files as plain HTTP; everything else goes to HTTPS.
        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /var/www/html/public/lostingames;
            # $1 is undefined in a prefix location (no regex capture), so the original
            # "try_files $uri /$1;" fell back to "/" and hit the redirect below.
            try_files $uri =404;
        }

        location / {
            return 301 https://finalfantasydojo.de$request_uri;
        }
    }

    # www. over HTTPS only redirects to the bare domain.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name www.finalfantasydojo.de;

        ssl_certificate /etc/letsencrypt/live/finalfantasydojo.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/finalfantasydojo.de/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/finalfantasydojo.de/fullchain.pem;

        location / {
            return 301 https://finalfantasydojo.de$request_uri;
        }
    }

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name finalfantasydojo.de;

        ssl_certificate /etc/letsencrypt/live/finalfantasydojo.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/finalfantasydojo.de/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/finalfantasydojo.de/fullchain.pem;

        # OCSP stapling needs a resolver to reach the OCSP responder.
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;

        root /var/www/html/public/lostingames;
        # Add index.php to the list if you are using PHP
        index index.php index.html index.htm;

        include php.conf;
        include wordpress.conf;
        include yoast.conf;
        include forum.conf;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location = /nginx.conf { deny all; }
    }
This failure is due to IPv6. Even though you do have the listen [::]:80; directive, for some reason your web server is answering requests only via IPv4, not IPv6. Perhaps your IPv6 routing is messed up or there’s a firewall rule that applies to IPv6 and not IPv4.
Well, it looks like you last renewed that certificate on May 29 (almost a month ago); are you sure that you already had an IPv6 record for it then? IPv6 connections to validate the other domain name would also fail today.
(Edit: that is, what makes you say today that you can renew the certificate for the other name, if you haven’t done so for about a month?)
I tried to renew about 5 minutes ago. I used the command to get a new certificate. Certbot asked me to keep the old cert or load a new one; I chose to keep the cert. That is why I wrote that it worked for the other domain. For the first domain, I get the error before I can choose anything.
I have 11 domains, and indiedojo is the only one where I can renew the cert. And I did not change anything on the IP configs or anything else for a while. That is why I am so confused about it.
(Edit: is there a way to get the cert manually? I am going to transfer to a new server in a week, but I need a cert for the domain until 9 PM (German time).)
The difference in behavior that you're seeing is not about your ability to renew successfully. I believe all of your certificates will fail to renew due to the IPv6 problem. The difference in behavior is because of when each certificate expires. If you ask for a new certificate less than 30 days before the expiry of the current certificate, Certbot proceeds to try to renew without asking you. If you ask for a new certificate more than 30 days before, Certbot will ask. However, that does not mean that it necessarily succeeds if you say yes!
You need to be able to prove that you control the domain name, which either involves receiving an inbound connection (which won't work if your site advertises an IPv6 address but doesn't answer at that address) or updating a DNS record. You could certainly do the latter, but if you can update the DNS, perhaps you should simply remove your AAAA record from your DNS zone temporarily for a moment while completing the renewal. It should work fine as soon as the AAAA record is removed. Once the renewal is complete, you can restore the AAAA record and look into why you're having connectivity problems in IPv6.
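The answer above says the validation server is reaching an advertised IPv6 address that never answers, and that either IPv6 has to be fixed or the AAAA record dropped until the renewal is done. As an added example (not code from the thread or from Certbot), the script below reproduces the validator's view of a host: it looks up the A and AAAA records, fetches a bogus token under /.well-known/acme-challenge/ over every published address with the right Host header, and then says which address family is at fault. A correctly served challenge location answers 404 for an unknown token; a 301 means the challenge path is being caught by a redirect rule (as the original "try_files $uri /$1;" would do), and a connection failure is what the CA reports as "Timeout". The hostnames and addresses used for illustration are constructed; the validator-side fallback behaviour is not modelled, only whether each family answers.

```python
#!/usr/bin/env python3
"""Dual-stack reachability check for an ACME http-01 challenge path.

Added example for the thread above, not part of any project. It resolves the
A and AAAA records for a host, fetches a deliberately bogus challenge URL over
each address (Host header set to the domain), and reports whether the IPv6
address that DNS advertises answers the way the IPv4 one does.
"""
import http.client
import secrets
import socket
import sys

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
REDIRECTS = {301, 302, 307, 308}


def resolve(host):
    """Return (ipv4_addrs, ipv6_addrs) published for host, as sorted lists."""
    v4, v6 = set(), set()
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return [], []
    for family, _, _, _, sockaddr in infos:
        if family == socket.AF_INET:
            v4.add(sockaddr[0])
        elif family == socket.AF_INET6:
            v6.add(sockaddr[0])
    return sorted(v4), sorted(v6)


def fetch_challenge(host, addr, token, timeout=10.0):
    """GET the challenge URL by connecting to addr directly, Host header = host.

    Returns the HTTP status, or None when the TCP connection fails or times
    out, which is what the validation server reported as "Timeout".
    """
    literal = f"[{addr}]" if ":" in addr else addr   # bracket IPv6 literals
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PREFIX + token, headers={"Host": host})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()


def classify(status):
    """Map a status to what it means for http-01; a bogus token should give 404."""
    if status is None:
        return "unreachable"
    if status in (200, 404):
        return "serving"        # nginx answered from the challenge location
    if status in REDIRECTS:
        return "redirecting"    # challenge path is swallowed by a redirect rule
    return f"http-{status}"


def diagnose(v4_results, v6_results):
    """Combine per-address (addr, status) results into (verdict, advice)."""
    results = v4_results + v6_results
    if not results:
        return "no-records", "host has no A or AAAA record; nothing to validate against"

    def states(rs):
        return {classify(s) for _, s in rs}

    v4_serving = "serving" in states(v4_results)
    v6_serving = "serving" in states(v6_results)
    v4_down = bool(v4_results) and states(v4_results) == {"unreachable"}
    v6_down = bool(v6_results) and states(v6_results) == {"unreachable"}
    if v6_down and v4_serving:
        return ("ipv6-broken", "AAAA is published but nothing answers on it over IPv6; "
                "fix IPv6 routing/firewall or drop the AAAA record until renewal completes")
    if v4_down and v6_serving:
        return ("ipv4-broken", "A is published but nothing answers on it over IPv4")
    if "redirecting" in states(results):
        return ("redirecting", "the acme-challenge location is being redirected; "
                "serve it as plain HTTP before any HTTPS redirect")
    if states(results) == {"serving"}:
        return "ok", "challenge path answers on every published address"
    if states(results) == {"unreachable"}:
        return "unreachable", "no published address answers on port 80"
    return "mixed", "inspect the per-address statuses above"


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} HOSTNAME", file=sys.stderr)
        return 2
    host = argv[1]
    token = secrets.token_urlsafe(32)   # bogus token: a correct setup returns 404
    v4, v6 = resolve(host)
    v4_results = [(a, fetch_challenge(host, a, token)) for a in v4]
    v6_results = [(a, fetch_challenge(host, a, token)) for a in v6]
    for addr, status in v4_results + v6_results:
        print(f"{addr:40} {classify(status)} ({status})")
    verdict, advice = diagnose(v4_results, v6_results)
    print(f"verdict: {verdict}: {advice}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_http01.py finalfantasydojo.de` from a machine with working IPv4 and IPv6 (the CA's validators have both); a run from the web server itself will happily reach its own IPv6 address over loopback and prove nothing. Because the fetch goes to each address explicitly rather than through the resolver, you see both families even on a client that would otherwise prefer one.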