Renew: timeout on :443

Both ip(6)tables in both mangle/filter tables have the OUTPUT policy set to ACCEPT

Well, it’s working from here and there’s no known outage reported https://letsencrypt.status.io/ currently. Can you access https://acme-v01.api.letsencrypt.org/directory from your server via curl/wget etc?

Without problem, but you were right with iptables (I have such strict rules…), next error:

Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: Failed authorization procedure. rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://rict.cz/.well-known/acme-challenge/1Kr2fvl5N5YPXtCA7n6LyztA_r1zsY20AnLIYltpG2Y: Timeout, www.rict.cz (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

I dunno why my server replies with forbidden…
Is it ok to have redirect from :80 to :443 ssl?

location ~ /.well-known/ {
    try_files $uri $uri/ =404;
}

Edit: it responds with 404 on /.well-known/acme-challenge/

It’s fine to redirect from 80 to 443. I’m not familiar enough with nginx to know if your configuration is correct. But the error message you got seems to indicate that the validation server didn’t even get as far as the 404… which might possibly indicate a firewall issue again? Possibly specific to ipv6 as that’s what the validation server uses if you have an aaaa record.

The LE error is not 404; it is timeout on port 80.
You can't redirect from 80 to 443 when 80 is blocked.
The server could not connect to the client to verify the domain :: Fetching http://www.rict.cz/.well-known/acme-challenge/PvoBn628AKRZMK8eiwislWbih-XE4yF9dLJLG0zt8aM: Timeout. Skipping.

I do see 404 from my systems...
As the site has multiple redirects (302 and 301 - see below) I would try placing a test.txt (with minimal content) file at:
http://www.rict.cz/.well-known/acme-challenge/test.txt
and if different location also at:
https://www.rict.cz/.well-known/acme-challenge/test.txt
I think the second redirect may be causing a problem.

MULTIPLE REDIRECTS:
wget http://www.rict.cz/
--2017-10-12 22:45:53-- http://www.rict.cz/
Resolving www.rict.cz (www.rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to www.rict.cz (www.rict.cz)|93.153.32.250|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://rict.cz/ [following]
--2017-10-12 22:45:58-- https://rict.cz/
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://rict.cz/index.html [following]
--2017-10-12 22:45:59-- https://rict.cz/index.html
Reusing existing connection to rict.cz:443.
HTTP request sent, awaiting response... 200 OK
Length: 125 [text/html]
Saving to: ‘index.html’

And as the site already has a valid cert (expiring soon), you could probably just use HTTPS auth and avoid (at least one of) the redirections.

These redirects are correct and well tested. So can I redirect http:80 to https:443 except for the /.well-known/acme-challenge/ location? Because on http:80 there is just a location block that tests whether it’s public or home traffic and then redirects to https:443 for public or http:xxx for home traffic.
How can I change to tls-sni-01 challenge if I’m using webroot plugin?

Edit: suggested test with test.txt files works for me perfectly.

To use port 443, you could try:
--preferred-challenges tls-sni

But I'm pretty sure webroot is only http.
That said, there may be another way, try having a look at:
http://letsencrypt.readthedocs.io/en/latest/using.html
or
https://certbot.eff.org/docs/using.html

I get zero bytes:
wget http://rict.cz/.well-known/acme-challenge/test.txt
URL transformed to HTTPS due to an HSTS policy
--2017-10-13 09:17:45-- https://rict.cz/.well-known/acme-challenge/test.txt
Resolving rict.cz (rict.cz)... 93.153.32.250, 2001:1ae9:5a:cd00:8e:4ff:fe03:2f6
Connecting to rict.cz (rict.cz)|93.153.32.250|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 0 [text/plain]

Also, I see now that IPv6 is in use.
Please note that LE will prefer IPv6 over IPv4 and will not fallback to IPv4 should IPv6 fail.

I read this a while ago. I guess I would need to re-certify this, but it would be great not to leave the webroot plugin

YES - that would be preferred.

It was created with touch, but is accessible. IPv6 has been online for one week without problem

Can you add “this works” into the file and access it from the Internet via IPv6?

For the record: Even if it does work via IPv6, I still think that the way you have implemented the multiple redirects is part of the problem.
But maybe you can avoid all that by excluding /.well-known/acme-challenge/ from the redirection.

Done. Just to make it clear: behind http/https and ipv4/ipv6 is still the same server (divided into http:80 and https:443, mentioned above) with the same root folder

I do see “this works” but I’m using only IPv4…

So what is the current status of:
sudo certbot-auto renew
(not sudo certbot renew)

> sudo certbot-auto renew
sudo: certbot-auto: command not found

> sudo certbot -auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/rict.cz.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The requested uto plugin does not appear to be installed
Attempting to renew cert (rict.cz) from /etc/letsencrypt/renewal/rict.cz.conf produced an unexpected error: The requested uto plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)

-------------------------------------------------------------------------------

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/rict.cz/fullchain.pem (failure)
-------------------------------------------------------------------------------
1 renew failure(s), 0 parse failure(s)

please also show this log:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You said ipv6 is working but how did you test it? Because http://ipv6-test.com/validate.php seems to indicate your server is not accessible by its ipv6 address on either port 80 or 443, and that would be consistent with the error message you got earlier.

1 Like
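The reachability question raised above (Let's Encrypt prefers IPv6 when an AAAA record exists and does not fall back to IPv4, and the "Timeout" in the renewal error means the validator never got an HTTP answer at all) is easiest to settle by probing the challenge path over each address family on its own. The script below is an added example written for this thread; it is not certbot's code and not something the posters ran. It assumes curl is installed and that, as suggested earlier, a file test.txt containing the text "this works" has been placed under the webroot at .well-known/acme-challenge/. It goes a little beyond the thread: redirects are not followed, so each hop is judged by itself, and the empty-file case seen above (wget reporting Length: 0 after touch) gets its own verdict instead of looking like success.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot: probe an HTTP-01
# challenge path over IPv4 and IPv6 separately, the way the Let's Encrypt
# validator sees it (IPv6 first if an AAAA record exists, no IPv4 fallback).
# Assumes curl is installed and that a file test.txt containing "this works"
# has been put under <webroot>/.well-known/acme-challenge/.

TOKEN_PATH=".well-known/acme-challenge/test.txt"   # constructed test file, not a real ACME token
EXPECTED_BODY="this works"                          # what the test file is supposed to contain

# judge CODE BODY -> prints a verdict for one probe. Pure function, no network,
# so it can be exercised offline with constructed values.
judge() {
    code=$1
    body=$2
    case "$code" in
        200)
            if [ "$body" = "$EXPECTED_BODY" ]; then echo ok
            elif [ -z "$body" ]; then echo empty-file   # created with touch, never filled
            else echo wrong-body; fi ;;
        301|302|307|308) echo redirect ;;   # validator follows these, but every hop must be reachable too
        404) echo missing ;;                # webroot or location block does not serve the path
        403) echo forbidden ;;
        000) echo unreachable ;;            # no connection or timed out: the "Timeout" LE reports
        *) echo "http-$code" ;;
    esac
}

# probe DOMAIN 4|6 -> prints "CODE BODY" from a single GET. -4/-6 force the
# address family, -L is deliberately absent so redirects show up as such,
# and --max-time turns a silent firewall drop into code 000 instead of a hang.
probe() {
    domain=$1
    ipver=$2
    out=$(curl -s "-$ipver" --max-time 10 -w '\n%{http_code}' \
              "http://$domain/$TOKEN_PATH" 2>/dev/null || true)
    code=$(printf '%s\n' "$out" | tail -n 1)
    body=$(printf '%s\n' "$out" | sed '$d')
    printf '%s %s\n' "$code" "$body"
}

# check DOMAIN -> one line per address family; returns 0 only if both are ok.
# For Let's Encrypt the IPv6 line is the decisive one when an AAAA record exists.
check() {
    domain=$1
    status=0
    for v in 4 6; do
        result=$(probe "$domain" "$v")
        code=${result%% *}
        body=${result#* }
        verdict=$(judge "$code" "$body")
        printf 'IPv%s http://%s/%s -> %s (HTTP %s)\n' "$v" "$domain" "$TOKEN_PATH" "$verdict" "$code"
        [ "$verdict" = ok ] || status=1
    done
    return $status
}

# Usage: sh acme_probe.sh example.com   (with no argument only the functions are defined)
if [ "$#" -gt 0 ]; then
    check "$1"
fi
```

Run it from a machine outside the server's own network, since the thread shows the file being reachable locally while an external IPv6 probe fails; "unreachable" on the IPv6 line with "ok" on the IPv4 line is exactly the combination that produces the validator's timeout. Unlike wget, curl does not apply a remembered HSTS policy, so the probe really goes to port 80 as the validator's first request does.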

After fixing the IPv6 issue, you should be using certbot-auto

find / -name certbot-auto

Also which version of certbot are you running?
sudo certbot --version