Renewal (acme-challenge)

My domain is:
cloud.hopf-its.de

I ran this command:
certbot certonly --webroot -w /var/www/vhosts/cloud.hopf-its.de/html/ -d cloud.hopf-its.de --dry-run

It produced this output:

-(/home/daniel:#)-> certbot certonly --webroot -w /var/www/vhosts/cloud.hopf-its.de/html/ -d cloud.hopf-its.de --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Simulating renewal of an existing certificate for cloud.hopf-its.de

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: cloud.hopf-its.de
  Type:   connection
  Detail: 178.18.253.223: Fetching https://cloud.hopf-its.de/.well-known/acme-challenge/cC-QCBi7Bom6ehuRwUmuVK9nGQaoalWkt1CFhPJaAaU: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):

Server version: Apache/2.4.52 (Ubuntu)
Server built:   2022-06-14T12:30:21

The operating system my web server runs on is (include version):
Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-25-generic x86_64)

My hosting provider, if applicable, is:
Contabo (VPS)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.21.0
I ran multiple Let's Encrypt-enabled domains previously on an older VPS (also provided by my hoster Contabo). Certificate generation/renewal always worked (I'm using the webroot / .well-known / acme variant of the challenge for renewal).
I have now moved all of the config (Apache + vhosts + certbot) to a new VPS. Now all attempts to pass the acme-challenge fail (see log above).

I placed a test txt file in the acme-challenge folder and verified that I'm able to access it (so no redirect is happening from my Nextcloud installation etc.):
https://cloud.hopf-its.de/.well-known/acme-challenge/test.txt

When I run the certbot command with the --debug-challenges option, I see that the challenge file is created successfully. I am also able to access it via a web browser.

I don't know what the issue here is.

Permissions:

-(/home/daniel:#)-> ls -la /var/www/vhosts/cloud.hopf-its.de/html/.well-known/acme-challenge/
total 16
drwxr-xr-x 2 www-data www-data 4096 Nov  6 11:32 .
drwxr-xr-x 3 www-data www-data 4096 May 24  2018 ..
-rwxr-xr-x 1 root     root       46 May 28  2018 .htaccess
-rw-r--r-- 1 www-data www-data    9 Nov  5 23:09 test.txt

Content of .htaccess file in acme-challenge:

AuthType None
Require all granted
Satisfy any

The vhost config file for cloud.hopf-its.de:

-(/home/daniel:#)-> cat /etc/apache2/sites-enabled/cloud.hopf-its.de.conf
<VirtualHost *:80>
    DocumentRoot /var/www/vhosts/cloud.hopf-its.de/html
    ServerName cloud.hopf-its.de
    Redirect / https://cloud.hopf-its.de/
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/vhosts/cloud.hopf-its.de/html
    ServerName cloud.hopf-its.de
    Alias /.well-known/acme-challenge/ /var/www/vhosts/cloud.hopf-its.de/html/.well-known/acme-challenge/
    <Directory "/var/www/vhosts/cloud.hopf-its.de/html">
        Options +FollowSymLinks
        AllowOverride All
        <IfModule mod_headers.c>
            Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        </IfModule>
    </Directory>
    <Directory "/var/www/vhosts/cloud.hopf-its.de/html/.well-known/acme-challenge/">
        Options +FollowSymLinks
        AllowOverride All
    </Directory>
    ServerAdmin webmaster@hopf-its.de
    ErrorLog /var/www/vhosts/cloud.hopf-its.de/log/apache2/error.log
    LogLevel emerg
    TransferLog /var/www/vhosts/cloud.hopf-its.de/log/apache2/access.log
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/cloud.hopf-its.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/cloud.hopf-its.de/privkey.pem
</VirtualHost>

Welcome to the community @dhopf

First, your DNS has an AAAA record for IPv6, but it does not work. You should fix your IPv6 config or remove that AAAA record. The Let's Encrypt servers will try IPv6 first, but for certain failures will then try the IPv4 A record. The error message relates to the IPv4 address, but I don't see anything else that would cause the timeout problem. You should address this AAAA record and try again just in case.

My attempts using IPv4 for your test file all succeed, but IPv6 times out.

Let us know if that does not help.

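The check MikeMcQ ran by hand (fetch the test file over IPv4 and over IPv6 separately, and compare with the A/AAAA records that are published) can be scripted so it is run before certbot is retried. The script below is an added example for this page, not code from the thread or from certbot; it assumes curl and dig are installed on the VPS (package bind9-dnsutils on Ubuntu 22.04), takes the domain and the name of a file already placed in the acme-challenge folder as arguments, and starts from http:// with -L so that the port 80 redirect in the vhost is followed the same way the validation server follows it. The result strings ("timeout-likely-firewall", "fix-or-remove-AAAA") are this example's own labels.

```shell
#!/bin/sh
# Added example (not from the original thread): probe the ACME challenge path
# over IPv4 and IPv6 separately and compare with the published A/AAAA records.
# Usage: ./acme-probe.sh cloud.hopf-its.de test.txt

# Map curl's exit status plus the HTTP status it printed to one label.
# curl exit codes used here are documented ones: 6 resolve failure,
# 7 connect failure, 28 timeout. A 0 exit with a non-200 status is a
# webroot/redirect problem rather than a network one.
classify_result() {
    case "$1" in
        0)  case "$2" in 200) echo ok ;; *) echo "http-$2" ;; esac ;;
        6)  echo dns-failure ;;
        7)  echo connection-failed ;;
        28) echo timeout-likely-firewall ;;
        *)  echo "curl-error-$1" ;;
    esac
}

# Fetch the URL restricted to one address family (curl -4 / curl -6),
# following redirects like the CA does, and print the classified result.
probe_family() {
    rc=0
    http=$(curl -"$1" -sL -o /dev/null --max-time 10 -w '%{http_code}' "$2") || rc=$?
    classify_result "$rc" "$http"
}

# Turn the per-family results into the advice from the thread: an AAAA
# record is tried first by the validation servers, so one that does not
# answer has to be fixed or removed even when IPv4 works.
# $1 = AAAA count, $2 = IPv6 result, $3 = A count, $4 = IPv4 result
diagnose() {
    if [ "$1" -gt 0 ] && [ "$2" != ok ]; then
        echo "fix-or-remove-AAAA ($2 over IPv6)"
    elif [ "$3" -gt 0 ] && [ "$4" != ok ]; then
        echo "fix-IPv4 ($4 over IPv4)"
    elif [ "$1" -eq 0 ] && [ "$3" -eq 0 ]; then
        echo "no-address-records"
    else
        echo "reachable-over-all-published-families"
    fi
}

main() {
    domain=$1
    file=${2:-test.txt}
    url="http://$domain/.well-known/acme-challenge/$file"
    # Count only literal addresses so a CNAME line from dig is not counted.
    a_n=$(dig +short A "$domain" | grep -cE '^[0-9.]+$' || true)
    aaaa_n=$(dig +short AAAA "$domain" | grep -cE '^[0-9a-fA-F:]+$' || true)
    echo "A records: $a_n  AAAA records: $aaaa_n"
    v4=skipped
    v6=skipped
    if [ "$a_n" -gt 0 ]; then v4=$(probe_family 4 "$url"); echo "IPv4: $v4"; fi
    if [ "$aaaa_n" -gt 0 ]; then v6=$(probe_family 6 "$url"); echo "IPv6: $v6"; fi
    echo "Diagnosis: $(diagnose "$aaaa_n" "$v6" "$a_n" "$v4")"
}

# Only touch the network when a domain is given on the command line.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

On the setup in the thread (A record answering, AAAA record published but IPv6 not enabled on the VPS) the IPv6 probe ends in "timeout-likely-firewall" and the diagnosis line reads "fix-or-remove-AAAA", which is the same conclusion as the reply above, and a 404 on either family points at the webroot or Alias rather than at connectivity.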

Thanks a lot for checking my setup and hinting at the IPv6 connectivity problem @MikeMcQ. Indeed I had to enable IPv6 explicitly on the server first (which I didn't have to do with the old VPS a couple of years back).

Don't ask me why, but enabling IPv6 solved the issue. Maybe there's a quirk in my IPv4 connectivity, but I'm satisfied with the status now. Thanks!
