Renewal fails on Nextcloudpi

I can't renew my certificate for my nextcloud server. It is reachable from the internet, only certbot complains. I don't know where to start.

My domain is:

I ran this command:
Internal Nextcloudpi script to renew letsencrypt
It produced this output:
(Excerpt from letsencrypt.log)

2020-11-28 06:21:30,892:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/8919947537 HTTP/1.1" 200 1885
2020-11-28 06:21:30,896:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Sat, 28 Nov 2020 06:21:30 GMT
Content-Type: application/json
Content-Length: 1885
Connection: keep-alive
Boulder-Requester: 96457715
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0103iCddPfzeiIKn18q6At8TIX67T_mDEh9STrCFCey75q0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "ericsowncloud.ddns.net"
  },
  "status": "invalid",
  "expires": "2020-12-05T06:21:07Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8919947537/BfSusA",
      "token": "266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI",
      "validationRecord": [
        {
          "url": "http://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI",
          "hostname": "ericsowncloud.ddns.net",
          "port": "80",
          "addressesResolved": [
            "78.35.84.165",
            "2001:4dd1:c811:0:c128:5fa7:7acd:9579"
          ],
          "addressUsed": "2001:4dd1:c811:0:c128:5fa7:7acd:9579"
        },
        {
          "url": "http://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI",
          "hostname": "ericsowncloud.ddns.net",
          "port": "80",
          "addressesResolved": [
            "78.35.84.165",
            "2001:4dd1:c811:0:c128:5fa7:7acd:9579"
          ],
          "addressUsed": "78.35.84.165"
        },
        {
          "url": "https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI",
          "hostname": "ericsowncloud.ddns.net",
          "port": "443",
          "addressesResolved": [
            "78.35.84.165",
            "2001:4dd1:c811:0:c128:5fa7:7acd:9579"
          ],
          "addressUsed": "2001:4dd1:c811:0:c128:5fa7:7acd:9579"
        }
      ]
    }
  ]
}
2020-11-28 06:21:30,898:DEBUG:acme.client:Storing nonce: 0103iCddPfzeiIKn18q6At8TIX67T_mDEh9STrCFCey75q0
2020-11-28 06:21:30,902:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: ericsowncloud.ddns.net
Type:   connection
Detail: Fetching https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2020-11-28 06:21:30,906:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. ericsowncloud.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI: Timeout during connect (likely firewall problem)

2020-11-28 06:21:30,907:DEBUG:certbot.error_handler:Calling registered functions
2020-11-28 06:21:30,907:INFO:certbot.auth_handler:Cleaning up challenges
2020-11-28 06:21:30,908:DEBUG:certbot.plugins.webroot:Removing /var/www/nextcloud/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI
2020-11-28 06:21:30,911:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2020-11-28 06:21:30,913:WARNING:certbot.renewal:Attempting to renew cert (ericsowncloud.ddns.net) from /etc/letsencrypt/renewal/ericsowncloud.ddns.net.conf produced an unexpected error: Failed authorization procedure. ericsowncloud.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI: Timeout during connect (likely firewall problem). Skipping.
2020-11-28 06:21:30,922:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 452, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1193, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 310, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. ericsowncloud.ddns.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI: Timeout during connect (likely firewall problem)

2020-11-28 06:21:30,923:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2020-11-28 06:21:30,924:ERROR:certbot.renewal:  /etc/letsencrypt/live/ericsowncloud.ddns.net/fullchain.pem (failure)
2020-11-28 06:21:30,926:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1272, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 477, in handle_renewal_request
    len(renew_failures), len(parse_failures)))
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

My web server is (include version): nginx (?)

The operating system my web server runs on is (include version): Nextcloudpi v.1.31.0

My hosting provider, if applicable, is: noip.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hi @Eric-Sommer

I can open your URL. If Letsencrypt can't, you have a blocking firewall, maybe a regional setting.

Or a .htaccess, fail2ban, etc. Find and remove that.

Thanks.
I checked ufw, it is disabled. I frankly don't know what to do with your other hints.

Your IPv4 works fine indeed, but your IPv6 address isn't reachable:

osiris@server ~ $ curl -LIv6 http://ericsowncloud.ddns.net/.well-known/acme-challenge/266EsTmDJSevVvhAH3Asow6lwyL986BFzoDmpFUyguI    
*   Trying 2001:4dd6:8743:0:df7b:5509:25b6:da74:80...
* connect to 2001:4dd6:8743:0:df7b:5509:25b6:da74 port 80 failed: Permission denied
* Failed to connect to ericsowncloud.ddns.net port 80: Permission denied
* Closing connection 0
curl: (7) Failed to connect to ericsowncloud.ddns.net port 80: Permission denied
osiris@server ~ $
1 Like

I inserted the IPv6 address by hand for the DNS server. It's what ifconfig returns.

Well, it's not working, a host is blocking access to your IPv6 address:

server ~ # ping6 ericsowncloud.ddns.net
PING ericsowncloud.ddns.net(2001-4dd6-8743-0-df7b-5509-25b6-da74.ipv6dyn.netcologne.de (2001:4dd6:8743:0:df7b:5509:25b6:da74)) 56 data bytes
From 2001-4dd0-af1b-822-cece-1eff-fef6-ffe3.ipv6dyn.netcologne.de (2001:4dd0:af1b:822:cece:1eff:fef6:ffe3) icmp_seq=1 Destination unreachable: Administratively prohibited
From 2001-4dd0-af1b-822-cece-1eff-fef6-ffe3.ipv6dyn.netcologne.de (2001:4dd0:af1b:822:cece:1eff:fef6:ffe3) icmp_seq=2 Destination unreachable: Administratively prohibited
From 2001-4dd0-af1b-822-cece-1eff-fef6-ffe3.ipv6dyn.netcologne.de (2001:4dd0:af1b:822:cece:1eff:fef6:ffe3) icmp_seq=3 Destination unreachable: Administratively prohibited
From 2001-4dd0-af1b-822-cece-1eff-fef6-ffe3.ipv6dyn.netcologne.de (2001:4dd0:af1b:822:cece:1eff:fef6:ffe3) icmp_seq=4 Destination unreachable: Administratively prohibited
^C
--- ericsowncloud.ddns.net ping statistics ---
4 packets transmitted, 0 received, +4 errors, 100% packet loss, time 3002ms

server ~ # 

This is not a Let's Encrypt issue. Please fix your IPv6 first or disable it altogether and try again.

1 Like

There is a check of your domain, ~~30 minutes old - https://check-your-website.server-daten.de/?q=ericsowncloud.ddns.net#url-checks

IPv4 works, IPv6 doesn't. So remove your IPv6 AAAA entry if it isn't possible to fix that.

1 Like
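What the replies above did by hand (the `curl -6` fetch, `ping6`, the external site check) can be scripted as a renewal pre-flight: resolve every A and AAAA record of the hostname, try each address on the ports the validation record shows the CA using (80, and 443 after the redirect), and flag an address family that fails. The same script also flattens a certbot `validationRecord` so you can see at a glance which address the last, failing attempt used. This is an added example, not certbot's or NextcloudPi's code; the function names, the `SAMPLE_AUTHZ` data and the probe token are my own assumptions, and the sample uses documentation-range addresses rather than the domain in this thread.

```python
"""Pre-flight for an ACME http-01 renewal: is every address the hostname
resolves to reachable on the ports the CA will use?  Hypothetical helper,
not part of certbot or NextcloudPi."""
import socket
import ssl
import http.client
from typing import Callable, Dict, List, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample in the shape of the authorization object the CA returns
# (same structure as the certbot log excerpt above, documentation addresses).
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.invalid"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01",
        "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:connection",
                  "detail": "Timeout during connect (likely firewall problem)"},
        "validationRecord": [
            {"port": "80",  "addressesResolved": ["192.0.2.10", "2001:db8::10"],
             "addressUsed": "2001:db8::10"},
            {"port": "80",  "addressesResolved": ["192.0.2.10", "2001:db8::10"],
             "addressUsed": "192.0.2.10"},
            {"port": "443", "addressesResolved": ["192.0.2.10", "2001:db8::10"],
             "addressUsed": "2001:db8::10"},
        ],
    }],
}


def family_of(ip: str) -> str:
    """Crude but sufficient here: only IPv6 literals contain a colon."""
    return "IPv6" if ":" in ip else "IPv4"


def validation_attempts(authz: dict) -> List[Tuple[str, str, str]]:
    """Flatten the http-01 validationRecord into (family, address, port) in
    the order the CA tried them; the last entry is the connection that
    produced the reported error."""
    out = []
    for chall in authz.get("challenges", []):
        if chall.get("type") != "http-01":
            continue
        for rec in chall.get("validationRecord", []):
            ip = rec["addressUsed"]
            out.append((family_of(ip), ip, rec["port"]))
    return out


def resolve(hostname: str) -> List[str]:
    """All A and AAAA addresses, deduplicated, order preserved."""
    seen: List[str] = []
    for _, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


def probe(hostname: str, ip: str, port: int, token: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Connect to one concrete address with the real Host header and report
    whether the challenge path is reachable at all (any HTTP status counts;
    a connect failure does not)."""
    if port == 443:
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # reachability only: the old cert may already be expired
        conn = http.client.HTTPSConnection(ip, port, timeout=timeout, context=ctx)
    else:
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PREFIX + token, headers={"Host": hostname})
        resp = conn.getresponse()
        resp.read()
        return True, f"HTTP {resp.status}"
    except (OSError, http.client.HTTPException) as exc:  # timeout, refused, EACCES, ...
        return False, f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()


Prober = Callable[[str, str, int, str], Tuple[bool, str]]


def preflight(hostname: str, token: str, resolver=resolve, prober: Prober = probe,
              ports=(80, 443)) -> Dict[Tuple[str, int], Tuple[bool, str]]:
    """Probe every resolved address on every port; any False means the CA,
    which may pick that address first, can fail even though another works."""
    return {(ip, port): prober(hostname, ip, port, token)
            for ip in resolver(hostname) for port in ports}


def unreachable_families(results: Dict[Tuple[str, int], Tuple[bool, str]]) -> List[str]:
    """Address families with at least one failed probe, e.g. ['IPv6']."""
    return sorted({family_of(ip) for (ip, _), (ok, _) in results.items() if not ok})


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"
    results = preflight(host, "preflight-probe")  # token is a made-up path; a 404 is still "reachable"
    for (ip, port), (ok, detail) in results.items():
        print(f"{family_of(ip):4} {ip:>40} :{port}  {'ok' if ok else 'FAIL'}  {detail}")
    bad = unreachable_families(results)
    if bad:
        print("unreachable:", ", ".join(bad), "- fix that record or remove it before renewing")
```

Run it as `python3 <script> your.hostname` on any machine outside your own network (on the host itself, IPv6 may work locally and still be blocked upstream, which is exactly the case in this thread). A `FAIL` on every IPv6 row with IPv4 rows `ok` is the pattern seen above: the AAAA record advertises an address the CA cannot reach, so either open the path or drop the AAAA record until it works.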

Did you test IPv6 access after that?
Has IPv6 access ever worked?

Yep, that was me 🙂

I can't say for sure whether IPv6 access ever worked. But at least I managed to create the certificate in the first place.

Removing the AAAA entry indeed worked! Thanks a lot!

2 Likes
