Renewal fails with "urn:ietf:params:acme:error:connection" (Plesk)

The domain is: schattmeier.de

The renewal of the certificate https://acme-v02.api.letsencrypt.org/acme/authz-v3/2791430098 could not be carried out.
The error occurs because a colon ( : ) is appended to the URL during validation, and the call therefore does not work anymore.

Is the error caused by you?

Thanks a lot
Guido

Hmm. Why do you say that?

The error message "Timeout during connect (likely firewall problem)" suggests that there is a network timeout.

If we follow the flow of the validation of your domain:

  1. Let’s Encrypt makes a request to http://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc over IPv6, but it times out.
  2. Let’s Encrypt makes a request to http://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc over IPv4 as a fallback.
  3. Your server responds with a redirect to HTTPS (https://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc).
  4. Let’s Encrypt makes a request to that URL, using your domain’s IPv6 address.
  5. The IPv6 address times out.
  6. The validation fails.

For “reasons”, after an HTTP redirect, Let’s Encrypt’s validation service will not retry connections to different address families (IPv4/IPv6) if it hits a non-functional address. So in step (4), it hit your non-functional IPv6 address, and just gave up.

I can connect to your domain’s IPv6 address from Australia, but I can’t connect from the US - I get the same timeout as Let’s Encrypt does, and the traceroute does not get very far:

root@letsdebug:~# mtr -c10 --report 2001:4178:2:1204:62:116:186:29
Start: 2020-02-13T06:56:26+0000
HOST: letsdebug.net               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2600:3c03::8678:acff:fe0d  0.0%    10    1.0   1.9   0.8  10.9   3.2
  2.|-- 2600:3c03:6666:14::1       0.0%    10    0.6   0.5   0.4   0.7   0.1
  3.|-- 2600:3c03:6666:5::1        0.0%    10    0.4   0.6   0.4   1.0   0.2
  4.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0

If you temporarily remove your domain’s AAAA record, does the process succeed? This could help confirm the cause of your failure.

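To make the six-step flow above concrete, here is a small model of it (added here as an example; it is not Let's Encrypt's or Plesk's code). The `fetch(url, family)` callable is an assumption that stands in for the validator's HTTP client, and the two `fetch_*` functions are constructed to reproduce the behaviour reported in this thread: IPv6 connects time out, IPv4 answers but redirects to HTTPS, and no cross-family retry happens after a redirect.

```python
import socket

CHALLENGE_PATH = "/.well-known/acme-challenge/"
DUAL_STACK = (socket.AF_INET6, socket.AF_INET)   # AAAA and A records present
IPV4_ONLY = (socket.AF_INET,)                    # what removing the AAAA record leaves


def validate(domain, token, fetch, families=DUAL_STACK, max_redirects=10):
    """Walk the HTTP-01 flow as described in the thread and return (ok, trace).

    fetch(url, family) -> ("timeout", None) | ("redirect", location) | ("ok", body).
    On the first request every family in `families` is tried until one connects;
    after a redirect only the first family is tried (no cross-family fallback),
    which is what makes an unreachable IPv6 address fatal in step 4.
    """
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    trace, allow_fallback = [], True
    for _ in range(max_redirects + 1):
        status, payload = "timeout", None
        for fam in families:
            status, payload = fetch(url, fam)
            trace.append(f"{'IPv6' if fam == socket.AF_INET6 else 'IPv4'} {url} -> {status}")
            if status != "timeout" or not allow_fallback:
                break
        if status == "redirect":
            url, allow_fallback = payload, False   # the redirect used up the fallback
            continue
        return status == "ok", trace
    return False, trace                           # too many redirects


def fetch_as_reported(url, family):
    """Constructed stand-in for the network behaviour reported in the thread."""
    if family == socket.AF_INET6:
        return "timeout", None                    # IPv6 path unreachable from the validator
    if url.startswith("http://"):
        return "redirect", "https://" + url[len("http://"):]   # Plesk HTTP->HTTPS redirect
    return "ok", "<token>.<account-thumbprint>"   # placeholder key authorization


def fetch_ipv6_healthy(url, family):
    """Constructed variant in which the IPv6 path works as well."""
    if url.startswith("http://"):
        return "redirect", "https://" + url[len("http://"):]
    return "ok", "<token>.<account-thumbprint>"


if __name__ == "__main__":
    token = "it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc"
    for label, fn, fams in [("AAAA present, IPv6 unreachable", fetch_as_reported, DUAL_STACK),
                            ("AAAA removed, IPv6 unreachable", fetch_as_reported, IPV4_ONLY),
                            ("AAAA present, IPv6 healthy", fetch_ipv6_healthy, DUAL_STACK)]:
        ok, trace = validate("schattmeier.de", token, fn, fams)
        print(f"{label}: {'PASS' if ok else 'FAIL'}", *trace, sep="\n    ")
```

The first scenario reproduces the failure (three requests, the last one a dead IPv6 connect to the HTTPS URL); the second shows why temporarily dropping the AAAA record is a valid test of the diagnosis.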

I thought it had something to do with that, because when you click on the URL in the error block, it ends with a colon and the call throws back an error.

The IPv6 seems to be everywhere so far: https://dnschecker.org/#AAAA/schattmeier.de
Which nameserver do you query?

Yes, the domain’s IPv6 record resolves OK.

I meant to convey that the actual IPv6 TCP connection is failing to open.

As you can see in the traceroute I posted, my server’s network did not even know where to begin routing packets to reach your server.


Hi @degobbis

That's irrelevant. The colon is only added in the output.

Checking your domain, your IPv6 works - https://check-your-website.server-daten.de/?q=schattmeier.de - that looks ok.

Via tracert:

D:\>tracert 2001:4178:2:1204:62:116:186:29

1 <1 ms <1 ms <1 ms fritz.box [2003:e9:ef22:4000:f2b0:14ff:fe0e:fe2c]
2 5 ms 5 ms 5 ms 2003:0:8003:9800::1
3 * 19 ms 18 ms 2003:0:1808:a::1
4 19 ms 19 ms 19 ms 2003:0:1808:a::2
5 47 ms 46 ms 46 ms 2001:4178:1::112
6 20 ms 20 ms 19 ms server5.kunze-marketing.de [2001:4178:2:1204:62:116:186:29]

That works.

Do you have regional blocking or a filter, so that US sources are blocked?

Nope, no regional blocking installed.

The renewal was triggered again, and now it has worked. No idea why.

Thank you for your efforts.
