Renewal fails with "urn:ietf:params:acme:error:connection" (Plesk)

degobbis · February 13, 2020, 6:45am

The renewal of the certificate https://acme-v02.api.letsencrypt.org/acme/authz-v3/2791430098 could not be carried out
The error occurs because a colon ( : ) is appended to the URL during validation and the call therefore does not work anymore.

Is the error caused by you?

Thanks a lot
Guido

_az · February 13, 2020, 6:57am

Hmm. Why do you say that?

The error message "Timeout during connect (likely firewall problem)" suggests that there is a network timeout.

If we follow the flow of the validation of your domain:

Let's Encrypt makes a request to http://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc over IPv6, but it times out.
Let's Encrypt makes a request to http://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc over IPv4 as a fallback.
Your server responds with a redirect to HTTPS (https://schattmeier.de/.well-known/acme-challenge/it0qfKZbTgt5K0wNo2188TEac7_B26_KlueB6-puuwc)
Let's Encrypt makes a request to that URL, using your domain's IPv6 address.
The IPv6 address times out.
The validation fails.

For "reasons", after an HTTP redirect, Let's Encrypt's validation service will not retry connections to different address families (IPv4/IPv6) if it hits a non-functional address. So in step (4), it hit your non-functional IPv6 address, and just gave up.

I can connect to your domain's IPv6 address from Australia, but I can't connect from the US - I get the same timeout as Let's Encrypt does, and the traceroute does not get very far:

root@letsdebug:~# mtr -c10 --report 2001:4178:2:1204:62:116:186:29
Start: 2020-02-13T06:56:26+0000
HOST: letsdebug.net               Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 2600:3c03::8678:acff:fe0d  0.0%    10    1.0   1.9   0.8  10.9   3.2
  2.|-- 2600:3c03:6666:14::1       0.0%    10    0.6   0.5   0.4   0.7   0.1
  3.|-- 2600:3c03:6666:5::1        0.0%    10    0.4   0.6   0.4   1.0   0.2
  4.|-- ???                       100.0    10    0.0   0.0   0.0   0.0   0.0

If you temporarily remove your domain's AAAA record, does the process succeed? This could help confirm the cause of your failure.

degobbis · February 13, 2020, 7:05am

I thought it had something to do with that, because when you click on the URL in the error block, it ends with a colon and the call throws back an error.

The IPv6 seems to be everywhere so far: DNS Checker - DNS Check Propagation Tool
Which nameserver do you query?

_az · February 13, 2020, 7:19am

Yes, the domain's IPv6 record resolves OK.

I meant to convey that the actual IPv6 TCP connection is failing to open.

As you can see in the traceroute I posted, my server's network did not even know where to begin routing packets to reach your server.

JuergenAuer · February 13, 2020, 7:55am

Hi @degobbis

that's irrelevant. The colon is only added in the output.

Checking your domain your ipv6 works - https://check-your-website.server-daten.de/?q=schattmeier.de - that looks ok.

Via tracert:

D:>tracert 2001:4178:2:1204:62:116:186:29

1 <1 ms <1 ms <1 ms fritz.box [2003:e9:ef22:4000:f2b0:14ff:fe0e:fe2c]
2 5 ms 5 ms 5 ms 2003:0:8003:9800::1
3 * 19 ms 18 ms 2003:0:1808:a::1
4 19 ms 19 ms 19 ms 2003:0:1808:a::2
5 47 ms 46 ms 46 ms 2001:4178:1::112
6 20 ms 20 ms 19 ms server5.kunze-marketing.de [2001:4178:2:1204:62:116:186:29]

That works.

Do you have a regional blocking or filter? So US-sources are blocked?

degobbis · February 13, 2020, 8:21am

Nope, no regional blocking installed.

degobbis · February 13, 2020, 8:51am

The renewal was triggered again, now it has worked. No idea why

Thank you for your efforts.

system · March 14, 2020, 8:51am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.