Renewal for root domain fails, for subdomain works


My domain is: steinhaisl.eu

I ran this command: /opt/letsencrypt/letsencrypt-auto renew

It produced this output:
Processing /etc/letsencrypt/renewal/steinhaisl.eu.conf

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for steinhaisl.eu
http-01 challenge for www.steinhaisl.eu
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (steinhaisl.eu) from /etc/letsencrypt/renewal/steinhaisl.eu.conf produced an unexpected error: Failed authorization procedure. steinhaisl.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://steinhaisl.eu/.well-known/acme-challenge/INqptB_qGgDfy6FZU6x7zili7-XlFYctkwqikEd1tH8: "404 Not Found Not Found <p". Skipping.

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Debian Stretch - 9.1

My hosting provider, if applicable, is: VPS is in forpsi.com, domain is from wedos.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Is there some change in DNS queries from the Let's Encrypt server side? I have used this command for renewal successfully for a year, but now it doesn't work.
The server setup is correct (I didn't change it), .well-known is accessible, and when I run the renewal I can see that it creates the dir acme-challenge and two files in it (one for the root domain and a second for the alias/subdirectory www; www in DNS is a CNAME of the root domain, and for this the renewal succeeds).
So I think the problem is only in resolving the DNS query, but I don't know what to do. It is the root record, so I don't understand why it works for the subdomain without any problem and the root has trouble.

Does someone have an idea how to solve it?

Hi @JSteinhaisl,

Your main domain steinhaisl.eu and www.steinhaisl.eu have AAAA records (IPv6 addresses), but other subdomains that you use like default, mail and wiki don't have AAAA records, and that is the reason you can't issue the certs.

One server is reachable using the IPv6 address, but it is not configured the same way as what you reach when you access your domain using IPv4.

Using IPv4:

$ curl -IkL4 http://steinhaisl.eu/.well-known/acme-challenge/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Mon, 07 Aug 2017 18:22:48 GMT
Content-Type: text/html
Content-Length: 178
Connection: keep-alive
Location: https://steinhaisl.eu/.well-known/acme-challenge/

HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 07 Aug 2017 18:22:48 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive

Using IPv6:

$ curl -IkL6 http://steinhaisl.eu/.well-known/acme-challenge/
HTTP/1.1 404 Not Found
Date: Mon, 07 Aug 2017 18:23:38 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

So using IPv4 you reach an nginx server, but using IPv6 you reach an Apache server... :wink: Since a couple of months ago, Let's Encrypt prefers IPv6 over IPv4, so you have two options: remove the AAAA records for your domains, or configure your server correctly so it can answer both requests, via IPv4 and via IPv6.

Cheers,
sahsanu
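The IPv4-versus-IPv6 comparison from the reply above, as an added shell script that is not part of the thread or of any Let's Encrypt tooling. It reuses the same curl flags shown in the reply (-I, -k, -L, -4/-6) for a live probe, and ships with sample header dumps constructed from the output captured above so the comparison logic can be run offline. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the IPv4/IPv6 check as
# a script. Let's Encrypt validates http-01 over IPv6 when an AAAA record
# exists, so the same web server must answer on both address families (or
# the AAAA record has to go).

# Last "Server:" header value in a raw HTTP header dump (curl -I output,
# possibly several responses when redirects were followed with -L).
server_header() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F': ' 'tolower($1) == "server" { srv = $2 } END { print srv }'
}

# Status code of the final response in the dump.
final_status() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk '/^HTTP\// { code = $2 } END { print code }'
}

# Compare the IPv4 and IPv6 answers. Returns 0 when the same server
# software answered on both, 1 on a mismatch (nginx vs Apache in the thread).
compare_families() {
    s4=$(server_header "$1"); c4=$(final_status "$1")
    s6=$(server_header "$2"); c6=$(final_status "$2")
    printf 'IPv4: %s (HTTP %s)\nIPv6: %s (HTTP %s)\n' "$s4" "$c4" "$s6" "$c6"
    if [ "$s4" != "$s6" ]; then
        echo 'MISMATCH: the A and AAAA records reach different web servers'
        return 1
    fi
    echo 'OK: same server software on both address families'
    return 0
}

# Live probe of the challenge directory over one family ($1 = 4 or 6).
# Needs network; -s quiet, -I HEAD, -k ignore TLS errors, -L follow redirects.
probe() {
    curl -sIkL"$1" "http://$2/.well-known/acme-challenge/"
}

# Constructed samples, trimmed from the headers captured in the thread.
SAMPLE_V4='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://steinhaisl.eu/.well-known/acme-challenge/

HTTP/1.1 404 Not Found
Server: nginx
Content-Type: text/html'

SAMPLE_V6='HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1'

if [ -n "${1:-}" ]; then
    # Usage: sh check_families.sh example.com
    compare_families "$(probe 4 "$1")" "$(probe 6 "$1")"
    exit $?
fi
compare_families "$SAMPLE_V4" "$SAMPLE_V6" || :
```

Run without arguments it reports the mismatch from the thread's samples; with a hostname it probes the live host over both families. If it reports a mismatch, either the AAAA record must be removed or the nginx vhost that serves /.well-known/acme-challenge/ must also listen on IPv6 (`listen [::]:80;` next to `listen 80;`) on the host the AAAA record points at.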

Hi @sahsanu,
many thanks for your help.

I saw the IPv6 AAAA record in DNS, but the server uses only IPv4 so I never thought about it.
I'm so stupid that I never thought about the IPv6 record.
You have my greatest thanks. :vulcan_salute: :+1:

Best regards
Steinhaisl

