Renewal of certs fail

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: burg.tinohendricks.de

I ran this command: certbot renew
I also tried: certbot certonly --webroot -w /var/www/html -d burg.tinohendricks.de

It produced this output: Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
Domain: burg.tinohendricks.de
Type: connection
Detail: During secondary validation: 217.235.241.94: Fetching http://burg.tinohendricks.de/.well-known/acme-challenge/It4R67m8FsnYresA3BqEr7Wx7nz27ZpYqNTl7EmxXR0: Connection refused

My web server is (include version): Apache/2.4.61 (Debian) OpenSSL/3.0.13

The operating system my web server runs on is (include version): Debian bookworm

My hosting provider, if applicable, is: My Home, Deutsche Telekom DSL

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, plain console

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0

First I tried the standalone version, now I tried the apache web root challenge several times.

Certbot:

Create a file containing just this data:

7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874.PI6fNo98OdvGmgT2lsQX54ItpGAfpZ6AE9s63o0M-0M

And make it available on your web server at this URL:

http://burg.tinohendricks.de/.well-known/acme-challenge/7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874

Did as requested, checked from a server sitting in a hosting company:

wget http://burg.tinohendricks.de/.well-known/acme-challenge/7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874
--2024-08-07 14:41:26--  http://burg.tinohendricks.de/.well-known/acme-challenge/7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874
Auflösen des Hostnamens burg.tinohendricks.de (burg.tinohendricks.de)… 217.235.241.94
Verbindungsaufbau zu burg.tinohendricks.de (burg.tinohendricks.de)|217.235.241.94|:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 88
Wird in »7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874« gespeichert.

7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874                                      100%

Certbot:

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:
  Domain: burg.tinohendricks.de
  Type:   connection
  Detail: 217.235.241.94: Fetching http://burg.tinohendricks.de/.well-known/acme-challenge/7ku_mwKFX_be64V87KzzTLasstoBfEramGoJoeBn874: Connection refused

I'm seeing traffic:

15:43:31.841568 IP6 p200300dc6f1cb900d25099fffeac96b6.dip0.t-ipconnect.de.35070 > g2a02-26f0-e600-0000-0000-0000-48f7-9aa9.deploy.static.akamaitechnologies.com.http: Flags [S], seq 2002761696, win 64440, options [mss 1432,sackOK,TS val 2005076391 ecr 0,nop,wscale 7], length 0
15:43:31.851782 IP6 g2a02-26f0-e600-0000-0000-0000-48f7-9aa9.deploy.static.akamaitechnologies.com.http > p200300dc6f1cb900d25099fffeac96b6.dip0.t-ipconnect.de.35070: Flags [S.], seq 3229599432, ack 2002761697, win 64260, options [mss 1432,sackOK,TS val 3656390914 ecr 2005076391,nop,wscale 7], length 0
15:43:31.851927 IP6 p200300dc6f1cb900d25099fffeac96b6.dip0.t-ipconnect.de.35070 > g2a02-26f0-e600-0000-0000-0000-48f7-9aa9.deploy.static.akamaitechnologies.com.http: Flags [.], ack 1, win 504, options [nop,nop,TS val 2005076401 ecr 3656390914], length 0

and so on.
I'm out of ideas. Can I switch to DNS challenge, desperate as I am?

Why is it IPv6 traffic but certbot is complaining about an IPv4 address?

Currently I closed the ports but as you can see they were open when I tried.

Thanks for any ideas!

1 Like

Sure. But the problem is that connections to your domain are failing. It would be best to fix that so people will be able to connect to your site.

Because Let's Encrypt will retry a failed IPv6 connection with IPv4. But, it only retries the first failed request and not if you redirect the HTTP challenge to HTTPS. I agree it is not clear. IPv6 Support - Let's Encrypt

Can you leave them open so we can test connections?

Does your ISP allow inbound connections on port 80? Is there anything blocking requests from other parts of the world (like outside Germany?)

4 Likes

You should be seeing at least 5 connections. The "secondary validation" in the message you're getting indicates that only some of the checks aren't arriving. So there is some kind of firewall or other networking equipment which is blocking connections from some places.

5 Likes

And yet the name resolves to:

Name:      burg.tinohendricks.de
Addresses: 2003:dc:6f1c:b900:d250:99ff:feac:96b6
           217.235.241.94

As such, LE would prefer the IPv6 address.
So, it seems that IPv6 is completely blocked and IPv4 is only partially accessible.

2 Likes

Hi Mike,

thank you so much for taking your time!

The main purpose of the server is local network so the ports are normally closed. I opened them now, please check again. (Looks ok to me).

When I started certbot standalone I watched the output of netstat seeing that there was only one process listening to tcp6 :::80. No one listening on IPv4.
I tried certbot renew --dry-run --http-01-address <LOCAL_IP>.
Then there was a listening socket on the IPv4 address – but none on IPv6.

How do I switch to DNS challenge?

There is no firewall involved on my end. If Deutsche Telekom (the national Telcom in Germany) blocks traffic from Let's Encrypt servers there would be many more people having the same problem.

1 Like

Well, it looks like it's only accessible from some places around the world.

4 Likes

Wow, so I need to yell at the Deutsche Telekom... Unbelievable...

I'm sure they'll come up with "... uuuh, consumer product... not meant for..." :face_with_raised_eyebrow:

1 Like

Interestingly I can connect from an Amazon AWS region on the US East Coast but only using IPv6.

Many of Let's Encrypt's auth servers are also in AWS, but not all, and not all are in the USA.

It is not unusual for a residential ISP to block IPv4 for port 80. Could they be using CGNAT?

curl -i6 -m6 http://burg.tinohendricks.de/.well-known/acme-challenge/TEst404
HTTP/1.1 404 Not Found
Server: Apache/2.4.61 (Debian)
Content-Length: 283
(other data omitted)

curl -i4 -m6 http://burg.tinohendricks.de/.well-known/acme-challenge/TEst404
curl: (7) Failed to connect to burg.tinohendricks.de port 80 after 180 ms: Connection refused

4 Likes
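The curl -4 / curl -6 tests above, turned into a pre-flight check you can run before certbot. This is an added example, not something from the thread or from Let's Encrypt: it probes port 80 over each address family separately and then applies the rule quoted earlier (IPv6 is tried first when an AAAA record exists, a failed IPv6 connection is retried once over IPv4, a redirect target is not retried). The domain is taken from the command line, the probe path is a constructed token (a 404 is fine, only reachability is being tested), and a single vantage point cannot reproduce the multi-location "secondary validation" described in the thread.

```bash
#!/usr/bin/env bash
# Added example: probe an HTTP-01 challenge URL over IPv4 and IPv6 separately
# and interpret the pair of results. Assumes curl and glibc getent are installed.

# probe_family 4|6 DOMAIN -> prints http:<code>, refused, timeout, noaddr or curl:<rc>
probe_family() {
  local fam="$1" domain="$2" url code rc
  url="http://$domain/.well-known/acme-challenge/preflight-probe-$$"   # constructed token
  # skip the family entirely when the name has no A (4) or AAAA (6) record
  getent "ahostsv$fam" "$domain" >/dev/null 2>&1 || { echo noaddr; return 0; }
  code=$(curl "-s$fam" -o /dev/null -m 6 -w '%{http_code}' "$url" 2>/dev/null) && rc=0 || rc=$?
  case $rc in
    0)  echo "http:$code" ;;
    7)  echo refused ;;      # TCP RST: nothing listening, or the ISP/firewall rejecting
    28) echo timeout ;;      # packets silently dropped
    *)  echo "curl:$rc" ;;
  esac
}

# interpret V6_RESULT V4_RESULT -> one-word verdict, following the fallback rule
# from the thread: IPv6 first when an AAAA exists, one IPv4 retry on connection
# failure, no retry after a redirect. Secondary validators must succeed as well.
interpret() {
  local v6="$1" v4="$2"
  case "$v6:$v4" in
    noaddr:noaddr)  echo no-dns ;;        # nothing to validate against
    http:3*:*)      echo v6-redirect ;;   # reachable, but the redirect target must also work over IPv6
    http:*:*)       echo ok-v6 ;;         # LE validates over IPv6; the IPv4 state is irrelevant
    noaddr:http:*)  echo ok-v4 ;;         # IPv4-only name, reachable
    *:http:*)       echo fallback-v4 ;;   # IPv6 broken; only the first request falls back to IPv4
    *)              echo unreachable ;;   # neither family accepts connections on port 80
  esac
}

# Live probes run only when a domain is given on the command line.
if [ $# -ge 1 ]; then
  v6=$(probe_family 6 "$1")
  v4=$(probe_family 4 "$1")
  printf 'IPv6: %s\nIPv4: %s\nverdict: %s\n' "$v6" "$v4" "$(interpret "$v6" "$v4")"
fi
```

A verdict of fallback-v4 or unreachable is the situation in this thread: fix the listener binding (tcp6 only, or IPv4 only with --http-01-address) and the inbound filtering before retrying, or switch to the DNS-01 challenge.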

So assuming that your DNS is publicly available and not similarly limited in global access, you would need a plugin for certbot (or use some other client) for your DNS server that has credentials to automatically update a TXT record for your domain.

4 Likes

I don't see a plugin for afraid DNS with Certbot, lego, or acme.sh, which are all popular ACME clients.

You may have to use the --manual --preferred-challenges dns method in Certbot and be stuck with manual renewals.

You said this was for an internal server, so maybe it is not important that world-wide HTTP(S) traffic won't work.

4 Likes

Yes, I can do it manually every 3 months, no problem. Keeps my fingers fit! :wink:

Thank you all so much for your incredibly fast and competent help!

I'm glad my company donated to LE already. :heart_hands:

3 Likes

Let's Encrypt recommends every 2 months, but 2.5 is probably fine in your case. Waiting until the last day doesn't give any time to deal with problems (LE might even be down).

5 Likes

The afraid dns website links to a plugin for acme.sh for it.

5 Likes

Ah, I was looking for something named afraid, not freedns. Good catch!

3 Likes
