Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output: usual timeout during connect
My web server is (include version): Nginx 1.15.12
The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0
I previously asked a question about Switching Challenge Methods. In answering that, it was discovered that I didn’t have IPv6 configured properly on my server. I tried to fix it, but finally gave up and removed all the IPv6 DNS entries on my domain. However I still can’t renew my certificate! Now I get a big Python dump. I’ve attached the log to this post since there’s no way to format it nicely.
Port 80 is open, /.well-known/acme-challenge/unknown-file answers with a correct http status 404 - not found.
Your first error:
NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f70f3d2e160>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution
Looks like your running Certbot can't connect Letsencrypt. Your dns configuration may be wrong.
I’ve been using Let’s Encrypt for quite a while now. What changed that would suddenly make this fail? The only thing I changed in my DNS was to remove the A/AAAA records for the IPv6 IP when it appeared that they were causing the problem. I haven’t touched the IPv4 stuff since I first set up the domain.
It really looks like Certbot or Let’s Encrypt won’t switch to IPv4. Is there any way to force it?
Finally got it fixed! I opened a ticket with Linode and they helped me get IPv6 configured. My situation is a little more complicated because I have two public IP’s on my server. It was the second IP that has the SSL certificate that had the renewal problems. For additional IPv6 addresses, Linode provides customers with a pool, not a single address and you have to pick an IP from the pool and configure it as a static IP. That was my first issue. Not being very familiar with IPv6, I didn’t know how to pick an IP from the pool and Linode explained that to me.
Now the fun starts. I’m running Ubuntu 16.04, so I have to edit the interfaces file, reboot and let Ubuntu create the resolver file with resolvconf. I’m using SSH to access my server, so I couldn’t bring down eth0 and bring it back up again. I could if I used Linode’s LISH console, but it’s clunky. Anyway after rebooting, Ubuntu wasn’t creating the resolver file - it was empty! I tried various things, but it seemed that as soon as I defined the second IPv6 IP in the interfaces file, Ubuntu couldn’t process it. I finally fixed the problem by disabling the resolvconf package. This allowed me to create a resolv.conf file manually. Voila!
When I tried to renew the certificate after setting up the interfaces file and resolv.conf, it still failed, but it was a new error message. I needed to fix one last thing: Nginx. I had to edit my Nginx server files to listen on the IPv6 addresses. As soon as I did that, the certificate renewal worked like a charm.