Renewal Problems

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command: auto renew

It produced this output: usual timeout during connect

My web server is (include version): Nginx 1.15.12

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

I previously asked a question about Switching Challenge Methods. In answering that, it was discovered that I didn’t have IPv6 configured properly on my server. I tried to fix it, but finally gave up and removed all the IPv6 DNS entries on my domain. However I still can’t renew my certificate! Now I get a big Python dump. I’ve attached the log to this post since there’s no way to format it nicely.

letsencryptlog.txt (8.4 KB)

Hi @AndalayBay

Checking your domain, all looks good ( ): There is a Grade C (no preferred version www / non-www), but that's not critical.

Port 80 is open, /.well-known/acme-challenge/unknown-file answers with a correct http status 404 - not found.

Your first error:

NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f70f3d2e160>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

Looks like your running Certbot can't connect to Letsencrypt. Your DNS configuration may be wrong.

Perhaps add a static entry in your hosts file:

I’ve been using Let’s Encrypt for quite a while now. What changed that would suddenly make this fail? The only thing I changed in my DNS was to remove the A/AAAA records for the IPv6 IP when it appeared that they were causing the problem. I haven’t touched the IPv4 stuff since I first set up the domain.

It really looks like Certbot or Let’s Encrypt won’t switch to IPv4. Is there any way to force it?

Finally got it fixed! I opened a ticket with Linode and they helped me get IPv6 configured. My situation is a little more complicated because I have two public IPs on my server. It was the second IP that has the SSL certificate that had the renewal problems. For additional IPv6 addresses, Linode provides customers with a pool, not a single address, and you have to pick an IP from the pool and configure it as a static IP. That was my first issue. Not being very familiar with IPv6, I didn’t know how to pick an IP from the pool and Linode explained that to me.

Now the fun starts. I’m running Ubuntu 16.04, so I have to edit the interfaces file, reboot and let Ubuntu create the resolver file with resolvconf. I’m using SSH to access my server, so I couldn’t bring down eth0 and bring it back up again. I could if I used Linode’s LISH console, but it’s clunky. Anyway after rebooting, Ubuntu wasn’t creating the resolver file - it was empty! I tried various things, but it seemed that as soon as I defined the second IPv6 IP in the interfaces file, Ubuntu couldn’t process it. I finally fixed the problem by disabling the resolvconf package. This allowed me to create a resolv.conf file manually. Voila!

When I tried to renew the certificate after setting up the interfaces file and resolv.conf, it still failed, but it was a new error message. I needed to fix one last thing: Nginx. I had to edit my Nginx server files to listen on the IPv6 addresses. As soon as I did that, the certificate renewal worked like a charm.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.
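
The two failures this thread ended on, a resolv.conf with no nameserver and an Nginx that does not listen on an address family the domain publishes, can be checked before a renewal attempt. The sketch below is an added example, not part of the original posts and not Certbot code; the function names, the sample file contents and the documentation-range addresses are all constructed, and it assumes one `listen` directive per line.

```python
import re

LISTEN_RE = re.compile(r"^\s*listen\s+([^;\s]+)[^;]*;", re.M)

def nameservers(resolv_conf):
    """Addresses on 'nameserver' lines; an empty list means lookups will fail."""
    out = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            out.append(fields[1])
    return out

def listen_families(nginx_conf, port=80):
    """Address families nginx accepts on `port`, read from listen directives."""
    families = set()
    for addr in LISTEN_RE.findall(nginx_conf):
        if addr.startswith("unix:"):
            continue
        if addr.startswith("["):          # [::]:80, [2001:db8::10]:80 or [::]
            family, p = "ipv6", addr.rpartition("]")[2].lstrip(":")
        elif addr.isdigit():              # bare port: IPv4 wildcard only
            family, p = "ipv4", addr
        else:                             # 192.0.2.10:80, *:80 or bare address
            family, p = "ipv4", addr.partition(":")[2]
        if int(p or 80) == port:          # nginx defaults to port 80
            families.add(family)
    return families

def preflight(resolv_conf, nginx_conf, published):
    """published: record types the domain serves in DNS, e.g. {"A", "AAAA"}."""
    problems = []
    if not nameservers(resolv_conf):
        problems.append("resolv.conf has no nameserver: client cannot resolve the ACME server")
    have = listen_families(nginx_conf)
    for rtype, family in (("A", "ipv4"), ("AAAA", "ipv6")):
        if rtype in published and family not in have:
            problems.append(f"{rtype} record published but nginx has no {family} listener on port 80")
    return problems

# Constructed sample inputs (not taken from the poster's server).
EMPTY_RESOLV = "# generated by resolvconf(8)\n"
FIXED_RESOLV = "nameserver 192.0.2.53\nnameserver 2001:db8::53\n"
V4_ONLY = "server {\n    listen 192.0.2.10:80;\n    # listen [2001:db8::10]:80;\n}\n"
DUAL = "server {\n    listen 192.0.2.10:80;\n    listen [2001:db8::10]:80;\n}\n"

if __name__ == "__main__":
    print(preflight(EMPTY_RESOLV, V4_ONLY, {"A", "AAAA"}))  # both problems
    print(preflight(FIXED_RESOLV, DUAL, {"A", "AAAA"}))     # no problems
```

On a real host the inputs would be the contents of /etc/resolv.conf, the server's Nginx configuration, and the record types actually published for the domain.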