Renewal stopped working

Hi, the renewal of one domain has been working for years and suddenly fails.
Current certificate from letsencrypt is still valid until 20th July.

I've tried many times over the last few days.
It says it cannot fetch the file but anyone can: https://stp.li/.well-known/acme-challenge/ctHso_lqoTVxoOYGD5ios3OUd9ayDHcjp827uI_9Zls
(I kept a copy of that file on purpose since certbot deletes it)

Please also note other domains & subdomains are still getting their renewal on this server, using the exact same configuration file (include shared in nginx).
For some reason only this one fails and I have no clue.

Please help.


My domain is:
stp.li

I ran this command:

sudo -u letsencrypt certbot certonly --config-dir /var/www/letsencrypt/ --logs-dir /var/www/letsencrypt --work-dir /var/www/letsencrypt/ --webroot -w /var/www/letsencrypt/ --csr /path/to/certs/stp.li.csr -d stp.li --cert-path /path/to/certs/stp.li.crt --chain-path /path/to/certs/stp.li-chain.crt --fullchain-path /path/to/certs/stp.li-fullchain.crt

It produced this output:

Saving debug log to /var/www/letsencrypt/letsencrypt.log
Requesting a certificate for stp.li

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: stp.li
  Type:   connection
  Detail: 46.105.105.207: Fetching https://stp.li/.well-known/acme-challenge/ctHso_lqoTVxoOYGD5ios3OUd9ayDHcjp827uI_9Zls: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/www/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
nginx version: nginx/1.23.3

The operating system my web server runs on is (include version):
Gentoo Base System release 2.13

My hosting provider, if applicable, is:
myself

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, I use SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.4.0

Your IPv6 seems to be not working, not on port 80 (nor on port 443). I only get timeouts when trying to connect using IPv6. IPv4 works fine, but Let's Encrypt prefers IPv6 and tries that first. I know sometimes the validation server steps down to IPv4, but I don't know which scenarios don't result in an error. Apparently these timeouts do.

4 Likes
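A pre-flight check for exactly the situation described in the reply above: resolve every A and AAAA record the domain publishes, then fetch the challenge path from each address the way the CA does (plain HTTP on port 80, following one redirect to HTTPS on 443 with SNI), so an IPv6-only timeout shows up before Certbot is run. This is an added example for this thread, not Certbot's or Let's Encrypt's code; the hostname `example.test`, the addresses from the documentation ranges and the token in the offline demo are constructed, and the redirect is assumed to keep the same path.

```python
"""Pre-flight check for HTTP-01 validation: does every published address of
the hostname (A and AAAA) serve the challenge file the way the CA fetches it?
Added example for this thread, not Certbot's or Let's Encrypt's code; the
hostname, addresses and token used offline below are constructed."""
import http.client
import socket
import ssl

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
FAMILY_NAMES = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
REDIRECTS = (301, 302, 307, 308)


def published_addresses(hostname, resolver=socket.getaddrinfo):
    """Return [(family, ip)] for every A and AAAA record, in resolver order."""
    found = []
    for fam, _stype, _proto, _canon, sockaddr in resolver(hostname, 80, type=socket.SOCK_STREAM):
        entry = (FAMILY_NAMES.get(fam), sockaddr[0])
        if entry[0] and entry not in found:
            found.append(entry)
    return found


def probe_http(hostname, ip, family, path, port=80, timeout=5.0):
    """GET path from ip:port with Host (and SNI on 443) set to hostname.

    Returns (status, detail); status is None when the connection itself
    failed, e.g. the 'Timeout during connect' the CA reported in the thread.
    """
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
        if port == 443:
            sock = ssl.create_default_context().wrap_socket(sock, server_hostname=hostname)
        conn = http.client.HTTPConnection(ip, port, timeout=timeout)
        conn.sock = sock  # reuse the socket we opened to this specific address
        conn.request("GET", path, headers={"Host": hostname})
        resp = conn.getresponse()
        size = len(resp.read(4096))
        location = resp.getheader("Location", "")
        conn.close()
        return resp.status, f"HTTP {resp.status} ({size} bytes)" + (f" -> {location}" if location else "")
    except OSError as exc:  # covers timeouts, refused connections and TLS errors
        return None, f"{type(exc).__name__}: {exc}"


def check_address(hostname, ip, family, path, prober=probe_http):
    """Mirror the CA's fetch: plain HTTP on 80, then one redirect to 443.

    Assumes the redirect keeps the same path, which is the usual nginx
    'return 301 https://$host$request_uri' setup.
    """
    st80, d80 = prober(hostname, ip, family, path, 80)
    if st80 == 200:
        return True, f"80: {d80}"
    if st80 in REDIRECTS:
        st443, d443 = prober(hostname, ip, family, path, 443)
        return st443 == 200, f"80: {d80}; 443: {d443}"
    return False, f"80: {d80}"


def diagnose(hostname, token, addresses, prober=probe_http):
    """Check every published address and say what the CA is likely to see.

    Let's Encrypt tries an AAAA record first and does not reliably fall back
    to A, so a failing IPv6 address is treated as fatal even if IPv4 works.
    """
    path = CHALLENGE_PREFIX + token
    results = []
    for family, ip in addresses:
        ok, detail = check_address(hostname, ip, family, path, prober)
        results.append({"family": family, "ip": ip, "ok": ok, "detail": detail})
    bad = {fam: [r for r in results if r["family"] == fam and not r["ok"]] for fam in ("A", "AAAA")}
    if not results:
        verdict = "no A or AAAA records: validation cannot succeed"
    elif bad["AAAA"] and not bad["A"]:
        verdict = ("IPv6 unreachable while IPv4 works: enable IPv6 routing and "
                   "firewall rules on the host, or stop publishing the AAAA record")
    elif bad["A"] or bad["AAAA"]:
        verdict = "challenge not served on every published address"
    else:
        verdict = "all published addresses serve the challenge"
    return {"path": path, "results": results, "verdict": verdict}


def offline_demo():
    """Constructed scenario reproducing the thread's symptom without network."""
    def stub(hostname, ip, family, path, port):
        if family == "AAAA":
            return None, "TimeoutError: timed out"
        return (301, "HTTP 301 -> https://...") if port == 80 else (200, "HTTP 200 (43 bytes)")
    addrs = [("A", "192.0.2.10"), ("AAAA", "2001:db8::10")]  # documentation ranges
    return diagnose("example.test", "CONSTRUCTED_TOKEN", addrs, stub)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # python3 acme_preflight.py <hostname> <token>
        report = diagnose(sys.argv[1], sys.argv[2], published_addresses(sys.argv[1]))
    else:
        report = offline_demo()
    for r in report["results"]:
        print(f'{r["family"]:5} {r["ip"]:39} {"ok  " if r["ok"] else "FAIL"} {r["detail"]}')
    print("verdict:", report["verdict"])
```

Run it with no arguments for the constructed offline scenario, or with the domain and the token of a challenge file you have placed in the webroot to probe the live addresses from a host outside your own network. Because each address is connected to directly rather than letting the resolver pick one, an AAAA record that routes nowhere is reported on its own line instead of being masked by a working A record.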

Hi Osiris, many thanks for your quick help.

Indeed IPv6 was never configured on that server.

I'll investigate further and let you know.
So far from what I read on this forum, there's no way to tell certbot to just ignore IPv6.

1 Like

That's because Certbot doesn't do the validating, that's the job of the ACME server, not the ACME client.

And there is no way to tell the ACME server to use IPv4, no.

4 Likes

Unless you count only publishing an A record and no AAAA record. :wink: That is always effective.

4 Likes

True. Not what I meant, but true.

3 Likes

Yeah, thanks I got this part.
I would rather try to configure IPv6 on my server, I'm reading docs about it.

If I don't succeed then I'll remove the dns record.

3 Likes

IPv6 shouldn't be too hard.

It worked, I got the certificate renewed after enabling my routes to IPv6.
Thank you very much for your (very quick) help.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.