Renewing an existing certificate for www.ingber.com and 6 more domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
ingber.com

I ran this command:
/usr/bin/certbot renew

It produced this output:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/www.ingber.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for www.ingber.com and 6 more domains

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: blog.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://blog.ingber.com/.well-known/acme-challenge/r07W_zUeK6qjz7g0e0lr-nWjN8Ukm7mlJBXTWAz6lmI: Timeout during connect (likely firewall problem)

  Domain: default.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://default.ingber.com/.well-known/acme-challenge/vbdlFjN30s4nTlTOheXtGqLWBUo-XBRHmym95woR_Js: Timeout during connect (likely firewall problem)

  Domain: ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://ingber.com/.well-known/acme-challenge/SCCzTv68p2l0GLFmqFyCQzsEvGEIh0mxZ7gKjG9xQB0: Timeout during connect (likely firewall problem)

  Domain: lin.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://lin.ingber.com/.well-known/acme-challenge/AJnNnen348eYRrG7PhLx3At400FNJQG3VaoQ26eY6tM: Timeout during connect (likely firewall problem)

  Domain: www.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://www.ingber.com/.well-known/acme-challenge/U1cHHs4HUnwy60xgMt47KAsIHxaShahf0dEHxZ7eAzw: Timeout during connect (likely firewall problem)

  Domain: lester.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://lester.ingber.com/.well-known/acme-challenge/VtPetkQYmbKgsKfZhYRHwxeJGXJIXj44I2KcCHgK3T8: Timeout during connect (likely firewall problem)

  Domain: lin6.ingber.com
  Type:   connection
  Detail: 173.255.212.226: Fetching https://lin6.ingber.com/.well-known/acme-challenge/6POFwd9NhaB9wSE8xqBBOeZG6viv3vZer0BldiI5JLw: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to renew certificate www.ingber.com with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/www.ingber.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version):
ingber.com

The operating system my web server runs on is (include version):
Linux lin 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is:
Linode.com VPS

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.5.0

Hello @, welcome to the Let's Encrypt community. :slightly_smiling_face:

Using the online tool Let's Debug I see several ERRORs https://letsdebug.net/ingber.com/1439605

All your IP Addresses (both IPv4 and IPv6) need to be able to respond to the HTTP-01 Challenge on Port 80.

3 Likes

Looks like you didn't open port 80. Keep in mind LE doesn't care about HSTS:
From letsdebug:

4 Likes

The failed /var/log/letsencrypt/letsencrypt.log is attached.

letsencrypt.log

That's a link to some random thread, not a file.

4 Likes

Using this online tool https://www.redirect-checker.org/ with http://ingber.com/.well-known/acme-challenge/sometestfile as the input yields these results

HTTP Headers

>>> http://ingber.com/.well-known/acme-challenge/sometestfile

> --------------------------------------------
> 302 Found
> --------------------------------------------
Status:	302 Found
Code:	302
Date:	Sun, 09 Apr 2023 18:21:04 GMT
Server:	Apache
Location:	https://ingber.com/.well-known/acme-challenge/sometestfile
Content-Length:	242
Connection:	close
Content-Type:	text/html; charset=iso-8859-1



>>> https://ingber.com/.well-known/acme-challenge/sometestfile

> --------------------------------------------
> 403 Forbidden
> --------------------------------------------
Status:	403 Forbidden
Code:	403
Date:	Sun, 09 Apr 2023 18:21:05 GMT
Server:	Apache
Content-Length:	318
Connection:	close
Content-Type:	text/html; charset=iso-8859-1

Or, for those who prefer a more visual view:

2 Likes

@lingber Your IPv6 is broken again. Also, have you reviewed your past threads to ensure an old problem has not resurfaced?

nslookup www.ingber.com
Address: 173.255.212.226
Address: 2600:3c01::f03c:91ff:fe93:e6f3

curl -i6 https://www.ingber.com/.well-known/acme-challenge/Test123
curl: (28) Failed to connect to www.ingber.com port 443 after 130349 ms: Connection timed out
6 Likes
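The checks the replies above perform by hand (fetching the HTTP-01 path on port 80 for every A and AAAA address a name resolves to, and following the http-to-https redirect to see what the challenge path finally answers) can be combined into one script. This is an added example, not code posted in the thread. It assumes bash, curl and glibc's getent are available on the server; the challenge token name is made up (the CA's real token is only known during a live renewal), and the domain names in the usage comment are just the ones from this thread.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): probe the path the CA fetches for
# HTTP-01 on every A and AAAA address of each name, so a dead IPv6 address or
# a redirect that lands on a 403 shows up before the next "certbot renew".
# Assumes bash, curl and glibc's getent. The token name below is made up.

CHALLENGE_TOKEN="probe-$$"   # any name: we only test whether the path is reachable

# Extract the "Domain:" lines from certbot's failure report (read from stdin).
failing_domains() {
  sed -n 's/^[[:space:]]*Domain:[[:space:]]*//p' | sort -u
}

# Classify an address as IPv4 or IPv6 (used for the report and for bracketing).
ip_family() {
  case "$1" in
    *:*) echo 6 ;;
    *)   echo 4 ;;
  esac
}

# All A/AAAA addresses of a name, one per line, through the system resolver.
resolve_all() {
  getent ahosts "$1" | awk '{print $1}' | sort -u
}

# Fetch the challenge URL from one specific address. Both port 80 and 443 are
# pinned to that address so an http->https redirect is followed to the same
# host, as the CA does. Prints the final status code and URL, or a connect
# failure (curl -m times out, which is what "Timeout during connect" means).
probe_address() {
  host=$1; ip=$2
  case "$(ip_family "$ip")" in 6) pin="[$ip]" ;; *) pin=$ip ;; esac
  result=$(curl -sS -L -m 15 -o /dev/null \
      --resolve "$host:80:$pin" --resolve "$host:443:$pin" \
      -w '%{http_code} %{url_effective}' \
      "http://$host/.well-known/acme-challenge/$CHALLENGE_TOKEN" 2>/dev/null) \
    || result="CONNECT FAILED / TIMEOUT (firewall, or address not live)"
  printf '  IPv%s %-40s %s\n' "$(ip_family "$ip")" "$ip" "$result"
}

probe_host() {
  host=$1
  echo "$host"
  addrs=$(resolve_all "$host")
  if [ -z "$addrs" ]; then echo "  (no A/AAAA records)"; return; fi
  for ip in $addrs; do probe_address "$host" "$ip"; done
}

# Usage:  certbot renew --dry-run 2>&1 | ./acme-probe.sh -
#    or:  ./acme-probe.sh ingber.com www.ingber.com
if [ "${1:-}" = "-" ]; then
  for h in $(failing_domains); do probe_host "$h"; done
elif [ "$#" -gt 0 ]; then
  for h in "$@"; do probe_host "$h"; done
fi
```

A name passes only if every address line ends in a 2xx or a 404 for the made-up token (404 means the webroot path is served and the real token would be found); a 403 after the redirect points at the https vhost or `.well-known` permissions, and a connect failure on one address family with success on the other is the pattern seen in this thread. Run it on the server itself and, ideally, once more from a host outside the provider's network, since local firewall rules can make a port look open from the inside.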

Here is an online tool to do DNS lookups, https://unboundtest.com/, configured very similarly to Let's Encrypt's production servers; it is started fresh for each query, so there are no caching effects. It offers a choice of query type: CAA, A, AAAA, TXT.

3 Likes

Hi. Yes, I see a ping to that address fails. That IPv6 was valid for a long time, and I suspect Akamai's purchase of Linode may have something to do with this problem?

I have contacted their support re a valid IPv6 address. I assume that is the only problem you see, e.g., my IPv4 address is responding correctly?

Thanks.

Lester

1 Like

Note that I am using Cloudflare's IPv4 and IPv6 for their security.

I believe so; it visually looks right to me on Windows 10 with Chrome and Firefox; plus curl seems fine too.

~$ curl -4 -Ii https://ingber.com/
HTTP/1.1 302 Found
Date: Sun, 09 Apr 2023 20:42:41 GMT
Server: Apache
Location: https://www.ingber.com/
Content-Type: text/html; charset=iso-8859-1
$ curl -4 -Ii https://www.ingber.com/
HTTP/1.1 200 OK
Date: Sun, 09 Apr 2023 20:42:48 GMT
Server: Apache
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 133650
Content-Type: text/html

Can I get by with just an IPv4 address?

I don't see Cloudflare involved at all. At least not with domain www.ingber.com

I see the IPv4 attached to Linode (not Cloudflare)

Yes, IPv6 is not required. In the past your server configs were highly specific to IPv4 and IPv6 so I'm not sure what impact these have since you may have made changes since.

3 Likes

Somewhat a decision for you based on what/who and how they will connect to your web server.
I only have IPv4.

1 Like

I reset my DNS on Linode.com to just use my IPv4 address, but I still get failures?

I don't know if IPv6 is your only problem. But, at least for ingber.com, I still see an AAAA record in your authoritative servers (I didn't check them all):
https://unboundtest.com/m/AAAA/ingber.com/MQRWU2RR

3 Likes

Now, all are failing?

Most likely: Yes.

I still see:

Name:      ingber.com
Addresses: 2600:3c01::f03c:91ff:fe93:e6f3
           173.255.212.226

Name:      www.ingber.com
Addresses: 2600:3c01::f03c:91ff:fe93:e6f3
           173.255.212.226
3 Likes

I believe that now my reset to use IPv4 only is working OK. I just rebooted my Linode after resetting everything (I think?) to IPv4.

Thanks.

Lester

1 Like

The TTL hasn't expired yet; So, some DNS caches will still show the IPv6 address.

3 Likes