Renewing existing certificates goes timeout


#1

Hello
I’ve got several domains running on the same server, hence the same IPs
Three months ago, the renewal worked fine. But since about two weeks or so, any attempt to renew existing certificates produces connection timetout errors.

Cert is due for renewal, auto-renewing…
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for drumee.net
Using the webroot path /xxx/yyy for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. drumee.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://drumee.net/.well-known/acme-challenge/xx3BWabvNASGUahi6Cl1ejQShceLdcG2iGXqZxnpbK4: Timeout

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: drumee.net
    Type: connection
    Detail: Fetching
    http://drumee.net/.well-known/acme-challenge/xx3BWabvNASGUahi6Cl1ejQShceLdcG2iGXqZxnpbK4:
    Timeout

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

By looking at the server log (nginx 1.6.2) there are no http request reaching the server

Trying a test file on the target link is OK with wget -S http://drumee.net/.well-known/test.txt

wget -S http://drumee.net/.well-known/test.txt
–2017-12-29 00:01:45-- http://drumee.net/.well-known/test.txt
Résolution de drumee.net (drumee.net)… 149.202.217.145, 2001:41d0:1000:1c91::2
Connexion vers drumee.net (drumee.net)|149.202.217.145|:80…connecté.
requête HTTP transmise, en attente de la réponse…
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Thu, 28 Dec 2017 23:05:06 GMT
Content-Type: text/plain
Content-Length: 13
Last-Modified: Thu, 28 Dec 2017 22:03:33 GMT
Connection: keep-alive
ETag: "5a456a35-d"
Accept-Ranges: bytes
Longueur: 13 [text/plain]
Sauvegarde en : «test.txt.12»

Extract from log :

{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:acme:error:connection”,
“detail”: “Fetching http://drumee.net/.well-known/acme-challenge/xx3BWabvNASGUahi6Cl1ejQShceLdcG2iGXqZxnpbK4: Timeout”,
“status”: 400**
},
“uri”: “https://acme-v01.api.letsencrypt.org/acme/challenge/8f-O5JwkTqfMi9B1bfwa7PusFrIsxSZH66SJy5ITIX4/2904510851”,
“token”: “xxxxxxxxxxxxxxxxxxxxxxxxxx”,**
“keyAuthorization”: “xxxxxxxxxxxxxxxxxxxx”,
“validationRecord”: [
{
“url”: “http://drumee.net/.well-known/acme-challenge/xx3BWabvNASGUahi6Cl1ejQShceLdcG2iGXqZxnpbK4”,
“hostname”: “drumee.net”,
“port”: “80”,
“addressesResolved”: [
“149.202.217.145”,
“2001:41d0:1000:1c91::2”
],
“addressUsed”: “2001:41d0:1000:1c91::2”,
“addressesTried”: []
}
]
},


#2

Not from a host with IPv6 connectivity! Your site is unreachable in IPv6 but is advertising an AAAA record.


#3

Thanks so much !
I didn’t have that check in mind. Shame on me :scream:
Will check this with our infrastructure provider. They recently had a big power failure with subsequent routing issues.
Meanwhile, is there an option to set priority on IPV4 ?
Thanks again


#4

No, you may remove the AAAA records from dns, since they are obviously not working anyway.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.