Repeating 400 error on cert renewal

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tvfasching.de

I ran this command: Renew certificate via Plesk

It produced this output:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/4109247977
{
“identifier”: {
“type”: “dns”,
“value”: “tvfasching.de”
},
“status”: “invalid”,
“expires”: “2020-04-29T08:01:11Z”,
“challenges”: [
{
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching http://www.tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ: Timeout during connect (likely firewall problem)”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/4109247977/Zgt4MA”,
“token”: “Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ”,
“validationRecord”: [
{
“url”: “http://tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ”,
“hostname”: “tvfasching.de”,
“port”: “80”,
“addressesResolved”: [
“85.214.95.8”,
“2a01:238:4219:7d00:8d85:4ef3:4043:829”
],
“addressUsed”: “2a01:238:4219:7d00:8d85:4ef3:4043:829”
},
{
“url”: “http://tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ”,
“hostname”: “tvfasching.de”,
“port”: “80”,
“addressesResolved”: [
“85.214.95.8”,
“2a01:238:4219:7d00:8d85:4ef3:4043:829”
],
“addressUsed”: “85.214.95.8”
},
{
“url”: “http://www.tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ”,
“hostname”: “www.tvfasching.de”,
“port”: “80”,
“addressesResolved”: [
“85.214.95.8”,
“2a01:238:4219:7d00:8d85:4ef3:4043:829”
],
“addressUsed”: “2a01:238:4219:7d00:8d85:4ef3:4043:829”
}
]
}
]
}

My web server is (include version): apache & nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 18.0.26

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

2

Hi @preske87

read the output of your domain check - tvfasching.de - Make your website better - DNS, redirects, mixed content, certificates

You have ipv4 and ipv6.

But ipv6 doesn't work - timeout.

  • Remove your ipv6 (or, better)
  • fix it, so it works.

Letsencrypt prefers ipv6, so that's critical.

3

LE can connect via IPv4 or IPv6.
But when both are present, it prefers IPv6 [and will not "fall back" to IPv4].
Is your site reachable on port 80 via IPv6?

4 
curl -4Iki http://tvfasching.de/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 22 Apr 2020 08:20:41 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.tvfasching.de/

curl -6Iki http://tvfasching.de/
curl: (7) Failed to connect to tvfasching.de port 80: Connection timed out
5

Thanks, that appears to be. It’s weird, but will check. Appears some IPv6 issue…

1 Like
6

If you are not using IPv6, simply remove the AAAA record from your DNS zone.

7

So did I, now stuck in the “too many attempts” queue.

IPv6 used to work and I was eben able just yesterday to renew a cert for a subdomain on the same server; there it did work…

8

You can check with https://LetsDebug.net/ to see when you can try again.
Cheers from Miami :beers:

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.