Repeating 400 error on cert renewal

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: tvfasching.de

I ran this command: Renew certificate via Plesk

It produced this output:
https://acme-v02.api.letsencrypt.org/acme/authz-v3/4109247977
{
  "identifier": {
    "type": "dns",
    "value": "tvfasching.de"
  },
  "status": "invalid",
  "expires": "2020-04-29T08:01:11Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://www.tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ: Timeout during connect (likely firewall problem)",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/4109247977/Zgt4MA",
      "token": "Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ",
      "validationRecord": [
        {
          "url": "http://tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ",
          "hostname": "tvfasching.de",
          "port": "80",
          "addressesResolved": [
            "85.214.95.8",
            "2a01:238:4219:7d00:8d85:4ef3:4043:829"
          ],
          "addressUsed": "2a01:238:4219:7d00:8d85:4ef3:4043:829"
        },
        {
          "url": "http://tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ",
          "hostname": "tvfasching.de",
          "port": "80",
          "addressesResolved": [
            "85.214.95.8",
            "2a01:238:4219:7d00:8d85:4ef3:4043:829"
          ],
          "addressUsed": "85.214.95.8"
        },
        {
          "url": "http://www.tvfasching.de/.well-known/acme-challenge/Q-BgXf4Qqy-xCTmL4UNAXl3CTMrBZxk2sL_B8HJO4lQ",
          "hostname": "www.tvfasching.de",
          "port": "80",
          "addressesResolved": [
            "85.214.95.8",
            "2a01:238:4219:7d00:8d85:4ef3:4043:829"
          ],
          "addressUsed": "2a01:238:4219:7d00:8d85:4ef3:4043:829"
        }
      ]
    }
  ]
}

My web server is (include version): apache & nginx

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Strato

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk 18.0.26

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

Hi @preske87

Read the output of your domain check: tvfasching.de - Make your website better - DNS, redirects, mixed content, certificates

You have ipv4 and ipv6.

But ipv6 doesn't work - timeout.

  • Remove your ipv6 (or, better)
  • fix it, so it works.

Letsencrypt prefers ipv6, so that's critical.

LE can connect via IPv4 or IPv6.
But when both are present, it prefers IPv6 [and will not "fall back" to IPv4].
Is your site reachable on port 80 via IPv6?

curl -4Iki http://tvfasching.de/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 22 Apr 2020 08:20:41 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Location: https://www.tvfasching.de/

curl -6Iki http://tvfasching.de/
curl: (7) Failed to connect to tvfasching.de port 80: Connection timed out
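A small triage script, added here and not code from the thread, Plesk or Let's Encrypt: it reads an ACME authorization object like the one pasted above and reports which address family each validation attempt used and which one produced the final error, so a dual-stack host with a dead AAAA record stands out. The sample authz is constructed from the paste (detail shortened), and `reachable()` is a live TCP probe over one family, the scripted equivalent of the curl -4 / curl -6 checks (it needs network access).

```python
import ipaddress
import socket

# Constructed sample (not the thread's verbatim paste): the failed authz above, same three validationRecord entries, detail shortened.
A4, A6 = "85.214.95.8", "2a01:238:4219:7d00:8d85:4ef3:4043:829"

def _rec(host, used):
    return {"hostname": host, "port": "80", "addressesResolved": [A4, A6], "addressUsed": used}

SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "tvfasching.de"},
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
                  "detail": "Timeout during connect (likely firewall problem)"},
        "validationRecord": [_rec("tvfasching.de", A6), _rec("tvfasching.de", A4),
                             _rec("www.tvfasching.de", A6)],
    }],
}

def family(addr):
    return "IPv6" if ipaddress.ip_address(addr).version == 6 else "IPv4"

def diagnose(authz):
    """Summarise the first invalid challenge: every address tried, and the one that produced the final error."""
    for ch in authz["challenges"]:
        recs = ch.get("validationRecord", [])
        if ch["status"] != "invalid" or not recs:
            continue
        last = recs[-1]
        resolved = {family(a) for a in last["addressesResolved"]}
        return {
            "challenge": ch["type"],
            "error": ch["error"]["type"],
            "attempts": [(r["hostname"], family(r["addressUsed"])) for r in recs],
            "failed_on": (last["hostname"], family(last["addressUsed"])),
            # final failure over IPv6 while an A record also exists: the AAAA target is the suspect
            "ipv6_suspect": family(last["addressUsed"]) == "IPv6" and "IPv4" in resolved,
        }

def reachable(host, af, port=80, timeout=5):
    """Live TCP connect over one family (af = socket.AF_INET or AF_INET6); needs network, like curl -4/-6."""
    try:
        addr = socket.getaddrinfo(host, port, af, socket.SOCK_STREAM)[0][4]
        with socket.socket(af, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect(addr)
        return True
    except OSError:
        return False
```

Run `diagnose()` on the JSON from your client's log before retrying, so you do not burn rate-limited attempts while the AAAA record still points at a host that does not answer on port 80.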

Thanks, that appears to be. It’s weird, but will check. Appears some IPv6 issue…


If you are not using IPv6, simply remove the AAAA record from your DNS zone.

So did I, now stuck in the “too many attempts” queue.

IPv6 used to work and I was even able just yesterday to renew a cert for a subdomain on the same server; there it did work…

You can check with https://LetsDebug.net/ to see when you can try again.
Cheers from Miami :beers:
