Resolution issues (Staging fine)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sunstarved.co

I ran this command: sudo certbot renew

It produced this output: urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

Hi there. I’m running a number of identical Nginx configurations, all of which resolve and update no problem; however, this domain (Porkbun registrar and DNS server) does not seem to resolve on live. Staging (using the --dry-run flag) works fine. Any tips?

Thanks

1 Like

Can you show us the rest of the error message?

Sure, it’s a long one.

An error occurred requesting a new certificate for sunstarved.co, sunstarved.design, wiki.sunstarved.co, creative.sunstarved.co, dev.sunstarved.co from Let's Encrypt : Web-based validation failed : <pre>Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for creative.sunstarved.co
http-01 challenge for dev.sunstarved.co
http-01 challenge for sunstarved.co
http-01 challenge for sunstarved.design
http-01 challenge for wiki.sunstarved.co
Using the webroot path /home/sunstarved/public_html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. creative.sunstarved.co (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sunstarved.co/.well-known/acme-challenge/hAsvyxPYO1f_C2jakmNLtjMOoizmBvdMMS-daU0u63U: Error getting validation data, sunstarved.co (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sunstarved.co/.well-known/acme-challenge/dXgZFfle_4IKe3et-Idzv2uyNQ6_k3LVJxPDORMPn1M: Error getting validation data, dev.sunstarved.co (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sunstarved.co/.well-known/acme-challenge/7gUEAp027hdold-VoHAtd5ijfOjf7IHQNONfANYAptI: Error getting validation data, sunstarved.design (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sunstarved.co/.well-known/acme-challenge/Sb8JVqVAs2rO29kSrns6HPzAZ_OdQlQtvEULHyL63ZA: Error getting validation data, wiki.sunstarved.co (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://sunstarved.co/.well-known/acme-challenge/IE9qXtc8FIJGnAWF95mR92SjTPhEwAUM1WPOuqUyi90: Error getting validation data
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: creative.sunstarved.co
   Type:   connection
   Detail: Fetching
   https://sunstarved.co/.well-known/acme-challenge/hAsvyxPYO1f_C2jakmNLtjMOoizmBvdMMS-daU0u63U:
   Error getting validation data

   Domain: sunstarved.co
   Type:   connection
   Detail: Fetching
   https://sunstarved.co/.well-known/acme-challenge/dXgZFfle_4IKe3et-Idzv2uyNQ6_k3LVJxPDORMPn1M:
   Error getting validation data

   Domain: dev.sunstarved.co
   Type:   connection
   Detail: Fetching
   https://sunstarved.co/.well-known/acme-challenge/7gUEAp027hdold-VoHAtd5ijfOjf7IHQNONfANYAptI:
   Error getting validation data

   Domain: sunstarved.design
   Type:   connection
   Detail: Fetching
   https://sunstarved.co/.well-known/acme-challenge/Sb8JVqVAs2rO29kSrns6HPzAZ_OdQlQtvEULHyL63ZA:
   Error getting validation data

   Domain: wiki.sunstarved.co
   Type:   connection
   Detail: Fetching
   https://sunstarved.co/.well-known/acme-challenge/IE9qXtc8FIJGnAWF95mR92SjTPhEwAUM1WPOuqUyi90:
   Error getting validation data

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
</pre>
1 Like

Your sites are responding with HTTP redirects to URLs starting with https://sunstarved.co/, but https://sunstarved.co/ doesn’t work: Its IPv6 address is running HTTP on port 443 (the HTTPS port), so Let’s Encrypt is reporting an error.

Can you resolve that problem?

Its IPv4 address has functioning HTTPS with an expired certificate, which would be fine for this purpose.

You could also turn off the redirects. Or turn off IPv6.

2 Likes

Oh, that would certainly explain it! Thank you for spotting this. I’ve temporarily disabled ipv6 and renewed the cert with no problem. Was this a diagnosis using telnet? I’d have been scratching my head for ages with that.

It points to an issue in my nginx configuration for IPv6 which will be affecting all of my domains, but most are configured without AAAA records, which explains why they are functional. All of my configurations currently have two listen directives for [::]:80 and [::]:443. Sounds like I might need to change my [::]:443 directive to enable ssl using listen [::]:443 ssl; ?

1 Like

Close -- curl. 🙂 Including "curl -v http://sunstarved.co:443/".

Yes. Usually the IPv4 and IPv6 listens should have the same options.

2 Likes
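The mismatch diagnosed above (an IPv6 listen on 443 without the ssl parameter next to a working IPv4 one) can be caught before renewal by linting the listen directives. This is an added example, not code from the thread or from nginx or Certbot; the sample config, the example.test hostname and the function names are constructed, the input is treated as a single server block, and TLS is assumed to be enabled through the listen parameter rather than the legacy `ssl on;` directive.

```python
import re

# Constructed sample resembling the setup described in the thread:
# the IPv4 listen on 443 has ssl, the IPv6 listen on 443 does not.
SAMPLE_CONF = """
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl;
    listen [::]:443;
    server_name example.test;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)

def parse_listen(args):
    """Split a listen directive's arguments into (family, port, options)."""
    addr, *opts = args.split()
    family = "ipv6" if addr.startswith("[") else "ipv4"
    tail = addr.rsplit("]", 1)[-1] if family == "ipv6" else addr
    if ":" in tail:
        port = int(tail.rsplit(":", 1)[1])
    else:
        port = int(tail) if tail.isdigit() else 80  # address only: nginx defaults to 80
    # ipv6only=... is legitimately IPv6-specific, so it is left out of the comparison.
    return family, port, frozenset(o for o in opts if not o.startswith("ipv6only"))

def check_listens(conf):
    """Return findings for the listen directives of one server block."""
    by_port = {}
    for m in LISTEN_RE.finditer(conf):
        if m.group(1).startswith("unix:"):
            continue  # UNIX sockets have no port or address family to compare
        family, port, opts = parse_listen(m.group(1))
        by_port.setdefault(port, {})[family] = opts
    findings = []
    for port, fams in sorted(by_port.items()):
        for family, opts in sorted(fams.items()):
            if port == 443 and "ssl" not in opts:
                findings.append(f"{family} listen on 443 has no 'ssl': plain HTTP on the HTTPS port")
        if len(fams) == 2 and fams["ipv4"] != fams["ipv6"]:
            findings.append(f"port {port}: IPv4 and IPv6 listen options differ")
    return findings

if __name__ == "__main__":
    for finding in check_listens(SAMPLE_CONF):
        print(finding)
```

A host with no AAAA record never exposes the broken IPv6 listener to the validation server, which is why the same configuration can pass on some domains and fail on others.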

Thank you so much!! I’ll update my configurations. Really appreciate your help 🙂

1 Like
