I’m trying to renew a certificate and I can’t stop getting this message:
Attempting to renew cert from /etc/letsencrypt/renewal/mail.ex-nihilo-paris.com.conf produced an unexpected error: Failed authorization procedure. mail.ex-nihilo-paris.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://mail.ex-nihilo-paris.com/.well-known/acme-challenge/fb9D3S51twTLKeGSIuTWD1VPdVM5Pzxv7ixrE3mTNHM: Timeout. Skipping.
I double-checked that there was no issue with the domain (it’s a production domain, accessible from everywhere) and no firewall issue (port 80 is open). The authenticator is standalone and opens a listening socket (I can see 0.0.0.0:80 opened by a python process while waiting for the challenge response).
Could you please tell me what could be going wrong? Is there another way to renew the certificate? It expires in 3 days (I had to wait for the holidays, when our office is closed, to renew the certificate).
OK - I didn’t realise you were using it in standalone mode.
Can you provide a little more information on your setup, please? Are you using certbot, or some other script? (Sorry, reading too fast - you do mention certbot.)
Does the DNS resolve correctly within the server itself ?
I have an NGinx server installed, running on port 443. I can also make it run on port 80 (currently it only serves Zimbra webmail through SSL). I tried the “nginx” authenticator, but this fails as the plugin is not installed (I don’t even know how to install it, or whether it would be useful).
Is there a way for certbot to export a /.well-known/acme-challenge/XXXXXX file in a selected folder (webroot parameter) and let NGinx deliver this file?
Indeed. It was version 0.14.2. Updated to version 0.19. No more “unrecognized arguments” error, but still no chance to get the certificate renewed, with the exact same issue: The server could not connect to the client to verify the domain.
And now, I have to wait for an hour: Too many failed authorizations recently…
Meanwhile, I will try to figure out how webroot works and try to make Nginx respond instead of the standalone server.
It doesn’t matter what method you use (manual, webroot, standalone…): your server is not answering requests on your IPv6 address, and as @bytecamp said, Let’s Encrypt will try to validate your domain using the IPv6 address if one is present.
Trying to connect to your mail server using IPv4 -> OK
$ telnet -4 mail.ex-nihilo-paris.com 25
Trying 51.255.78.216...
Connected to mail.ex-nihilo-paris.com.
Escape character is '^]'.
220 mail.ex-nihilo-paris.com ESMTP Postfix
quit
221 2.0.0 Bye
Connection closed by foreign host.
Trying to connect to your mail server using IPv6 -> TIMEOUT
$ telnet -6 mail.ex-nihilo-paris.com 25
Trying 2001:41d0:203:1d8::...
telnet: Unable to connect to remote host: Connection timed out
Trying to connect to your nginx server using IPv4 -> OK
Trying to connect to your nginx server using IPv6 -> TIMEOUT
$ curl -6IkLv https://mail.ex-nihilo-paris.com
* Rebuilt URL to: https://mail.ex-nihilo-paris.com/
* Trying 2001:41d0:203:1d8::...
* TCP_NODELAY set
* connect to 2001:41d0:203:1d8:: port 443 failed: Connection timed out
* Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to mail.ex-nihilo-paris.com port 443: Connection timed out
Are you sure your IPv6 address is correctly configured? Because to me, 2001:41d0:203:1d8:: looks like an anycast address.
Either remove the AAAA record for the domain mail.ex-nihilo-paris.com, or configure your server and/or the AAAA record correctly so that your server can be reached using IPv6.
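The telnet and curl runs above check one address family at a time by hand. The script below is an added example (not from this thread, certbot or Let’s Encrypt) that automates the same pre-flight check before asking for a certificate: resolve every A and AAAA record the name publishes, try a TCP connection to port 80 on each one, and flag the case seen here, where IPv4 answers but the published IPv6 address does not. The `demo()` function replays the thread’s observation with a constructed probe so the logic runs offline; the `resolve`, `tcp_reachable` and `diagnose` names, the 5-second timeout and the idea of running it on the server’s own host are assumptions of this example, not anything certbot provides.

```python
"""HTTP-01 pre-flight: is port 80 reachable on every address DNS publishes?

Added example for this thread, not code from the original posts or from
certbot. The point it encodes: an AAAA record that is published but not
served means the ACME validator can time out over IPv6 even though the
host answers perfectly over IPv4.
"""
import socket
import sys

ACME_PORT = 80          # HTTP-01 challenges are always fetched on port 80
CONNECT_TIMEOUT = 5.0   # seconds per address; a hang here is the thread's symptom


def resolve(host, getaddrinfo=socket.getaddrinfo):
    """Return {'A': [...], 'AAAA': [...]} for host, deduplicated.

    getaddrinfo is injectable so the check can run against constructed
    records without touching the network.
    """
    records = {"A": [], "AAAA": []}
    try:
        infos = getaddrinfo(host, ACME_PORT, 0, socket.SOCK_STREAM)
    except socket.gaierror:
        return records
    for family, _type, _proto, _canon, sockaddr in infos:
        rtype = "AAAA" if family == socket.AF_INET6 else "A"
        if sockaddr[0] not in records[rtype]:
            records[rtype].append(sockaddr[0])
    return records


def tcp_reachable(addr, port=ACME_PORT, timeout=CONNECT_TIMEOUT):
    """True if a TCP handshake to addr:port completes within timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:          # timeout, refused, no route: all failures for a validator
        return False


def diagnose(records, probe=tcp_reachable):
    """Probe every published address and explain what a validator would hit.

    Returns {'results': {addr: bool}, 'findings': [str], 'ok': bool}.
    'ok' is True only when every published address answers, because the
    validator may pick any of them (the thread shows it picking IPv6).
    """
    results = {addr: probe(addr)
               for rtype in ("A", "AAAA") for addr in records[rtype]}
    findings = []
    if not records["A"] and not records["AAAA"]:
        findings.append("no A or AAAA record: nothing for the validator to connect to")
    for addr in records["A"]:
        if not results[addr]:
            findings.append(f"A record {addr}: port {ACME_PORT} does not answer over IPv4")
    for addr in records["AAAA"]:
        if not results[addr]:
            findings.append(
                f"AAAA record {addr}: port {ACME_PORT} does not answer over IPv6; "
                "with an AAAA record published the validator will try IPv6, so "
                "HTTP-01 times out even though IPv4 works. Either serve port "
                f"{ACME_PORT} on that address or remove the AAAA record."
            )
    return {"results": results, "findings": findings, "ok": not findings}


def demo():
    """Constructed replay of this thread, no network needed: the A address
    answers, the AAAA address times out (probe is simulated, not a real connect)."""
    records = {"A": ["51.255.78.216"], "AAAA": ["2001:41d0:203:1d8::"]}
    return diagnose(records, probe=lambda addr: ":" not in addr)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: preflight.py <hostname>   (no argument: offline demo)")
        report = demo()
    else:
        report = diagnose(resolve(sys.argv[1]))
    for addr, up in report["results"].items():
        print(f"{addr:40} {'OK' if up else 'NO ANSWER'}")
    for line in report["findings"]:
        print("!!", line)
    sys.exit(0 if report["ok"] else 1)
```

Run it from a host outside your own network with `python3 preflight.py mail.example` before running certbot; a non-zero exit means at least one published address would time out for the validator, which is exactly the “could not connect to the client” error above. Note that it only proves TCP reachability on port 80, not that the web server will actually serve `/.well-known/acme-challenge/` from that address.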
This seems to be the issue. I’m trying to find information from my provider on how to set up IPv6 the right way. The out-of-the-box configuration for this server does not seem to be enough.