Spurious 301 after changing IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
tana.it

I ran this command:
certbot -v renew

It produced this output:
Domain: tana.it
Type: connection
Detail: 185.199.25.198: Fetching
http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM:
Timeout during connect (likely firewall problem)

My web server is (include version):
Apache/2.4.56 (Debian)

The operating system my web server runs on is (include version):
Devuan Chimaera (equiv. Debian 11.1)

My hosting provider, if applicable, is:
Altitud

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

The "only" thing I changed since last renewal is the IP number of the server. Now it is 185.199.25.198, which internally is NATted to 192.168.1.254. The redirection from tana.it to www.tana.it has been there for quite some time. Yet, I find the request for tana.it but not the redirected one:

3.135.199.140 42526 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it [192.168.1.254]" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
23.178.112.208 51358 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it [192.168.1.254]" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"
18.236.139.1 61602 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it [192.168.1.254]" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Well, using Let's Debug yields https://letsdebug.net/www.tana.it/1423104; it seems to be IPv6 related.

AAAANotWorking
Error
www.tana.it has an AAAA (IPv6) record (2a06:a003:e016::2) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with www.tana.it/2a06:a003:e016::2: Get "http://www.tana.it/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

Trace:
@0ms: Making a request to http://www.tana.it/.well-known/acme-challenge/letsdebug-test (using initial IP 2a06:a003:e016::2)
@0ms: Dialing 2a06:a003:e016::2
@10000ms: Experienced error: context deadline exceeded 

Although the failure is via IPv4:

I do see an issue with IPv6 [with one of the names]:

Name:      www.tana.it
Addresses: 2a06:a003:e016::2
           185.199.25.198

Name:     tana.it
Address:  185.199.25.198

curl -Ii4 http://tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Mar 2023 16:00:56 GMT
Server: Apache
Location: http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
Content-Type: text/html; charset=iso-8859-1

curl -Ii4 http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
HTTP/1.1 404 Not Found
Date: Mon, 27 Mar 2023 16:01:03 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

curl -Ii6 http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
curl: (56) Recv failure: Connection reset by peer
2 Likes
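The checks in the post above (resolve both A and AAAA, then try the challenge path over each address, following the apex-to-www redirect) are easy to script so they can be repeated after a DNS change. The following is an added example written for this thread; it is not Let's Debug's or Certbot's code. The `diagnose` and `findings` functions take a resolver and an HTTP fetcher as parameters, so the logic runs offline against the constructed `fake_resolve`/`fake_fetch` pair (modelled on the addresses and responses quoted in this thread) and can be pointed at a live host by passing `live_resolve`/`live_fetch` instead. The verdict text is modelled on the Let's Debug `AAAANotWorking` message quoted above.

```python
"""Per-address-family reachability check for an ACME HTTP-01 challenge path.

Added example for this thread (not Let's Debug's or Certbot's code). For each
hostname in the redirect chain it resolves A and AAAA records and requests the
challenge path over every address. A hostname that publishes a record whose
addresses never answer on port 80 is flagged, since a validator may pick that
address. The resolver and fetcher are injected so the logic is testable offline.
"""
import http.client
import socket
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 307, 308)


@dataclass
class Probe:
    family: str                     # "IPv4" or "IPv6"
    address: str
    status: Optional[int]           # HTTP status, or None if the connection failed
    location: Optional[str] = None  # Location header when the response was a redirect
    error: Optional[str] = None     # error text when the connection failed


Resolver = Callable[[str], List[Tuple[str, str]]]                    # host -> [(family, addr)]
Fetcher = Callable[[str, str, str], Tuple[int, Optional[str]]]       # (host, addr, path) -> (status, location)


def live_resolve(host: str) -> List[Tuple[str, str]]:
    """Resolve A and AAAA records with the system resolver (for live use)."""
    seen: List[Tuple[str, str]] = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP):
        entry = ("IPv6" if fam == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def live_fetch(host: str, addr: str, path: str, timeout: float = 10.0) -> Tuple[int, Optional[str]]:
    """GET the path on one specific address while sending the Host header for `host`."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def diagnose(host: str, path: str, resolve: Resolver, fetch: Fetcher, max_hops: int = 5):
    """Follow the challenge URL through redirects, probing every address of every hop."""
    report: List[Tuple[str, List[Probe]]] = []
    current_host, current_path = host, path
    for _ in range(max_hops):
        probes: List[Probe] = []
        next_hop: Optional[str] = None
        for family, addr in resolve(current_host):
            try:
                status, location = fetch(current_host, addr, current_path)
                probes.append(Probe(family, addr, status, location))
                if status in REDIRECTS and location and next_hop is None:
                    next_hop = location
            except OSError as exc:  # timeouts, resets and refusals all land here
                probes.append(Probe(family, addr, None, error=str(exc)))
        report.append((current_host, probes))
        if next_hop is None:
            break
        parts = urlsplit(next_hop)
        current_host = parts.hostname or current_host   # relative Location keeps the host
        current_path = parts.path or "/"
    return report


def findings(report) -> List[str]:
    """Turn a diagnosis into human-readable problems, one per dead family or bad status."""
    problems: List[str] = []
    for host, probes in report:
        for family, record in (("IPv4", "A"), ("IPv6", "AAAA")):
            fam = [p for p in probes if p.family == family]
            if fam and all(p.status is None for p in fam):
                addrs = ", ".join(p.address for p in fam)
                problems.append(f"{host}: {record} record ({addrs}) published but no {family} "
                                f"address answered on port 80; fix it or remove the {record} record")
        for p in probes:
            if p.status is not None and p.status not in REDIRECTS and p.status != 200:
                problems.append(f"{host} [{p.address}]: challenge path returned HTTP {p.status}")
    return problems


# ---- constructed offline scenario, modelled on the thread (not live data) ----
TOKEN = "GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM"
CHALLENGE = "/.well-known/acme-challenge/" + TOKEN
CONSTRUCTED_DNS = {
    "tana.it": [("IPv4", "185.199.25.198")],
    "www.tana.it": [("IPv6", "2a06:a003:e016::2"), ("IPv4", "185.199.25.198")],
}


def fake_resolve(host: str) -> List[Tuple[str, str]]:
    return CONSTRUCTED_DNS.get(host, [])


def fake_fetch(host: str, addr: str, path: str) -> Tuple[int, Optional[str]]:
    # Constructed behaviour: apex redirects to www, the IPv4 address serves the
    # token, the stale IPv6 address never answers.
    if addr.startswith("2a06:"):
        raise socket.timeout("timed out")
    if host == "tana.it":
        return 301, "http://www.tana.it" + path
    if host == "www.tana.it" and path == CHALLENGE:
        return 200, None
    return 404, None


def run_offline_demo() -> List[str]:
    return findings(diagnose("tana.it", CHALLENGE, fake_resolve, fake_fetch))


if __name__ == "__main__":
    for line in run_offline_demo():
        print(line)
```

Against the constructed scenario the only finding is the dead AAAA on www.tana.it, which is the same verdict Let's Debug gave. For a live check, call `diagnose("tana.it", "/.well-known/acme-challenge/<token>", live_resolve, live_fetch)` from a host outside your own network, since probing from behind the NAT would not reproduce what an external validator sees.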

I see... Route48.org, which provided the IPv6 link, said they're closing down. I hoped that would have lasted until I got new IPv6 addresses, but it didn't. Now I've deleted them. By tomorrow it should work with IPv4 only...

Thank you!

1 Like

Also, the DNS Spy report for tana.it shows that www.tana.it has IPv4 & IPv6 addresses, whereas tana.it only has an IPv4 address.

1 Like

Do you use any GeoLocation type blocks?
OR any other type of IP blocking?

2 Likes

Let's Encrypt uses the authoritative servers, and those look OK already.

nslookup www.tana.it dns2.zoneedit.com
Address: 185.199.25.198

(Note: no IPv6 record)

3 Likes

And now Let's Debug is OK https://letsdebug.net/www.tana.it/1423133

1 Like

Yup, it worked, bypassing any DNS cache. Great!

3 Likes
