Spurious 301 after changing IP address

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot -v renew

It produced this output:
Domain: tana.it
Type: connection
Detail: Fetching
Timeout during connect (likely firewall problem)

My web server is (include version):
Apache/2.4.56 (Debian)

The operating system my web server runs on is (include version):
Devuan Chimaera (equiv. Debian 11.1)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.12.0

The "only" thing I changed since last renewal is the IP number of the server. Now it is, which internally is NATted to The redirection from tana.it to www.tana.it has been there for quite some time. Yet, I find the request for tana.it but not the redirected one: 42526 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it []" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 51358 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it []" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-" 61602 - [27/Mar/2023:17:43:35 +0200] "GET /.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM HTTP/1.1" "-" 301 394 "tana.it []" tana.it "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)" "-"

Well using Let's Debug yields https://letsdebug.net/www.tana.it/1423104; seems to be IPv6 related

www.tana.it has an AAAA (IPv6) record (2a06:a003:e016::2) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with www.tana.it/2a06:a003:e016::2: Get "http://www.tana.it/.well-known/acme-challenge/letsdebug-test": context deadline exceeded

@0ms: Making a request to http://www.tana.it/.well-known/acme-challenge/letsdebug-test (using initial IP 2a06:a003:e016::2)
@0ms: Dialing 2a06:a003:e016::2
@10000ms: Experienced error: context deadline exceeded 

Although the failure is via IPv4:

I do see an issue with IPv6 [with one of the names]:

Name:      www.tana.it
Addresses: 2a06:a003:e016::2

Name:     tana.it
curl -Ii4 http://tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
HTTP/1.1 301 Moved Permanently
Date: Mon, 27 Mar 2023 16:00:56 GMT
Server: Apache
Location: http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
Content-Type: text/html; charset=iso-8859-1

curl -Ii4 http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
HTTP/1.1 404 Not Found
Date: Mon, 27 Mar 2023 16:01:03 GMT
Server: Apache
Content-Type: text/html; charset=iso-8859-1

curl -Ii6 http://www.tana.it/.well-known/acme-challenge/GHyXUtNIbDvFr2rirr5S4RlZDU4_kHrG5KAu7NGMMgM
curl: (56) Recv failure: Connection reset by peer

I see... Route48.org, which provided the IPv6 link said they're closing down. I hoped that would have lasted until I get new IPv6 addresses, but it didn't. Now I've deleted them. By tomorrow it should work with IPv4 only...

Thank you!

1 Like

Also DNS Spy report for tana.it shows www.tana.it has IPv4 & IPv6 Addresses where tana.it only has an IPv4 Address.

1 Like

Do you use any GeoLocation type blocks?
OR any other type of IP blocking?


Let's Encrypt uses the authoritive servers and those look ok already.

nslookup www.tana.it dns2.zoneedit.com

(Note: No IPV6 record)


And now Let's Debug is OK https://letsdebug.net/www.tana.it/1423133

1 Like

Yup, it worked, bypassing any DSN cache. Great!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.