SSL impossible to create on OVH VPS

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Let's Encrypt works fine on other domain names. NOT on this one.
ALL domain names are registered on OVH.
izitrek.net has a single IPv4 + single IPv6.
ALL other domain names have the same shared IPv4.

My domain is:
izitrek.net + www.izitrek.net
I ran this command:
Install a basic free Let's Encrypt certificate on the Plesk interface via the SSL It! extension
It produced this output:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/396789792046.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: 91.121.33.150: Fetching https://izitrek.net/.well-known/acme-challenge/Zc_xMMqY_H3lcNxScJ3mChyTr6kk0RTLmQHk5PErO4c: Timeout during connect (likely firewall problem)

My web server is (include version):
Debian 10 Plesk
The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
OVH
I can login to a root shell on my machine (yes or no, or I don't know):
I don't know
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi @itakmedia,

Is there a firewall or router issue?

What does Let's Debug reveal?

3 Likes

Hi @itakmedia,

Using Let's Debug gives this https://letsdebug.net/izitrek.net/2206965

AAAANotWorking
Error
izitrek.net has an AAAA (IPv6) record (2001:41d0:701:1000::234f) but a test request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address. You should either ensure that validation requests to this domain succeed over IPv6, or remove its AAAA record.
A timeout was experienced while communicating with izitrek.net/2001:41d0:701:1000::234f: Get "http://izitrek.net/.well-known/acme-challenge/letsdebug-test": dial tcp [2001:41d0:701:1000::234f]:80: i/o timeout

Trace:
@0ms: Making a request to http://izitrek.net/.well-known/acme-challenge/letsdebug-test (using initial IP 2001:41d0:701:1000::234f)
@0ms: Dialing 2001:41d0:701:1000::234f
@10000ms: Experienced error: dial tcp [2001:41d0:701:1000::234f]:80: i/o timeout
IssueFromLetsEncrypt
Error
A test authorization for izitrek.net to the Let's Encrypt staging service has revealed issues that may prevent any certificate for this domain being issued.
91.121.33.150: Fetching https://izitrek.net/.well-known/acme-challenge/9cNzMeeiduFYs92iouE1YOMXAOXCTtXBqXqiSI1srIk: Timeout during connect (likely firewall problem)

All IP Address need to respond the same

Here is a list of DNS Records


And this shows that IPv4 is open but IPv6 is filtered

Checking IPv4 Ports 80 & 443

>nmap -4 -Pn -p80,443 izitrek.net
Starting Nmap 7.94 ( https://nmap.org ) at 2024-08-29 22:45 UTC
Nmap scan report for izitrek.net (91.121.33.150)
Host is up (0.15s latency).
Other addresses for izitrek.net (not scanned): 2001:41d0:701:1000::234f
rDNS record for 91.121.33.150: ip150.ip-91-121-33.eu

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds

Checking IPv6 Ports 80 & 443

>nmap -6 -Pn -p80,443 izitrek.net
Starting Nmap 7.94 ( https://nmap.org ) at 2024-08-29 22:45 UTC
Nmap scan report for izitrek.net (2001:41d0:701:1000::234f)
Host is up.
Other addresses for izitrek.net (not scanned): 91.121.33.150

PORT    STATE    SERVICE
80/tcp  filtered http
443/tcp filtered https

Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
3 Likes

The IPv6 path is not working:

Name:      www.izitrek.net
Addresses: 2001:41d0:701:1000::234f
           91.121.33.150

Name:      izitrek.net
Addresses: 2001:41d0:701:1000::234f
           91.121.33.150

You should remove it from DNS [until it has been fixed].

5 Likes

Hello to all the people who spent time helping,

the IPv6 parameters should be THE problem. Once deleted, I could make the Let's Encrypt certificate work properly.

NB: I also needed to delete on the registrar interface and add the same "acme-challenge" value.

QUESTIONS:

  1. When updating the certificate, do I also have to update the registrar parameters?
  2. How do I set up the IPv6 configuration? If useful...

Thanks again for this useful help!

3 Likes

No; the two are unrelated.

  1. Ensure your server has an IPv6 address:
  • ip addr | grep inet6
  • curl -6 ifconfig.me
  2. If #1, then ensure the web service is listening via IPv6
  3. If #2, then ensure the firewall/network path is clear via IPv6 to your server
  4. If #3, then add the AAAA address in DNS
4 Likes
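The checklist above, turned into a script. This is an added example for this thread, not code from Let's Encrypt, Let's Debug, Plesk or OVH. It does two things: it resolves every A and AAAA record of a hostname and tries a TCP connect to port 80 on each of them (the address the HTTP-01 validator would use), then maps the results to the advice given in this thread (all published addresses must answer; if IPv6 is the odd one out, fix it or drop the AAAA record). It also parses `ip addr | grep inet6` output, as posted later in the thread, to separate a global address (step 1 passes) from loopback and link-local ones. Assumptions: port 80 is the relevant port, a connect timeout is treated the same as nmap's "filtered", and the sample `ip addr` text in the test is constructed from the output quoted in this thread.

```python
"""Check that every address a hostname publishes answers on the ACME HTTP-01 port.

Added example for this thread (not Let's Encrypt / Let's Debug / Plesk code).
Assumes: the validator connects to TCP port 80 and a connect timeout means
the path is filtered by a firewall, as nmap showed for the AAAA address.
"""
import ipaddress
import socket
import sys
from dataclasses import dataclass


@dataclass
class Probe:
    family: str      # "IPv4" or "IPv6"
    address: str
    ok: bool
    error: str = ""


def resolve(host, port=80):
    """Return every distinct (family, address) the name resolves to (A + AAAA)."""
    seen = []
    for fam, _, _, _, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        label = "IPv6" if fam == socket.AF_INET6 else "IPv4"
        pair = (label, sockaddr[0])
        if pair not in seen:
            seen.append(pair)
    return seen


def probe(family, address, port=80, timeout=5.0):
    """TCP connect to one literal address; force the family so no fallback hides a failure."""
    fam = socket.AF_INET6 if family == "IPv6" else socket.AF_INET
    sock = socket.socket(fam, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((address, port))
        return Probe(family, address, True)
    except OSError as exc:
        return Probe(family, address, False, str(exc) or type(exc).__name__)
    finally:
        sock.close()


def assess(probes):
    """Map probe results to a verdict: every address in DNS must answer the same way."""
    per_family = {}
    for p in probes:
        per_family.setdefault(p.family, []).append(p.ok)
    status = {fam: all(oks) for fam, oks in per_family.items()}
    if not status:
        return "no-address", "hostname has no A or AAAA record"
    if all(status.values()):
        return "ok", "every published address answers on port 80"
    if status.get("IPv4") and not status.get("IPv6", True):
        return ("fix-or-drop-aaaa",
                "IPv4 answers but IPv6 does not; a validator that tries the AAAA record first "
                "will time out. Open port 80 over IPv6 (listener, firewall, route) or remove "
                "the AAAA record until it works")
    if status.get("IPv6") and not status.get("IPv4", True):
        return "fix-or-drop-a", "IPv6 answers but IPv4 does not; fix IPv4 or remove the A record"
    return "unreachable", "no published address answers on port 80"


def global_ipv6_from_ip_addr(text):
    """Step 1 of the checklist: pick the global IPv6 addresses out of `ip addr | grep inet6`
    output, ignoring ::1 (loopback) and fe80::/10 (link-local)."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "inet6":
            continue
        addr = parts[1].split("/")[0]
        if ipaddress.ip_address(addr).is_global:
            found.append(parts[1])
    return found


def check(host, port=80, timeout=5.0):
    """Resolve, probe every address, and return (verdict, explanation, probes)."""
    probes = [probe(fam, addr, port, timeout) for fam, addr in resolve(host, port)]
    verdict, why = assess(probes)
    return verdict, why, probes


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "izitrek.net"
    verdict, why, probes = check(target)
    for p in probes:
        print(f"{p.family:4} {p.address:40} {'open' if p.ok else 'FAILED: ' + p.error}")
    print(f"{verdict}: {why}")
```

Run it as `python3 acme_reach.py example.com` from a machine outside the server's own network (the firewall being tested sits in front of the server, so a check from the server itself proves nothing). A host in the state described in this thread yields `fix-or-drop-aaaa`; the `ip addr` output posted below, fed to `global_ipv6_from_ip_addr`, returns the one global address, which is why the remaining suspects are the listener and the firewall rather than the address assignment.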

On the izitrek.net SSH terminal, I ran:
$ ip addr | grep inet6
Then got:
inet6 ::1/128 scope host
inet6 2001:41d0:701:1000::234f/56 scope global
inet6 fe80::f816:3eff:fe99:ed86/64 scope link

And
$ curl -6 ifconfig.me
Then got
curl: (7) Couldn't connect to server

Difficult for me to understand the meaning and decide what to do.

If you need to configure IPv6, it has to be set up manually on your system.

4 Likes

Hello,
thanks for the help.
The process seems to be really too complicated for such a small benefit.

1 Like

To me, that means your IPv6 IP isn't "working".

4 Likes

If your IPv6 doesn't work and it's too complicated for you to get it to actually work, you should probably disable IPv6 entirely, as otherwise you might get into strange issues when IPv6 somehow gets preference above IPv4.

3 Likes

When is IPv6 used rather than IPv4? Is it usual? The future in networks...?

The future is IPv6 [only].
Both work today.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.