SSL Renew not work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
nothing - plesk auto cert

It produced this output:
Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/11186311073.
Details:
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching http://www.byte-store.de/.well-known/acme-challenge/VZUnkNmu-t2uWP1QXN68rvzFIa9CfCxsKUX84Th77mg: Timeout during connect (likely firewall problem)

My web server is (include version):
Apache 2

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Plesk

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You have an AAAA DNS record set for your domain, pointing to a non-functional IPv6 address. Let's Encrypt prefers IPv6 over IPv4, so a non-functional IPv6 address will cause issues.

Okay, thank you very much.
I can't read that out of the Error Response, I will edit my Records.


Not directly, no. However, with some basic debugging, it can be found.

First, I ran curl -LIv http://www.byte-store.de/.well-known/acme-challenge/VZUnkNmu-t2uWP1QXN68rvzFIa9CfCxsKUX84Th77mg, which gave me a successful result actually. However, I noticed curl outputting:

*   Trying 2a02:c207:2023:4051::1:80...
*   Trying 173.212.219.135:80...

But only connecting to IPv4:

* Connected to www.byte-store.de (173.212.219.135) port 80 (#0)

So I tested IPv6 without IPv4 by adding the -6 option to curl, which led to a timeout.

Also, if you look at the "authz" at https://acme-v02.api.letsencrypt.org/acme/authz-v3/11186311073, you'll notice:

          "addressesResolved": [
            "173.212.219.135",
            "2a02:c207:2023:4051::1"
          ],
          "addressUsed": "2a02:c207:2023:4051::1"

for the www subdomain, where the apex domain name doesn't have the IPv6 address. And it's the www subdomain actually failing here.


Yes, I made a "cURL" request too. I tried everything, like disabling the Firewall, disabling Fail2Ban or disabling the Web Firewall.

I don't know, I think that the Provider edited my IPv6 Address.

cURL will actually succeed, as it'll fall back to IPv4 by default (unless you force IPv6 with the -6 option), but Let's Encrypt doesn't for these kinds of problems (timeout). It will reconnect with IPv4 when IPv6 gives a "connection refused" I believe.
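The per-address-family check worked through in this thread (curl with and without -6), as an added example that is not part of any post: it connects to every A and AAAA address of a name on port 80 separately, with no fallback, and flags a published IPv6 address that fails while IPv4 answers. The function names and the resolver/prober parameters are assumptions of this example.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve(host, port=80):
    """Return every A and AAAA address the system resolver gives for host."""
    found = {"IPv4": [], "IPv6": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        name = FAMILIES.get(family)
        if name and sockaddr[0] not in found[name]:
            found[name].append(sockaddr[0])
    return found

def probe(addr, port=80, timeout=5.0):
    """One TCP connect to one literal address; no fallback to another family."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return "error: %s" % exc

def check_host(host, resolver=resolve, prober=probe):
    """Probe each address separately and flag IPv6 failures that IPv4 would hide."""
    results = {fam: {a: prober(a) for a in addrs} for fam, addrs in resolver(host).items()}
    broken_v6 = [a for a, r in results["IPv6"].items() if r != "ok"]
    v4_ok = any(r == "ok" for r in results["IPv4"].values())
    return {"host": host, "results": results, "broken_ipv6": broken_v6,
            # True when a dual-stack client such as curl would still succeed over IPv4
            "hidden_by_ipv4_fallback": bool(broken_v6) and v4_ok}

if __name__ == "__main__":
    # Check every name on the certificate: in this thread only www had the AAAA record.
    exit_code = 0
    for hostname in sys.argv[1:]:
        report = check_host(hostname)
        for fam, probes in report["results"].items():
            for addr, outcome in probes.items():
                print("%s %s %s -> %s" % (hostname, fam, addr, outcome))
        if report["broken_ipv6"]:
            exit_code = 1
            print("%s: AAAA published but port 80 unreachable: %s"
                  % (hostname, ", ".join(report["broken_ipv6"])))
    sys.exit(exit_code)
```

Run it from a machine with working IPv6 and pass both the apex and the www name; a host without IPv6 connectivity reports every AAAA address as an error regardless of the server's state.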
