SSL Renew not work

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
nothing - plesk auto cert

It produced this output:
Invalid response from
Type: urn:ietf:params:acme:error:connection
Status: 400
Detail: Fetching Timeout during connect (likely firewall problem)

My web server is (include version):
Apache 2

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You have an AAAA DNS record set for your domain, pointing to a non-functional IPv6 address. Let's Encryp prefers IPv6 over IPv4, so a non-functional IPv6 address will cause issues.

Okay, thank you very much.
I can't read that out of the Error Response, I will edit my Records.

1 Like

Not directly, no. However, with some basic debugging, it can be found.

First, I ran curl -LIv, which gave me a successful result actually. However, I noticed curl outputting:

*   Trying 2a02:c207:2023:4051::1:80...
*   Trying

But only connecting to IPv4:

* Connected to ( port 80 (#0)

So I tested IPv6 without IPv4 by adding the -6 option to curl, which lead to a time out.

Also, if you look at the "authz" at, you'll notice:

          "addressesResolved": [
          "addressUsed": "2a02:c207:2023:4051::1"

for the www subdomain, where the apex domain name doesn't have the IPv6 address. And it's the www subdomain actually failing here.


Yee, i made a "cURL" request to, I tried everything like disable the Firewall, disable Fail2Ban or disable Web Firewall.

I don't know, i think that the Provider edited my IPv6 Address.

cURL will actually succeed, as it'll fall back to IPv4 by default (unless you force IPv6 with the -6 option), but Let's Encrypt doesn't for these kind of problems (timeout). It will reconnect with IPv4 when IPv6 gives a "connection refused" I believe.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.