Switching Challenge Methods

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.corauratum.com

I ran this command: auto renew

It produced this output: usual timeout during connect

My web server is (include version): Nginx 1.15.12

The operating system my web server runs on is (include version): Ubuntu 16.04.6 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

After running for a while now (almost a year?), I’ve started getting the timeout errors that many people are reporting. NOTE: my situation is a little different because I have two domains with two different IPs, so if you do the usual scan for the IP, you’ll get the one for the main domain and not the one that has the certificate. As I said, everything has been working just fine until the latest auto-renew job ran. Since this is having so much trouble, I would like to switch to using the DNS plugin for Linode. Given that this is an existing certificate, do I just install the plugin and then add it to certbot? Your instructions are for a new installation and I just want to verify the steps I need to switch the challenge method.

Thanks,
AB

Hi @AndalayBay

Sounds like you have used tls-sni-01 validation; that’s no longer supported.

But checking your domain, there is a general problem you should fix. Perhaps that fixes the renew problem (https://check-your-website.server-daten.de/?q=corauratum.com):

You have IPv4 and IPv6 addresses:

Host                 T     IP-Address               is auth.   ∑ Queries   ∑ Timeout
corauratum.com       A     45.33.27.8               yes        1           0
                     AAAA  2600:3c00:e000:1f9::1    yes
www.corauratum.com   A     45.33.27.8               yes        1           0
                     AAAA  2600:3c00:e000:1f9::1    yes

But your IPv6 doesn’t work:

Domainname                    IP-Address               Http-Status                                   redirect                       Sec.     G
http://corauratum.com/        45.33.27.8               301                                           https://corauratum.com/        0.293    A
http://www.corauratum.com/    45.33.27.8               301                                           https://www.corauratum.com/    0.294    A
http://corauratum.com/        2600:3c00:e000:1f9::1    -14 Timeout - The operation has timed out                                    10.027   T
http://www.corauratum.com/    2600:3c00:e000:1f9::1    -14 Timeout - The operation has timed out                                    10.027   T
https://corauratum.com/       45.33.27.8               200                                                                          1.743    I
https://corauratum.com/       2600:3c00:e000:1f9::1    -14 Timeout - The operation has timed out                                    10.027   T
https://www.corauratum.com/   45.33.27.8               200                                                                          1.496    I
https://www.corauratum.com/   2600:3c00:e000:1f9::1    -14 Timeout - The operation has timed out                                    10.027   T

Perhaps it’s not configured, or wrongly configured. Or there is a blocking firewall.

If you use http-01 validation, Certbot creates a file in /.well-known/acme-challenge and Let's Encrypt checks that file. But Let's Encrypt prefers IPv6, so this is critical.

Same with users: if a user has an IPv6 connection, your site doesn’t answer.

So:

  • Fix your IPv6, or
  • remove the IPv6 DNS AAAA entry

Then check if your Certbot works.

Use the complete command. Then Certbot should update your configuration file.
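A small reachability check, added here as an example and not part of this thread or of Certbot: it resolves a name's A and AAAA records and fetches the http-01 challenge path over each address separately, so a server that answers only over IPv4 (the pattern in the table above) shows up before the next renewal is attempted. The hostname argument and the probe path name are assumptions.

```python
import http.client
import socket
import sys

# Any path under the http-01 challenge directory will do; we only care whether the
# server answers at all (a 404 or a 301 still proves the address is reachable).
CHALLENGE_PATH = "/.well-known/acme-challenge/reachability-probe"  # assumed name

def resolve(hostname):
    """Return [(family, ip)] for the hostname's A and AAAA records, deduplicated."""
    seen, records = set(), []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP):
        ip = sockaddr[0]
        if ip not in seen:
            seen.add(ip)
            records.append(("AAAA" if family == socket.AF_INET6 else "A", ip))
    return records

def probe(hostname, ip, timeout=10.0):
    """GET the challenge path over plain HTTP on one specific address.
    Returns the HTTP status, or None when the connection fails or times out."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    try:
        conn.request("GET", CHALLENGE_PATH, headers={"Host": hostname})
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return None
    finally:
        conn.close()

def summarize(results):
    """results: [(family, ip, status)]. Returns 'ok', 'ipv6-broken' or 'ipv4-broken'.
    A published AAAA record that never answers is the situation in the thread:
    fix the IPv6 listener/firewall or remove the AAAA record before renewing."""
    present = {"A": False, "AAAA": False}
    answered = {"A": False, "AAAA": False}
    for family, _, status in results:
        present[family] = True
        answered[family] = answered[family] or status is not None
    if present["AAAA"] and not answered["AAAA"]:
        return "ipv6-broken"
    if present["A"] and not answered["A"]:
        return "ipv4-broken"
    return "ok"

def check(hostname, timeout=10.0):
    """Resolve, probe every address, and return (per-address results, verdict)."""
    results = [(fam, ip, probe(hostname, ip, timeout)) for fam, ip in resolve(hostname)]
    return results, summarize(results)

if __name__ == "__main__":
    results, verdict = check(sys.argv[1] if len(sys.argv) > 1 else "www.example.com")
    for family, ip, status in results:
        print(f"{family:4} {ip:40} {'timeout/refused' if status is None else status}")
    print("verdict:", verdict)
```

Run it from a host that has working IPv6 itself; from an IPv4-only ISP the AAAA probes fail locally and prove nothing about the server.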

Aha, thank you for that. My ISP doesn’t support IPv6 so I can’t test it. I had to rely on Linode to help me get that set up and it appears that it still isn’t working.

I’d still like to switch the challenge method, but if Letsencrypt prefers IPv6, then it probably wouldn’t work anyway. I’ll have to talk to Linode and see if we can get IPv6 working. This must be a recent change though.
