Timeout fetching HTTP-01 challenge

I have a similar problem on Debian Linux kernel 4.9.0-4-amd64

$ letsencrypt certonly --webroot -w /home/www-data/ip/ -d api.pessom.ru --email=***@pessom.ru --agree-tos --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for api.pessom.ru
Using the webroot path /home/www-data/ip for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. api.pessom.ru (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://api.pessom.ru/.well-known/acme-challenge/7DFxVLj7oCnJGLbiCpTlI_UHA2fxfyCQFy-tmRzY7gc: Timeout

 - The following errors were reported by the server:

   Domain: api.pessom.ru
   Type:   connection
   Detail: Fetching

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

Port 80 is open.
The configuration was not changed, except for updating the system.

This is the tcpdump output:
$ tcpdump -ieth0 -e port 80 -w -

     HTTP/1.0 400 Bad request
Cache-Control: no-cache
Connection: close
Content-Type: text/html

<html><body><h1>400 Bad request</h1>
Your browser sent an invalid request.


I’ve split this post into a new topic. (I’m not very good at titles… :sweat:)

You are both experiencing a similar error, but the causes could be different, so it might be easier to talk about them separately.

api.pessom.ru.  (unsigned)  27577  CNAME  pessom.ru.
pessom.ru.      (unsigned)  27577  A
pessom.ru.      (unsigned)  27821  AAAA   2a00:a960:1010::9b4

The website has DNS records for both IPv4 and IPv6; I can connect to the IPv4 IP, but the IPv6 one seems to time out.

Are you sure the AAAA record is correct? Could a firewall be blocking IPv6 traffic? Or could there be an issue with the ISP?

The Let’s Encrypt validator does try to use IPv6; whatever is wrong needs to be sorted out, or the AAAA record needs to be removed. Then Let’s Encrypt should start working. :slightly_smiling_face:

Removed the AAAA record.
Will try later, once the changes have taken effect.

How long has this feature been there?

My problem occurred around 22 Sep.

If the problem continues, showing that log may be helpful.

Thank you very much for the help!
Indeed, the problem was the AAAA record; the proxy was not configured for IPv6.
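
The diagnosis in this thread (IPv4 answers on port 80, the published AAAA address times out) can be checked per address before requesting a certificate. The following is an added example, not part of the original posts or of the Let's Encrypt client; the function names `resolve`, `tcp_connect`, `check_host` and `diagnose` are hypothetical.

```python
import socket
import sys

FAMILIES = {socket.AF_INET: "IPv4", socket.AF_INET6: "IPv6"}

def resolve(host, port=80):
    """Return every A/AAAA address for host as sorted (family, ip) pairs."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({(FAMILIES[fam], addr[0]) for fam, _, _, _, addr in infos
                   if fam in FAMILIES})

def tcp_connect(ip, port, timeout):
    """Attempt a TCP connect; return None on success, else the error text."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc) or type(exc).__name__

def check_host(host, port=80, timeout=5.0, resolver=resolve, connector=tcp_connect):
    """Probe each published address separately instead of letting the OS pick one."""
    results = []
    for family, ip in resolver(host, port):
        error = connector(ip, port, timeout)
        results.append({"family": family, "ip": ip, "ok": error is None, "error": error})
    return results

def diagnose(results):
    """Summarise which address families would fail an HTTP-01 fetch."""
    if not results:
        return "no A or AAAA records found"
    failed = sorted({r["family"] for r in results if not r["ok"]})
    if not failed:
        return "all published addresses accept connections"
    if failed == ["IPv6"]:
        return "IPv6 unreachable: fix the IPv6 path or remove the AAAA record"
    return "unreachable over " + " and ".join(failed)

if __name__ == "__main__":
    # Hostname comes from the command line; nothing is probed on import.
    results = check_host(sys.argv[1])
    for r in results:
        print(f'{r["family"]:4} {r["ip"]:40} {"ok" if r["ok"] else r["error"]}')
    print(diagnose(results))
```

Run it from a machine outside your own network that has working IPv6; a probe from a host without IPv6 connectivity reports every AAAA address as failed regardless of the server's state.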
