Timeout issues while renewing certificates


My domain is:


I ran this command:

I did not run any. I am using nginx-proxy with the letsencrypt-nginx-proxy-companion Docker images for various subdomains; each container is set for one subdomain.

It produced this output:

(just one example, but I got more subdomains with the same issue, also it always worked fine until recently)

Creating/renewal server-queue.roxypony.fr certificates... (server-queue.roxypony.fr)
2017-06-30 13:48:10,972:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-06-30 13:48:12,331:INFO:requests.packages.urllib3.connectionpool:242: Resetting dropped connection: acme-v01.api.letsencrypt.org
2017-06-30 13:48:13,099:INFO:requests.packages.urllib3.connectionpool:207: Starting new HTTP connection (1): server-queue.roxypony.fr
2017-06-30 13:48:13,103:INFO:requests.packages.urllib3.connectionpool:756: Starting new HTTPS connection (1): server-queue.roxypony.fr
2017-06-30 13:48:13,133:INFO:simp_le:1305: server-queue.roxypony.fr was successfully self-verified
2017-06-30 13:48:13,451:INFO:simp_le:1313: Generating new certificate private key
2017-06-30 13:48:22,973:ERROR:simp_le:1271: CA marked some of the authorizations as invalid, which likely means it could not access http://example.com/.well-known/acme-challenge/X. Did you set correct path in -d example.com:path or --default_root? Is there a warning log entry about unsuccessful self-verification? Are all your domains accessible from the internet? Failing authorizations: https://acme-v01.api.letsencrypt.org/acme/authz/-WibFGul4k9LAcp6QgQiILL9QNn2nQ-Aml12DwQ-tlk
Challenge validation has failed, see error log.

I can login to a root shell on my machine (yes or no, or I don’t know):


When I try to fetch the challenge myself I never get those timeouts. I don’t know what’s wrong, but maybe you can help me see through it.


Hello @voxdei,

The “problem” is that, since a month ago, if a domain advertises IPv4 and IPv6 records, Let’s Encrypt will prefer the IPv6 record.

Your domain roxypony.fr has the following IPv6 assigned:

$ dig roxypony.fr AAAA +short

But your web server is not configured to answer IPv6 requests:

$ curl -IkLv6 roxypony.fr
* Rebuilt URL to: roxypony.fr/
* Hostname was NOT found in DNS cache
*   Trying 2001:41d0:a:3d03::1...
* connect to 2001:41d0:a:3d03::1 port 80 failed: No route to host
* Failed to connect to roxypony.fr port 80: No route to host
* Closing connection 0
curl: (7) Failed to connect to roxypony.fr port 80: No route to host

So, either you fix your IPv6 issue or you need to remove the AAAA record for your domains.


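An added example, not part of the original posts or of simp_le or the companion image: a pre-renewal check that tries port 80 on every address the name publishes, per address family. It covers the case in this thread, where the client's self-verification passed but the published AAAA address did not accept connections. The function names and the injectable `resolve`/`connect` parameters are assumptions made for illustration.

```python
import socket
import sys

# Added example: all names below are illustrative, not from simp_le or nginx-proxy.
FAMILIES = {"IPv4 (A)": socket.AF_INET, "IPv6 (AAAA)": socket.AF_INET6}


def resolve(host, family, port=80):
    """Return the distinct addresses published for host in one address family."""
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return []  # no record of this type
    return sorted({info[4][0] for info in infos})


def connect(addr, family, port=80, timeout=5.0):
    """Try a TCP connect to addr; return None on success or the error text."""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return None
    except OSError as exc:
        return str(exc)


def check_http01_reachability(host, resolve=resolve, connect=connect):
    """Map each published (family, address) to None (reachable) or an error string."""
    # Every published family must answer: a validator that prefers IPv6 fails
    # the challenge on a dead AAAA address even when IPv4 works.
    report = {}
    for label, family in FAMILIES.items():
        for addr in resolve(host, family):
            report[(label, addr)] = connect(addr, family)
    return report


def failing(report):
    """Addresses that are published in DNS but do not accept connections."""
    return [key for key, err in report.items() if err is not None]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder name
    report = check_http01_reachability(host)
    for (label, addr), err in report.items():
        print(f"{label:12} {addr:40} {'ok' if err is None else 'FAIL: ' + err}")
    sys.exit(1 if failing(report) or not report else 0)
```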

I thought it was, but I must have done something wrong. Thx for quick answer, I will get it fixed ASAP!
