I would need some help to renew a cert using HTTP-01.

Here is the message I received when running: sudo certbot renew --dry-run

My web server: Apache 2.4.18 on Ubuntu 16.04.3

I can login to a root shell on my machine and I use Webmin 1.900

certbot --version = 0.28



Hi @LucD

you have an ipv6 Teredo tunneling address as your ip address ( ):

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | A | | yes | 1 | 0 |
| | AAAA | 2001:41d0:401:3100::702d | yes | | |
| | A | | yes | 1 | 0 |
| | AAAA | 2001:41d0:401:3100::702d | yes | | |

warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling
warning: Private ip address found: 2001:0000:0000:0000:0000:0000:0000:0000 to 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff: Teredo tunneling

Perhaps remove this ipv6, then try it again. Or check your vHosts, then find your DocumentRoot. Then use

certbot run -a webroot -i apache -w YourDocumentRoot -d -d

You have both dns entries - www and non-www. And http + www answers. But your certificate has only one domain name. So you should create one certificate with both domain names.


Thank you Juergen for your answer and all the provided information.

I didn’t know about all this…

I need IPV6 on this server so I have no option to remove it.

I’m going to try your certbot command and will be back soon…


Unfortunately, I received the following error (from letsencrypt.log):

2019-01-29 12:09:43,135:ERROR:certbot.log:An unexpected error occurred:
2019-01-29 12:13:25,830:DEBUG:certbot.main:certbot version: 0.28.0
2019-01-29 12:13:25,831:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '-i', 'apache', '-w', '/var/www/html', '-d', '', '-d', '']
2019-01-29 12:13:25,831:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-01-29 12:13:25,847:DEBUG:certbot.log:Root logging level set at 20
2019-01-29 12:13:25,848:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2019-01-29 12:13:25,854:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2019-01-29 12:13:25,939:DEBUG:certbot_apache.configurator:Apache version is 2.4.18
2019-01-29 12:13:26,313:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
Prep: True
2019-01-29 12:13:26,315:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198>
Prep: True
2019-01-29 12:13:26,316:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7fc8f8559198> and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fc8f85597f0>
2019-01-29 12:13:26,316:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2019-01-29 12:13:26,320:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(uri=‘’, terms_of_service=‘’, body=Registration(only_return_existing=None, contact=(‘’,), agreement=‘’, key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7fc8f849fa20>)>), status=None, terms_of_service_agreed=None), new_authzr_uri=‘’), 29b050103c0efb16c2d50bc9b607ff4c, Meta(creation_dt=datetime.datetime(2017, 10, 7, 20, 51, 55, tzinfo=), creation_host=‘vps463490’))>
2019-01-29 12:13:26,322:DEBUG:acme.client:Sending GET request to
2019-01-29 12:13:26,325:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1):
2019-01-29 12:13:26,549:DEBUG:urllib3.connectionpool: “GET /directory HTTP/1.1” 200 658
2019-01-29 12:13:26,550:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Tue, 29 Jan 2019 11:13:26 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 29 Jan 2019 11:13:26 GMT
Connection: keep-alive

“keyChange”: “”,
“meta”: {
“caaIdentities”: [
“termsOfService”: “”,
“website”: “
“newAccount”: “”,
“newNonce”: “”,
“newOrder”: “”,
“revokeCert”: “”,
“skehR9wD_cU”: “Adding random entries to the directory
2019-01-29 12:13:26,554:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.28.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/", line 1340, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/", line 1089, in run
    should_get_cert, lineage = _find_cert(config, domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/", line 286, in _find_cert
    action, lineage = _find_lineage_for_domains_and_certname(config, domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/", line 313, in _find_lineage_for_domains_and_certname
    return _find_lineage_for_domains(config, domains)
  File "/usr/lib/python3/dist-packages/certbot/", line 266, in _find_lineage_for_domains
    return _handle_subset_cert_request(config, domains, subset_names_cert)
  File "/usr/lib/python3/dist-packages/certbot/", line 163, in _handle_subset_cert_request
  File "/usr/lib/python3/dist-packages/certbot/display/", line 218, in yesno
  File "/usr/lib/python3/dist-packages/certbot/display/", line 85, in input_with_timeout
    raise EOFError
2019-01-29 12:13:26,556:ERROR:certbot.log:An unexpected error occurred:


force_interactive = True - your Certbot wants an input.

But there is no input, so it’s a timeout.



Yes but the script is so fast I don’t have any chance to press a key…

More seriously, I’m running the script via the Webmin console and this is (maybe) related (the script is not waiting for input and exits right away).

I will try to run it with plain ssl/putty and let you know.


Running the script with putty solved the problem.

I just need to check the next letsencrypt renewal deadline now!

Thanks Juergen for your help



You don’t have to remove IPv6 from the server; only remove it from the global DNS zone.
If that is not possible, then I don’t think you will be able to use HTTP validation.
Maybe DNS validation can work for your case.


He has already created a new certificate.
	29.04.2019, - 2 entries

So Letsencrypt accepts these Teredo tunneling addresses.


Accepts it? Like it actually uses it?
Or it just ignores it (and falls back to any other available address - like the IPv4 address in this case)?


The ipv6 Teredo is there:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| | A | | yes | 1 | 0 |
| | AAAA | 2001:41d0:401:3100::702d | yes | | |
| | A | | yes | 1 | 0 |
| | AAAA | 2001:41d0:401:3100::702d | yes | | |

And the Topic uses this address.

Now the file was ok -> new certificate.


OK, the confusion is that this is actually a normal IPv6 address (assigned to OVH France).

So this is an incorrect assumption:


It isn’t a normal IPv6 address, it’s a Teredo tunneling address. As far as I know, it should be used as a client address (sample: mobile clients), that may change. Not as a static server address.


How do you know this?


Bits 0 to 31 hold the Teredo prefix (2001::/32).

That doesn’t cover: 2001:40d0::
Only 2001:0000::


Yep, thanks, it’s my error.


2001::/32 2001:: 2001::ffff:ffff:ffff:ffff:ffff:ffff

is a ::, not

2001::/32 2001:: 2001:ffff:ffff:ffff:ffff:ffff:ffff:ffff

So everything starting with 2001:0000: is a Teredo address. Must fix it.
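
The range mix-up resolved at the end of this thread, as an added example that is not part of any post: it compares the over-wide range from the quoted warning (2001:0000:… to 2001:ffff:…, i.e. 2001::/16) with the actual Teredo prefix 2001::/32, and decodes the embedded IPv4 addresses when an address really is Teredo. The function names and the second sample address are assumptions made for the example; only the AAAA value comes from the thread.

```python
import ipaddress

# Actual Teredo prefix: bits 0 to 31 are 2001:0000.
TEREDO_NET = ipaddress.ip_network("2001::/32")
# Range printed in the warning quoted in the thread
# (2001:0000:... to 2001:ffff:...), which is really 2001::/16.
WARNING_RANGE = ipaddress.ip_network("2001::/16")


def classify_aaaa(addr_text):
    """Describe how one AAAA value relates to the Teredo prefix."""
    addr = ipaddress.IPv6Address(addr_text)
    info = {
        "address": str(addr),
        "in_warning_range": addr in WARNING_RANGE,
        "is_teredo": addr in TEREDO_NET,
        "teredo_server": None,
        "teredo_client": None,
    }
    if info["is_teredo"]:
        value = int(addr)
        # Bits 32-63 carry the Teredo server's IPv4 address.
        server = ipaddress.IPv4Address((value >> 64) & 0xFFFFFFFF)
        # Bits 96-127 carry the client's external IPv4, XORed with all ones.
        client = ipaddress.IPv4Address((value & 0xFFFFFFFF) ^ 0xFFFFFFFF)
        info["teredo_server"] = str(server)
        info["teredo_client"] = str(client)
    return info


def false_positives(addresses):
    """Addresses the /16 range flags even though they are not Teredo."""
    results = [classify_aaaa(a) for a in addresses]
    return [r["address"] for r in results
            if r["in_warning_range"] and not r["is_teredo"]]


if __name__ == "__main__":
    samples = [
        "2001:41d0:401:3100::702d",                 # AAAA record from the thread
        "2001:0000:4136:e378:8000:63bf:3fff:fdd2",  # constructed Teredo-format sample
    ]
    for sample in samples:
        print(classify_aaaa(sample))
    print("flagged by /16 only:", false_positives(samples))
```
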