Trying to renew certificate after migration to http-01 - Error getting validation data

Hello guys,

After migrating to the http-01 challenge I could not renew my certificate.
I tried a lot of different tips and disabled the https redirect in my Apache config, but nothing seems to help.

My domain is: d4x.de

I ran this command:
sudo certbot run -a webroot -i apache -w /var/www -d d4x.de
I also tried
sudo certbot certonly --manual --preferred-challenges http

It produced this output:

Cleaning up challenges
Failed authorization procedure. d4x.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://d4x.de/.well-known/acme-challenge/ztgINcZpGm6PNhdey62CZ9uFnCO48LWg0ssPglcP9_c: Error getting validation data, www.d4x.de (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.d4x.de/.well-known/acme-challenge/3EXJx0dea0CHofPE5UBN3CxDADyNPdJ0wic-zZvL8xI: Error getting validation data

My web server is (include version):
apache
Version : 2.4.6
Release : 88.el7.centos

The operating system my web server runs on is (include version):
CentOS Linux release 7.6.1810
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I could access the files mentioned above via curl:
curl http://www.d4x.de/.well-known/acme-challenge/3EXJx0dea0CHofPE5UBN3CxDADyNPdJ0wic-zZvL8xI

3EXJx0dea0CHofPE5UBN3CxDADyNPdJ0wic-zZvL8xI.QgLi5cainC9MgxRRgAhO5Szy-3NFl2FSxWv-kK1wz1g

So I don't understand why the Let's Encrypt server could not reach the files.
Thanks in advance for any hints.
Daniel

For me, attempts to connect to the site’s IPv6 and IPv4 addresses using HTTP both return ICMP destination unreachable - administratively prohibited errors.

HTTPS works.

Hi @dm2002

I see, you have checked your domain via https://check-your-website.server-daten.de/?q=d4x.de

You have ipv4 and ipv6 addresses:

Host        T     IP-Address                              is auth.  ∑ Queries  ∑ Timeout
d4x.de      A     85.214.136.24                           yes       2          0
            AAAA  2a01:238:4391:af00:8626:8ad:a194:4b90   yes
www.d4x.de  C     d4x.de                                  yes       1          0
            A     85.214.136.24                           yes
            AAAA  2a01:238:4391:af00:8626:8ad:a194:4b90   yes

But http / port 80 has a timeout - ipv4 and ipv6:

Columns per address: Http-Status, redirect (empty for every row), Sec., G (grade).

http://d4x.de/
    85.214.136.24                           -14   10.027   T   Timeout - The operation has timed out
    2a01:238:4391:af00:8626:8ad:a194:4b90   -14   10.027   T   Timeout - The operation has timed out
http://www.d4x.de/
    85.214.136.24                           -14   10.026   T   Timeout - The operation has timed out
    2a01:238:4391:af00:8626:8ad:a194:4b90   -14   10.027   T   Timeout - The operation has timed out
https://d4x.de/
    85.214.136.24                           200   0.083    A
    2a01:238:4391:af00:8626:8ad:a194:4b90   200   0.083    A
https://www.d4x.de/
    85.214.136.24                           200   0.093    A
    2a01:238:4391:af00:8626:8ad:a194:4b90   200   0.087    A
http://d4x.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    85.214.136.24                           -14   10.030   T   Timeout - The operation has timed out   Visible Content: (none)
    2a01:238:4391:af00:8626:8ad:a194:4b90   -14   10.030   T   Timeout - The operation has timed out   Visible Content: (none)
http://www.d4x.de/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    85.214.136.24                           -14   10.026   T   Timeout - The operation has timed out   Visible Content: (none)
    2a01:238:4391:af00:8626:8ad:a194:4b90   -14   10.026   T   Timeout - The operation has timed out   Visible Content: (none)

https works, you can use a redirect http -> https. But if you want to use http-01 validation, the first connection is via http.

Letsencrypt prefers ipv6, so that should work.

Thanks, Jürgen and mnordhoff,
I read the information on your site but didn't believe it. :confused: curl seems to switch to https without any further notice, so it was misleading me.
The problem was that I blocked port 80 in firewalld quite a while ago and didn’t remember that setting. This setting was never a problem for any browser, but certbot seems to be a little bit picky and does not try to reach 443.

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http --permanent

and then certbot runs smoothly:

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/d4x.de-0001/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/d4x.de-0001/fullchain.pem (success)

Big thanks to you and the service you offer on your website! It’s really impressive how many people you’ve helped in this forum.
Greetings Daniel

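The probe behind Jürgen's table and the firewalld check behind Daniel's fix, as an added example that is not part of the thread and not a tool from Let's Encrypt or server-daten.de. It fetches the exact acme-challenge URL the validator requests, pinned to each A and AAAA address in turn, over plain http and without following redirects, so a blocked port 80 shows up as a timeout or unreachable error instead of being hidden by an http-to-https redirect. It has to be run from a machine outside the web server: from the server itself a connection to its own public address never passes firewalld's public-zone input rules, which is why Daniel's curl looked fine. The domain, the token and the firewalld service strings in the usage line and the comments are placeholders; curl, getent, awk and sort are assumed to be installed.

```shell
#!/bin/sh
# Added example (not code from the thread or from Let's Encrypt): probe
# HTTP-01 reachability per address and check the firewalld public zone.
# Run the probe from OUTSIDE the web server; see the lead-in above.

# Turn curl's exit status into a diagnosis of what happened on port 80.
diagnose_curl_rc() {
  case "$1" in
    0)  echo "reachable" ;;
    6)  echo "DNS lookup failed" ;;
    7)  echo "connection refused or ICMP unreachable: REJECT rule, or nothing listening on port 80" ;;
    28) echo "timeout: packets dropped or filtered before reaching the web server" ;;
    *)  echo "curl exit status $1" ;;
  esac
}

# The exact URL the validator fetches for a token: plain http, never https.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# curl's --resolve wants IPv6 literals in brackets and IPv4 literals bare.
pin_addr() {
  case "$1" in
    *:*) printf '[%s]' "$1" ;;
    *)   printf '%s' "$1" ;;
  esac
}

# Does the firewalld zone expose the http service? Takes the output of
# `firewall-cmd --zone=public --list-services` as its argument so the logic
# can be exercised offline; on the server call it as
#   firewalld_allows_http "$(sudo firewall-cmd --zone=public --list-services)"
firewalld_allows_http() {
  for svc in $1; do
    [ "$svc" = "http" ] && return 0
  done
  return 1
}

# Fetch the challenge URL pinned to one address. -L is deliberately absent:
# an http->https redirect is fine once the connection exists, but the first
# hop must be answered on port 80. --connect-timeout keeps a filtered port
# from hanging for minutes. curl prints HTTP code 000 when no connection
# was made.
probe_address() {
  host=$1; addr=$2; token=$3
  code=$(curl -sS -o /dev/null -w '%{http_code}' \
           --connect-timeout 10 --max-time 20 \
           --resolve "$host:80:$(pin_addr "$addr")" \
           "$(challenge_url "$host" "$token")" 2>/dev/null)
  rc=$?
  printf '%-40s HTTP %s  %s\n' "$addr" "${code:-000}" "$(diagnose_curl_rc "$rc")"
  return "$rc"
}

# Probe every A and AAAA record of the host. As Jürgen notes, the validator
# prefers IPv6 when an AAAA record exists, so both families must answer;
# one blocked address family is enough to fail the authorization.
probe_host() {
  host=$1; token=$2; failed=0
  for addr in $(getent ahosts "$host" | awk '{print $1}' | sort -u); do
    probe_address "$host" "$addr" "$token" || failed=1
  done
  return "$failed"
}

# Usage (placeholders): sh acme-http01-probe.sh d4x.de sometoken
# A token that is not on disk still answers the reachability question:
# HTTP 404 over a completed connection means port 80 is open; a token you
# placed under /var/www/.well-known/acme-challenge/ should come back 200.
if [ "$#" -eq 2 ]; then
  probe_host "$1" "$2"
fi
```

With firewalld in its default REJECT configuration the failed probe typically reports exit status 7 (the ICMP administratively prohibited reply mnordhoff saw); when the ICMP error is filtered somewhere on the path it degrades to a 28 timeout, which is what check-your-website recorded. Either way the fix is the same pair of firewall-cmd commands from Daniel's post, and a second run of the probe should show HTTP 200 or 404 on every address before certbot is retried.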