Unable to generate new certificate on AWS

My domain is:

I ran this command:
sudo certbot certonly --webroot -w /path/to/sites/root/ -d bitoffirehost.com -d www.bitoffirehost.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bitoffirehost.com
http-01 challenge for www.bitoffirehost.com
Using the webroot path /path/to/sites/root/ for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.bitoffirehost.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.bitoffirehost.com/.well-known/acme-challenge/gpNH3G05oQndon3uIwRCRlO9wqzWto9oUJTejXf4-SA: Timeout, bitoffirehost.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bitoffirehost.com/.well-known/acme-challenge/6hgBONgIFbICDkdrm_OE-38MbjpMcjNZm4Fv4RCNemo: Timeout


My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Amazon Web Services

I can login to a root shell on my machine (yes or no, or I don’t know):
No, I can sudo from main user

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

My server block for nginx is:
server {
listen [2a05:d01c:eb7:1900:c7bc:6710:787c:fad9]:80;

server_name     bitoffirehost.com;
server_name www.bitoffirehost.com;

root                /path/to/sites/root/;
access_log          /path/to/sites/logs/access.log;
error_log           /path/to/sites/logs/errors.log;

index index.php index.html;

gzip off;

location / { try_files $uri $uri/ /index.php?$args; }

location ~ /\.ht { deny all; }

location ~ \.php$ {
    try_files $uri =404;

    fastcgi_pass unix:/run/php/php7.2-fpm.sock;
    fastcgi_index index.php;

    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include /etc/nginx/fastcgi.conf;


My domains A and AAAA records are pointing to the Elastic IP provided by Amazon, and it looks like Lets Encrypt can resolve the site, however it is failing to verify the challenge. Is there something ridiculously stupid I am overlooking, or is it an AWS issue?

I can connect to the site over IPv4, but connecting to it over IPv6 times out.

Are you sure the DNS records and everything are correct?

I copied and pasted the IPv6 record that Amazon gave me.


Are you sure the OS networking configuration, firewall, and security groups are correct?

OS is set up to listen and respond on IPv6, There is no firewall and the security group only allows port 80 and 443 through, on both IPv6 and IPv4, along with ping.

If I try and ping6 from another EC2 instance on the same VPC, I get a reply, while pinging from outside gets no answer. If I try and ping using an IPv4 address, I get a reply from both inside and outside the VPC.

As I seem to be able to use IPv4, is there a way of forcing Lets Encrypt to use a v4 connection, rather than v6?

Actually, I have got it working now. By default Amazon does not add a route to the route table allowing external IPv6 traffic.

After editing the route table this is now working.

Thanking you for pointing I’m in the right direction mnordhoff, I got there in the end.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.