Unable to obtain certificates for root domains

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
syntafin.de

I ran this command:
acme.sh --issue -d syntafin.de -d www.syntafin.de -d api.syntafin.de -w /home/forge/syntafin.de/public --debug

It produced this output:

2024-01-19 07:57:49 URL:https://forge-certificates.laravel.com/le/2044530/2185005/ecdsa?env=production [4511] -> "letsencrypt_script1705647469" [1]
Cloning into 'letsencrypt1705647469'...
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]	"http-01"
["status"]	"invalid"
["error","type"]	"urn:ietf:params:acme:error:connection"
["error","detail"]	"157.90.249.186: Fetching https://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0: Timeout during connect (likely firewall problem)"
["error","status"]	400
["error"]	{"type":"urn:ietf:params:acme:error:connection","detail":"157.90.249.186: Fetching https://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0: Timeout during connect (likely firewall problem)","status":400}
["url"]	"https://acme-v02.api.letsencrypt.org/acme/chall-v3/305769841526/FP2wgg"
["token"]	"vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0"
["validationRecord",0,"url"]	"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0"
["validationRecord",0,"hostname"]	"api.syntafin.de"
["validationRecord",0,"port"]	"80"
["validationRecord",0,"addressesResolved",0]	"157.90.249.186"
["validationRecord",0,"addressesResolved",1]	"2a01:4f8:c012:de1a::2"
["validationRecord",0,"addressesResolved"]	["157.90.249.186","2a01:4f8:c012:de1a::2"]
["validationRecord",0,"addressUsed"]	"2a01:4f8:c012:de1a::2"
["validationRecord",0]	{"url":"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"80","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"2a01:4f8:c012:de1a::2"}
["validationRecord",1,"url"]	"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0"
["validationRecord",1,"hostname"]	"api.syntafin.de"
["validationRecord",1,"port"]	"80"
["validationRecord",1,"addressesResolved",0]	"157.90.249.186"
["validationRecord",1,"addressesResolved",1]	"2a01:4f8:c012:de1a::2"
["validationRecord",1,"addressesResolved"]	["157.90.249.186","2a01:4f8:c012:de1a::2"]
["validationRecord",1,"addressUsed"]	"157.90.249.186"
["validationRecord",1]	{"url":"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"80","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"157.90.249.186"}
["validationRecord",2,"url"]	"https://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0"
["validationRecord",2,"hostname"]	"api.syntafin.de"
["validationRecord",2,"port"]	"443"
["validationRecord",2,"addressesResolved",0]	"157.90.249.186"
["validationRecord",2,"addressesResolved",1]	"2a01:4f8:c012:de1a::2"
["validationRecord",2,"addressesResolved"]	["157.90.249.186","2a01:4f8:c012:de1a::2"]
["validationRecord",2,"addressUsed"]	"2a01:4f8:c012:de1a::2"
["validationRecord",2]	{"url":"https://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"443","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"2a01:4f8:c012:de1a::2"}
["validationRecord"]	[{"url":"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"80","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"2a01:4f8:c012:de1a::2"},{"url":"http://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"80","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"157.90.249.186"},{"url":"https://api.syntafin.de/.well-known/acme-challenge/vGJX_N6ppIwjfXpud7AJQ5R3Ibmsdg9lYORhcR5oOL0","hostname":"api.syntafin.de","port":"443","addressesResolved":["157.90.249.186","2a01:4f8:c012:de1a::2"],"addressUsed":"2a01:4f8:c012:de1a::2"}]
["validated"]	"2024-01-19T06:58:05Z")

My web server is (include version):
nginx/1.24.0

The operating system my web server runs on is (include version):
Ubuntu 22.04

My hosting provider, if applicable, is:
Hetzner Cloud

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
Laravel Forge

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
acme.sh 3.0.8/Laravel Forge

Additional information:
I am unable to obtain a certificate for all root domains on the server; that means, for example, "syntafin.de" (with aliases for www.syntafin.de and api.syntafin.de). But I can obtain certificates for subdomains only, without any issue; an example would be example.syntafin.de.

I only have 3 DNS records for this domain: an A/AAAA record pointing to the IP and a CNAME wildcard record.

After I talked to Hetzner I opened a ticket at Laravel Forge and they said "not a problem on our side ask in LetsEncrypt forum".

For the moment I use an old Let's Encrypt certificate I copied over from my old server, but the end for this one is near (around 6 days till expiration).
Anyone any idea?

Your IPv6 address 2a01:4f8:c012:de1a::2 is not working. The error mentioning IPv4 is unfortunately a mix-up on Let's Encrypt's side: the validation server attempts to connect to http:// using IPv6 and, if that doesn't work, falls back to IPv4. Here, IPv4 results in a redirect to https://, so the validation server makes a new validation attempt using https://, but ONLY tries IPv6 and does NOT fall back again to IPv4 (I dunno why..), but DOES somehow show the IPv4 address of the first successful attempt (the http:// to https:// redirect) and NOT the failing IPv6 address. (I dunno why...)

You should fix your IPv6 connectivity :slight_smile:

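One way to read that debug dump and check the addresses yourself, as an added example that is not part of this thread and not acme.sh's or Let's Encrypt's own code: it parses the `["json","path"]<TAB>value` lines acme.sh prints with `--debug`, lists the validation attempts in order (an attempt that is followed by another one got a redirect; the last one is the one that failed), contrasts the address the final attempt actually used with the address named in the error text, and then TCP-probes every resolved address on ports 80 and 443. The embedded sample is an abbreviated copy of the output quoted in the question with the challenge token replaced by the placeholder `TOKEN`; the probe runs from the machine you run it on, not from the CA's vantage points, so a local success only rules out host-side causes, while a local failure on an address is a strong signal.

```python
"""Added example (not acme.sh code): read an acme.sh http-01 failure dump and probe the addresses it tried."""
import json
import socket

# Constructed sample: an abbreviated copy of the debug output quoted in the
# question, with the challenge token replaced by the placeholder TOKEN.
SAMPLE_DEBUG_OUTPUT = "\n".join("\t".join(pair) for pair in [
    ('ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]', '"http-01"'),
    ('["status"]', '"invalid"'),
    ('["error","detail"]', '"157.90.249.186: Fetching https://api.syntafin.de/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)"'),
    ('["error","status"]', '400'),
    ('["validationRecord",0,"url"]', '"http://api.syntafin.de/.well-known/acme-challenge/TOKEN"'),
    ('["validationRecord",0,"port"]', '"80"'),
    ('["validationRecord",0,"addressesResolved",0]', '"157.90.249.186"'),
    ('["validationRecord",0,"addressesResolved",1]', '"2a01:4f8:c012:de1a::2"'),
    ('["validationRecord",0,"addressUsed"]', '"2a01:4f8:c012:de1a::2"'),
    ('["validationRecord",1,"url"]', '"http://api.syntafin.de/.well-known/acme-challenge/TOKEN"'),
    ('["validationRecord",1,"port"]', '"80"'),
    ('["validationRecord",1,"addressesResolved",0]', '"157.90.249.186"'),
    ('["validationRecord",1,"addressesResolved",1]', '"2a01:4f8:c012:de1a::2"'),
    ('["validationRecord",1,"addressUsed"]', '"157.90.249.186"'),
    ('["validationRecord",2,"url"]', '"https://api.syntafin.de/.well-known/acme-challenge/TOKEN"'),
    ('["validationRecord",2,"port"]', '"443"'),
    ('["validationRecord",2,"addressesResolved",0]', '"157.90.249.186"'),
    ('["validationRecord",2,"addressesResolved",1]', '"2a01:4f8:c012:de1a::2"'),
    ('["validationRecord",2,"addressUsed"]', '"2a01:4f8:c012:de1a::2"'),
    ('["validated"]', '"2024-01-19T06:58:05Z")'),
])

def _set_path(tree: dict, path: list, value) -> None:
    node = tree
    for key in path[:-1]:  # list indices stay int keys, object keys stay str
        node = node.setdefault(key, {})
    node[path[-1]] = value

def parse_acme_sh_result(text: str) -> dict:
    """Turn the '["json","path"]<TAB>value' lines into a nested dict of leaf values."""
    tree: dict = {}
    for raw in text.splitlines():
        start = raw.find("[")
        if start < 0 or "\t" not in raw:
            continue  # acme.sh chatter, not a path/value pair
        path_text, _, value_text = raw[start:].partition("\t")
        try:
            path = json.loads(path_text)
        except json.JSONDecodeError:
            continue
        try:
            value = json.loads(value_text)
        except json.JSONDecodeError:
            # the last line carries acme.sh's closing parenthesis after the value
            value = json.loads(value_text.rstrip(")"))
        if isinstance(value, (dict, list)):
            continue  # composite entries only repeat what the leaf entries said
        _set_path(tree, path, value)
    return tree

def validation_attempts(parsed: dict) -> list:
    """The CA's attempts in order; an attempt followed by another one got a redirect."""
    attempts = []
    for _, rec in sorted(parsed.get("validationRecord", {}).items()):
        resolved = rec.get("addressesResolved", {})
        attempts.append({
            "url": rec["url"],
            "port": rec["port"],
            "addressUsed": rec["addressUsed"],
            "addressesResolved": [resolved[i] for i in sorted(resolved)],
        })
    return attempts

def diagnose(parsed: dict) -> dict:
    """Contrast the address the final attempt really used with the one in the error."""
    attempts = validation_attempts(parsed)
    if not attempts:
        return {"status": parsed.get("status"), "note": "no validation records"}
    final = attempts[-1]
    named = parsed.get("error", {}).get("detail", "").partition(": ")[0]
    return {
        "final_url": final["url"],
        "address_used_in_final_attempt": final["addressUsed"],
        "address_named_in_error": named,
        "mismatch": named != final["addressUsed"],
        "addresses_to_probe": final["addressesResolved"],
    }

def probe_addresses(addresses, ports=(80, 443), timeout=5.0,
                    connect=socket.create_connection) -> dict:
    """TCP-connect to each address on each port from this machine; True means it connected."""
    reachable = {}
    for addr in addresses:
        for port in ports:
            try:
                sock = connect((addr, port), timeout=timeout)
            except OSError:  # timeout, refused, or no route (e.g. a wrong AAAA record)
                reachable[(addr, port)] = False
            else:
                sock.close()
                reachable[(addr, port)] = True
    return reachable
```

Paste your own `--debug` output into `parse_acme_sh_result`, call `diagnose` on the result, and then `probe_addresses(report["addresses_to_probe"])`. For the dump above it reports that the final https:// attempt used 2a01:4f8:c012:de1a::2 while the error text names 157.90.249.186, which is exactly the mismatch described in the reply; a probe that connects on the IPv4 address but fails on the IPv6 one points at the AAAA record or the host's IPv6 setup rather than at the web server configuration.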

Hey, thank you for the quick answer and a first light on this issue!
That the IPv6 is wrong is something that surprises me, as the DNS panel for the said domain gave this for my server:
[image: screenshot of the DNS panel]

Could this be a bug in the DNS tool from Hetzner, or is there a way for me to check in a "fast" way what the correct IPv6 address would be? (Hetzner shows only the full subnet that is attached: 2a01:4f8:c012:de1a::/64)

//Update:

I just did a quick trial-and-error ping to the IPv6 addresses and found out that ::1 is the correct one! I will open a bug report at Hetzner to tell them about the issue :slight_smile:!
Again thanks for the quick help!

