Unable to renew SSL certificate

My domain is: email.pineberry.services

I ran this command: sudo certbot -v certonly --webroot --dry-run -w /var/www/html -d email.pineberry.services

(I first had used "certbot renew", but since I was running into issues I wanted to first do the dry run until it works)

It produced this output:

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: email.pineberry.services
    Type: connection
    Detail: XXX.XXX.XX.XXX: Fetching
    https://email.pineberry.services/.well-known/acme-challenge/-tR6WFaIojllBj-zuDWX0x1brZ-4t7Zo7E8YFvMe2Dc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Nginx 1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.5 LTS

My hosting provider, if applicable, is: IONOS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Hello everyone,
I've been trying for a few days now to renew my SSL certificate for our email server. I've been running this server for about a year and have already renewed the certificate a few times without any issues, until now unfortunately. I still have a valid certificate for about 1 week, and I can access my sites on the server and everything is working fine.

I already went through different threads and tried the solutions I found there, so far unfortunately without any success.

At my firewall port 80 and port 443 are open. I also tried to ping port 80 and it is available. I also put a test file at the path where it is trying to put the challenge and accessed it via the browser which is working.

I checked the webroot path and it is also the one I use in the command as shown below:

Does anyone have any idea what the issue might be?

Thank you very much in advance!

I get a 404 not found, so it's either a transient error, or something is filtering Let's Encrypt's validation servers.

4 Likes

@9peppe thank you very much for your reply.

I've been trying it for around 2 weeks already without much change, so I don't think it is a transient error.

How can I check if and what could filter Let's Encrypt's validation server?

I still have a valid certificate and I have renewed it a few times before. I also have similar Linux servers running at the same provider, and I'm also using Let's Encrypt SSL certificates there; so far my other servers don't seem to be affected.

1 Like

ok... Let's Debug

This confused me. It looks like an IPv4, but it's IPv6 that's not working. You have to tell nginx to listen on IPv6 (listen [::]:80; and such) or remove your AAAA record.

6 Likes
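
The check behind the answer above, as an added example (not part of the original thread): it resolves the A and AAAA records for a host and attempts a TCP connection on port 80 to every published address, so an AAAA record that nothing is listening behind shows up as a finding. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import socket

# Constructed sample data (documentation address ranges), used by the offline demo.
SAMPLE_DNS = {"IPv4": ["192.0.2.10"], "IPv6": ["2001:db8::10"]}

def resolve(host, port=80):
    """Return the addresses published for host, split into A (IPv4) and AAAA (IPv6)."""
    out = {"IPv4": [], "IPv6": []}
    for family, label in ((socket.AF_INET, "IPv4"), (socket.AF_INET6, "IPv6")):
        try:
            infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        out[label] = sorted({info[4][0] for info in infos})
    return out

def can_connect(addr, port=80, timeout=5.0):
    """True if a TCP connection to addr:port succeeds within the timeout."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:  # refused, unreachable, timed out, or no IPv6 stack locally
        return False

def audit(host, port=80, resolver=resolve, probe=can_connect):
    """Probe every published address and report the ones that do not answer."""
    findings = []
    for label, addrs in resolver(host, port).items():
        for addr in addrs:
            if not probe(addr, port):
                findings.append(f"{label} {addr}: no TCP connect on port {port}")
    return findings

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        findings = audit(sys.argv[1])  # live check against real DNS
    else:
        # Offline demo on the constructed data: only the IPv4 address "answers".
        findings = audit("host.example", resolver=lambda h, p: SAMPLE_DNS,
                         probe=lambda a, p: ":" not in a)
    print("\n".join(findings) or "all published addresses accept connections")
```

Run it with the hostname as the argument from a machine outside the server's network that has working IPv6; a host without IPv6 connectivity will report every AAAA address as unreachable.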

Thank you very much @9peppe ! This has solved the problem. It was actually the IPv6, I deleted it from the DNS record and now the renewal was working without any issues.

2 Likes
