.well-known/acme-challenge/ -> Error getting validation data

Hi,

I got a raspberry pi homeserver. On this server I got a docker-container with a reverse proxy running. This setup runs pretty fine for over one year. Also the renewing of the certificates worked fine in the past. But a couple of weeks ago I needed to restart my router (AVM FritzBox) and the IPv6 changes. I just changed the IP at my provider for my domains so they are redirecting to the reverse proxy.
But now I tried to renew my certificates and I got the error which I posted below.

Can anyone help me to find the issue?

My domain is: api.ghp.stoelting-michael.de, bitwarden.stoelting-michael.de, nextcloud.stoelting-michael.de, portainer.stoelting-michael.de

I ran this command: certbot --apache --debug

It produced this output:
root@de93f7b13286:/var/www/html# certbot --apache --debug
Saving debug log to /var/log/letsencrypt/letsencrypt.log
/etc/letsencrypt/options-ssl-apache.conf has been manually modified; updated file saved to /usr/lib/python3/dist-packages/certbot_apache/_internal/tls_configs/current-options-ssl-apache.conf. We recommend updating /etc/letsencrypt/options-ssl-apache.conf for security purposes.
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?

1: bitwarden.stoelting-michael.de
2: api.ghp.stoelting-michael.de
3: nextcloud.stoelting-michael.de
4: portainer.stoelting-michael.de

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for bitwarden.stoelting-michael.de and 3 more domains
Performing the following challenges:
http-01 challenge for api.ghp.stoelting-michael.de
http-01 challenge for bitwarden.stoelting-michael.de
http-01 challenge for nextcloud.stoelting-michael.de
http-01 challenge for portainer.stoelting-michael.de
Waiting for verification...
Challenge failed for domain api.ghp.stoelting-michael.de
Challenge failed for domain bitwarden.stoelting-michael.de
Challenge failed for domain nextcloud.stoelting-michael.de
Challenge failed for domain portainer.stoelting-michael.de
http-01 challenge for api.ghp.stoelting-michael.de
http-01 challenge for bitwarden.stoelting-michael.de
http-01 challenge for nextcloud.stoelting-michael.de
http-01 challenge for portainer.stoelting-michael.de
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 33, in
sys.exit(load_entry_point('certbot==1.12.0', 'console_scripts', 'certbot')())
File "/usr/lib/python3/dist-packages/certbot/main.py", line 15, in main
return internal_main.main(cli_args)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1413, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 1154, in run
new_lineage = _get_and_save_cert(le_client, config, domains,
File "/usr/lib/python3/dist-packages/certbot/_internal/main.py", line 134, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 441, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 374, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/_internal/client.py", line 421, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:

• The following errors were reported by the server:

  Domain: api.ghp.stoelting-michael.de
  Type: connection
  Detail: 2a02:810b:1a0d:c500:c12b:a8e9:6603:204d: Fetching
  http://api.ghp.stoelting-michael.de/.well-known/acme-challenge/uWFWjPJjer7YbhSfjwGVUY1QmUUGx-xq2_oph3oV8bg:
  Error getting validation data

  Domain: bitwarden.stoelting-michael.de
  Type: connection
  Detail: 2a02:810b:1a0d:c500:c12b:a8e9:6603:204d: Fetching
  http://bitwarden.stoelting-michael.de/.well-known/acme-challenge/KyIxhQUOjF7k3BLHt9dFc2ukcD9A4c08mnkA6-6FDNQ:
  Error getting validation data

  Domain: nextcloud.stoelting-michael.de
  Type: connection
  Detail: 2a02:810b:1a0d:c500:c12b:a8e9:6603:204d: Fetching
  http://nextcloud.stoelting-michael.de/.well-known/acme-challenge/ii4A5CUDPJD_qabcvkrG34s6QRGfoX1IFH-2DoHLboc:
  Error getting validation data

  Domain: portainer.stoelting-michael.de
  Type: connection
  Detail: 2a02:810b:1a0d:c500:c12b:a8e9:6603:204d: Fetching
  http://portainer.stoelting-michael.de/.well-known/acme-challenge/fe49IIzjvHbcrLiwoHKQCLdY0_LgImh1oJrpTV4BC3o:
  Error getting validation data

  To fix these errors, please make sure that your domain name was
  entered correctly and the DNS A/AAAA record(s) for that domain
  contain(s) the right IP address. Additionally, please check that
  your computer has a publicly routable IP address and that no
  firewalls are preventing the server from communicating with the
  client. If you're using the webroot plugin, you should also verify
  that you are serving files from the webroot path you provided.

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu for raspberry pi

My hosting provider, if applicable, is: no

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

Why are you using that command to renew instead of certbot renew?

With regard to your failing challenges: I'm getting a "permission denied" (a.k.a. ICMP code 1 "Administratively prohibited") when connecting to your port 80:

• connect to 2a02:810b:1a0d:c500:c12b:a8e9:6603:204d port 80 from 2a10:xxxx:xxxx:x:xxxx:xxxx:xxxx:xxxx port 40672 failed: Permission denied

Usually it's a firewall doing such a thing. The source of that ICMP reply was from 2a02:810b:0:34::f09. I don't know if that's your Fritz!Box IPv6 address or perhaps an address from your ISP, but it doesn't look to be your actual server looking at the different address than the address currently configured for your website.

(post deleted by author)

Why are you using that command to renew instead of certbot renew?

That is a good questions - I really didn't know that there is this option. I will do this for the future!

With regard to your failing challenges: I'm getting a "permission denied" (a.k.a. ICMP code 1 "Administratively prohibited") when connecting to your port 80:

Usually it's a firewall doing such a thing. The source of that ICMP reply was from 2a02:810b:0:34::f09. I don't know if that's your Fritz!Box IPv6 address or perhaps an address from your ISP, but it doesn't look to be your actual server looking at the different address than the address currently configured for your website.

Ok, that is interesting. I only tested the connection to my domains within my network - of course there it worked. But if I am outside of my wlan, then I also can't access my sites.
So if I understand this correct the problem is not based on letsencrypt, but between the connection of my fritzbox and my raspberry pi, because the IPv6 2a02:810b:0:34::f09 is from my fritzbox. Is that right? Then is only the question how I can fix that