Letsencrypt working with one domain not anotherone

since a few weeks I have an issue with letsencrypt not being able to renew a certificat for a domain.

I have repeatedly tried with always the same log:

[...]Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.domain.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my.domain.net/.well-known/acme-challenge/C2jcc9d6swAzRrC7gkMlICtPyB26_RRybOfyGlOOR08: Timeout during connect (likely firewall problem)
- The following errors were reported by the server:

Domain: my.domain.net
Type: connection
Detail: Fetching
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Strange enough: I have another DNS name provided by manufacturer of my router, which works perfectly well with letsencrypt to create or renew the certificate.

Of course:

  • both A/AAAA records are correct, I can even connect to “my.domain.net” when I accept the certificate error…
  • I have deleted the entire letsencrypt configuration and started all over from NCP panel…

Any ideas welcome. Ideally I would have letsencrypt create certificates for both domains, but first “my.domain.net” would have to be accepted.

likely firewall problem

have you check your firewall rules again.
verify ports 80:443 are still ok ?

I thought, as I can use ncp-web to have letsencrypt create one certificate for the one domain successfully but the other domain the same settings do not work, it is not likely to be a port/firewall issue. Am I wrong?

at least, try to flush firewall, try renew, restate firewall…

You may have an ports redirect problem like port 80 being permanently redirect to 443.

ncp-web’s letsencrypt will only work for one domain afaik.

If you have ssh or screen+keyboard all the normal certbot commands are available from the terminal.

Once virtual host is set up, for example:

sudo certbot certonly --webroot -w /var/www/html/your.domain.tld -d your.domain.tld

should get you valid certificate for the domain.

I know, that ncp-web only supports one domain. This is not the issue. I think I was unclear:

I have two domain names linked to the same IP. The one is provided by the manufacturer of my router (xyz.routermanufact.tld), the other one is a “free dynamic dns service” (dynv6.com). Both are updated on every IP change. No issue with that.
I had mydomain.dynv6.net worked for over a year perfectly well. There was an interruption of the service for 1 or two days and I could not reach via that domain name, so I used the xyz.routermanufact.tld to create a new valid certificate and could connect fine. With this I can create/renew the certificate easily in ncp-web. No issue at all.

Now I would like to revert back to mydomain.dynv6.net (which is much easier to remember when logging in from abroad), but when I enter this domain name in ncp-web it leads to the given error.

[it worked well before; I can still connect via “mydomain.dynv6.net” if I accept the certificate being valid for “xyz.routermanufact.tld”]

How can this be a firewall issue? What do I overlook?

@stratege1401: there is no permanent redirection, ports open.

Access from abroad to the server is possible. Not sure what I could further check.

@OliverV: tried that from the console, but unfortunately results in the same output as before in ncp-web.

Anyone having an idea about the root cause of my problem?

sorry, no clue.

Try on lets-encrypt community forum:

I had this problem when I ran an install previously. Turned out that the port forwarding on the router wasn’t set up correctly to the right IP address (I’d literally typed in 192.168.10.xxx instead of 192.168.11.xxx)

My understanding is that letsecrypt needs a clear route and dns resolve to the server you’re working with.

Would probably be also worth checking that your domain name resolves against the right WAN / Public IP address as well, especially if you’re using a Dynamic DNS Service. I use https://mxtoolbox.com/DNSLookup.aspx for this and whatismyip.com to verify your WAN / Public IP address.

Hope this helps :slight_smile:

thanks to all.
I had already run diverse DNS tests (dnsviz and others) showing issues for the respective domain (but not the other). Although I had sent a mail to the dynamic DNS service provider for clarification, I was able to create a certificate in the very same minute - so not likely that they had already intervened :wink:

So - for some reason I can’t explain - all works now as previously. Quite odd, but the result is what I needed :smiley: