since a few weeks I have an issue with letsencrypt not being able to renew a certificat for a domain.
I have repeatedly tried with always the same log:
[...]Waiting for verification...
Cleaning up challenges
Failed authorization procedure. my.domain.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching https://my.domain.net/.well-known/acme-challenge/C2jcc9d6swAzRrC7gkMlICtPyB26_RRybOfyGlOOR08: Timeout during connect (likely firewall problem)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my.domain.net
Type: connection
Detail: Fetching
https://my.domain.net/.well-known/acme-challenge/C2jcc9d6swAzRrC7gkMlICtPyB26_RRybOfyGlOOR08:
Timeout during connect (likely firewall problem)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Strange enough: I have another DNS name provided by manufacturer of my router, which works perfectly well with letsencrypt to create or renew the certificate.
Of course:
both A/AAAA records are correct, I can even connect to “my.domain.net” when I accept the certificate error…
I have deleted the entire letsencrypt configuration and started all over from NCP panel…
Any ideas welcome. Ideally I would have letsencrypt create certificates for both domains, but first “my.domain.net” would have to be accepted.
I thought, as I can use ncp-web to have letsencrypt create one certificate for the one domain successfully but the other domain the same settings do not work, it is not likely to be a port/firewall issue. Am I wrong?
I know, that ncp-web only supports one domain. This is not the issue. I think I was unclear:
I have two domain names linked to the same IP. The one is provided by the manufacturer of my router (xyz.routermanufact.tld), the other one is a “free dynamic dns service” (dynv6.com). Both are updated on every IP change. No issue with that.
I had mydomain.dynv6.net worked for over a year perfectly well. There was an interruption of the service for 1 or two days and I could not reach via that domain name, so I used the xyz.routermanufact.tld to create a new valid certificate and could connect fine. With this I can create/renew the certificate easily in ncp-web. No issue at all.
Now I would like to revert back to mydomain.dynv6.net (which is much easier to remember when logging in from abroad), but when I enter this domain name in ncp-web it leads to the given error.
[it worked well before; I can still connect via “mydomain.dynv6.net” if I accept the certificate being valid for “xyz.routermanufact.tld”]
How can this be a firewall issue? What do I overlook?
I had this problem when I ran an install previously. Turned out that the port forwarding on the router wasn’t set up correctly to the right IP address (I’d literally typed in 192.168.10.xxx instead of 192.168.11.xxx)
My understanding is that letsecrypt needs a clear route and dns resolve to the server you’re working with.
Would probably be also worth checking that your domain name resolves against the right WAN / Public IP address as well, especially if you’re using a Dynamic DNS Service. I use https://mxtoolbox.com/DNSLookup.aspx for this and whatismyip.com to verify your WAN / Public IP address.
thanks to all.
I had already run diverse DNS tests (dnsviz and others) showing issues for the respective domain (but not the other). Although I had sent a mail to the dynamic DNS service provider for clarification, I was able to create a certificate in the very same minute - so not likely that they had already intervened
So - for some reason I can’t explain - all works now as previously. Quite odd, but the result is what I needed
