Let's Encrypt cannot add certificate for main domain

Mitch

Hi all,

Just did a setup of a new server and moved domains to the new server.
Now I'm running into some issues with Let's Encrypt.

I select a few domains for generating the SSL:

domain.com
subdomain.domain.com
www.domain.com

This gives an error:

```
Challenge pre-checks for http://domain.com/.well-known/acme-challenge/letsencrypt_1615128498 failed.
```

When I remove domain.com from the selection and only request subdomain.domain.com and www.domain.com, requesting the SSL works fine.

So I followed those steps: https://help.directadmin.com/item.php?id=646

All those steps work fine.

So I tried the command that Let's Encrypt tries to run:

```
/usr/bin/curl --connect-timeout 40 -k --silent --resolve domain.com:80:IPV6 --resolve domain.com:IPV6 -I -L -X GET http://domain.com/.well-known/acme-challenge/letsencrypt_1615128498
```

I tried this locally and on the server itself, and both give the same response:

```
curl: (7) Failed to connect to domain.com port 80: Connection refused
```

While I can visit http://domain.com/.well-known/acme-challenge/test.txt and I see the test output.

I tried to replace domain.com with localhost:

```
/usr/bin/curl --connect-timeout 40 -k --silent --resolve localhost:80:IPV6 --resolve localhost:IPV6 -I -L -X GET http://domain.com/.well-known/acme-challenge/letsencrypt_1615128498
```

That gives the response:

```
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 07 Mar 2021 14:56:08 GMT
Content-Type: text/plain
Content-Length: 5
Last-Modified: Sun, 07 Mar 2021 14:14:08 GMT
Connection: keep-alive
ETag: "6044dfb0-5"
Accept-Ranges: bytes
```

So I don't think it's an issue in Let's Encrypt, but maybe DNS? (Would be weird because the URL works, though.)

Does somebody have an idea how to fix this?


-------------------------------
Update


I tried to use the IPv4 address instead of IPv6 and that works. So now I have to figure out how to force Let's Encrypt to use IPv4.
I followed https://help.directadmin.com/item.php?id=353 and disabled it by setting ipv6=0, but Let's Encrypt is still using IPv6...



-------------------------------
Another update

I'm reading the script that tries to build the command for Let's Encrypt.

Its first attempt to get an IP is looking into the DNS for an IPv6 address:

```
IP_TO_RESOLV=`${DIG} @${DNS_SERVER} AAAA ${1} +short | grep -v '\.$' | tail -n1`
```

So for now, to test it, I removed the AAAA record from my DNS. I guess I have to wait a bit to test this out.



--------------------------------
Last update.

Removing the AAAA record did do the trick. This might add more confusion in the future; I think the DirectAdmin script needs to consider its own ipv6 option instead of looking at the DNS.
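The address-selection logic the post walks through, reworked as an added example that is not DirectAdmin's own letsencrypt.sh: consult the panel's ipv6 setting before asking DNS for an AAAA record, fall back to the A record, and run the same curl pre-check against the chosen address. The names DIG, DNS_SERVER, pick_ip and precheck are chosen for this example.

```shell
#!/bin/sh
# Added example, not the DirectAdmin script. Picks the address an ACME
# HTTP-01 pre-check should --resolve to, honouring a local ipv6=0/1
# setting instead of blindly preferring whatever AAAA record DNS returns.
DIG=${DIG:-dig}                  # dig binary (or a test stub)
DNS_SERVER=${DNS_SERVER:-127.0.0.1}

# last_record TYPE DOMAIN -> prints the last non-CNAME answer, like the
# original grep -v '\.$' | tail -n1 pipeline (CNAME targets end in a dot)
last_record() {
    $DIG @"$DNS_SERVER" "$1" "$2" +short | grep -v '\.$' | tail -n1
}

# pick_ip DOMAIN IPV6_ENABLED -> prints one address; returns 1 if none.
# Only looks at AAAA when the local ipv6 option is on, so a host that
# publishes an AAAA record but does not listen on it is not pre-checked
# over IPv6 (the failure mode described in the post).
pick_ip() {
    domain=$1
    ipv6_enabled=$2
    ip=""
    if [ "$ipv6_enabled" = "1" ]; then
        ip=$(last_record AAAA "$domain")
    fi
    if [ -z "$ip" ]; then
        ip=$(last_record A "$domain")
    fi
    if [ -z "$ip" ]; then
        return 1
    fi
    printf '%s\n' "$ip"
}

# precheck DOMAIN IP TOKEN -> 0 if the challenge URL answers 200 over IP,
# using the same curl invocation the panel logs (constructed TOKEN).
precheck() {
    domain=$1
    ip=$2
    token=$3
    curl --connect-timeout 40 -k --silent --resolve "$domain:80:$ip" \
        -I -L -X GET "http://$domain/.well-known/acme-challenge/$token" \
        | head -n1 | grep -q ' 200 '
}
```

Run as `ip=$(pick_ip domain.com 0) && precheck domain.com "$ip" letsencrypt_1615128498` to reproduce the panel's check over IPv4 only.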
 