Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
  • Search
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor

  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum

Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Support
  3. Can't get a new certificate

Can't get a new certificate

Scheduled Pinned Locked Moved Solved Support
certificates
9 Posts 3 Posters 1.4k Views 3 Watching
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • U Offline
    U Offline
    userino
    wrote on last edited by userino
    #1

    I can't get a new Let's Encrypt certificate.

    It gives me the following error:

    cron	Certificate install for XXXXX.XX failed
    {
      "domain": "XXXXX.XX",
      "errorMessage": "connect EHOSTUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443"
    }
    
    girishG 1 Reply Last reply
    1
    • U Offline
      U Offline
      userino
      wrote on last edited by userino
      #8

      I've talked with the support, and we could solve the problem.
      However, I would like to provide a brief summary for all who are facing the same issue.
      The issue was that cloudron attempted to connect with Let's Encrypt via IPv6, which, of course, didn't work out. Therefore, it couldn't get a new certificate.

      You can see this if you run the command:

      host acme-v02.api.letsencrypt.org
      

      directly in your server shell.

      Then it should print something like:

      acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
      prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

      This was the case, so I knew, that I have to disable IPv6. To do so, run:

      sysctl -w net.ipv6.conf.all.disable_ipv6=1
      

      This should disable IPv6 and solve the problem.

      I would like to thank Jonas from the support team, who helped me resolve the issues and also wrote all of these commands.

      girishG 1 Reply Last reply
      1
      • U userino

        I can't get a new Let's Encrypt certificate.

        It gives me the following error:

        cron	Certificate install for XXXXX.XX failed
        {
          "domain": "XXXXX.XX",
          "errorMessage": "connect EHOSTUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443"
        }
        
        girishG Offline
        girishG Offline
        girish
        Staff
        wrote on last edited by
        #2

        @userino that message is from Let's Encrypt. It's trying to reach your server's IPv6 port 443 and it's not able to. Is your server's IPv6 correct? If so, is incoming port 443 open in your firewall?

        1 Reply Last reply
        0
        • girishG girish marked this topic as a question on
        • U Offline
          U Offline
          userino
          wrote on last edited by
          #3

          I disabled the IPv6 address because Gmail said the reverse DNS wasn't configured properly. To solve this issue, I deactivated it. But this was months ago, and I'm certain that I got a new certificate in the meantime, without the IPv6 port. So why does this error happen now?

          1 Reply Last reply
          0
          • nebulonN Offline
            nebulonN Offline
            nebulon
            Staff
            wrote on last edited by
            #4

            Can you also check if there are any ipv6 (AAAA) DNS records setup for your domain, which might be the root cause? If so try to delete those if you don't want to use ipv6 anyways.

            1 Reply Last reply
            2
            • girishG Offline
              girishG Offline
              girish
              Staff
              wrote on last edited by
              #5

              Ah, this is most likely a stale AAAA record as @nebulon pointed out. Please delete that record manually in your DNS provider.

              1 Reply Last reply
              1
              • U Offline
                U Offline
                userino
                wrote on last edited by
                #6

                I found an outdated AAAA record and deleted it. But still, after 12 hours (which should be enough for the DNS to update), it prints the same error.

                girishG 1 Reply Last reply
                0
                • U userino

                  I found an outdated AAAA record and deleted it. But still, after 12 hours (which should be enough for the DNS to update), it prints the same error.

                  girishG Offline
                  girishG Offline
                  girish
                  Staff
                  wrote on last edited by
                  #7

                  @userino Can you check if there are stale AAAA records for other (sub)domains as well? 12 hours should be enough I think for Let's Encrypt.

                  Can you go to Domain -> Renew All Certs and send us the full logs (it's in the dropdown in the top right of the header of the section) to support@cloudron.io ?

                  1 Reply Last reply
                  0
                  • U Offline
                    U Offline
                    userino
                    wrote on last edited by userino
                    #8

                    I've talked with the support, and we could solve the problem.
                    However, I would like to provide a brief summary for all who are facing the same issue.
                    The issue was that cloudron attempted to connect with Let's Encrypt via IPv6, which, of course, didn't work out. Therefore, it couldn't get a new certificate.

                    You can see this if you run the command:

                    host acme-v02.api.letsencrypt.org
                    

                    directly in your server shell.

                    Then it should print something like:

                    acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
                    prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
                    ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
                    ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

                    This was the case, so I knew, that I have to disable IPv6. To do so, run:

                    sysctl -w net.ipv6.conf.all.disable_ipv6=1
                    

                    This should disable IPv6 and solve the problem.

                    I would like to thank Jonas from the support team, who helped me resolve the issues and also wrote all of these commands.

                    girishG 1 Reply Last reply
                    1
                    • U userino has marked this topic as solved on
                    • U userino

                      I've talked with the support, and we could solve the problem.
                      However, I would like to provide a brief summary for all who are facing the same issue.
                      The issue was that cloudron attempted to connect with Let's Encrypt via IPv6, which, of course, didn't work out. Therefore, it couldn't get a new certificate.

                      You can see this if you run the command:

                      host acme-v02.api.letsencrypt.org
                      

                      directly in your server shell.

                      Then it should print something like:

                      acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
                      prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
                      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
                      ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c

                      This was the case, so I knew, that I have to disable IPv6. To do so, run:

                      sysctl -w net.ipv6.conf.all.disable_ipv6=1
                      

                      This should disable IPv6 and solve the problem.

                      I would like to thank Jonas from the support team, who helped me resolve the issues and also wrote all of these commands.

                      girishG Offline
                      girishG Offline
                      girish
                      Staff
                      wrote on last edited by
                      #9

                      @userino you should also put that in /etc/sysctl.conf to make the setting persistent across reboots.

                      1 Reply Last reply
                      0
                      Reply
                      • Reply as topic
                      Log in to reply
                      • Oldest to Newest
                      • Newest to Oldest
                      • Most Votes


                      • Login

                      • Don't have an account? Register

                      • Login or register to search.
                      • First post
                        Last post
                      0
                      • Categories
                      • Recent
                      • Tags
                      • Popular
                      • Bookmarks
                      • Search