Can't get a new certificate
-
wrote on Oct 17, 2023, 6:32 AM last edited by userino Oct 19, 2023, 1:50 PM
I can't get a new Let's Encrypt certificate.
It gives me the following error:
cron Certificate install for XXXXX.XX failed { "domain": "XXXXX.XX", "errorMessage": "connect EHOSTUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443" }
-
wrote on Oct 17, 2023, 12:58 PM last edited by
I disabled the IPv6 address because Gmail said the reverse DNS wasn't configured properly. To solve this issue, I deactivated it. But this was months ago, and I'm certain that I got a new certificate in the meantime, without the IPv6 port. So why does this error happen now?
-
wrote on Oct 18, 2023, 5:35 AM last edited by
I found an outdated AAAA record and deleted it. But still, after 12 hours (which should be enough for the DNS to update), it prints the same error.
-
@userino Can you check if there are stale AAAA records for other (sub)domains as well? 12 hours should be enough I think for Let's Encrypt.
Can you go to Domain -> Renew All Certs and send us the full logs (it's in the dropdown in the top right of the header of the section) to support@cloudron.io?
-
wrote on Oct 19, 2023, 1:49 PM last edited by userino Oct 19, 2023, 1:53 PM
I've talked with the support, and we could solve the problem.
However, I would like to provide a brief summary for all who are facing the same issue.
The issue was that Cloudron attempted to connect with Let's Encrypt via IPv6, which, of course, didn't work out. Therefore, it couldn't get a new certificate.
You can see this if you run the command:
host acme-v02.api.letsencrypt.org
directly in your server shell.
Then it should print something like:
acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c
This was the case, so I knew that I had to disable IPv6. To do so, run:
sysctl -w net.ipv6.conf.all.disable_ipv6=1
This should disable IPv6 and solve the problem.
I would like to thank Jonas from the support team, who helped me resolve the issues and also wrote all of these commands.
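As an added example (not part of the original posts and not Cloudron's own tooling), the check described in the summary above can be scripted: it splits `host` output into A and AAAA addresses and probes each address family separately with curl's `-4`/`-6` switches. The sample text is the `host` output quoted in the post; the function names, the verdict labels and the file name `check.sh` are made up for this example.

```shell
#!/bin/sh
# Added example: which address family breaks the connection to the ACME endpoint?

# Constructed sample: the `host` output quoted in the post above.
SAMPLE='acme-v02.api.letsencrypt.org is an alias for prod.api.letsencrypt.org.
prod.api.letsencrypt.org is an alias for ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com.
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has address 172.65.32.248
ca80a1adb12a4fbdac5ffcbc944e9a61.pacloudflare.com has IPv6 address 2606:4700:60:0:f53d:5624:85c7:3a2c'

# Print the addresses of one family (4 or 6) found in `host` output on stdin.
addrs_from_host() {
  case "$1" in
    4) awk '/ has address /      { print $NF }' ;;
    6) awk '/ has IPv6 address / { print $NF }' ;;
    *) return 2 ;;
  esac
}

# Connect to https://<name>/ over a single address family; prints ok or fail.
probe_family() {
  if curl "-$1" --silent --output /dev/null --connect-timeout 5 "https://$2/"; then
    echo ok
  else
    echo fail
  fi
}

# Combine the results. Arguments: <IPv4 probe> <IPv6 probe> <AAAA published: yes|no>
verdict() {
  if [ "$1" = fail ] && [ "$2" = fail ]; then
    echo no-connectivity
  elif [ "$3" = yes ] && [ "$2" = fail ]; then
    echo ipv6-unreachable   # AAAA exists but only IPv4 connects: the case in this thread
  else
    echo ok
  fi
}

if [ "$#" -gt 0 ]; then   # live check, e.g.: sh check.sh acme-v02.api.letsencrypt.org
  v6=$(host "$1" | addrs_from_host 6)
  has6=no; if [ -n "$v6" ]; then has6=yes; fi
  r4=$(probe_family 4 "$1"); r6=$(probe_family 6 "$1")
  echo "AAAA published: $has6, IPv4: $r4, IPv6: $r6 => $(verdict "$r4" "$r6" "$has6")"
  echo "disable_ipv6 (runtime): $(sysctl -n net.ipv6.conf.all.disable_ipv6)"
else                      # no argument: offline run on the sample above
  printf '%s\n' "$SAMPLE" | addrs_from_host 6
fi
```

Run it with a hostname argument to probe the live network; without one it only parses the embedded sample. A value set with `sysctl -w` lasts until the next reboot unless it is also written to a file under /etc/sysctl.d/.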