Possible Let's Encrypt bug
-
Hello everybody
The last 2 Cloudron installations on Azure VPS and Contabo VPS, have resulted in the same problem.
The Let's Encrypt Certificate failed to be issued.
Here is the Contabo VPS log:
Oct 27 21:43:28 box:taskworker Starting task 3. Logs are at /home/yellowtent/platformdata/logs/tasks/3.log
Oct 27 21:43:28 box:tasks update 3: {"percent":101,"message":"Ensuring certs of my.chat.newtonhealthcore.com"}
Oct 27 21:43:28 box:reverseproxy ensureCertificate: my.chat.newtonhealthcore.com needs acme cert
Oct 27 21:43:28 box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
Oct 27 21:43:28 box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
Oct 27 21:43:28 box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
Oct 27 21:43:31 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:43:51 box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:11 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:11 box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
Oct 27 21:44:11 box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
Oct 27 21:44:11 box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
Oct 27 21:44:11 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:31 box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:51 box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:51 box:cert/acme2 Acme2: will get cert for fqdn: my.chat.newtonhealthcore.com cn: my.chat.newtonhealthcore.com certName: my.chat.newtonhealthcore.com wildcard: false http: true
Oct 27 21:44:51 box:cert/acme2 getCertificate: for fqdn my.chat.newtonhealthcore.com and domain chat.newtonhealthcore.com
Oct 27 21:44:51 box:cert/acme2 getCertificate: start acme flow for my.chat.newtonhealthcore.com from https://acme-v02.api.letsencrypt.org/directory
Oct 27 21:44:51 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:45:11 box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:45:31 box:reverseproxy ensureCertificate: error: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:45:31 box:tasks update 3: {"message":"Rebuilding app configs"}
Oct 27 21:45:31 box:reverseproxy writeDashboardConfig: writing admin config for chat.newtonhealthcore.com
Oct 27 21:45:31 box:reverseproxy writeCertificate: my.chat.newtonhealthcore.com will use fallback certs because acme is missing
Oct 27 21:45:31 box:shell reload spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx
Oct 27 21:45:31 box:mailserver checkCertificate: certificate has not changed
Oct 27 21:45:31 box:shell notifyCertChange spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh box
Oct 27 21:45:31 box:tasks update 3: {"message":"Checking expired certs for removal"}
Oct 27 21:45:31 box:reverseproxy cleanupCerts: done
Oct 27 21:45:31 box:tasks setCompleted - 3: {"result":null,"error":null}
Oct 27 21:45:31 box:tasks update 3: {"percent":100,"result":null,"error":null}
Oct 27 21:45:31 box:taskworker Task took 122.95 seconds
Have any of you found a solution for this?

-
@creative567145 said in Possible Let's Encrypt bug:
Oct 27 21:43:31 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2606:4700:60:0:f53d:5624:85c7:3a2c:443
This is actually the Let's Encrypt server address. Looks like your server is unable to connect via IPv6.
Try these commands on the server:
ping6 2604:a880:1:4a::2:7000
curl -6 https://ipv6.api.cloudron.io/api/v1/helper/public_ip
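
The diagnosis above, as an added example that is not part of the original post or of Cloudron's code: a Python triage of log lines in this format that splits Node's unbracketed address:port form, groups connect failures by errno and IP version, and flags the fallback-certificate line. The sample log is constructed (placeholder host name, documentation-range addresses), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the log format shown in the thread (placeholder host
# name, documentation-range addresses); not taken from a real server.
SAMPLE_LOG = """\
Oct 27 21:43:28 box:cert/acme2 getCertificate: start acme flow for my.example.com from https://acme.example/directory
Oct 27 21:43:31 box:cert/acme2 Attempt 1 failed. Will retry: connect ENETUNREACH 2001:db8:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:43:51 box:cert/acme2 Attempt 2 failed. Will retry: connect ENETUNREACH 2001:db8:60:0:f53d:5624:85c7:3a2c:443
Oct 27 21:44:02 box:cert/acme2 Attempt 1 failed. Will retry: connect ETIMEDOUT 192.0.2.10:443
Oct 27 21:45:31 box:reverseproxy writeCertificate: my.example.com will use fallback certs because acme is missing
"""

CONNECT_ERR = re.compile(r"connect (E[A-Z]+) (\S+)")

def split_endpoint(endpoint):
    """Split Node's unbracketed 'address:port' form; the port is the last field."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def triage(log_text):
    """Count connect() failures per (errno, IP version) and name the likely cause."""
    failures = Counter()
    fallback = False
    for line in log_text.splitlines():
        fallback = fallback or "will use fallback certs" in line
        match = CONNECT_ERR.search(line)
        if not match:
            continue
        try:
            addr, _port = split_endpoint(match.group(2))
        except ValueError:
            continue  # a host name or garbage, not an IP literal
        failures[(match.group(1), addr.version)] += 1
    findings = []
    for (errno, version), count in sorted(failures.items()):
        if errno == "ENETUNREACH":
            cause = f"host has no usable IPv{version} route"
        else:
            cause = "a local route existed; check firewall rules or the remote end"
        findings.append(f"{errno} over IPv{version} x{count}: {cause}")
    return {"failures": dict(failures), "fallback_cert": fallback, "findings": findings}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)["findings"]:
        print(finding)
```

A `fallback_cert` value of true means the service came up on its fallback certificate, so clients see certificate warnings until issuance succeeds.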
-
@girish Thank you Girish very much for your fast and direct response

From this command:
ping6 2604:a880:1:4a::2:7000
This was the result:
From fd43:4f4e:5943:50::a icmp_seq=5 Destination unreachable: No route.
And from this command:
curl -6 https://ipv6.api.cloudron.io/api/v1/helper/public_ip
This was the result:
curl: (7) Failed to connect to ipv6.api.cloudron.io port 443 after 1219 ms: Network is unreachable
Your assistance with this problem will be greatly appreciated

-
When I enter in the terminal this:
enable_ipv6
This is the result:
** (generate:57510): WARNING **: 13:03:50.397: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
** (generate:57510): WARNING **: 13:03:50.398: `gateway6` has been deprecated, use default routes instead. See the 'Default routes' section of the documentation for more details.
** (generate:57515): WARNING **: 13:03:50.541: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
** (generate:57515): WARNING **: 13:03:50.542: `gateway6` has been deprecated, use default routes instead. See the 'Default routes' section of the documentation for more details.
WARNING:root:Cannot call Open vSwitch: ovsdb-server.service is not running.
** (process:57513): WARNING **: 13:03:50.959: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
** (process:57513): WARNING **: 13:03:50.960: `gateway6` has been deprecated, use default routes instead. See the 'Default routes' section of the documentation for more details.
** (process:57513): WARNING **: 13:03:51.254: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
** (process:57513): WARNING **: 13:03:51.255: `gateway6` has been deprecated, use default routes instead. See the 'Default routes' section of the documentation for more details.
** (process:57513): WARNING **: 13:03:51.255: Permissions for /etc/netplan/01-netcfg.yaml are too open. Netplan configuration should NOT be accessible by others.
** (process:57513): WARNING **: 13:03:51.255: `gateway6` has been deprecated, use default routes instead. See the 'Default routes' section of the documentation for more details.
-
@creative567145 I think the enable_ipv6 command is something provider specific. But as you can see, IPv6 is not working on your server. I think you should reach out to your VPS provider.
Another option is to disable IPv6 entirely.
Something like:
# disable_ipv6=1 turns IPv6 off; 0 leaves it enabled
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=1
-
@girish Thank you. Your solution did the trick.
But we needed the ipv6 to be functional.
So what we did to make it work was > reinstall Ubuntu 22.04 LTS OS and didn't install unbound in advance. All is good now.
-
girish has marked this topic as solved on