DO - Unable to renew LetsEncrypt
plumberg Veteran

I am trying to renew my SSL certificate (which expired last week) using Certbot

raise ConnectionError(e, request=request)
ConnectionError: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f55200944d0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',))

Also, if I ping 8.8.8.8, it works. However, if I ping google.com, nothing comes up.

ping acme-v01.api.letsencrypt.org does not work. But if I ping 104.99.153.11 (the IP returned for acme-v01 from another system), it responds.

I checked iptables -L

Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

How / what else do I need to check to find out what is stopping my DO droplet from renewing?

Thanks!

Comments

  • Can you show the output of this command?

    cat /etc/resolv.conf

  • @PremiumFast_Net said:
    Can you show the output of this command?

    cat /etc/resolv.conf

    # Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
    #     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN

    nameserver 8.8.8.8
    nameserver 8.8.4.4

  • Resolv good. Are you using IPv6 on your droplet?

  • @PremiumFast_Net said:
    Resolv good. Are you using IPv6 on your droplet?

    I am really not sure. Any way to check that?

  • MikeA Member, Patron Provider

    Might be worthwhile just to ask them if UDP is being blocked. Or you could use something like PacketSender to try to check if the VPS is receiving UDP via tcpdump.

  • It's unlikely a provider would block DNS requests to major resolvers.

    OP: please check ip -6 a to see if there's anything that's not fe80.

  • @msg7086 said:
    It's unlikely a provider would block DNS requests to major resolvers.

    OP: please check ip -6 a to see if there's anything that's not fe80.

    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
    valid_lft forever preferred_lft forever
    2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::XX:XX::XXX:X:X/64 scope link
    valid_lft forever preferred_lft forever

  • TheLinuxBug Member
    edited June 2018

    CentOS or Debian / Ubuntu?

    If Debian / Ubuntu check /etc/gai.conf and uncomment the line:

    #precedence ::ffff:0:0/96 100

    This will disable the use of ipv6 and may help with your issues.

    Cheers!

  • @TheLinuxBug said:
    CentOS or Debian / Ubuntu?

    If Debian / Ubuntu check /etc/gai.conf and uncomment the line:

    #precedence ::ffff:0:0/96 100

    This will disable the use of ipv6 and may help with your issues.

    Cheers!

    It's Ubuntu. After I make that change, will I need to restart any services or anything?

  • @TheLinuxBug said:
    CentOS or Debian / Ubuntu?

    If Debian / Ubuntu check /etc/gai.conf and uncomment the line:

    #precedence ::ffff:0:0/96 100

    This will disable the use of ipv6 and may help with your issues.

    Cheers!

    Did not work... Sigh..... Anything else I can try?

    Same error:
    produced an unexpected error: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<requests.packages.urllib3.connection.VerifiedHTTPSConnection object at 0x7f53cb3324d0>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution',)). Skipping

  • Have you tried to reboot the system? Also do you have nslookup or dig around that you can use to test your dns resolver? You can also try to set 1.1.1.1 as your resolver.

  • rm_ IPv6 Advocate, Veteran

    I guess DO's policy of "the whole DC worth of users in the same /64" finally starting to "pay off".

  • Every problem on a server is always on the user, except hardware and network.

    Have you tried setting DNS to 1.0.0.1/1.1.1.1?
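The checks suggested across this thread (the nameserver list in /etc/resolv.conf, whether eth0 has any IPv6 address beyond link-local, whether the /etc/gai.conf preference line is active, and whether the resolver actually answers over UDP and TCP), collected into one triage script. This is an added example, not something posted in the thread: the host name is the one from the OP's traceback, the sample resolv.conf and `ip -6 a` text are constructed to mirror what the OP pasted, and the file name `triage.sh` is assumed. Two facts the script relies on: errno -3 from getaddrinfo is EAI_AGAIN, a resolver failure rather than a reachability one (which matches ping-by-IP working), so `getent hosts`, which goes through the same glibc resolver path that certbot's requests library uses, reproduces the error without Python; and a dig query that fails with `+notcp` but answers with `+tcp` points at UDP/53 being filtered somewhere on the path, which is the question MikeA raised.

```sh
#!/bin/sh
# Added triage script for "Temporary failure in name resolution" (getaddrinfo
# EAI_AGAIN, errno -3) on a host where ping to a raw IP works but hostnames fail.
# Not from the thread. Usage:  sh triage.sh demo   (constructed samples, offline)
#                              sh triage.sh live   (real checks on this host)

# Print nameserver IPs from resolv.conf text on stdin; '#' comment lines are skipped
# because their first field is '#', not 'nameserver'.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }'
}

# From `ip -6 addr` output on stdin, print IPv6 addresses that are neither
# link-local (fe80::/10) nor loopback (::1). No output means the host has no
# routable IPv6, so an IPv6-preference problem is an unlikely cause.
global_ipv6_addrs() {
    awk '$1 == "inet6" {
        split($2, a, "/"); addr = a[1]
        if (addr !~ /^[Ff][Ee][89AaBb]/ && addr != "::1") print addr
    }'
}

# Exit 0 if the IPv4-preference line in the given gai.conf is active (uncommented).
# Note: this line only changes getaddrinfo's sort order; it does not turn IPv6 off.
gai_prefers_ipv4() {
    grep -Eq '^[[:space:]]*precedence[[:space:]]+::ffff:0:0/96[[:space:]]+100' "$1"
}

# Live checks (need network). getent hosts exercises the glibc resolver, i.e. the
# same path certbot/requests hit; dig with +notcp vs +tcp separates "UDP/53 is
# filtered" from "the resolver is unreachable".
live_checks() {
    host=acme-v01.api.letsencrypt.org          # host name from the OP's traceback
    echo "--- glibc resolver (what certbot sees):"
    getent hosts "$host" || echo "getent FAILED for $host"
    echo "--- gai.conf IPv4 preference active:"; gai_prefers_ipv4 /etc/gai.conf && echo yes || echo no
    echo "--- per-resolver UDP vs TCP:"
    for ns in $(resolv_nameservers </etc/resolv.conf); do
        for mode in +notcp +tcp; do
            if dig "$mode" +time=2 +tries=1 "@$ns" "$host" A +short | grep -q .; then
                echo "$ns $mode answered"
            else
                echo "$ns $mode NO ANSWER"   # UDP fails, TCP works => UDP/53 filtered
            fi
        done
    done
    # To watch queries leave and replies (not) return, run in a second shell:
    #   tcpdump -ni eth0 udp port 53
}

# Constructed samples mirroring what the OP pasted (not real output from their host).
SAMPLE_RESOLV='# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 8.8.8.8
nameserver 8.8.4.4'

SAMPLE_IP6='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::1/64 scope link
       valid_lft forever preferred_lft forever'

# Contrast sample: the same host with a routable (documentation-range) address added.
SAMPLE_IP6_GLOBAL="$SAMPLE_IP6
    inet6 2001:db8::10/64 scope global"

demo() {
    echo "nameservers: $(printf '%s\n' "$SAMPLE_RESOLV" | resolv_nameservers | xargs)"
    echo "routable v6, OP-like sample: [$(printf '%s\n' "$SAMPLE_IP6" | global_ipv6_addrs | xargs)]"
    echo "routable v6, contrast sample: [$(printf '%s\n' "$SAMPLE_IP6_GLOBAL" | global_ipv6_addrs | xargs)]"
}

case "${1:-}" in
    live) live_checks ;;
    demo) demo ;;
esac
```

Run `sh triage.sh demo` first to see the parsers on the constructed input; on the affected droplet, `sh triage.sh live` is what answers the thread's open questions: if `getent hosts` fails while every `+tcp` dig answers and every `+notcp` dig times out, the problem is UDP/53 and the provider question is worth asking; if both fail for 8.8.8.8 and 8.8.4.4 alike, try the 1.1.1.1 suggestion while watching `tcpdump` to see whether any reply ever arrives.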
