Hi, I have trouble renewing my Let’s Encrypt certificate. Here is the output of the command sudo yunohost domain cert-renew --debug:
165 DEBUG loading actions map namespace 'yunohost'
232 DEBUG extra parameter classes loaded: ['ask', 'password', 'required', 'pattern']
234 DEBUG initializing base actions map parser for cli
238 DEBUG registering new callback action 'yunohost.utils.packages.ynh_packages_version' to ['-v', '--version']
486 DEBUG initialize authenticator 'ldap-anonymous' with: uri='ldap://localhost:389', base_dn='dc=yunohost,dc=org', user_rdn='None'
490 DEBUG lock has been acquired
841 INFO processing action [3431.1]: yunohost.domain.cert-renew with args={'no_checks': False, 'force': False, 'domain_list': [], 'auth': <moulinette.authenticators.ldap.Authenticator object at 0x7665a8d0>, 'staging': False, 'email': False}
2155 INFO Starting new HTTP connection (1): 80.201.150.87
2186 DEBUG "HEAD / HTTP/1.1" 302 0
2190 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2192 INFO Now attempting renewing of certificate for domain manuc66.nohost.me !
2452 INFO Starting new HTTP connection (1): 80.201.150.87
2469 DEBUG "HEAD / HTTP/1.1" 302 0
2472 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2473 DEBUG Making sure tmp folders exists...
2475 INFO Prepare key and certificate signing request (CSR) for manuc66.nohost.me...
16706 INFO Saving to /tmp/acme-challenge-private/manuc66.nohost.me.csr.
16708 INFO Now using ACME Tiny to sign the certificate...
16709 INFO Parsing account key...
16743 INFO Parsing CSR...
16772 INFO Registering account...
17555 INFO Already registered!
17556 INFO Verifying manuc66.nohost.me...
29291 ERROR manuc66.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'80.201.150.87', u'2a02:a03f:a5f:0:c30:3f69:b861:4598'], u'url': u'http://manuc66.nohost.me/.well-known/acme-challenge/pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg', u'hostname': u'manuc66.nohost.me', u'addressesTried': [], u'addressUsed': u'2a02:a03f:a5f:0:c30:3f69:b861:4598', u'port': u'80'}], u'keyAuthorization': u'pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg.5-vf9j2C_pmYxASIb7omHE0som41D0Fmu788z28ojhg', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/Y81bmdxMuuEGJ_xhQjlhiOemSC_BPI6XIDDyOWHs9R4/1703576335', u'token': u'pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching http://manuc66.nohost.me/.well-known/acme-challenge/pA9exYI6My89ChzqBQA7OIf5paiB5woR7oFvcU4ZEEg: Timeout'}, u'type': u'http-01'}
29296 ERROR Certificate renewing for manuc66.nohost.me failed !
29298 ERROR Traceback (most recent call last):
File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
_fetch_and_enable_new_certificate(domain, staging)
File "/usr/lib/moulinette/yunohost/certificate.py", line 564, in _fetch_and_enable_new_certificate
'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed
29302 ERROR [Errno 22] Signing the new certificate failed
29304 DEBUG action [3431.1] ended after 28.462s
29306 DEBUG lock has been released
Not sure, but to me it looks like it’s trying to renew the certificate through IPv6. Can you confirm that 2a02:a03f:a5f:0:c30:3f69:b861:4598 is the IPv6 of your server? (And also 80.201.150.87 should be your IPv4.)
You can check that by running the following commands on your server:
curl ip6.yunohost.org
curl ip.yunohost.org
I think you should either make sure your IPv6 setup is working, or disable IPv6 to fall back to IPv4 :s
$ curl ip6.yunohost.org
curl: (7) Couldn't connect to server
$ sudo yunohost domain cert-renew --debug
163 DEBUG loading actions map namespace 'yunohost'
230 DEBUG extra parameter classes loaded: ['ask', 'password', 'required', 'pattern']
231 DEBUG initializing base actions map parser for cli
234 DEBUG registering new callback action 'yunohost.utils.packages.ynh_packages_version' to ['-v', '--version']
515 DEBUG initialize authenticator 'ldap-anonymous' with: uri='ldap://localhost:389', base_dn='dc=yunohost,dc=org', user_rdn='None'
519 DEBUG lock has been acquired
863 INFO processing action [2312.1]: yunohost.domain.cert-renew with args={'no_checks': False, 'force': False, 'domain_list': [], 'auth': <moulinette.authenticators.ldap.Authenticator object at 0x7663d8d0>, 'staging': False, 'email': False}
2229 INFO Starting new HTTP connection (1): 80.201.150.87
2248 DEBUG "HEAD / HTTP/1.1" 302 0
2251 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2252 INFO Now attempting renewing of certificate for domain manuc66.nohost.me !
2519 INFO Starting new HTTP connection (1): 80.201.150.87
2539 DEBUG "HEAD / HTTP/1.1" 302 0
2541 DEBUG Domain 'manuc66.nohost.me' IP address is resolved to 80.201.150.87, expect it to be 80.201.150.87 or in the 127.0.0.0/8 address block
2542 DEBUG Making sure tmp folders exists...
2543 INFO Prepare key and certificate signing request (CSR) for manuc66.nohost.me...
12736 INFO Saving to /tmp/acme-challenge-private/manuc66.nohost.me.csr.
12737 INFO Now using ACME Tiny to sign the certificate...
12738 INFO Parsing account key...
12773 INFO Parsing CSR...
12800 INFO Registering account...
13743 INFO Already registered!
13745 INFO Verifying manuc66.nohost.me...
22804 ERROR manuc66.nohost.me challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'80.201.150.87', u'2a02:a03f:a5f:0:c30:3f69:b861:4598'], u'url': u'http://manuc66.nohost.me/.well-known/acme-challenge/66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo', u'hostname': u'manuc66.nohost.me', u'addressesTried': [], u'addressUsed': u'2a02:a03f:a5f:0:c30:3f69:b861:4598', u'port': u'80'}], u'keyAuthorization': u'66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo.5-vf9j2C_pmYxASIb7omHE0som41D0Fmu788z28ojhg', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/92mEUR2V1MUB-OI5lrmmZkLU2HKAgRxdWajAiqOJ2OQ/1704225321', u'token': u'66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo', u'error': {u'status': 400, u'type': u'urn:acme:error:connection', u'detail': u'Fetching http://manuc66.nohost.me/.well-known/acme-challenge/66G62NH5DEutYwk7XNnNvUcRPnOGWtAMxoc08P_j_Wo: Timeout'}, u'type': u'http-01'}
22812 ERROR Certificate renewing for manuc66.nohost.me failed !
22814 ERROR Traceback (most recent call last):
File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
_fetch_and_enable_new_certificate(domain, staging)
File "/usr/lib/moulinette/yunohost/certificate.py", line 564, in _fetch_and_enable_new_certificate
'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed
22815 ERROR [Errno 22] Signing the new certificate failed
22816 DEBUG action [2312.1] ended after 21.952s
22817 DEBUG lock has been released
Well, I’m guessing somehow your IPv6 is not working properly… But I’m not sure why; I’m far from understanding how to properly set up IPv6. You probably need to configure some gateway or something on your server.
With that said, it’d be nice if the Let’s Encrypt install automatically fell back to IPv4 if there’s something wrong with IPv6. Currently we do not do many checks about IPv6, for instance.
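The check the replies above do by hand, written up as an added example (not YunoHost's or ACME Tiny's code): it parses the challenge dict out of the --debug error line and compares the address the CA actually connected to with what `curl ip.yunohost.org` / `curl ip6.yunohost.org` report for the host. The sample log line is constructed from the one in the thread with the token replaced by a placeholder, and the diagnosis labels are my own naming.

```python
import ast
import ipaddress
from typing import Optional

# Constructed sample in the shape of the `yunohost domain cert-renew --debug` line
# above, trimmed to the fields the diagnosis needs (token replaced by a placeholder).
SAMPLE_LOG_LINE = (
    "29291 ERROR manuc66.nohost.me challenge did not pass: "
    "{u'status': u'invalid', u'validationRecord': [{u'addressesResolved': "
    "[u'80.201.150.87', u'2a02:a03f:a5f:0:c30:3f69:b861:4598'], "
    "u'addressUsed': u'2a02:a03f:a5f:0:c30:3f69:b861:4598', u'port': u'80'}], "
    "u'error': {u'status': 400, u'type': u'urn:acme:error:connection', "
    "u'detail': u'Fetching http://manuc66.nohost.me/.well-known/acme-challenge/TOKEN: Timeout'}, "
    "u'type': u'http-01'}"
)


def parse_challenge(log_line: str) -> dict:
    """Pull the challenge object out of a 'challenge did not pass' log line.

    ACME Tiny prints it as a Python 2 repr (u'' strings), not JSON, so
    json.loads would fail; ast.literal_eval still accepts u'' on Python 3."""
    _, _, repr_part = log_line.partition("challenge did not pass: ")
    return ast.literal_eval(repr_part)


def diagnose(challenge: dict, public_v4: Optional[str], public_v6: Optional[str]) -> str:
    """Explain an http-01 failure by comparing the address the CA actually
    connected to with the host's own view of its public addresses (what
    `curl ip.yunohost.org` / `curl ip6.yunohost.org` return; None if that failed)."""
    record = challenge["validationRecord"][-1]
    used = ipaddress.ip_address(record["addressUsed"])
    error = challenge.get("error", {})
    if used.version == 6 and public_v6 is None:
        return ("ipv6-unreachable: CA connected to AAAA %s but the host has no "
                "working IPv6; fix IPv6 routing or remove the AAAA record" % used)
    expected = public_v6 if used.version == 6 else public_v4
    if expected is not None and ipaddress.ip_address(expected) != used:
        return ("dns-mismatch: CA connected to %s but the host's public IPv%d is %s; "
                "fix the DNS record" % (used, used.version, expected))
    if error.get("type") == "urn:acme:error:connection":
        return ("port-80-blocked: address %s is right but nothing answered on port %s; "
                "check the firewall / port forwarding" % (used, record["port"]))
    return "unknown: " + error.get("detail", "")
```

With the thread's inputs (IPv4 known, `curl ip6.yunohost.org` failing) the verdict is ipv6-unreachable, which matches the replies' reading of the log.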