Forum OpenACS Q&A: Re: letsencrypt - unable to renew

Posted by Gustaf Neumann on
Can it be that the machine has a half-configured IPv6 setup? I.e. the resolver returns multiple IP addresses for "acme-v01.api.letsencrypt.org" (including IPv4 and IPv6 addresses), but the connection through IPv6 does not work (due to e.g. firewall rules, etc.)?

You can check this from NaviServer:

/usr/local/ns/bin/nsd -c
% ns_addrbyhost -all acme-v01.api.letsencrypt.org
2600:1406:1a:394::3a8e 2600:1406:1a:38a::3a8e 104.86.94.242

% ns_http run https://acme-v01.api.letsencrypt.org
status 200 time 0:244362 headers d1 body {...}

Probably, the "ns_http" request runs into a problem at your site (assuming the problem you saw was not a temporary outage at letsencrypt).

When these assumptions are correct, try

/usr/local/ns/bin/nsd -c
% set requestHeaders [ns_set create]
% ns_set update $requestHeaders Host acme-v01.api.letsencrypt.org
% ns_http run -headers $requestHeaders -keep_host_header https://104.86.94.242

If this returns no error but a result dict, the problem is diagnosed.

How to solve the problem:

  • Disable IPv6 on the machine (in doubt, google for it)
  • Replace in the letsencrypt script "ns_http queue $url" with a snippet as above (this should be just a temporary fix to get things working again)
  • Update NaviServer to the newest version from bitbucket: I have just modified the code base to deal with such half-working setups better. Set in install-ns.sh "version_ns=HEAD"
  • It is possibly also an option to downgrade NaviServer to e.g. 4.99.16 and change /etc/gai.conf to make the resolver return IPv4 addresses first (4.99.17 started to use multiple IP addresses for client requests)
Hope this helps. I am currently in transit at San Francisco airport, and I am just replying with so many options, since your situation seems urgent.
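The same diagnosis done outside NaviServer, as an added example that is not part of Gustaf's post or of NaviServer itself: resolve every address the way "ns_addrbyhost -all" does, try a plain TCP connect to each one per address family, and classify the result. The address list SAMPLE_ADDRS is a constructed offline sample taken from the output shown above; the function names are my own.

```python
import socket

# Constructed sample for offline runs: the addresses shown in the post above.
SAMPLE_ADDRS = ["2600:1406:1a:394::3a8e", "2600:1406:1a:38a::3a8e", "104.86.94.242"]

def family_of(addr):
    """Classify a literal IP address as 'ipv4' or 'ipv6'; raises OSError otherwise."""
    try:
        socket.inet_pton(socket.AF_INET6, addr)
        return "ipv6"
    except OSError:
        socket.inet_pton(socket.AF_INET, addr)
        return "ipv4"

def resolve_all(host, port=443):
    """Like 'ns_addrbyhost -all': every address the resolver returns, resolver order kept."""
    addrs = []
    for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        if info[4][0] not in addrs:
            addrs.append(info[4][0])
    return addrs

def tcp_connect_ok(addr, port=443, timeout=3.0):
    """Plain TCP connect to one address; a firewall dropping IPv6 makes this fail."""
    fam = socket.AF_INET6 if family_of(addr) == "ipv6" else socket.AF_INET
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False

def check_addresses(addrs, probe=tcp_connect_ok):
    """Probe each address; 'probe' is injectable so the logic can be exercised offline."""
    return {addr: probe(addr) for addr in addrs}

def diagnose(report):
    """'all-reachable', 'unreachable', 'half-configured-ipv6' (v6 dead, v4 fine) or 'partial'."""
    by_fam = {"ipv4": [], "ipv6": []}
    for addr, ok in report.items():
        by_fam[family_of(addr)].append(ok)
    if report and all(report.values()):
        return "all-reachable"
    if not any(report.values()):
        return "unreachable"
    if by_fam["ipv6"] and not any(by_fam["ipv6"]) and any(by_fam["ipv4"]):
        return "half-configured-ipv6"
    return "partial"
```

On the affected machine, `diagnose(check_addresses(resolve_all("acme-v01.api.letsencrypt.org")))` returning "half-configured-ipv6" is the condition the post describes; a "partial" result points at something other than the address family.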