Forum OpenACS Q&A: Re: letsencrypt - unable to renew

Posted by Gustaf Neumann on
Can it be that the machine has a half-configured IPv6 setup? i.e. the resolver returns for "" multiple IP addresses (including IPv4 and IPv6 addresses), but the connection through IPv6 does not work (due to e.g. firewall rules, etc.)?

You can check this from NaviServer:

/usr/local/ns/bin/nsd -c
% ns_addrbyhost -all
2600:1406:1a:394::3a8e 2600:1406:1a:38a::3a8e

% ns_http run
status 200 time 0:244362 headers d1 body {...}

Probably the "ns_http" request runs into a problem at your site (assuming the problem you saw was not a temporary outage at letsencrypt).

When these assumptions are correct, try

/usr/local/ns/bin/nsd -c
% set requestHeaders [ns_set create]
% ns_set update $requestHeaders Host
% ns_http run -headers $requestHeaders -keep_host_header

If this returns no error but a result dict, the problem is diagnosed.

How to solve the problem:

  • Disable IPv6 on the machine (in doubt, google for it)
  • Replace in the letsencrypt script "ns_http queue $url" with a snippet as above (this should be just a temporary fix to get things working again)
  • Update NaviServer to the newest version from Bitbucket: I have just modified the code base to deal with such half-working setups better. Set in "version_ns=HEAD"
  • It is possibly also an option to downgrade NaviServer to e.g. 4.99.16 and change /etc/gai.conf to make the resolver return IPv4 addresses first (4.99.17 started to use multiple IP addresses for client requests)

Hope this helps. I am currently in transit at San Francisco airport, and I am just replying with so many options since your situation seems urgent.
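A stand-alone Python version of the check described above (an added example, not part of the thread and not NaviServer code): it resolves a host the way "ns_addrbyhost -all" does, tries a TCP connect to every returned address, and reports when the resolver hands out one address family that never connects. The hostname is a placeholder because the original one was not preserved on this page.

```python
import socket

# Placeholder: the hostname in the forum post did not survive extraction.
HOST = "example.invalid"
PORT = 443

def resolve_all(host, port=PORT):
    """Return (family, address) pairs in resolver order, like 'ns_addrbyhost -all'."""
    pairs = []
    for family, _t, _p, _c, sockaddr in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM):
        pair = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if pair not in pairs:
            pairs.append(pair)
    return pairs

def tcp_connect_ok(family, address, port=PORT, timeout=5.0):
    """One TCP connect attempt; False on timeout or refusal (e.g. a firewall dropping IPv6)."""
    af = socket.AF_INET6 if family == "IPv6" else socket.AF_INET
    with socket.socket(af, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((address, port))
            return True
        except OSError:
            return False

def diagnose(results):
    """results: (family, address, reachable) triples. Names the family that is half-working."""
    if not results:
        return "no addresses returned by the resolver"
    by_family = {}
    for family, _addr, ok in results:
        by_family.setdefault(family, []).append(ok)
    dead = sorted(f for f, oks in by_family.items() if not any(oks))
    if not dead:
        return "ok"
    if len(dead) == len(by_family):
        return "all addresses unreachable (outage or outbound filtering)"
    return "half-configured %s: resolver returns it but no connection succeeds" % "/".join(dead)

def check_host(host=HOST, port=PORT, connect=tcp_connect_ok):
    """Probe every resolved address and classify; 'connect' is injectable for offline tests."""
    results = [(fam, addr, connect(fam, addr, port)) for fam, addr in resolve_all(host, port)]
    for fam, addr, ok in results:
        print("%-4s %-40s %s" % (fam, addr, "reachable" if ok else "FAILED"))
    return diagnose(results)

if __name__ == "__main__":
    print(check_host())
```

If the report says "half-configured IPv6", the resolver order is what NaviServer 4.99.17+ sees, and the /etc/gai.conf or firewall options from the post apply.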