Acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
southfield.mywire.org

The domain is a dyndns name and I am wondering if this is the issue. If I use a the same configuration in traefik labels for a name I control the DNS for and I do not have any problems.

time="2021-01-05T14:42:59Z" level=debug msg="TLS Challenge CleanUp temp certificate for southfield.mywire.org" providerName=acme
time="2021-01-05T14:42:59Z" level=debug msg="legolog: [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9839901599"
time="2021-01-05T14:42:59Z" level=debug msg="legolog: [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/9839901599"
time="2021-01-05T14:42:59Z" level=error msg="Unable to obtain ACME certificate for domains \"southfield.mywire.org\": unable to generate a certificate for the domains [southfield.mywire.org]: error: one or more domains had a problem:\n[southfield.mywire.org] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout during connect (likely firewall problem), url: \n" providerName=leresolver.acme routerName=gitlab-https@docker rule="Host(`southfield.mywire.org`)"

My web server is (include version):
rails

The operating system my web server runs on is (include version):
docker

My hosting provider, if applicable, is:
self-host

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
traefik2

Hello @mmance,

I can't reach your site too:

$ curl -IkL -m 15 https://southfield.mywire.org                                                                                                       
curl: (28) Connection timed out after 15000 milliseconds

Are you sure the ip 24.192.4.166 is the right one and is pointing to your server?

Cheers,
sahsanu

It connects now... But:

curl https://southfield.mywire.org/
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

image419×522 10 KB

Basically the error was telling me that I could not get to my website from the IP address I gave it. I wish I would have read what I am writing to help me figure out what my specific issue was. Make sure you can get to your website from outside the local network before you think its a lets encrypt error.

The situation was more complicated due to my back end setup...

I had thought the site was working as it should because my router has automatically setup NAT redirect. Even thought I was using a domain name that pointed to a public IP, my router was just redirecting me locally and I was never hitting it from the outside.

I was confused because I could see packets on port 80 go all the way to the web server. If you want to catch some quick packets for testing use "tcpdump port 80" or "tcpdump host IP". Even though the packets got to the server, they never got responses.

The ports that I was forwarding were to a Traefik reverse proxy. I had to add new NAT rules to my router to re-write the NAT packets to have a source IP from my external of my router. After that I was able to see my site from outside the network on port 80.

So long story short, if you can, make sure your site works on http first before you troubleshoot lets encrypt.