Acme: error: 400 :: urn:ietf:params:acme:error:connection :: Timeout

My domain is: photos.frankridder.com

I ran this command: sudo docker-compose up -d

It produced this output:
time="2022-02-24T11:37:02Z" level=error msg="Unable to obtain ACME certificate for domains "photos.frankridder.com": unable to generate a certificate for the domains [photos.frankridder.com]: error: one or more domains had a problem:\n[photos.frankridder.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://photos.frankridder.com/.well-known/acme-challenge/bOF8hG7aT-RsO2UZpOLzJRhUbJyChs5DGrcDOqFgd84: Error getting validation data\n" ACME CA="https://acme-v02.api.letsencrypt.org/directory" routerName=whoami@docker rule="Host(photos.frankridder.com)" providerName=myresolver.acme

My web server is (include version):
traefik and whoami, as in this example:

The operating system my web server runs on is (include version):
Ubuntu server 20.04

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): traefik2.6

I can reach my site, but Let's Debug shows Let's Encrypt cannot. I am unsure why this is. For background, I'm trying to get a certificate for my photoprism server. Running the photoprism traefik example generated the same error, so I tried to simplify by just running the traefik example.

Neither can I.

Do you have some kind of firewall filtering, or did you forget to enable port forwarding on your router? Are your DNS records ok? (I mean, is your IPv4 address really 84.107.153.151 and your IPv6 2001:1c04:3c22:cd00:e3c:5e87:2bd5:346a -- this is really important: the ipv6 of your server is different from the one of your router, and there is no port forwarding, just a firewall.)


Thank you for the fast response.

I have changed the IPv6 address in the DNS record to the servers IPv6.
I have ufw enabled; the following ports are open:
[image]

Could there be another firewall I'm missing?

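The thread's point about the host firewall is that ufw keeps separate rules for IPv4 and IPv6, and a validation that arrives over the AAAA address needs the "(v6)" rule as well. The following is an added example, not the poster's own ufw rules: it parses the text of `ufw status` and reports which of the two ports an HTTP-01 setup needs (80/tcp for the challenge, 443/tcp for the site) lack an ALLOW rule for either family. The sample status below is constructed; the ports and function names are assumptions made for the example.

```shell
# Added example, not the poster's configuration: check `ufw status` output for
# ALLOW rules on 80/tcp and 443/tcp for both IPv4 and IPv6.
# Constructed sample: v4 rules for 22/80/443, but the v6 rule for 80/tcp is missing.
SAMPLE_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)'

# ufw_allows STATUS PORTSPEC FAMILY -> exit 0 if an ALLOW rule for PORTSPEC
# exists for FAMILY ("v4" or "v6"). ufw prints IPv6 rules on their own
# "PORT (v6)" lines; `ufw status verbose` prints "ALLOW IN", which also matches.
ufw_allows() {
    if [ "$3" = "v6" ]; then
        pattern="^$2 \\(v6\\)[[:space:]]+ALLOW"
    else
        pattern="^$2[[:space:]]+ALLOW"
    fi
    printf '%s\n' "$1" | grep -Eq "$pattern"
}

# missing_acme_rules STATUS -> prints one "PORT FAMILY" line per missing rule
# and exits 1 if anything is missing, 0 if both ports are open for both families.
missing_acme_rules() {
    status="$1"
    rc=0
    for port in 80/tcp 443/tcp; do
        for fam in v4 v6; do
            if ! ufw_allows "$status" "$port" "$fam"; then
                echo "$port $fam"
                rc=1
            fi
        done
    done
    return $rc
}

# Live use on the server (needs root to read the rules):
#   missing_acme_rules "$(sudo ufw status)"
```

A hit here only shows that a rule exists; an ALLOW restricted to one source network still matches, so read the "From" column yourself if the rules are not plain "Anywhere". And, as the thread goes on to find, a clean ufw does not prove anything about the router in front of the host.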

The one on your router. (IPv4 also needs port forwarding)


Forgot to mention, I have forwarded ports 80, 443, 8080 and 25565 (for an MC server). Forwarding does work for the MC server. Since I'm using my ISP's router, could it be that they block the ports even though they have been forwarded? However, 80 and 443 are only open for TCP; could that be an issue?

All of them? It could be.

I think it might be that your ISP changed your IP addresses. Double check your A record. (Let's Encrypt will use AAAA if it exists, so if it exists it needs to be working)

# nmap -6 photos.frankridder.com -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-24 14:10 CET
Nmap scan report for photos.frankridder.com (2001:1c04:3c22:cd00:4216:7eff:feaa:b055)
Host is up.
Other addresses for photos.frankridder.com (not scanned): 84.107.153.151
rDNS record for 2001:1c04:3c22:cd00:4216:7eff:feaa:b055: 2001-1c04-3c22-cd00-4216-7eff-feaa-b055.cable.dynamic.v6.ziggo.nl
All 1000 scanned ports on photos.frankridder.com (2001:1c04:3c22:cd00:4216:7eff:feaa:b055) are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.38 seconds

(Ignore it saying it's up, I told it to say it.)


Is there a better way to check my IP than checking sites like whatsmyip.org? They all show my IPv4 address as 84.107.153.151. I also found a firewall option in my router and completely turned it off for now.

That's probably your correct IPv4.

Indeed, I can now see your services over ipv6:

# nmap -6 photos.frankridder.com -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-24 14:27 CET
Nmap scan report for photos.frankridder.com (2001:1c04:3c22:cd00:4216:7eff:feaa:b055)
Host is up (0.062s latency).
Other addresses for photos.frankridder.com (not scanned): 84.107.153.151
rDNS record for 2001:1c04:3c22:cd00:4216:7eff:feaa:b055: 2001-1c04-3c22-cd00-4216-7eff-feaa-b055.cable.dynamic.v6.ziggo.nl
Not shown: 996 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 11.15 seconds

and ipv4:

# nmap -4 photos.frankridder.com -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2022-02-24 14:28 CET
Nmap scan report for photos.frankridder.com (84.107.153.151)
Host is up (0.023s latency).
Other addresses for photos.frankridder.com (not scanned): 2001:1c04:3c22:cd00:4216:7eff:feaa:b055
rDNS record for 84.107.153.151: 84-107-153-151.cable.dynamic.v4.ziggo.nl
Not shown: 991 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   open     domain
80/tcp   filtered http
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
443/tcp  open     https
445/tcp  filtered microsoft-ds
8080/tcp open     http-proxy
8443/tcp open     https-alt

Nmap done: 1 IP address (1 host up) scanned in 6.55 seconds

I guess I just completely missed the firewall option. I'll ask the community page of my ISP if there is a way to enable the firewall but actually forward the ports. Thank you for the help. It now seems to be able to use HTTP challenge to generate a certificate.

Remember that port forwarding only applies to IPv4, but firewall applies to both IPv4 and IPv6.

With IPv4 it doesn't really matter if your firewall is on or off; with IPv6 each device should have its own, if your router doesn't.

(But the firewall, I mean, it needs to be configurable. I have no hope it is, though)


About this: you can absolutely get away with exposing port 80 on IPv6 only, if you need to validate only. (The redirect http->https will only work for IPv6 clients, if you set it up, but that's it.)


Seems like it isn't sadly. But I have re-enabled it for IPv4. Thank you for the tips as well. I will try to reduce the amount of open ports now that I have it working.


I like this

curl -4 ifconfig.co
curl -6 ifconfig.co
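The checks the thread works through by hand (do the A/AAAA records match the addresses the host really has, is port 80 reachable over each address family separately, and what does a timeout versus a refusal mean) can be scripted. The block below is an added example, not code from the thread, from Traefik or from Let's Debug: it resolves both record types, compares them with the public addresses you obtain from `curl -4 ifconfig.co` and `curl -6 ifconfig.co`, issues the CA's GET for the challenge URL to each literal address, and maps failures to the causes discussed above (router/ISP filtering or a missing IPv4 port forward, a firewall rule on the IPv6 side, a server that answers but does not serve the challenge path). The function names, the command-line usage and the addresses in the comments are assumptions made for the example.

```python
"""Added example (not from the thread, Traefik or Let's Debug): an offline-testable
HTTP-01 reachability check. resolve() and probe_http01() do network I/O;
diagnose() is pure logic over their results."""
import socket
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"


@dataclass
class Finding:
    level: str      # "ok" or "error"
    message: str


def resolve(domain: str) -> Dict[str, List[str]]:
    """{"A": [...], "AAAA": [...]} from the system resolver (empty lists if absent)."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            for info in socket.getaddrinfo(domain, 80, family, socket.SOCK_STREAM):
                if info[4][0] not in records[rtype]:
                    records[rtype].append(info[4][0])
        except socket.gaierror:
            pass
    return records


def probe_http01(addr: str, domain: str, token: str, timeout: float = 10.0) -> Tuple[bool, str]:
    """Send the CA's GET to one literal address (pins the address family);
    the Host header carries the domain so the right vhost/Traefik router answers.
    Returns (success, detail); detail is an HTTP status or the socket error."""
    request = (f"GET {ACME_PATH}{token} HTTP/1.1\r\nHost: {domain}\r\n"
               f"Connection: close\r\n\r\n").encode()
    try:
        with socket.create_connection((addr, 80), timeout=timeout) as sock:
            sock.sendall(request)
            head = b""
            while b"\r\n" not in head:          # read up to the end of the status line
                chunk = sock.recv(1024)
                if not chunk:
                    break
                head += chunk
    except socket.timeout:
        return False, "timeout"
    except ConnectionRefusedError:
        return False, "refused"
    except OSError as exc:
        return False, f"oserror {exc.errno}"
    parts = head.split(b"\r\n", 1)[0].decode("latin-1", "replace").split()
    if len(parts) >= 2 and parts[1].isdigit():
        code = int(parts[1])
        # 200 must carry the key authorization; the CA follows 3xx redirects.
        return code == 200 or 300 <= code < 400, f"http {code}"
    return False, "bad response"


def hint(rtype: str, detail: str) -> str:
    """Map a probe failure to the causes discussed in the thread."""
    if detail == "timeout":
        if rtype == "A":
            return "filtered: router/ISP firewall or missing port forward for 80/tcp"
        return "filtered: firewall rule (IPv6 has no port forwarding, only filtering)"
    if detail == "refused":
        return "reachable, but nothing listens on port 80 at this address"
    if detail.startswith("http 404"):
        return "web server answers, but the ACME client is not serving the challenge path"
    if detail == "not probed":
        return "no probe result for this address"
    return "unexpected response"


def diagnose(records: Dict[str, List[str]], public: Dict[str, str],
             probes: Dict[str, Tuple[bool, str]]) -> List[Finding]:
    """public = {"A": ipv4 from `curl -4 ifconfig.co`, "AAAA": ipv6 from `curl -6`};
    probes = {address: probe_http01(...) result}. Every listed address must pass."""
    if not records["A"] and not records["AAAA"]:
        return [Finding("error", "no A or AAAA record: nothing for the CA to connect to")]
    findings: List[Finding] = []
    for rtype in ("A", "AAAA"):
        for addr in records[rtype]:
            seen = public.get(rtype)
            if seen and seen != addr:   # e.g. AAAA pointing at the router, not the server
                findings.append(Finding("error", f"{rtype} {addr} differs from the public "
                                        f"address this host sees ({seen}): DNS points elsewhere"))
            ok, detail = probes.get(addr, (False, "not probed"))
            if ok:
                findings.append(Finding("ok", f"{rtype} {addr}: {detail}"))
            else:
                findings.append(Finding("error", f"{rtype} {addr}: {detail}: {hint(rtype, detail)}"))
    return findings


def check(domain: str, token: str, public: Dict[str, str]) -> List[Finding]:
    """Live run: resolve, probe every address over its own family, diagnose."""
    records = resolve(domain)
    probes = {a: probe_http01(a, domain, token) for addrs in records.values() for a in addrs}
    return diagnose(records, public, probes)


if __name__ == "__main__":
    import sys
    # usage (assumed): python3 http01_probe.py example.com <token> [public-ipv4] [public-ipv6]
    args = sys.argv[1:] + ["", ""]
    for f in check(args[0], args[1], {"A": args[2], "AAAA": args[3]}):
        print(f.level.upper(), f.message)
```

Run the probe from a host outside your own network: from inside the LAN a browser request may hairpin through the router or never leave it, which is why "I can reach my site" and "Let's Debug cannot" were both true at the start of this thread. Any token gives a useful answer; a 404 still proves the path is reachable, and it is the timeout that points at the router or ISP.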
