Authorization timed out

Hey everyone. I’ve tried searching for the errors below, but they seem to be different enough that I’m not sure it relates. I’ve tried some of the fixes, like adding a CAA to our DNS, but nothing is working.

My domain is: electronicoffice.net

I ran this command: wacs (windows)

It produced this output:

[DBUG] Scanning IIS sites
[INFO] Target generated using plugin IISSite: cw.electronicoffice.net
[DBUG] Scanning IIS sites
[VERB] Checking [IISSite] PSA
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/new-order

[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/authz/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg
[INFO] Authorize identifier: cw.electronicoffice.net
[INFO] Authorizing cw.electronicoffice.net using http-01 validation (SelfHosting)
[DBUG] Submitting challenge answer
[DBUG] Send POST request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[DBUG] Refreshing authorization
[DBUG] Send GET request to https://acme-v02.api.letsencrypt.org/acme/challenge/W3mDf3t4oX6TCy1I9H6BtXQq_fj3ksCHGHbvYmEpqKg/19273187504
[EROR] Authorization timed out
[EROR] Create certificate failed: Authorization failed

My web server is (include version): IIS 6.2

The operating system my web server runs on is (include version): 2012 R2

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): A simple Windows ACMEv2 client, 2.0.9.386

:wave: Hi @Lectoid,

I’m not sure why your ACME client isn’t showing you the real error that Let’s Encrypt returned trying to authorize your domain. That error is:

  "error": {
    "type": "urn:ietf:params:acme:error:connection",
    "detail": "Fetching http://cw.electronicoffice.net/.well-known/acme-challenge/c-QHaMhW3sICAmd_KouQzAhUc3XjWEB1HRoznka_eI4: Timeout during connect (likely firewall problem)",
    "status": 400
  },

If you’re the maintainer of the ACME client you should adjust the code to show the problem details returned when an authorization challenge fails. If you aren’t the maintainer it might be worth checking if there’s an available upgrade or a feature request that would address that.

As for the error itself: can you verify that the http://cw.electronicoffice.net/.well-known/acme-challenge/ directory is externally accessible? It looks like there may be a firewall blocking access.

1 Like
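What surfacing the problem document could look like, as an added example (not wacs code and not part of the posts above): it reads an RFC 8555 authorization or challenge object and reports the `error` member of each failed challenge. The sample object is constructed around the error quoted above; the tokens, the hint wording and the function names are assumptions of this example.

```python
import json

# Constructed sample: an authorization object shaped per RFC 8555. The "error"
# member is the one quoted in the reply above; tokens are placeholders.
SAMPLE_AUTHZ = json.loads("""
{"identifier": {"type": "dns", "value": "cw.electronicoffice.net"},
 "status": "invalid",
 "challenges": [
  {"type": "http-01", "status": "invalid", "token": "constructed-token",
   "error": {"type": "urn:ietf:params:acme:error:connection", "status": 400,
    "detail": "Fetching http://cw.electronicoffice.net/.well-known/acme-challenge/c-QHaMhW3sICAmd_KouQzAhUc3XjWEB1HRoznka_eI4: Timeout during connect (likely firewall problem)"}},
  {"type": "dns-01", "status": "pending", "token": "constructed-token-2"}]}
""")

PREFIX = "urn:ietf:params:acme:error:"
# Hint text is this example's own wording, keyed by RFC 8555 error types.
HINTS = {
    "connection": "CA could not connect: check that port 80 is open and bound",
    "dns": "CA could not resolve the name: check the DNS records",
    "unauthorized": "CA reached the server but rejected the challenge response",
    "caa": "a CAA record forbids this CA from issuing",
}

def challenge_failures(obj):
    """Accept an authorization object or a single challenge object and
    return one dict per invalid challenge that carries a problem document."""
    name = obj.get("identifier", {}).get("value", "?")
    failures = []
    for chal in obj.get("challenges", [obj]):
        problem = chal.get("error")
        if chal.get("status") != "invalid" or not problem:
            continue
        kind = problem.get("type", "")
        short = kind[len(PREFIX):] if kind.startswith(PREFIX) else kind
        failures.append({"identifier": name, "challenge": chal.get("type"),
                         "error": short, "detail": problem.get("detail", ""),
                         "hint": HINTS.get(short, "see detail")})
    return failures

def report(obj):
    """Render the failures as log lines instead of a bare 'timed out'."""
    lines = [f"{f['identifier']} {f['challenge']} failed: {f['error']}: "
             f"{f['detail']} ({f['hint']})" for f in challenge_failures(obj)]
    return lines or [f"authorization {obj.get('status')}, no problem document"]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_AUTHZ)))
```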

Hi @Lectoid

your http port 80 doesn't answer ( https://check-your-website.server-daten.de/?q=cw.electronicoffice.net ):

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://cw.electronicoffice.net/ 66.219.25.103 | -14 | | 10.023 | T |
| Timeout - The operation has timed out | | | | |
| https://cw.electronicoffice.net/ 66.219.25.103 | 200 | | 3.914 | B |
| Manage 66.219.25.103 | -14 | | 10.034 | T |
| Timeout - The operation has timed out | | | | |

Visible Content:

Is there a firewall or something else?

Is port 80 configured?

Perhaps share your bindings.

2 Likes

Is it ok if I have port 80 redirect to port 443?

Yes, the HTTP-01 validation request will follow the redirect.

JuergenAuer called it. We had port 80 turned off because there was no need for it to be on since we only use 443 to that site. I put a redirect in and turned on port 80 and letsencrypt worked the first time through.

Thanks everyone.

2 Likes

Great! Glad to hear you’re all set now. Thanks for reporting back.
