Can not renew a cert with certbot: Timeout during connect (likely firewall problem)

After repeated tries I’m not able to renew my certificates with certbot;
I’ve tried to renew with

  1. sudo certbot --nginx
  2. sudo certbot --authenticator standalone --installer nginx -d nutthause.com -d helios.nutthause.com -d media2.nutthause.com -d silo-omv.nutthause.com -d silo2-omv.nutthause.com -d www.nutthause.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"
  3. certbot --duplicate --nginx
  4. sudo certbot renew --preferred-challenges http --nginx
  5. /usr/bin/certbot --duplicate --nginx certonly
  6. sudo certbot renew --dry-run

Please let me know if there is anything else I need to supply to get my certificates renewed.

My domain is:
nutthause.com

I ran this command:
sudo certbot renew --preferred-challenges http --nginx

It produced this output:
sudo certbot renew --preferred-challenges http --nginx
[sudo] password for “a user name”:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/nutthause.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for helios.nutthause.com
http-01 challenge for media2.nutthause.com
http-01 challenge for nutthause.com
http-01 challenge for silo-omv.nutthause.com
http-01 challenge for silo2-omv.nutthause.com
http-01 challenge for www.nutthause.com
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Using default address 80 for authentication.
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (nutthause.com) from /etc/letsencrypt/renewal/nutthause.com.conf produced an unexpected error: Failed authorization procedure. helios.nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://helios.nutthause.com/.well-known/acme-challenge/heVb70QWW0VMnfrpN2fkZPop0jj0J7RtBYIFE7mU2Cg: Timeout during connect (likely firewall problem), silo-omv.nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://silo-omv.nutthause.com/.well-known/acme-challenge/A_FtHe8JMcYP5fA6-ijwOiYA1SBpGMVxWsAYTqzWi-g: Timeout during connect (likely firewall problem), www.nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.nutthause.com/.well-known/acme-challenge/Lq6Adlal4_oYAwblJJGLiIuV-J2rOtIw_D-SqXISUHI: Timeout during connect (likely firewall problem), media2.nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://media2.nutthause.com/.well-known/acme-challenge/1U3W_CAgeOUmjNr_4atYA29_liXTy-DjjQlGeiVeckg: Timeout during connect (likely firewall problem), silo2-omv.nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://silo2-omv.nutthause.com/.well-known/acme-challenge/kvT1Xzksdber3l9Fx2DZ3_Vvx4yOWPT3MakfVbCW59c: Timeout during connect (likely firewall problem), nutthause.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://nutthause.com/.well-known/acme-challenge/1XI4hgfkGpHr6Bm7fbGA09wdbGYyWYmfWZH_O8_kUqQ: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nutthause.com/fullchain.pem (failure)


All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/nutthause.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

My web server is (include version):
dpkg -l nginx:
nginx 1.10.3-0ubuntu0.16.04.3

The operating system my web server runs on is (include version):
Linux Mint 18 Sarah based on Ubuntu 16.04

My hosting provider, if applicable, is:
Zoneedit is hosting my domain

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

The nginx webserver is sitting behind a Smoothwall firewall with these port forwarding rules:
1 ACCEPT tcp – anywhere www.nutthause.com state NEW tcp dpt:http
2 ACCEPT tcp – anywhere www.nutthause.com state NEW tcp dpt:https

Please note that when I'm not renewing the certificates these Smoothwall forwarding rules are disabled; they are only enabled while renewing the certificates.

The webserver has these firewall rules:
sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                  (log)
443/tcp                    ALLOW       Anywhere                  (log)
80/tcp                     ALLOW       Anywhere                  (log)
22/tcp (v6)                ALLOW       Anywhere (v6)             (log)
443/tcp (v6)               ALLOW       Anywhere (v6)
80/tcp (v6)                ALLOW       Anywhere (v6)

22                         ALLOW OUT   Anywhere                  (log)
22 (v6)                    ALLOW OUT   Anywhere (v6)             (log)


Here is the tail -f letsencrypt.log of the above command: “sudo certbot renew --preferred-challenges http --nginx”


Please use this ubuntu pastebin https://paste.ubuntu.com link below to view the letsencrypt.log:
https://paste.ubuntu.com/p/8X8D88tFJr/

Thanks

Hi @linuxnutt

there is a check of your domain, ~3 hours old - https://check-your-website.server-daten.de/?q=nutthause.com

Your https works, your port 80 doesn't answer:

Domainname                                                                                 IP              Http-Status  redirect  Sec.    G
http://nutthause.com/                                                                      72.211.215.143  -14                    10.027  T
  Timeout - The operation has timed out
http://www.nutthause.com/                                                                  72.211.215.143  -14                    10.026  T
  Timeout - The operation has timed out
https://nutthause.com/                                                                     72.211.215.143  200                    2.326   A
https://www.nutthause.com/                                                                 72.211.215.143  200                    1.640   A
http://nutthause.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de     72.211.215.143  -14                    10.024  T
  Timeout - The operation has timed out
  Visible Content: (empty)
http://www.nutthause.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 72.211.215.143  -14                    10.027  T
  Timeout - The operation has timed out
  Visible Content: (empty)

Only timeouts.

You have a lot of older certificates, started 2017-02-03 23:27:00. Perhaps you have used tls-sni-01 validation / port 443; that's no longer supported, support ended ~2019-03-15. It looks like you created your last certificate via tls-sni-01 validation.

So it's impossible to check your configuration. Please open your firewall, then recheck your domain.

The smoothwall firewall port forwarding rules are enabled

There is a new check - https://check-your-website.server-daten.de/?q=nutthause.com - same picture, only timeouts.

If it is a home server: does your ISP block port 80?

Or compare your port 80 settings with your port 443 settings. Does port 80 work internally?


Yes, I'm sure my ISP is blocking port 80 (and it is a home server) even though it is open on the firewall. Yes, I know tls-sni-01 validation is disabled. But in the past I was able to renew with https; is there a new https "tls-something" for renewing, since I'm sure port 80 is being blocked by the ISP? So for me an http authenticator will not work. What are my options to renew my certificate?
Thanks

There is tls-alpn-01 - but it’s not (yet?) supported by certbot, so you would have to use another client. The other option is the DNS challenge, but that’s awkward if your DNS provider doesn’t have an API.


You have one certificate with a lot of domain names:

CN=nutthause.com (8117)   26.02.2019   27.05.2019   expires in 3 days
helios.nutthause.com, media2.nutthause.com, nutthause.com, silo-omv.nutthause.com, silo2-omv.nutthause.com, www.nutthause.com - 6 entries

But it should always be possible to use dns-01 validation with --manual one time.

So you have 60 - 80 days to check clients with tls-alpn-01 support (like acme.sh).

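Added example (not code from the thread, from certbot or from acme.sh): the three challenge types discussed above (http-01, dns-01, tls-alpn-01) all derive their proof from the same challenge token and ACME account key, and differ only in where the CA goes looking for it, which is exactly why a blocked port 80 rules out one of them but not the others. The token is the one from the failed helios.nutthause.com attempt in the log above; the account key is a constructed dummy JWK (not a real key and not the poster's), and the function names, the port annotations and the reuse of one token for several names are assumptions made for illustration. The derivations follow RFC 8555 (key authorization, http-01, dns-01), RFC 8737 (tls-alpn-01) and RFC 7638 (JWK thumbprint).

```python
# Added example (not from the thread, certbot or acme.sh): what the CA must be
# able to reach for each ACME challenge type, derived from one challenge token
# and one account key. Function names, the dummy JWK and the port/ALPN
# annotations are assumptions for this illustration; the arithmetic follows
# RFC 8555 (http-01, dns-01), RFC 8737 (tls-alpn-01) and RFC 7638 (thumbprint).
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Extra members such as 'alg' or 'kid' do not change it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: ties the challenge response to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_responses(domain: str, token: str, jwk: dict) -> dict:
    """For one identifier: the value the CA checks under each challenge type,
    and where it checks it. Only the port of the chosen type must be reachable."""
    keyauth = key_authorization(token, jwk)
    digest = hashlib.sha256(keyauth.encode("ascii")).digest()
    return {
        "http-01": {
            "port": 80,  # plain HTTP from the CA to the host: what timed out above
            "url": f"http://{domain}/.well-known/acme-challenge/{token}",
            "body": keyauth,
        },
        "dns-01": {
            "port": 53,  # only the authoritative DNS must answer, not the web host
            "name": f"_acme-challenge.{domain}",
            "txt": b64url(digest),
        },
        "tls-alpn-01": {
            "port": 443,  # TLS handshake with ALPN acme-tls/1; the self-signed
            "alpn": "acme-tls/1",  # cert carries this digest in acmeIdentifier
            "acme_identifier_sha256_hex": digest.hex(),
        },
    }


# Token copied from the failed http-01 attempt in the post above. In a real
# order every identifier gets its own token; one is reused here for brevity.
TOKEN = "heVb70QWW0VMnfrpN2fkZPop0jj0J7RtBYIFE7mU2Cg"
# Constructed dummy JWK (not a real key): only its shape matters here.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 65)))}

if __name__ == "__main__":
    for name in ("nutthause.com", "helios.nutthause.com"):
        for ctype, info in challenge_responses(name, TOKEN, SAMPLE_JWK).items():
            print(f"{name:22} {ctype:12} port {info['port']:<4}",
                  {k: v for k, v in info.items() if k != "port"})
```

Run it and compare the http-01 URL it prints with the one in the certbot error: that URL is fetched by the CA over port 80, so no local nginx or ufw setting helps when the ISP drops the connection upstream. The dns-01 row shows the TXT name and value you would publish by hand with `certbot --manual --preferred-challenges dns`, and the tls-alpn-01 row shows what a client such as acme.sh must present on port 443, the port that the check above already showed to be reachable.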
