I just can't get it to work; it always fails. When certbot is requesting the certificate, I checked whether the token URL is reachable from the outside, and it is:
Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
My web server is (include version): nginx version: nginx/1.22.1
The operating system my web server runs on is (include version): Debian GNU/Linux 12 (bookworm)
My hosting provider, if applicable, is: selfhosted
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.1.0
Are you sure it's reachable from everywhere? I tried a different tool and it's showing a failure to connect from some parts of the world.
The "timeout after connect" isn't the most common failure we see, as that means that the initial connection worked but then it stopped receiving packets from the server. Can you give more details on any firewalling that exists in front of your server?
Strange, is the URL Welcome to nginx! also not reachable from some locations? There shouldn't be any region block, and I'm not seeing any blocked traffic to the IP/URL. Can you give an example IP from where it failed? Or a tool that failed?
The firewall is a Palo Alto with deep packet inspection, so I can see a lot of information.
I added acme-protocol as an allowed application and now it works. It's still strange that it didn't show up as 'blocked' or 'drop', just as port 80, web-browsing, allowed. It's now showing as port 80, acme-protocol, allowed.
Again, thanks for the help. It was driving me crazy.
It is. When we've seen those issues before, I remember seeing "connection reset by peer" rather than "timeout after connect." But it's good that that has it working.
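A small self-check for the distinction drawn in this thread (a connection that is refused outright, one that connects but then goes silent, and one that is reset mid-flow), written as an added Python example that is not part of the thread and not Certbot's code. The in-process fake servers, the `closed_port` helper and the token value are constructed for illustration; against a real host you would point `probe_http01` at the public name and port 80 from outside the firewall.

```python
import socket
import struct
import threading
ACME_PATH = "/.well-known/acme-challenge/"

def probe_http01(host, port, token, timeout=5.0):
    # Fetch an HTTP-01 token over plain HTTP and report how the attempt ended.
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError:                       # refused, unreachable, or no SYN-ACK at all
        return "connect_failed"
    data = b""
    try:
        req = f"GET {ACME_PATH}{token} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
        s.sendall(req.encode())
        while chunk := s.recv(4096):      # read until the server closes
            data += chunk
    except socket.timeout:                # handshake worked, then silence (the symptom above)
        return "timeout_after_connect"
    except ConnectionResetError:          # RST mid-flow, the more usual firewall signature
        return "reset_by_peer"
    finally:
        s.close()
    if data.startswith(b"HTTP/1.1 200") and data.endswith(token.encode()):
        return "ok"
    return "bad_response"

def start_fake_server(behaviour, token):  # constructed stand-in for the origin server
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        conn.recv(4096)                   # consume the request line and headers
        if behaviour == "ok":
            conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(token), token.encode()))
        elif behaviour == "reset":        # SO_LINGER 0 makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:                             # "hang": never answer; the client must time out
            conn.recv(4096)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def closed_port():  # a localhost port with nothing listening (constructed refused case)
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]         # closed on exit, so connects there are refused
```

A firewall that drops packets after the handshake shows up here as `timeout_after_connect`, while one that actively tears the session down shows up as `reset_by_peer`.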