Cert expired, certbot command is timed out and no outbound connections on Ubuntu now

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crosscurrentpublisher.com

I ran this command:

It produced this output:

My web server is (include version): nginx/1.10.3

The operating system my web server runs on is (include version): Ubuntu 14.04

My hosting provider, if applicable, is: Godaddy

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, SSH is working

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

So my certificate expired even though I had it on auto renewal.
I can see 3 certs in /etc/letsencrypt/archives/crosscurrentpublisher.com
I can SSH into my server.

Problem - all my outgoing connections drop after the certificate expires (it expires even when autorenew is enabled). This is the 2nd server that's happening on; on the 1st server I backed up the data and rebuilt the server because I thought it might be a networking issue, but it happened again.

Any help?

Outbound connections being dropped would certainly prevent autorenewal from working.

It seems like inbound connections work fine, so if you cannot establish a connection to any outbound server, I would guess that a firewall rule is the culprit.

What does this show?

curl -m10 -v https://acme-v02.api.letsencrypt.org/directory
* Trying 172.65.32.248...
* Trying 2606:4700:60:0:f53d:5624:85c7:3a2c...
* After 4986ms connect time, move on!
* connect to 172.65.32.248 port 443 failed: Connection timed out
* After 2383ms connect time, move on!
* connect to 2606:4700:60:0:f53d:5624:85c7:3a2c port 443 failed: Connection timed out
* Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out
* Closing connection 0
curl: (7) Failed to connect to acme-v02.api.letsencrypt.org port 443: Connection timed out

I can ping my gateway, but not any further. This problem only arises after the cert is expired.

‘sudo iptables -L’ outputs this -
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

This does not seem plausible. An SSL certificate has no effect on OS networking. More likely, no outbound connectivity is the reason the certificate expired in the first place.

I’m not sure how much help you’ll be able to find on this forum for a problem of this nature. Have GoDaddy support told you anything?

Not much help from GoDaddy because it's a self-managed VPS.
But thanks for confirming that an SSL cert has no effect on OS networking.
I will run network diagnostics and post the results.

‘ip route’ outputs this:

default via 10.217.7.254 dev eth0
10.217.4.0/22 dev eth0 proto kernel scope link src 10.217.4.149
107.180.92.207 dev eth0 scope link

but it should’ve been this:
default via 10.217.7.254 dev eth0 proto static src 107.180.92.207 metric 1024
10.217.4.0/22 dev eth0 proto kernel scope link src 10.217.4.149
107.180.92.207 dev eth0 scope link

The first line:
default via 10.217.7.254 dev eth0 proto static src 107.180.92.207 metric 1024

for some reason got changed to
default via 10.217.7.254 dev eth0 (proto static src 107.180.92.207 metric 1024 was removed)

I deleted the default route and added it again, and it got fixed.

However, I have no idea how it got changed as the certificate became due for renewal.

Anyway, thanks for the help!!
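
The route drift found above can be caught before a renewal attempt times out. The following is an added example, not part of the original posts: it parses `ip route` output and reports when the default route no longer carries the expected `src`. The two route tables are the ones quoted in the thread; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect the default-route drift described in the thread.
# Route tables are copied from the posts; function names are hypothetical.

BROKEN_ROUTES='default via 10.217.7.254 dev eth0
10.217.4.0/22 dev eth0 proto kernel scope link src 10.217.4.149
107.180.92.207 dev eth0 scope link'

GOOD_ROUTES='default via 10.217.7.254 dev eth0 proto static src 107.180.92.207 metric 1024
10.217.4.0/22 dev eth0 proto kernel scope link src 10.217.4.149
107.180.92.207 dev eth0 scope link'

# Print the value following a keyword (src, via, dev, ...) on the default
# route line. Prints nothing if there is no default route or no such keyword.
default_route_field() {
    # $1 = `ip route` output, $2 = keyword
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 == "default" {
            for (i = 2; i < NF; i++)
                if ($i == key) { print $(i + 1); exit }
        }'
}

# Return 0 if the default route pins the expected source address,
# 1 if src is missing or different, 2 if there is no default route at all.
check_default_route() {
    # $1 = `ip route` output, $2 = expected source address
    if ! printf '%s\n' "$1" | grep -q '^default '; then
        echo "no default route" >&2
        return 2
    fi
    actual=$(default_route_field "$1" src)
    if [ "$actual" != "$2" ]; then
        echo "default route src is '${actual:-<none>}', expected '$2'" >&2
        return 1
    fi
    return 0
}

# Live use (needs iproute2): check_default_route "$(ip route)" 107.180.92.207
```

Run from cron ahead of `certbot renew`, a non-zero exit status flags the routing problem while the certificate is still valid.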
