I would like to point out that I have done all the checks on the firewall and that port 80 is open for my SMTP server.
After typing the command certbot certanly --standalone -d smtp.example.com keeps giving me the error: Fetching http://smtp.example.com/.well-known/acme-challenge/b9MhloMPFv0kOJMvmOlZje8CeIrg7ssvx82k126IgQA: Timeout during connect ( likely firewall problem).
Hello @metodi,
Is your ISP blocking Port 80?
Well, one of this is wrong then. It's hard to help without the actual domain name. If you want to test connectivity from around the world, run certbot with --debug-challenges which will pause the process with its standalone web server running so that you can try connecting from outside your network. If you don't want to share your domain name here, but are willing to put it into online tools, you might want to try some of these:
Also, use --dry-run on your certbot command while diagnosing, in order to use the staging environment which has more generous rate limits.
When you opened this thread in the Help section, you should have been provided with a questionnaire. Maybe you didn't get it somehow (which is weird), or you've decided to delete it. In any case, all the answers to this questionnaire are required:
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
NO.
I ran the command with debug:
certbot certanly --standalone -d smtp.example.com --debug-challenge
I checked the server to verify that port 80 was listening:
netstat -tanp
port 80 is listening.
I checked from a browser from an external network if my server responded on port 80 and the test went well.
Here's what I saw in my browser after typing http://smtp.example.com
ACME client standalone challenge solver
I don't know what to do beyond that
That is reaching Certbot. But, if the challenge still fails there must be something blocking requests from the Let's Encrypt servers. Do you have a firewall that blocks certain IP ranges or geographic areas?
Try running standalone again with --debug-challenges. While it is waiting run a Let's Debug test or try connecting from something like site24x7. Both of these were provided in Peter's post earlier.
Last year, for example, we saw Palo Alto brand firewalls changed their default so were blocking any URL formatted for an acme challenge (had: /.well-known/acme-challenge in it). Do you have one of those that is still blocking these?
We would probably resolve this quicker if you provided your domain name.
Thank Peter!!! I had geo filters set up on my firewall.
Can you tell me the geographical region that will issue the certificate renewals.
US?
If you mean which geographic regions are used for validations...
You need to expect them from everywhere on the Internet.
That means HTTP should not be GEO blocked.
HTTPS can be GEO blocked.
Considering you are using --standalone, there is no real risk for HTTP; As it isn't being used 24/7.
Additional "for instance": DNS requests should never be GEO blocked.
Thanks Peter.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.