Certbot complaining that it can't connect to domain... but it can/should be able to?


#1

Hi… I’m pulling my hair out with certbot. Can anyone help… as far as I can see everything should be working. tower.wilmo.uk is a CNAME of my DDNS.

If I dig tower.wilmo.uk I get all the right data.

If I manually visit http://tower.wilmo.uk I get a response…

and the Certbot directories necessary: http://tower.wilmo.uk/.well-known/acme-challenge/here.html

Certbot keeps complaining that it can’t connect to the ‘qYzf0b4CQK5gEoxI7cKuBxZttQDESDMrz8w4OBXVafo’ subdirectory, which is expected as I can’t set up that directory structure beforehand as I have no idea what the string will be. Isn’t Certbot supposed to make those files itself?

My domain is: tower.wilmo.uk (cname of my ddns)

I ran this command: certbot --nginx

It produced this output:

Failed authorization procedure. tower.wilmo.uk (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://tower.wilmo.uk/.well-known/acme-challenge/qYzf0b4CQK5gEoxI7cKuBxZttQDESDMrz8w4OBXVafo: Timeout

I’ve “chowned” the website files/folders to both root:root and www-data:www-data and neither works.

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: self hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

If I try to connect, it times out.

Have you been able to connect from another network, or just inside your own network?

Maybe the firewall or port forwarding on your router need to be changed, or maybe your ISP blocks port 80.

Yes, Certbot should create (and then delete) the file itself.

A timeout error isn’t specific to the URL involved, it means the client can’t connect to port 80 on the IP address at all. Other problems would probably result in a successful connection and then a 404 Not Found HTTP error or similar.


#3

$ host tower.wilmo.uk
tower.wilmo.uk is an alias for mcai8rw2.ddns.net.
mcai8rw2.ddns.net has address 86.133.230.7

86.133.230.7 is unreachable; maybe your dynamic DNS (mcai8rw2.ddns.net) did not get updated?

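Replies #2 and #3 together describe the diagnostic a person in this situation wants before re-running Certbot: resolve the name the way `host` does (following the CNAME to the DDNS A record), see whether port 80 on that address accepts a connection at all, and if it does, fetch a file under /.well-known/acme-challenge/ so that a timeout (nothing reachable: firewall, port forwarding, ISP block, or stale DDNS) can be told apart from a 404 (server reachable, wrong webroot). The script below is an added example, not code from the thread or from Certbot; the hostname and probe file name are taken from post #1 and the `here.html` probe is assumed to be a file you put there yourself, as the original poster did.

```python
import http.client
import socket

ACME_PATH = "/.well-known/acme-challenge/"


def resolve(hostname):
    """Return the IPv4 addresses the resolver gives for hostname (CNAMEs are followed, as `host` does)."""
    infos = socket.getaddrinfo(hostname, 80, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip, port=80, timeout=5.0):
    """Probe one TCP port. Returns "open", "timeout", "refused" or "error:<reason>"."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"error:{exc.strerror or exc}"


def fetch_status(host, ip, path, port=80, timeout=5.0):
    """GET path from ip with the Host header set to the domain, returning the HTTP status code."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def classify(connect_result, http_status=None):
    """Map a probe outcome onto the two failure classes reply #2 distinguishes."""
    if connect_result == "timeout":
        return "network: nothing answers on port 80 (firewall, port forwarding, ISP block, or stale DDNS)"
    if connect_result == "refused":
        return "network: host reachable but no listener on port 80"
    if connect_result != "open":
        return f"network: {connect_result}"
    if http_status == 200:
        return "ok: challenge path is served"
    if http_status == 404:
        return "webserver: port 80 reachable, but the challenge path is not served from the expected root"
    return f"webserver: unexpected HTTP status {http_status}"


def preflight(hostname, probe_file="here.html", timeout=5.0):
    """Run resolve -> connect -> fetch for every address and return {ip: verdict}."""
    report = {}
    for ip in resolve(hostname):
        connect_result = tcp_connect(ip, 80, timeout)
        status = None
        if connect_result == "open":
            status = fetch_status(hostname, ip, ACME_PATH + probe_file, 80, timeout)
        report[ip] = classify(connect_result, status)
    return report


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "tower.wilmo.uk"  # hostname from post #1
    for addr, verdict in preflight(target).items():
        print(f"{addr}: {verdict}")
```

Run it from a machine outside your own network, since reply #2 points out that a check from inside the LAN can succeed while the validation servers still time out; a "network" verdict means the web server configuration is not the place to look.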

#4

Oh FFS… I just realised what was causing the issue.

I run Sophos UTM 9 as my firewall. Sophos UTM 9 has a “Country Blocking Service” that blocks connections from your chosen countries.

This was switched on… so no WONDER the Let’s Encrypt servers couldn’t connect.

::facepalm::

I turned “country blocking” off… and hey presto, it worked straight away.

Thanks for your reply all the same.
