Certbot renew fails challenge, timeout. But can access port 80

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jrreich.duckdns.org

I ran this command:
certbot certonly --standalone

It produced this output:
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: jrreich.duckdns.org
Type: connection
Detail: 24.254.229.212: Fetching http://jrreich.duckdns.org/.well-known/acme-challenge/3id_kGViJ_CvqxBscYAHhQJuEdZ818bVYP63rXd-biA: Timeout during connect (likely firewall problem)

My web server is (include version):
Just using windows powershell to use cert for testing https for a flask server on WSL

The operating system my web server runs on is (include version):
Windows

My hosting provider, if applicable, is:
NA

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
NA

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.24.0


So the really confusing part is that the computer is accessible on the internet and port 80 is open. In fact, after the certbot failed, I ran the command python -m http.server 80 which runs a very simple http server and I even saw the GET from certbot hit:

Hi @jrreich, and welcome to the LE community forum 🙂

Are you using some sort of Geo-location/fencing enforcement device or IP blocklist?

2 Likes

Not that I'm aware of. I can remote desktop to the same computer from virtually anywhere.

This might be some quirk with certbot for windows and IPv6.
Can you disable IPv6?
If not, can you use another ACME client for Windows?

3 Likes

I concur with Rudy about using a different client. Certbot does not always play nice on Windows.

You should check that no other service is running on port 80. I can't find the thread but I'm pretty sure certbot does not always warn when it cannot bind to port 80 (Windows only). Thus, the standalone server it sets up isn't the one actually listening on that port (some Windows Service or even IIS component might be).

Certify the Web is probably the easiest acme client to use on Windows.

3 Likes

Thank you Mike and Rudy. I'll try other ACME clients.

I should've mentioned before, I tried running certbot on WSL and after working out the additional step of setting up a portproxy to the WSL IP address, I still had the same issue where a simple python http server was accessible on the internet, but certbot still failed.

2 Likes

The issue ended up being my ISP blocking port 80 inbound. So while I was able to get to my challenge server and simple Python server using my domain from my LAN, it was not able to complete the challenge from anything external.

Hope this info helps someone else in the future.

https://forums.cox.com/forum_home/internet_forum/f/internet-forum/24187/cox-is-blocking-port-80-incoming-causing-security-certificates-from-installing

1 Like
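The two things this thread had to separate (a challenge fetch that times out from outside, and a LAN test that passes without ever leaving the network) can be reproduced with a script that fetches the challenge URL the way the CA does and classifies the result. This is an added example, not Certbot's or Let's Encrypt's code; the hostname, token and port are assumed, and the local responder is constructed only for the self-test.

```python
import http.server
import ipaddress
import socket
import threading
import urllib.error
import urllib.request

def check_http01(host, token, port=80, timeout=5.0):
    """Fetch the HTTP-01 URL as the CA does; 'timeout' is the thread's "Timeout during connect"."""
    try:
        ip = socket.gethostbyname(host)
    except socket.gaierror as exc:
        return {"status": "dns_error", "detail": str(exc)}
    # Success against a loopback/private IP proves nothing about reachability from the CA
    # (and a hairpin hit on your own public IP from inside the LAN cannot be detected here).
    result = {"ip": ip, "non_public_ip": not ipaddress.ip_address(ip).is_global}
    url = f"http://{host}:{port}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError as exc:
        result.update(status="http_error", detail=f"HTTP {exc.code}")
    except OSError as exc:  # URLError wraps connect failures; read timeouts come bare
        reason = getattr(exc, "reason", exc)
        if isinstance(reason, (socket.timeout, TimeoutError)):
            result.update(status="timeout", detail="no connection: filtered upstream (firewall/ISP)")
        elif isinstance(reason, ConnectionRefusedError):
            result.update(status="refused", detail="host reached, nothing listening on the port")
        else:
            result.update(status="error", detail=str(reason))
    else:
        result.update(status="ok" if body == token else "wrong_content", detail=body[:80])
    return result

class _TokenHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for Certbot's standalone responder (constructed for the self-test)."""
    token = ""
    def do_GET(self):
        if self.path != f"/.well-known/acme-challenge/{self.token}":
            return self.send_error(404)
        body = self.token.encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

def serve_token(token, port=0):
    """Serve <token> on 127.0.0.1:<port> (0 = any free port); returns (server, port)."""
    handler = type("H", (_TokenHandler,), {"token": token, "log_message": lambda *a: None})
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Run it from a host outside your own network against the real domain on port 80; from inside the LAN a hairpin hit on your public IP looks identical to a real success.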

Possibly change ISP.

1 Like

Wish I could. It's the only one in my neighborhood unfortunately.

They said I could upgrade to a business plan and they don't have any port filtering.

Yeah, COX states "80 TCP HTTP Inbound Web servers, worms"
I think they are just wanting to block Web traffic from home servers so they can make more money.

1 Like