Certbot stand-alone return error Timeout during connect (likely firewall problem)

Please help. I cannot generate the certificate for my domain using standalone mode. I've done a test on Letsdebug.net and it said that the connection is OK, but when I run certbot I still get the Timeout error.

My domain is: chat.campdi.vn

I ran this command:
certbot certonly --standalone --preferred-challenges http --http-01-port 80 -d chat.campdi.vn

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Requesting a certificate for chat.campdi.vn
Performing the following challenges:
http-01 challenge for chat.campdi.vn
Waiting for verification...
Challenge failed for domain chat.campdi.vn
http-01 challenge for chat.campdi.vn
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: chat.campdi.vn
    Type: connection
    Detail: During secondary validation: 1.53.141.231: Fetching
    http://chat.campdi.vn/.well-known/acme-challenge/PxiFDSK54lNo7h7ILzF0yK7mgxQxjFlIP4riEoi_1Mc:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): haproxy

The operating system my web server runs on is (include version): centos 7

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is 1.11.0

Please see:

I'm getting something different:

ANotWorking

ERROR

chat.campdi.vn has an A (IPv4) record (1.53.141.231) but a request to this address over port 80 did not succeed. Your web server must have at least one working IPv4 or IPv6 address.

1 Like

Hi, can you help to check the domain chatbotchang.fpt.vn? I've set up a new domain to confirm if there are any problems. Letsdebug works fine for this domain.

[Let's Debug](https://letsdebug.net/)

Test result for chatbotchang.fpt.vn using http-01

All OK!

OK

No issues were found with chatbotchang.fpt.vn. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

The --standalone method is difficult to debug because you need to keep Certbot running to test connection from the public internet.

An easier way to test this is to use these command options:

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain) --http-01-port 80

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test the connection. You can use a mobile phone with wifi disabled so that you use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works, this shorter URL should show a response like the one below. The error in your first post said "Secondary validation", which is a problem just from certain locations. Osiris already linked to an article about that. Make sure your domain can be reached from anywhere.

ACME client standalone challenge solver
4 Likes
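
The outside-in check described in the reply above, written as a script. This is an added example, not part of the original posts and not Certbot's own code. It assumes `curl` is installed on a machine outside your network; the function names `classify_probe`, `explain` and `probe_domain` and the hostname in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Run from a network OUTSIDE your own
# while certbot is paused at "Press Enter to Continue".

# Body the thread shows for a working http://(yourdomain) request.
EXPECTED_BODY="ACME client standalone challenge solver"

# classify_probe CURL_EXIT_CODE BODY -> prints one verdict keyword.
classify_probe() {
    case "$1" in
        0)  case "$2" in
                *"$EXPECTED_BODY"*) echo "certbot-reached" ;;
                *)                  echo "other-server-answered" ;;
            esac ;;
        6)  echo "dns-failure" ;;       # curl: could not resolve host
        7)  echo "connect-failed" ;;    # curl: refused or unreachable
        28) echo "timeout" ;;           # curl: operation timed out
        *)  echo "curl-error-$1" ;;
    esac
}

# explain VERDICT -> prints what the verdict means for the http-01 challenge.
explain() {
    case "$1" in
        certbot-reached)       echo "Port 80 reaches certbot from this network." ;;
        other-server-answered) echo "Something other than certbot answered on port 80." ;;
        dns-failure)           echo "Name did not resolve; check the A/AAAA records." ;;
        connect-failed)        echo "Nothing accepted the connection on port 80." ;;
        timeout)               echo "No reply (matches 'Timeout during connect'); check firewalls." ;;
        *)                     echo "Unexpected curl failure ($1)." ;;
    esac
}

# probe_domain DOMAIN -> one plain-HTTP request, then verdict and explanation.
probe_domain() {
    body=$(curl -s --connect-timeout 10 --max-time 15 "http://$1/" 2>/dev/null)
    rc=$?
    verdict=$(classify_probe "$rc" "$body")
    printf '%s: %s\n' "$1" "$verdict"
    explain "$verdict"
    [ "$verdict" = "certbot-reached" ]
}

# Usage: sh probe.sh chat.example.org   (hostname is a placeholder)
if [ "$#" -gt 0 ]; then
    probe_domain "$1"
fi
```

Because the error in this thread came from secondary validation, one passing run proves reachability from that network only; repeat it from more than one outside network.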
