Certbot standalone timeout, IP routable and ports open

#1

I don't understand what is going wrong. On the same machine, I have several certificates and I can't renew any of them for a few days now. I revoked one, cloud-formation.paquerette.eu, and tried to get it again; here is the output. It is the same problem when I want to renew another one: cloud-test.paquerette.eu. I can still reach this address over http or https, so the IP is routable, and ports 80 and 443 are open, as shown in the output of ufw.

Thanks for your help!

My domain is: cloud-formation.paquerette.eu

I ran this command:

certbot certonly --standalone -d cloud-formation.paquerette.eu --agree-tos -m postmaster@paquerette.eu -n

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud-formation.paquerette.eu
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud-formation.paquerette.eu (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud-formation.paquerette.eu/.well-known/acme-challenge/IFmV1_fzvEElzQFlvvJRAP9jumhVZDUKYfbS5CNy_cU: Timeout during connect (likely firewall problem)

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: Infomaniak (Jelastic cloud)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

ufw status verbose :

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                            Action      From
--                            ------      ----
22/tcp                        LIMIT IN    Anywhere
22/tcp (OpenSSH)              ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
80/tcp                        ALLOW IN    Anywhere
443/tcp                       ALLOW IN    Anywhere
22/tcp (v6)                   LIMIT IN    Anywhere (v6)
22/tcp (OpenSSH (v6))         ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
80/tcp (v6)                   ALLOW IN    Anywhere (v6)
443/tcp (v6)                  ALLOW IN    Anywhere (v6)

#2

I tried the same after disabling ufw, and I got this :
Failed authorization procedure. cloud-formation.paquerette.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud-formation.paquerette.eu/.well-known/acme-challenge/j_j54og9RTk2ILywIMDXszreMW73wCT2lHqJ7yJFi9s [185.74.71.249]: "\n\n\n<meta name="referrer" content="origin-when-crossorigin">\n/* eslint-disable */\n\n'use strict"

#3

I just made four requests to http://cloud-formation.paquerette.eu/, the first one took a second or two but worked, and the other connections timed out.

#4

Do you mean it's a performance problem?
nginx is running now, but not when I try to get a certificate in standalone mode. Here is a ping:
ping 185.74.71.249
PING 185.74.71.249 (185.74.71.249) 56(84) bytes of data.
64 bytes from 185.74.71.249: icmp_seq=1 ttl=53 time=24.7 ms
64 bytes from 185.74.71.249: icmp_seq=2 ttl=53 time=24.9 ms
64 bytes from 185.74.71.249: icmp_seq=3 ttl=53 time=24.8 ms
64 bytes from 185.74.71.249: icmp_seq=4 ttl=53 time=25.2 ms
64 bytes from 185.74.71.249: icmp_seq=5 ttl=53 time=24.8 ms
64 bytes from 185.74.71.249: icmp_seq=6 ttl=53 time=25.0 ms
64 bytes from 185.74.71.249: icmp_seq=7 ttl=53 time=24.9 ms
^C
— 185.74.71.249 ping statistics —
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 24.771/24.956/25.224/0.251 ms

#5

I can ping it. I can even connect to https://cloud-formation.paquerette.eu/.

http://cloud-formation.paquerette.eu/ times out. That’s typically a firewall issue.

By the way, why not use Certbot’s --nginx or --webroot plugins?

#6

I have the same issue using the --nginx plugin.
I don't understand why port 80 is closed given the ufw output mentioned before, but you're right: when ufw is disabled, I have the second issue.

#7

I had to reboot the machine and everything went well!
Sorry for that, many thanks for the support!

#8

Hi @paquerette

now I can connect ( https://check-your-website.server-daten.de/?q=cloud-formation.paquerette.eu ):

Domainname                                   Http-Status  redirect  Sec.   G
http://cloud-formation.paquerette.eu/
    185.74.71.249                            200                    0.057  H
https://cloud-formation.paquerette.eu/
    185.74.71.249                            200                    5.703  N
    Certificate error: RemoteCertificateNameMismatch
http://cloud-formation.paquerette.eu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
    185.74.71.249                            404                    0.054  A
    Not Found

Port 80 is open, checking a file in /.well-known/acme-challenge produces the expected http status 404 - not found.

So don't use --standalone; instead use --nginx or --webroot with your running webserver. Standalone must stop your webserver and start its own, but you can use the running webserver directly.

#9

Thank you, the problem was ufw. I activated the logs and there was no mention of port 80; after a reboot (!) I can see port 80 is correctly open and correctly logged…

I’m using standalone mode because I had troubles with apache plugin, I will upgrade to apache and nginx mode soon…

#10

why don’t you try webroot mode?

#11

Standalone must stop your running webserver, so you should only use standalone if the website isn't relevant.

And there is a nginx, so the apache plugin can’t work.

Instead, find your “root” (nginx) and use it:

certbot certonly -a webroot -w yourRoot -d example.com -d cloud-formation.paquerette.eu

The “root” should be defined in your vHost.
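As an added example (not part of the thread and not Certbot's own code), the Python below reproduces the two things the posts above circle around: what file a --webroot run has to serve under /.well-known/acme-challenge/ (the RFC 8555 key authorization, token plus the RFC 7638 thumbprint of the account key), and how to sort an HTTP probe of that URL into the outcomes seen here: the connect timeout of #1, the wrong-content answer of #2 (nginx serving the application instead of the challenge), and the healthy 404 for a non-existent test file of #8. EXAMPLE_JWK is a constructed placeholder, not a real key; the token is the one from post #1; a temporary directory stands in for the nginx root, so the whole thing runs offline. The token check before building a path is the security point: a CA-supplied token is used as a filename, so it is validated as base64url before the filesystem is touched.

```python
"""Stage an ACME http-01 challenge as --webroot would, and classify a probe of it.

Added example; not Certbot code. Assumptions: EXAMPLE_JWK is a placeholder
account key, THREAD_TOKEN is the token quoted in post #1, and the webroot is
a temporary directory instead of the nginx "root".
"""
import base64
import hashlib
import json
import pathlib
import re
import tempfile
import urllib.error
import urllib.request

# RFC 8555 tokens are unpadded base64url with at least 128 bits of entropy (22+ chars).
# The token becomes a filename under the webroot, so validate it before touching disk.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

THREAD_TOKEN = "IFmV1_fzvEElzQFlvvJRAP9jumhVZDUKYfbS5CNy_cU"  # token from post #1

# Constructed EC P-256 key in JWK form; x/y are placeholder strings, not a real key.
EXAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder_x_coordinate_not_a_real_key_000",
    "y": "placeholder_y_coordinate_not_a_real_key_000",
}


def token_is_safe(token):
    """True if the token is plain base64url and therefore safe as a path component."""
    return TOKEN_RE.fullmatch(token) is not None


def jwk_thumbprint(jwk):
    """RFC 7638 thumbprint: required members only, sorted lexicographically, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    if jwk.get("kty") not in required:
        raise ValueError("unsupported key type for thumbprint")
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """Body the CA expects at http://<domain>/.well-known/acme-challenge/<token>."""
    if not token_is_safe(token):
        raise ValueError("token is not base64url; refusing to use it as a filename")
    return f"{token}.{jwk_thumbprint(jwk)}"


def stage_challenge(webroot, token, jwk):
    """Write the key authorization where a --webroot run puts it; returns the file path."""
    body = key_authorization(token, jwk)  # validates the token before any path is built
    path = pathlib.Path(webroot) / ".well-known" / "acme-challenge" / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(body)
    return path


def classify(status, body, expected):
    """Map a probe result onto the failure modes seen in this thread."""
    if status is None:
        return "connect-failed"   # post #1: timeout during connect -> firewall or nothing on :80
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 200:
        return "wrong-content"    # post #2: a different server answered on port 80
    if status == 404:
        return "not-found"        # post #8: port reachable, file missing -> wrong webroot/vhost
    return f"http-{status}"


def probe(url, expected, timeout=10):
    """Fetch the challenge URL like the CA does and classify it (network; not used offline)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"), expected)
    except urllib.error.HTTPError as err:
        return classify(err.code, "", expected)
    except (urllib.error.URLError, OSError):
        return classify(None, "", expected)


def offline_demo():
    """Stage a challenge in a temp dir, read it back, and replay the thread's three failure modes."""
    expected = key_authorization(THREAD_TOKEN, EXAMPLE_JWK)
    with tempfile.TemporaryDirectory() as root:
        served = stage_challenge(root, THREAD_TOKEN, EXAMPLE_JWK).read_text()
    app_js = '<meta name="referrer" content="origin-when-crossorigin">\n/* eslint-disable */'
    return (classify(200, served, expected),
            classify(None, "", expected),
            classify(200, app_js, expected),
            classify(404, "Not Found", expected))


if __name__ == "__main__":
    print(offline_demo())
```

Before running certbot with --webroot, stage a throwaway file the same way and fetch it from outside the host; "connect-failed" points at the firewall (the ufw state in #1 and #9), "not-found" means the port is fine but -w does not match the vhost's root, and "wrong-content" means another listener answered on port 80.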

#12

Happy to see a new certificate:

CN=cloud-formation.paquerette.eu
    valid from 22.02.2019 until 23.05.2019
expires in 90 days    cloud-formation.paquerette.eu - 1 entry

And you have a Grade A, so it’s secure.
