Certbot standalone timeout, ip routable and ports open

I don’t understand what is going wrong. On the same machine, I have several certificates and I haven’t been able to renew any of them for a few days. I revoked one: cloud-formation.paquerette.eu, tried to get it again, and here is the output. It is the same problem when I want to renew another one: cloud-test.paquerette.eu. I can still reach this address over http or https, so the IP is routable, and ports 80 and 443 are open, as shown in the output of ufw.

Thanks for your help!

My domain is: cloud-formation.paquerette.eu

I ran this command:

certbot certonly --standalone -d cloud-formation.paquerette.eu --agree-tos -m postmaster@paquerette.eu -n

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud-formation.paquerette.eu
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. cloud-formation.paquerette.eu (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cloud-formation.paquerette.eu/.well-known/acme-challenge/IFmV1_fzvEElzQFlvvJRAP9jumhVZDUKYfbS5CNy_cU: Timeout during connect (likely firewall problem)

My web server is (include version): nginx 1.10.3

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: Infomaniak (Jelastic cloud)

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

ufw status verbose:

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                            Action      From

22/tcp                        LIMIT IN    Anywhere
22/tcp (OpenSSH)              ALLOW IN    Anywhere
80,443/tcp (Nginx Full)       ALLOW IN    Anywhere
80/tcp                        ALLOW IN    Anywhere
443/tcp                       ALLOW IN    Anywhere
22/tcp (v6)                   LIMIT IN    Anywhere (v6)
22/tcp (OpenSSH (v6))         ALLOW IN    Anywhere (v6)
80,443/tcp (Nginx Full (v6))  ALLOW IN    Anywhere (v6)
80/tcp (v6)                   ALLOW IN    Anywhere (v6)
443/tcp (v6)                  ALLOW IN    Anywhere (v6)

I tried the same after disabling ufw, and I got this:
Failed authorization procedure. cloud-formation.paquerette.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cloud-formation.paquerette.eu/.well-known/acme-challenge/j_j54og9RTk2ILywIMDXszreMW73wCT2lHqJ7yJFi9s []: "\n\n\n<meta name="referrer" content="origin-when-crossorigin">\n/* eslint-disable */\n\n'use strict"

I just made four requests to http://cloud-formation.paquerette.eu/, the first one took a second or two but worked, and the other connections timed out.

Do you mean it’s a performance problem?
nginx is running now, but not when I try to get a certificate in standalone mode; here is a ping:
PING ( 56(84) bytes of data.
64 bytes from icmp_seq=1 ttl=53 time=24.7 ms
64 bytes from icmp_seq=2 ttl=53 time=24.9 ms
64 bytes from icmp_seq=3 ttl=53 time=24.8 ms
64 bytes from icmp_seq=4 ttl=53 time=25.2 ms
64 bytes from icmp_seq=5 ttl=53 time=24.8 ms
64 bytes from icmp_seq=6 ttl=53 time=25.0 ms
64 bytes from icmp_seq=7 ttl=53 time=24.9 ms
— ping statistics —
7 packets transmitted, 7 received, 0% packet loss, time 6008ms
rtt min/avg/max/mdev = 24.771/24.956/25.224/0.251 ms

I can ping it. I can even connect to https://cloud-formation.paquerette.eu/.

http://cloud-formation.paquerette.eu/ times out. That’s typically a firewall issue.

By the way, why not use Certbot’s --nginx or --webroot plugins?

I have the same issue using the --nginx plugin.
I don’t understand why port 80 is closed given the ufw output mentioned before, but you’re right: when ufw is disabled, I have the second issue.

I had to reboot the machine and now everything goes well!
Sorry for that, many thanks for the support!


Hi @paquerette

Now I can connect (https://check-your-website.server-daten.de/?q=cloud-formation.paquerette.eu):

Domainname Http-Status redirect Sec. G
http://cloud-formation.paquerette.eu/ 200 0.057 H
https://cloud-formation.paquerette.eu/ 200 5.703 N
Certificate error: RemoteCertificateNameMismatch
http://cloud-formation.paquerette.eu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de 404 0.054 A
Not Found

Port 80 is open; checking a file in /.well-known/acme-challenge produces the expected http status 404 - not found.

So don't use --standalone; use --nginx or --webroot with your running webserver instead. Standalone must stop your webserver and start its own, but you can use the running webserver directly.

Thank you, the problem was ufw. I activated the logs and there was no mention of port 80; after a reboot (!) I can see port 80 is correctly open and correctly logged…

I’m using standalone mode because I had trouble with the apache plugin; I will upgrade to apache and nginx mode soon…

Why don’t you try webroot mode?

Standalone must stop your running webserver, so you should only use standalone if the website isn't relevant.

And there is an nginx, so the apache plugin can't work.

Instead, find your "root" (nginx) and use it:

certbot certonly -a webroot -w yourRoot -d example.com -d cloud-formation.paquerette.eu

The "root" should be defined in your vHost.
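The webroot approach works because the CA only has to fetch one static file from the running nginx. The script below is an added example, not code from this thread or from certbot: it writes a random token under the webroot, fetches it over plain HTTP the way the validation server does, removes it again, and maps the outcome onto the two errors seen earlier in the thread (connect timeout versus an invalid response). The function names, the `run_local_demo` self-check and the sample HTML body are constructed for this example; the `/.well-known/acme-challenge/` path is the real ACME http-01 path.

```python
"""Pre-flight for the ACME http-01 path that certbot --webroot relies on.

Hypothetical helper (constructed for this example). Outcomes:
  timeout / connection  -> nothing reachable on port 80 (firewall, no listener)
  invalid_response      -> a server answers, but not with the token file
                           (e.g. a catch-all vhost returning application HTML)
  http_error            -> the server answers 4xx/5xx, e.g. -w points at the wrong root
"""
import functools
import http.server
import os
import secrets
import shutil
import socket
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_PATH = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Create a random token file under the challenge directory, as certbot does."""
    token = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, *CHALLENGE_PATH.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(token)
    return token, path


def fetch_challenge(base_url, token, timeout=10):
    """Fetch the token like the CA would. Returns (status, detail) with status in
    'ok', 'invalid_response', 'http_error', 'timeout', 'connection'."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_PATH}/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight-example"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:          # server answered, but e.g. 404
        return "http_error", str(exc.code)
    except urllib.error.URLError as exc:           # could not connect at all
        if isinstance(exc.reason, socket.timeout):
            return "timeout", repr(exc.reason)     # certbot: "Timeout during connect"
        return "connection", repr(exc.reason)      # e.g. connection refused
    except socket.timeout as exc:                  # connected, then no data arrived
        return "timeout", repr(exc)
    if body.strip() == token:
        return "ok", body
    return "invalid_response", body[:80]           # certbot: "Invalid response from ..."


def preflight(webroot, base_url, timeout=10):
    """Write the probe, fetch it, always clean up. Returns (status, detail)."""
    token, path = write_probe_token(webroot)
    try:
        return fetch_challenge(base_url, token, timeout)
    finally:
        os.remove(path)


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the self-check output clean
        pass


def run_local_demo():
    """Exercise the classifier against a throwaway webroot served on 127.0.0.1.
    Returns a dict mapping scenario name -> status string."""
    webroot = tempfile.mkdtemp(prefix="acme-preflight-")
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    results = {}
    try:
        # 1. healthy: static serving of the token file, as nginx would do it
        results["healthy"] = preflight(webroot, base, timeout=5)[0]
        # 2. a catch-all vhost answering with application HTML instead of the token
        token, path = write_probe_token(webroot)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<!DOCTYPE html><html><body>app shell</body></html>")
        results["wrong_vhost"] = fetch_challenge(base, token, timeout=5)[0]
        os.remove(path)
        # 3. token never written where the server looks (-w points elsewhere): 404
        results["missing_file"] = fetch_challenge(base, "no-such-token", timeout=5)[0]
        # 4. nothing listening, like the firewalled port 80 in the thread
        server.shutdown()
        server.server_close()
        results["closed_port"] = fetch_challenge(base, token, timeout=5)[0]
    finally:
        shutil.rmtree(webroot, ignore_errors=True)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. /var/www/html http://cloud-formation.paquerette.eu
        print(preflight(sys.argv[1], sys.argv[2]))
    else:
        print(run_local_demo())
```

Run it with the nginx root and the site's http:// URL from a host outside the server's own network, since a check from the server itself never crosses the perimeter firewall; with no arguments it runs the local self-check. A `timeout` or `connection` result means certbot will fail the same way whichever plugin is used, so the firewall (here ufw) is the place to look; `invalid_response` or `http_error` means the directory passed to `-w` is not what nginx serves for that host name.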

Happy to see a new certificate:

expires in 90 days	cloud-formation.paquerette.eu - 1 entry

And you have a Grade A, so it’s secure.

