Certbot Timeout during connect

Hi,

I am facing the below issue.

certbot -v certonly --standalone --preferred-challenges http -d api-demo.mydomain.io
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for api-demo.mydomain.io
Performing the following challenges:
http-01 challenge for api-demo.mydomain.io
Waiting for verification...
Challenge failed for domain api-demo.mydomain.io
http-01 challenge for api-demo.mydomain.io

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: api-demo.mydomain.io
Type: connection
Detail: 115.217.211.110: Fetching http://api-demo.mydomain.io/.well-known/acme-challenge/-IDpLX5jpi5jXs90vpPK2Is-1iYQjEEdXxEXmnhPIr0: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Which outbound and inbound ports need to be enabled in the firewall to generate a Let's Encrypt SSL certificate for api-demo.mydomain.io? Please guide. Thanks in advance.

Best Regards,

Kaushal

You need outbound port 443 for the HTTPS requests to the Let's Encrypt ACME API server. This must be working to have gotten as far as you did.

You chose the --standalone option which uses the HTTP Challenge. This requires inbound port 80 from anywhere. See this for details of this challenge: Challenge Types - Let's Encrypt

The --standalone option is harder to debug than other methods (like webroot), because there is nothing listening on port 80 to test inbound HTTP requests except when Certbot is running. The below may help debug this.

Use these command options

certbot certonly --standalone --dry-run --debug-challenges -v -d (domain)

This command will show you the challenge URL to try from the public internet and the proper response. After showing you this it will say "Press Enter to Continue". DO NOT PRESS ENTER.

Leave it paused like that and use a different device to test the connection. You can use a mobile phone with wifi disabled, so you use your carrier's network.

You do not have to use the full URL. Just try http://(yourdomain)

If the connection works, this shorter URL should get a response like the one below. I am pretty sure you will get a timeout error instead, just like Let's Encrypt did. But use this technique to modify your comms setup until it works.

ACME client standalone challenge solver
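The external test described in the answer above (leave Certbot paused with --debug-challenges, then probe port 80 from outside) can be scripted so that the three failure modes are told apart. The script below is an added example and is not part of the original thread or of Certbot; it distinguishes a TCP connect timeout (packets dropped by a firewall, security group or NAT, which is what Let's Encrypt reported), a connection refused (the host is reachable but Certbot's standalone server is not listening on that address), and a working connection whose response body carries the "ACME client standalone challenge solver" text quoted in the answer. The `resolver`, `connector` and `opener` parameters are hypothetical hooks so the logic can be exercised without network access; when omitted they fall back to the standard library.

```python
"""Probe whether a domain's port 80 is reachable the way the Let's Encrypt
validation servers must reach Certbot's standalone responder.
Added example for this thread; not Certbot's own code."""
import socket
import urllib.error
import urllib.request

# Body Certbot's standalone responder serves, as quoted in the thread above.
STANDALONE_BANNER = b"ACME client standalone challenge solver"


def resolve_ipv4(host, resolver=socket.gethostbyname):
    """Return the IPv4 address DNS publishes for host, or None on failure.
    Compare it with the address in Certbot's 'Detail:' line; a mismatch means
    the validation request is going to a different machine entirely."""
    try:
        return resolver(host)
    except socket.gaierror:
        return None


def classify_tcp_connect(host, port=80, timeout=10.0,
                         connector=socket.create_connection):
    """Attempt a TCP handshake to host:port and map the outcome to a verdict.

    'timeout'   the SYN was never answered: a firewall, security group or NAT
                is dropping inbound port 80 (Let's Encrypt's 'Timeout during
                connect (likely firewall problem)')
    'refused'   the host answered with RST: reachable, but nothing is listening,
                i.e. Certbot's standalone server is not running or the port
                forward points at the wrong internal address
    'reachable' the handshake completed
    'error'     another OS-level failure (no route, name lookup, ...)
    """
    try:
        conn = connector((host, port), timeout)
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "error"
    conn.close()
    return "reachable"


def fetch_root(host, timeout=10.0, opener=urllib.request.urlopen):
    """GET http://host/ and report whether Certbot's standalone responder
    answered. If the server replies with an error status the body is still
    inspected, since HTTPError is file-like and carries it."""
    url = "http://%s/" % host
    try:
        resp = opener(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    except urllib.error.URLError as err:
        return {"status": None, "standalone": False, "error": str(err.reason)}
    body = resp.read()
    return {"status": resp.code,
            "standalone": STANDALONE_BANNER in body,
            "error": None}


def diagnose(host):
    """Run the checks in order (DNS, TCP, HTTP) and return the verdicts."""
    addr = resolve_ipv4(host)
    result = {"address": addr}
    if addr is None:
        result["tcp"] = "dns-failure"
        return result
    result["tcp"] = classify_tcp_connect(host)
    if result["tcp"] == "reachable":
        result["http"] = fetch_root(host)
    return result


if __name__ == "__main__":
    import json
    import sys
    # Run from a device outside your network while Certbot sits at the
    # "Press Enter to Continue" prompt, e.g.:  python3 probe.py api-demo.mydomain.io
    print(json.dumps(diagnose(sys.argv[1]), indent=2))
```

Run it from the outside network (the phone-on-carrier-data trick in the answer) while Certbot is paused. A `"tcp": "timeout"` verdict matches the error in the first post and points at the firewall or NAT; `"refused"` means the packets do arrive but reach a machine or port where Certbot is not listening; `"reachable"` with `"standalone": true` means the path is open and the real run should succeed.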