Certbot times out


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#2

Hi @pneumo

Please answer the questions.

To check your configuration, your domain name is required.


#3

My domain is: glottertal.spdns.eu

I ran this command: certbot --apache -d glottertal.spdns.eu

It produced this output:
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for glottertal.spdns.eu
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. glottertal.spdns.eu (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://glottertal.spdns.eu/.well-known/acme-challenge/V30KUCKIg68zO2HTvhSRedKd6cwYkEZIGAO4VqVAmLM: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

My hosting provider, if applicable, is: local installation

I can login to a root shell on my machine (yes or no, or I don’t know): locally

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0


#4

Your port 80 doesn’t answer ( https://check-your-website.server-daten.de/?q=glottertal.spdns.eu ):

| Domainname | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|
| http://glottertal.spdns.eu/ (91.4.126.214) | -14 | | 10.016 | T | Timeout - The operation has timed out |
| https://glottertal.spdns.eu/ (91.4.126.214) | -4 | | 0.163 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| http://glottertal.spdns.eu:443/ (91.4.126.214) | 200 | | 0.190 | Q | |
| http://glottertal.spdns.eu/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (91.4.126.214) | -14 | | 10.030 | T | Timeout - The operation has timed out |

If you want to use http-01 validation, an open port 80 is required.

You have older certificates.

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1176191867 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-02-05 04:16:01 | 2019-05-06 03:16:01 | glottertal.spdns.eu | | |
| 1006938327 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-12-06 16:50:41 | 2019-03-06 16:50:41 | glottertal.spdns.eu | | |
| 814674315 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-10-04 01:40:20 | 2019-01-02 02:40:20 | glottertal.spdns.eu | | |
| 743257843 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-08-01 22:20:15 | 2018-10-30 23:20:15 | glottertal.spdns.eu | | |
| 489289129 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-05-27 10:35:20 | 2018-08-25 10:35:20 | glottertal.spdns.eu | | |
| 386912985 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-04-05 02:29:57 | 2018-07-04 02:29:57 | glottertal.spdns.eu | | |
| 318189477 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2018-02-01 05:57:38 | 2018-05-02 04:57:38 | glottertal.spdns.eu | | |
| 267264511 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2017-11-30 06:22:41 | 2018-02-28 06:22:41 | glottertal.spdns.eu | | |
| 219285151 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2017-09-28 02:43:00 | 2017-12-27 03:43:00 | glottertal.spdns.eu | | |

Perhaps you have used tls-sni-01 validation (port 443); that’s no longer supported.

If you use a router, create a correct port forwarding.


#5

The port forwarding is correct.
I can connect to my server with Midori on the HTTP protocol.

The old certificates are on a server that is no longer functional (hardware problem).

My actual IP address is 91.4.126.214; please try to connect directly.
Thanks.


#6

It’s the same picture ( https://check-your-website.server-daten.de/?q=91.4.126.214 ):

| Domainname | Http-Status | redirect | Sec. | G | Message |
|---|---|---|---|---|---|
| http://91.4.126.214/ (91.4.126.214) | -14 | | 10.027 | T | Timeout - The operation has timed out |
| https://91.4.126.214/ (91.4.126.214) | -4 | | 0.163 | W | SendFailure - The underlying connection was closed: An unexpected error occurred on a send. The handshake failed due to an unexpected packet format. |
| http://91.4.126.214/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de (91.4.126.214) | -14 | | 10.013 | T | Timeout - The operation has timed out |
Visible Content:

Your port 80 doesn’t answer.

Your port 443 answers wrong (http over port 443), but this isn’t critical.

Change your config, then use the online tool (ip or domain name) to recheck your domain.

[Using the ip skips the dns checks].

Port 80 / http must answer with an HTTP status 200 / 404 or a redirect 301 etc.
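The check described in this post, as an added example (not code from Certbot, acme.sh or the check-your-website tool): it fetches the `/.well-known/acme-challenge/` path on port 80 with a hard timeout, the way an http-01 validator does, and classifies the outcome (200/404/3xx is fine, a timeout points at a firewall or missing port forwarding, a refused connection means nothing listens, garbage instead of an HTTP status line suggests TLS on the wrong port). The tiny local server, the `probe-token` name and the placeholder key authorization body are constructed for the offline demo. Run the probe from a host outside your own network, because a router that hairpins LAN traffic can make port 80 look open from inside while the rest of the Internet times out.

```python
"""Probe port 80 the way an http-01 validator does and classify the result.

Added example for this thread, not code from Certbot, acme.sh or the
check-your-website tool. The local demo server and its token are constructed.
"""
import http.client
import socket
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from threading import Thread

ACME_PATH = "/.well-known/acme-challenge/"


def classify(status, error):
    """Map a probe outcome to what it means for http-01.

    The validator needs a reachable port 80: 200 and 404 both prove the web
    server answers there, and the CA follows 3xx redirects. A timeout means
    the connection attempt got no answer at all (firewall / port forwarding).
    """
    if error is not None:
        if isinstance(error, (socket.timeout, TimeoutError)):
            return "TIMEOUT: port 80 is filtered (firewall or missing port forwarding)"
        if isinstance(error, ConnectionRefusedError):
            return "REFUSED: host reachable, but nothing listens on port 80"
        if isinstance(error, http.client.BadStatusLine):
            return "NOT-HTTP: something answered, but not with HTTP (TLS on port 80?)"
        return f"ERROR: {error!r}"
    if status in (200, 404) or 300 <= status < 400:
        return f"OK: HTTP {status} on port 80, http-01 can proceed"
    return f"UNEXPECTED: HTTP {status} on port 80"


def probe(host, port=80, token="probe-token", host_header=None, timeout=10.0):
    """GET the challenge path with a hard timeout; returns (status, error).

    host may be an IP address (as in the thread); host_header then carries
    the domain name so name-based virtual hosts still route the request.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", ACME_PATH + token,
                     headers={"Host": host_header or host})
        resp = conn.getresponse()
        resp.read()
        return resp.status, None
    except (OSError, http.client.HTTPException) as exc:
        return None, exc
    finally:
        conn.close()


def probe_and_classify(host, port=80, token="probe-token", host_header=None,
                       timeout=10.0):
    return classify(*probe(host, port, token, host_header, timeout))


class _DemoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server: one known token, 404 otherwise."""
    KNOWN_TOKEN = "probe-token"

    def do_GET(self):
        if self.path == ACME_PATH + self.KNOWN_TOKEN:
            body = b"probe-token.CONSTRUCTED-THUMBPRINT"  # placeholder key authorization
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_demo_server():
    """Throwaway HTTP server on 127.0.0.1 / random port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _DemoHandler)
    Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                       # python probe80.py glottertal.spdns.eu
        print(probe_and_classify(sys.argv[1]))
    else:                                       # offline demo against the local server
        srv, port = start_demo_server()
        print(probe_and_classify("127.0.0.1", port))            # OK: HTTP 200 ...
        print(probe_and_classify("127.0.0.1", port, "other"))   # OK: HTTP 404 ...
        srv.shutdown()
        srv.server_close()
        print(probe_and_classify("127.0.0.1", port))            # REFUSED ...
```

Without an argument the script runs against its own local server; with a domain name or IP it probes port 80 of that host. A result of `OK` from inside the LAN but `TIMEOUT` from outside is exactly the split-view situation the next post describes.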


#7

Maybe you have a firewall where you can connect from your own network, but other people can’t connect from the rest of the Internet.


#8

Looks like there is a problem with the ISP.

Is there a possibility to get a certificate without using port 80?

Would it work to copy /etc/letsencrypt from the backup and renew the certificate?


#9

Check

You can use tls-alpn-01 validation (Certbot doesn’t support that, acme.sh does) or dns-01 validation.


#10

Thanks.
acme.sh --issue --alpn -d glottertal.spdns.eu
worked.