Certbot verification times out even though I can access the URL from several servers & a 200 response is returned to Let's Encrypt

Certbot automatic certificate renewal stopped working some time after January and our certificates have expired. The application running there is not in active development and hasn't been touched for some time. I updated certbot but it is still not working - output of the command is listed below.

The thing is, if I re-create the changes certbot made to the nginx config, I can access the challenge fine (using curl); I tried from several external servers. Going through the certbot logs I see the resolved IP was also correct. In fact, I can tail the access log & see a 200 response was given back by nginx:

18.196.102.134 - - [11/Apr/2022:10:37:38 +0200] "GET /.well-known/acme-challenge/1n8d7-tIQEqoeNfZ4DjIcBjXEkG4j9jIJIKjxm5dSM8 HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

I'm at a loss as to what I can try. Answers to the template questions follow below; I can also provide /var/log/letsencrypt/letsencrypt.log if it helps.

My domain is: priloznosti.btc-city.com

I ran this command: certbot --nginx --test-cert --break-my-certs

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
NGINX configured with OpenSSL alternatives is not officially supported by Certbot.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: priloznosti.btc-city.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate for priloznosti.btc-city.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: priloznosti.btc-city.com
  Type:   connection
  Detail: Fetching http://priloznosti.btc-city.com/.well-known/acme-challenge/1n8d7-tIQEqoeNfZ4DjIcBjXEkG4j9jIJIKjxm5dSM8: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

My web server is (include version): nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version): Linux priloznosti 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:16:20 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

My hosting provider, if applicable, is: not applicable

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.26.0

Do you only see one?

There should be four.

Yes, I only see one. OK, so that would explain the problem. Are the following ones made to HTTP or HTTPS (perhaps my HTTPS block has some problems)?

All the requests are the same, in that they will be over HTTP and go to the same request path, but they come from different IP addresses.
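As an added example (not code from the thread or from Certbot), here is a small Python check a server operator can run over the nginx access log to count how many distinct validator IPs fetched each challenge token; a token seen from fewer than the four vantage points mentioned above points at something filtering some of the validators. It assumes nginx's default "combined" log format; the second token and the 192.0.2.x addresses are constructed, the first line is the one quoted in the question.

```python
import re
from collections import defaultdict

# Matches nginx's default "combined" log format, like the line quoted in the question.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Let's Encrypt fetches each challenge from several vantage points; the thread
# says to expect four requests for a single token, each from a different IP.
EXPECTED_VANTAGE_POINTS = 4


def parse_challenge_hits(lines):
    """Return {token: set of client IPs} for acme-challenge GETs answered with 200."""
    hits = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") != "GET":
            continue
        path = m.group("path")
        if not path.startswith(CHALLENGE_PREFIX) or m.group("status") != "200":
            continue
        token = path[len(CHALLENGE_PREFIX):]
        hits[token].add(m.group("ip"))
    return hits


def undervalidated_tokens(lines, expected=EXPECTED_VANTAGE_POINTS):
    """Tokens reached by fewer than `expected` distinct IPs: a sign that some
    validators never got through (e.g. a firewall admitting only one of them)."""
    return {tok: len(ips) for tok, ips in parse_challenge_hits(lines).items()
            if len(ips) < expected}


# Constructed sample log: the real hit quoted in the question (one IP only) plus a
# made-up token that all four validators reached (192.0.2.0/24 is TEST-NET-1).
UA = "\"Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)\""
SAMPLE_LOG = [
    '18.196.102.134 - - [11/Apr/2022:10:37:38 +0200] "GET /.well-known/acme-challenge/'
    '1n8d7-tIQEqoeNfZ4DjIcBjXEkG4j9jIJIKjxm5dSM8 HTTP/1.1" 200 87 "-" ' + UA,
] + [
    f'192.0.2.{n} - - [11/Apr/2022:10:40:0{n} +0200] "GET /.well-known/acme-challenge/'
    f'CONSTRUCTED-TOKEN HTTP/1.1" 200 87 "-" ' + UA
    for n in range(1, 5)
]

if __name__ == "__main__":
    for token, seen in undervalidated_tokens(SAMPLE_LOG).items():
        print(f"{token}: only {seen} of {EXPECTED_VANTAGE_POINTS} validator IPs reached nginx")
```

Pipe the real log in with `undervalidated_tokens(open("/var/log/nginx/access.log"))` to check a live renewal attempt.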

I've asked the server provider to double check there is no active firewall (there shouldn't be one, but maybe somebody made a mistake).

It was the server provider, they applied firewall rules against our agreement (and without our knowledge).

Thank you for your help, it led me to the actual cause of the problem!