Certificate request error behind NAT and DMZ

Help
#1

My domain is: appli.setex.ovh

I ran this command: letsencrypt certonly -d appli.setex.ovh

It produced this output: Failed authorization procedure. appli.setex.ovh (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://appli.setex.ovh/.well-known/acme-challenge/2XSQ1JU6DniBnHoLaHMPYkf2HgFsL_XJCsv-AWoPl34: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: appli.setex.ovh
    Type: connection
    Detail: Fetching
    http://appli.setex.ovh/.well-known/acme-challenge/2XSQ1JU6DniBnHoLaHMPYkf2HgFsL_XJCsv-AWoPl34:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): Apache/2.4.25

The operating system my web server runs on is (include version): Debian9

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certboot 0.28.0

1 Like
#2

Hi @Andrymyh

a working port 80 / http is required if you want to use http validation.

Read

If that isn't possible, you may switch to dns validation.

1 Like
#3

Hi @JuergenAuer,

Thank's for your reply, I test this and I'll give you the result.

1 Like
#4

@JuergenAuer, I have the same error, my be I rephrase may probleme. I have a domain name: appli.setex.ovh that I redirect to the public IP of my router/firewall, and I then NAT my public IP to the server that hosts my site (this server is on my DMZ). I tried Let's encrypt and Certbot but I have the same problem. Maybe the problem has something to do with NAT? I don't know.

1 Like
#5

Is your DNS having the correct IP?
If I do
dig +short appli.setex.ovh
I got: 41.188.49.23
What IP the following command gives if you execute it on your server:
curl 'http://ifconfig.me'
Are the two IP addresses the same?

1 Like
#6

Yes, it's the same IP using two commands.

1 Like
#7

Is the destination private IP in the NAT configuration match the private IP of your server?

1 Like
#8

Yes, it is the same.

1 Like
#9

From another system on the same DMZ does curl http://server_private_IP/ work?

1 Like
#10

Yes, it's work very well

1 Like
#11

It looks like the issue might be with the NAT, or firewall on the NAT device. Have you checked both?

1 Like
#12

Ah, I have a little bit idea, but I want to confirm if the IP address of the Let'sEncrypt server is 172.65.32.248? I think it's indeed a firewall problem on the NAT. :smiley:

1 Like
#13

You may want to allow inbound TCP connection on port 80 from any IP address.

1 Like
#15

There are several IPs and they can change at any moment.
Don't make specific inbound rules for this purpose.

1 Like
#16

At last it's ok, thanks for all helping me your answers help me to find the issue, I can see the error, it was finaly on the firewall.

2 Likes
#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.