Certification creation error : Timeout during connect (likely firewall problem)

I'm able to publicly view files in my web root, i.e. /var/www/html/, but certbot is not able to access it. I keep getting the error that the firewall could be blocking, but I have port 80 open on my server, and I have tried to do this with the entire firewall disabled but no luck. Appreciate any help!

Proof that files are accessible in web root

http://crdy.my.to/welcome.html
http://crdy.my.to/1.txt

My domain is:

crdy.my.to

I ran this command:

sudo certbot certonly --webroot -w /var/www/html/ -d crdy.my.to

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for crdy.my.to

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: crdy.my.to
Type: connection
Detail: 2405:201:c027:307b:62eb:69ff:fe5a:a442: Fetching http://crdy.my.to/.well-known/acme-challenge/rqyZqyUAA_ibxZI5wX47zFNHpg-7qUAmL5VKbOXFEmM: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
My web server is (include version):
nginx/1.18.0 (Ubuntu)
The operating system my web server runs on is (include version):

My hosting provider is:

freedns.afraid.org

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.30.0


Welcome to the community!

Those URLs are inaccessible to me, so it is not surprising that the validations are failing too. So you have a general accessibility problem. The domain crdy.my.to resolves to the IP address 2405:201:c027:307b:62eb:69ff:fe5a:a442. Is it really the IP address of the host? (check with the ip -6 addr command)


I am now getting a different error than you show. The Let's Debug test site says your IP address is not public so cannot be used for the certificate challenge. I also see the DNS A record from your afraid DNS as 127.0.0.2, which is a private IP.

The Let's Debug site also reports that my.to domain names are rate limited due to other people's activity. You should inform the owner of that domain about rate limits. Or, consider using another domain name.


I also see that IP.
But LE was able to obtain an IPv6 address, as shown by:

From my experience 127.0.0.2 is not a good thing.
Do you own the my.to domain?
[or just use the crdy.my.to FQDN]
If you don't own it, then the owner may have purposely blocked your use of that FQDN.


Yes, but I tried the same request from my test server to their domain and now get the IP address error. I think something changed since their initial try.

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: crdy.my.to
  Type:   dns
  Detail: no valid A records found for crdy.my.to; no valid AAAA records found for crdy.my.to


Here is what I see for the IP address of crdy.my.to (screenshots of the lookups are not reproduced here):
$ nslookup
> crdy.my.to
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
Name:   crdy.my.to
Address: 127.0.0.2
> set q=soa
> crdy.my.to
Server:         127.0.0.53
Address:        127.0.0.53#53

Non-authoritative answer:
*** Can't find crdy.my.to: No answer

Authoritative answers can be found from:
my.to
        origin = ns1.afraid.org
        mail addr = dnsadmin.afraid.org
        serial = 2209240463
        refresh = 86400
        retry = 7200
        expire = 2419200
        minimum = 3600
> server ns1.afraid.org
Default server: ns1.afraid.org
Address: 69.65.50.194#53
> crdy.my.to
Server:         ns1.afraid.org
Address:        69.65.50.194#53

*** Can't find crdy.my.to: No answer
> set q=a
> crdy.my.to
Server:         ns1.afraid.org
Address:        69.65.50.194#53

Name:   crdy.my.to
Address: 127.0.0.2
> set q=aaaa
> crdy.my.to
Server:         ns1.afraid.org
Address:        69.65.50.194#53

*** Can't find crdy.my.to: No answer
>

And various locations around the Internet with IP Address for crdy.my.to shown; all showing the same answer of 127.0.0.2

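The lookups above show the root cause: the only published record for the name was an A record pointing at 127.0.0.2, which is loopback space that no CA validator can reach, and later there was no AAAA record at all. The following pre-flight checker is an added example for this thread, not code from the original posts or from Certbot. It resolves a hostname the way a validator would, classifies each address with the standard-library `ipaddress` module (loopback, link-local, private, otherwise non-global), and optionally fetches the same `/.well-known/acme-challenge/` path the CA fetches. The sample answers embedded in it are constructed from the `nslookup` output in this thread; the hostname default and the probe token are assumptions for illustration.

```python
"""Pre-flight check for an ACME HTTP-01 target.

Added example for this thread (not Certbot's or Let's Encrypt's code).
Answers two questions before running certbot --webroot:
  1. Are the published A/AAAA records addresses a public CA can connect to?
  2. Does http://<host>/.well-known/acme-challenge/<token> answer on port 80?
Standard library only, so it runs anywhere certbot runs.
"""
import ipaddress
import socket
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed from the nslookup output in the thread: one A record to
# loopback space and no AAAA record at all.
THREAD_ANSWERS = {"A": ["127.0.0.2"], "AAAA": []}


def classify_address(addr: str) -> str:
    """Return why a CA could not reach this address, or "ok" if it is global.

    Order matters: 127/8 and ::1 are both loopback and private in Python's
    ipaddress model, so loopback is tested first to give the sharper answer.
    """
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:        # RFC 1918, ULA, documentation ranges, ...
        return "private"
    if not ip.is_global:     # e.g. CGNAT 100.64.0.0/10
        return "not-global"
    return "ok"


def resolve(hostname: str) -> Dict[str, List[str]]:
    """Collect A and AAAA answers for hostname via the system resolver."""
    out: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(
            hostname, 80, proto=socket.IPPROTO_TCP
        ):
            rr = "A" if family == socket.AF_INET else "AAAA"
            if sockaddr[0] not in out[rr]:
                out[rr].append(sockaddr[0])
    except socket.gaierror:
        pass  # NXDOMAIN / no answer: reported by assess() as "no records"
    return out


def assess(answers: Dict[str, List[str]]) -> List[str]:
    """Turn resolver answers into the findings a CA validator would hit."""
    findings = []
    if not answers["A"] and not answers["AAAA"]:
        findings.append("no A or AAAA records: the validator has nothing to connect to")
    for rr in ("A", "AAAA"):
        for addr in answers[rr]:
            why = classify_address(addr)
            if why != "ok":
                findings.append(f"{rr} record {addr} is {why}: unreachable from the CA")
    return findings


def probe_challenge_path(hostname: str, token: str = "preflight-probe",
                         timeout: float = 10.0) -> str:
    """Fetch the URL shape the CA fetches. A 404 still proves port 80 is
    reachable and routed to this vhost; only a connect failure is bad.
    The token name is an assumption; certbot writes its own."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return f"HTTP {resp.status}"
    except urllib.error.HTTPError as e:   # subclass of URLError, so first
        return f"HTTP {e.code}"
    except (urllib.error.URLError, OSError) as e:
        return f"unreachable: {e}"


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "crdy.my.to"  # domain from the thread
    answers = resolve(host)
    print(f"{host}: A={answers['A']} AAAA={answers['AAAA']}")
    for finding in assess(answers) or ["records look reachable"]:
        print("  -", finding)
    print("  challenge path:", probe_challenge_path(host))
```

Run it as `python3 preflight.py crdy.my.to` before invoking certbot. Against the records shown in this thread it reports the loopback A record immediately, which is the same fact the CA's "Timeout during connect" message hides behind a generic firewall hint; once a public AAAA record is published the findings list is empty and the challenge probe should return an HTTP status rather than "unreachable".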

My Internet provider only provides a public IPv6 address, not IPv4, but by default the DNS portal takes the local IPv4 address when adding the record. Not sure why it takes an IPv4 address even though it's an AAAA record.

That is not a problem when obtaining a cert from LE.
[it would only be a problem to any IPv4 only clients]

Then don't use the default?
Add the IPv6 record manually [or contact your DSP for their support].



Yeah :grimacing:, not sure what happened there!


Yeah, I'm gonna change to a different portal; this one is giving me a lot of issues. I'm using DDNS, and Dynu seems to be providing exactly what I want, so I'll just move to that. Thanks for the help!


I don't own my.to; I'm using a DDNS service, but I'm pretty sure the owner has limited the access, since it worked for other DDNS services. Appreciate the help, thanks!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.