Challenge timeout with working firewall rules


#1

I have a debian 9 (stretch) install, with nginx running on port 80. I can get to the page via various networks, so I am assuming DNS is correctly configured, and the firewall is allowing traffic through.

When running sudo certbot certonly --staging --webroot -w /var/www/html -d coach.datanose.nl
I receive the following response:

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for coach.datanose.nl
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. coach.datanose.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://coach.datanose.nl/.well-known/acme-challenge/1Ceu_HIQgKF_fW9AhooDe7qhNJ5xD8JPdomj2YnGQrk: Timeout during connect (likely firewall problem)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: coach.datanose.nl
   Type:   connection
   Detail: Fetching
   http://coach.datanose.nl/.well-known/acme-challenge/1Ceu_HIQgKF_fW9AhooDe7qhNJ5xD8JPdomj2YnGQrk:
   Timeout during connect (likely firewall problem)

Looking at the log I see nothing special, except for a timeout at the end.
If I abort the process half-way, and manually look up the challenge (via my browser), I can find it without any problems.

My iptables state:

target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* Allow HTTP */

So I am now confused as how to proceed :s


#2

It doesn’t seem that your web server is accessible from anywhere - I can’t load it from my browser either: https://letsdebug.net/coach.datanose.nl/2534

Can we get a full view of what addresses are bound and your iptables rules?

iptables -Ln
ss -tlnp

Are you sure there’s no additional firewall sitting in front of your machine at your VPS hosting?


#3

iptables: No chain/target/match by that name.
tularis@coach:/home/tularis$ ss -tlnp
State      Recv-Q Send-Q                                    Local Address:Port                                                   Peer Address:Port
LISTEN     0      128                                                   *:80                                                                *:*
LISTEN     0      128                                                   *:22                                                                *:*
LISTEN     0      128                                                  :::80                                                               :::*
LISTEN     0      128                                                  :::22                                                               :::*

Hm, that is odd; I will have to check tomorrow. Thank you.
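Added example, not part of this thread or of certbot: a small Python pre-flight that runs the local checks the posts above walk through on the host itself. It parses the `ss -tlnp` listing from post #3 and the iptables listing from post #1 (both pasted here as constructed sample input with condensed whitespace), and checks that a challenge token is readable under the webroot in the `<token>.<thumbprint>` form certbot writes. The token is the one from the challenge URL in post #1; the thumbprint, the temporary webroot and the function names are assumptions. The point the thread ends on is the important one: every check here can pass, exactly as the original poster's did, while a firewall at the hosting provider, which no local command can see, still blocks the validation request. IPv4 and IPv6 binds are reported separately because the host listens on both and the validator's path depends on which records the domain publishes.

```python
"""Local HTTP-01 pre-flight (added example; not from the thread or certbot).

Checks, on the host itself: something listening on the port, the first
iptables rule that matches the port, and a readable challenge token under
the webroot. Passing all of them does NOT prove reachability from outside;
an upstream (hosting-provider) firewall is invisible here, so an external
probe such as letsdebug.net or curl from another network is still needed.
"""
import ipaddress
import re
import shutil
import tempfile
from pathlib import Path

# Constructed from the `ss -tlnp` listing pasted in post #3 (whitespace condensed).
SS_OUTPUT = """\
State      Recv-Q Send-Q   Local Address:Port   Peer Address:Port
LISTEN     0      128                  *:80                *:*
LISTEN     0      128                  *:22                *:*
LISTEN     0      128                 :::80               :::*
LISTEN     0      128                 :::22               :::*
"""

# Constructed from the `iptables -L` listing pasted in post #1 (service names resolved).
IPTABLES_OUTPUT = """\
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http /* Allow HTTP */
"""

# Token taken from the challenge URL in post #1; the thumbprint is made up.
TOKEN = "1Ceu_HIQgKF_fW9AhooDe7qhNJ5xD8JPdomj2YnGQrk"
FAKE_THUMBPRINT = "CONSTRUCTED_JWK_THUMBPRINT"


def listening_addresses(ss_output, port):
    """Local addresses bound on `port` in `ss -tlnp` output. Both the older
    spellings ('*:80', ':::80') and the newer ones ('0.0.0.0:80', '[::]:80')
    are normalised to plain IP strings."""
    bound = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, p = fields[3].rpartition(":")
        if p != str(port):
            continue
        addr = addr.strip("[]")
        bound.add("0.0.0.0" if addr == "*" else addr)
    return bound


def non_loopback_binds(addrs):
    """(ipv4, ipv6): is there a bind on each family that is not loopback-only?
    A 127.0.0.1-only bind is a classic reason a local browser test passes
    while an outside fetch times out."""
    v4 = v6 = False
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            continue  # unparseable address, e.g. with an interface scope id
        if ip.is_loopback:
            continue
        if ip.version == 4:
            v4 = True
        else:
            v6 = True
    return v4, v6


def first_rule_for_port(iptables_output, port):
    """Target (ACCEPT, DROP, REJECT, ...) of the FIRST rule matching tcp
    dpt:<port>, or None if no rule mentions it. iptables stops at the first
    match, so an earlier DROP beats a later ACCEPT; presence alone says little.
    Accepts both numeric (`-nL`, 'dpt:80') and resolved (`-L`, 'dpt:http') output."""
    names = {str(port), "http"} if port == 80 else {str(port)}
    rule = re.compile(r"^(\S+)\s+tcp\s.*\bdpt:(\S+)")
    for line in iptables_output.splitlines():
        m = rule.match(line.strip())
        if m and m.group(2) in names:
            return m.group(1)
    return None


def challenge_readable(webroot, token):
    """The file certbot places under the webroot must exist and hold a key
    authorization of the form '<token>.<thumbprint>' (RFC 8555, section 8.1)."""
    path = Path(webroot) / ".well-known" / "acme-challenge" / token
    try:
        body = path.read_text().strip()
    except OSError:
        return False
    return body.startswith(token + ".") and len(body) > len(token) + 1


def preflight(ss_output, iptables_output, webroot, token, port=80):
    """Collect the local findings into one report (all can pass while an
    upstream firewall still blocks the validator)."""
    v4, v6 = non_loopback_binds(listening_addresses(ss_output, port))
    return {
        "listen_ipv4": v4,
        "listen_ipv6": v6,
        "iptables_first_match": first_rule_for_port(iptables_output, port),
        "challenge_readable": challenge_readable(webroot, token),
    }


def run_demo():
    """Create a throwaway webroot holding the token, run the pre-flight on the
    thread's pasted outputs, and return the report."""
    webroot = tempfile.mkdtemp(prefix="acme-demo-")
    try:
        d = Path(webroot) / ".well-known" / "acme-challenge"
        d.mkdir(parents=True)
        (d / TOKEN).write_text(f"{TOKEN}.{FAKE_THUMBPRINT}\n")
        return preflight(SS_OUTPUT, IPTABLES_OUTPUT, webroot, TOKEN)
    finally:
        shutil.rmtree(webroot, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:22} {value}")
```

On the thread's own output the report comes back all green (binds on both families, first matching rule ACCEPT, token readable), which is exactly the situation post #1 describes and why post #2 asks about a firewall in front of the VPS: the remaining suspect is outside the host, and the only conclusive test is a fetch of the challenge URL from another network.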
