Connection error using CertBot

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
jmdok.chickenkiller.com

I ran this command:
sudo sudo certbot --apache --staging -d jmdok.chickenkiller.com

It produced this output:
Domain: jmdok.chickenkiller.com
Type: connection
Detail: Fetching
http://jmdok.chickenkiller.com/.well-known/acme-challenge/4dw40XKQMO28wdIp-_pc2yE1jlWJSqKIW5K7aYJwefs:
Timeout during connect (likely firewall problem)

My web server is (include version):
Apache

The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS

My hosting provider, if applicable, is:
N/A

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

I am running wireshark on my target machine and I see no requests coming in when running certbot. However, when I put http://jmdok.chickenkiller.com into a browser on another machine, I do see requests coming in and I get the apache front page. When I enter the URL that certbot is reporting, I got a Not Found response. It just seems like there is no connection coming from the certbot side.

I also tried LetsDebug.net and it too reported a failure to connect, and again I saw no messages in wireshark. The IP address in the log was correct, 24.115.193.85.

I got rate-limited running certbot, so I know my connections going out are working and certbot is trying to do its thing.

I am not sure where to look next. Do I need to open up any other ports on my firewall? Right now, I only have port 80 open.

Thanks for any advice.

Best Regards,
Joe

Hi @jderham,

Is that other machine on the same LAN or ISP, or is it somewhere else on the Internet? It seems very possible that your ISP itself isn't permitting inbound connections on port 80 to your machine.

1 Like

Hello @schoen,

Thank you for the quick response. I think you are correct. I just now tried connecting from a remote computer outside my network, and it too failed to connect.

I had seen a similar response in another message and I thought ‘that's not my problem’, but it was.

Bummer.

Cheers!
Joe

1 Like

If you know that the network will permit inbound connections on port 443 (but not port 80), you could try to use the TLS-ALPN-01 challenge method—which might require using a different ACME client.

You could also try to get your certificate with the DNS-01 challenge method (proving your control over the domain by creating specified TXT records in the DNS zone). This approach can make automated renewal impossible unless you also have a way to make that change from software via a DNS provider API.
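As an added illustration (not code from this thread, from Certbot, or from Let's Encrypt), the Python below derives what each challenge type asks the domain holder to publish: the HTTP-01 body served at `/.well-known/acme-challenge/<token>` and the DNS-01 TXT value at `_acme-challenge.<domain>`, both computed from the account key thumbprint (RFC 7638) and the key authorization as RFC 8555 defines them. It reuses the hostname and token from the error output in the question; the account key (`EXAMPLE_JWK`) is a constructed dummy, not a real ACME account key, and the `validate_http01_response` helper is an assumed name for the check a CA validator performs on the fetched body.

```python
import base64
import hashlib
import json

# Hostname and challenge token taken from the error output in the question.
DOMAIN = "jmdok.chickenkiller.com"
TOKEN = "4dw40XKQMO28wdIp-_pc2yE1jlWJSqKIW5K7aYJwefs"

# Constructed example account key (public JWK members only). The modulus is a
# short dummy used to show the canonicalisation step; a real RSA-2048 modulus
# is a 256-byte base64url string. Never reuse this as a real key.
EXAMPLE_JWK = {
    "kty": "RSA",
    "n": "x9Q0dummyModulusForIllustrationOnly_notARealKey",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required
    members only (for RSA: e, kty, n), keys sorted, no whitespace.
    Extra members such as 'alg' or 'kid' are deliberately excluded."""
    required = {k: jwk[k] for k in ("e", "kty", "n")}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_expected_body(token: str, jwk: dict) -> str:
    """Exact body the CA expects when it fetches
    http://<domain>/.well-known/acme-challenge/<token> over port 80."""
    return key_authorization(token, jwk)


def validate_http01_response(body: bytes, token: str, jwk: dict) -> bool:
    """Assumed validator-side check: the body must equal the key authorization;
    RFC 8555 section 8.3 lets the validator ignore trailing whitespace only.
    A 'Not Found' page, as seen in the question, never matches."""
    text = body.decode("utf-8", errors="replace").rstrip()
    return text == http01_expected_body(token, jwk)


def dns01_txt_value(key_auth: str) -> str:
    """RFC 8555 section 8.4: TXT value is base64url(SHA-256(key authorization))."""
    return b64url(hashlib.sha256(key_auth.encode("utf-8")).digest())


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """(record name, TXT value) to create in the zone for a DNS-01 challenge,
    which needs no inbound port at all, only write access to DNS."""
    name = f"_acme-challenge.{domain}"
    return name, dns01_txt_value(key_authorization(token, jwk))


if __name__ == "__main__":
    print("HTTP-01 URL :", f"http://{DOMAIN}/.well-known/acme-challenge/{TOKEN}")
    print("HTTP-01 body:", http01_expected_body(TOKEN, EXAMPLE_JWK))
    name, value = dns01_record(DOMAIN, TOKEN, EXAMPLE_JWK)
    print("DNS-01 TXT  :", name, "->", value)
```

Running the script prints the two artefacts for the constructed key; with a real account key the same functions tell you what a correctly placed challenge file or TXT record should contain, so a mismatch can be spotted locally before the CA reports it. Note that for HTTP-01 a correct body still does not help when the ISP drops inbound port 80, which is why the thread moves on to DNS-01.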
