Connection failure, even though server seems to be online

My issue here is this:

getting a certificate fails, and it fails as if the server was unreachable. I don’t understand why, seeing as somebody does check in on the server, and successfully gets the challenge content when I try renewing.

I’ve been running certify the web, but did decide to try a manual process with certbot, and even then, after verifying myself that the contents are available, it doesn’t work.

Here’s a screenshot, showing a wireshark capture with a successful http get during the verification process.

3z1JuMM.png1920×1080 247 KB

I’ve tested this from other countries via my VPN, and it seems that it is accessible just fine.

I’ve included the template below:

My domain is: simo.korho.org

I ran this command:certbot certonly --test-cert --config-dir /home/joakim/testi-kansio/config --work-dir /home/joakim/testi-kansio/work --logs-dir /home/joakim/testi-kansio/log -d simo.korho.org --agree-tos --manual

It produced this output: Failed authorization procedure. simo.korho.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://simo.korho.org/.well-known/acme-challenge/jznsrwSJyvM2GqjNiY-bCVFTViYZ4sFW197J7QvSqkM: Timeout during connect (likely firewall problem)

My web server is (include version): IIS 10.0

The operating system my web server runs on is (include version): Windows Server 2016

My hosting provider, if applicable, is: n/a

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @korhojoa

there is a check of your domain - https://check-your-website.server-daten.de/?q=simo.korho.org

There are only timeouts visible.

If you want to use http-01 validation, an open port 80 is required.

Is this a home server? With a (not working) port forwarding?

How is Certbot running on Windows 2016?

Hi.

Yes, I see that there were only timeouts. I then started a tcpdump on the router, to check for missing traffic.

Well, at least one of the requests went through, when I tried it again. https://check-your-website.server-daten.de/?i=e07e7800-39c1-40b7-872e-bf23c7857815

19:55:17.455101 IP intern.server-daten.de.52215 > cable-roi-50dc9a-129.dhcp.inet.fi.http: Flags [P.], seq 651764197:651764384, ack 1653773112, win 258, length 187: HTTP: GET / HTTP/1.1
E…c.@.w.[WU…P…P&.!.b…8P…A…GET / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: /
Accept-Language: en-us
Host: simo.korho.org
Connection: Close

Port 80 is open, and it is accessible, but seemingly not from intern.server-daten.de and LE’s servers (but not all the time?)

This is a home server, which has had a working LE environment for years.

Certbot isn’t running on Server 2016. As I stated in my post, it was running certify the web, but I tested a manual process with certbot. Certbot was run on a linux host, it was just there to give me the challenge information, and so I could try it against the staging servers.

That's curious. Is there a bot detection that blocks? The checks are not from www.server-daten.de, they are from intern.server-daten.de, so that's correct.

Yep, that works with --manual, then copying the validation file.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.