Connection Timeout when renewing

JeffBlumes · March 14, 2022, 3:34pm

My domain is: naestvedbilleder.dk

Trying to renew throws a 400 error: https://acme-v02.api.letsencrypt.org/acme/authz-v3/87575369050

But the access log clearly shows that the challenge file was accessed:

18.192.36.99 - - [14/Mar/2022:16:11:35 +0100] "GET /.well-known/acme-challenge/E1Sc49QMYsmfV_JO5R8i_s-Kn6PDDopWc0Cf0lZmnG0 HTTP/1.1" 200 89

I can also download the challenge file from the given location manually from an outside network without a problem.

Any idea what goes wrong?

9peppe · March 14, 2022, 3:38pm

Does your firewall filter connections from the rest of the world?

(Have you tried running your command again, maybe using the staging environment?)

JeffBlumes · March 14, 2022, 3:41pm

I tried several times. The manual download works from different countries. There is no proxy in place somewhere inbetween.

Osiris · March 14, 2022, 3:48pm

There should be 4 requests.

JeffBlumes · March 14, 2022, 4:09pm

Interesting. I can only see one from the shown IP address. Why could the other three have a problem with the same server?

Osiris · March 14, 2022, 4:19pm

Could be regional differences, such as regional firewalls.

MikeMcQ · March 14, 2022, 4:36pm

Most likely. The one seen in the log was from an LE Germany server and should also see up to 3 US based LE servers.

Less likely a "smart" firewall blocking multiple identical requests from different locations.
Like a very sensitive ddos prevention.

JeffBlumes · March 14, 2022, 4:54pm

I have forwarded this information to the IT department. Thanks.

JeffBlumes · March 16, 2022, 12:18pm

IT came back saying that they have a regional block for the US. Is there any official documentation which Lets Encrypt server IP addresses must be allowed for validation?

9peppe · March 16, 2022, 12:23pm

The official documentation explicitly tells you that they won't tell you the IP addresses for the validation bots. They are hosted on several cloud providers and might change without prior warning.

Right now, there should be four (might change) of which three (might change) are in the US (might change) and one (might change) is in Europe (not sure if NL or DE) (might change).

If you want to block http from the US, but you can keep your DNS nameservers reachable, you can use the dns-01 validation method instead.

JeffBlumes · March 16, 2022, 12:35pm

Thank you. I probably missed this in the docs.

system · April 15, 2022, 12:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Challenge invalid: Timeout, status 400 - but access_log shows status 200 Help	4	1761	January 1, 2018
Timeout during connect (likely firewall problem) - not my server's issue Help	4	526	June 11, 2024
Time out issues with challenge verification Help	15	1009	January 12, 2019
The following errors were reported by the server: Timeout but in apache log there is a request Help	2	2877	October 11, 2017
win-ACME certificate renewal Help	6	129	September 25, 2024

Connection Timeout when renewing

Related topics