Connection timeout

For my client I host an e-learning application. Each organisation (there are about 66) has its own domain name. When I run the command ./certbot-auto I get the list of all available domains, about 160 possible URLs to choose from; out of that list I generate a CSV list of only the URLs I need, about 60. I did this a few weeks ago and everything went well. Now I need to extend the certificate because there is a new domain, and I get an error while retrieving the certificate: a time-out for 5 of the domains,
www.pcbovroomshoop-academie.nl
www.annasr-academie.nl
www.prisma-academie.nl
www.scoh-academie.nl
www.pcpokrimpenerwaard-academie.nl

All these domains currently have a valid Let’s Encrypt certificate; nothing changed on the server since I last requested the certificate.

I run an Ubuntu 14.04 VPS with an Apache 2.4.7 webserver.

The system seems mostly proper.
The IP returns a cert which includes 4 of those 5 names:
(missing = www.annasr-academie.nl)

The domain annasr-academie.nl is a new domain for which I want to expand the certificate. The problem is that I get a timeout error for these 5 URLs, but for the others (about 55) I don’t get an error. For example www.vvv-academie.nl won’t give an error; this URL points to the same server and has a virtual host which is the same as the five with the error.

I can’t figure out why a few weeks ago everything went well but now I’m stuck with these five timeout errors.

I would recommend using HTTP authentication, as that may work even when you don’t have a separate vhost for that domain, as long as the “default” vhost and corresponding acme-challenge folder is the one accessed from the Internet.

If you must use HTTPS, then I would try creating a self-signed cert and separate vhost for each of the names that fail.

I have separate vhosts for each of the domains; the problem is why I get these timeout errors for the five URLs mentioned while the other domains go well. The content of each vhost is the same (except of course for the URL), everything is on the same server, every domain is purchased at GoDaddy and they all have the same nameservers.

Are you trying HTTP or HTTPS auth?
Can you show one of the vhost files?

I’m not sure if HTTP or HTTPS is used, I only use the command ./certbot-auto. Not sure what happens behind the scenes; the log shows these errors:

2017-06-18 18:32:17,971:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: www.pcbovroomshoop-academie.nl
Type:   connection
Detail: Timeout

Domain: www.annasr-academie.nl
Type:   connection
Detail: Timeout

Domain: www.prisma-academie.nl
Type:   connection
Detail: Timeout

Domain: www.scoh-academie.nl
Type:   connection
Detail: Timeout

Domain: www.pcpokrimpenerwaard-academie.nl
Type:   connection
Detail: Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2017-06-18 18:32:17,971:INFO:certbot.auth_handler:Cleaning up challenges
2017-06-18 18:32:49,255:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 743, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 598, in run
    certname, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 82, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 344, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 313, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 81, in get_authorizations
    self._respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 138, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 202, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.pcbovroomshoop-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.annasr-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.prisma-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.scoh-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, www.pcpokrimpenerwaard-academie.nl (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

Below is one of the vhosts:

<VirtualHost www.scoh-academie.nl:80>
DocumentRoot /var/www/elw
ServerAlias www.scoh-academie.nl
<Directory /var/www/elw>
	Options Indexes FollowSymLinks SymLinksIfOwnerMatch
	AllowOverride All
	Order deny,allow
	allow from all
</Directory>
</VirtualHost>

tls-sni-01 = HTTPS
:80 = HTTP

TRY:
./certbot-auto --preferred-challenges http

I use two vhosts per URL, one for port 80 and one for port 443; below are the two vhosts I use for www.pcbovroomshoop-academie.nl

<VirtualHost www.pcbovroomshoop-academie.nl:80>
DocumentRoot /var/www/elw
ServerAlias www.pcbovroomshoop-academie.nl
<Directory /var/www/elw>
	Options Indexes FollowSymLinks SymLinksIfOwnerMatch
	AllowOverride All
	Order deny,allow
	allow from all
</Directory>
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost www.pcbovroomshoop-academie.nl:443>
DocumentRoot /var/www/elw
ServerAlias www.pcbovroomshoop-academie.nl
<Directory /var/www/elw>
	Options Indexes FollowSymLinks SymLinksIfOwnerMatch 
	AllowOverride All
	Order deny,allow
	allow from all
</Directory>
SSLCertificateFile /etc/letsencrypt/live/www.lerarenacademie.nl/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.lerarenacademie.nl/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.lerarenacademie.nl/chain.pem
</VirtualHost>

</IfModule>

When trying the command ./certbot-auto --preferred-challenges http
I get a new error message saying:

Obtaining a new certificate
Performing the following challenges:
None of the preferred challenges are supported by the selected plugin

TRY:
./certbot-auto --preferred-challenges http-01

Again I get the same error message:

None of the preferred challenges are supported by the selected plugin

Hello,

I have the same problem.

Sending GET request to https://acme-staging.api.letsencrypt.org/acme/authz/Jl-peIYAi4_RQZ-DBnyggUEDUb6iZo322KRvc_XMGRM.
https://acme-staging.api.letsencrypt.org:443 "GET /acme/authz/Jl-peIYAi4_RQZ-DBnyggUEDUb6iZo322KRvc_XMGRM HTTP/1.1" 200 2510
Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Boulder-Request-Id: 6FNNNxtsmIu0cG_KlQds7iY2L4FWTFPHawHmFZ-lCcM
Link: <https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"
Replay-Nonce: 5q93NnPg5R8AH7VQHEuFM3TayRC7yY8KQC3JdKl-Y6A
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Content-Length: 2510
Expires: Mon, 19 Jun 2017 08:38:00 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 19 Jun 2017 08:38:00 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "webdev.mediathekview.de"
  },
  "status": "invalid",
  "expires": "2017-06-26T08:37:51Z",
  "challenges": [
    {
      "type": "tls-sni-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Jl-peIYAi4_RQZ-DBnyggUEDUb6iZo322KRvc_XMGRM/44606663",
      "token": "qiwDRKizC5T3WXea6MxfW7RiMlJANRRgzVD1aFUEdV4"
    },
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:acme:error:connection",
        "detail": "Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4: Timeout",
        "status": 400
      },
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Jl-peIYAi4_RQZ-DBnyggUEDUb6iZo322KRvc_XMGRM/44606664",
      "token": "xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
      "keyAuthorization": "xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4.NihnW21AV9wjCIiiEe2DsisKVHPIjjY1rM3oec6RebE",
      "validationRecord": [
        {
          "url": "https://webdev.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
          "hostname": "webdev.mediathekview.de",
          "port": "443",
          "addressesResolved": [
            "5.1.76.243"
          ],
          "addressUsed": "5.1.76.243",
          "addressesTried": []
        },
        {
          "url": "http://le-auth.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
          "hostname": "le-auth.mediathekview.de",
          "port": "80",
          "addressesResolved": [
            "5.1.76.243",
            "2a00:f820:417::18e6:9ec3"
          ],
          "addressUsed": "5.1.76.243",
          "addressesTried": []
        },
        {
          "url": "http://webdev.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
          "hostname": "webdev.mediathekview.de",
          "port": "80",
          "addressesResolved": [
            "5.1.76.243"
          ],
          "addressUsed": "5.1.76.243",
          "addressesTried": []
        }
      ]
    },
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/Jl-peIYAi4_RQZ-DBnyggUEDUb6iZo322KRvc_XMGRM/44606665",
      "token": "TCUKNOXaWluDFa5cmuHgWXnwB3VVUO7hdB8tVvsltds"
    }
  ],
  "combinations": [
    [
      2
    ],
    [
      1
    ],
    [
      0
    ]
  ]
}
Reporting to user: The following errors were reported by the server:

Domain: webdev.mediathekview.de
Type:   connection
Detail: Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4: Timeout

If I run
curl -L http://webdev.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4
I get the content of the file. I created this file manually and got no timeout.
I have checked, and letsencrypt will create the files too.
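The authorization object above is the most useful artefact in this post, because its validationRecord lists every hostname and address the CA actually connected to. As an added example that is not part of the original thread (it is not certbot or Boulder code), the script below parses an authz object of this shape and reports the attempted challenge, its error, the hosts the validation passed through, and any dual-stack hostname the validator reached over IPv4 only. The embedded JSON is a trimmed copy of the authorization pasted above (same hostnames, tokens and addresses); the findings it emits (redirect across hostnames, AAAA record present but unused) are my reading of what a defender would check, not anything the CA reports itself.

```python
"""Triage an ACME (v1-era) authorization object after a failed validation.

Added example for this thread; not code from certbot or Boulder.  The sample
below is a trimmed copy of the authz JSON posted in the thread, kept inline so
the script runs offline."""
import json

SAMPLE_AUTHZ_JSON = r"""
{
  "identifier": {"type": "dns", "value": "webdev.mediathekview.de"},
  "status": "invalid",
  "challenges": [
    {"type": "tls-sni-01", "status": "pending",
     "token": "qiwDRKizC5T3WXea6MxfW7RiMlJANRRgzVD1aFUEdV4"},
    {"type": "http-01", "status": "invalid",
     "error": {"type": "urn:acme:error:connection",
               "detail": "Fetching http://le-auth.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4: Timeout",
               "status": 400},
     "token": "xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
     "validationRecord": [
       {"url": "https://webdev.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
        "hostname": "webdev.mediathekview.de", "port": "443",
        "addressesResolved": ["5.1.76.243"], "addressUsed": "5.1.76.243"},
       {"url": "http://le-auth.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
        "hostname": "le-auth.mediathekview.de", "port": "80",
        "addressesResolved": ["5.1.76.243", "2a00:f820:417::18e6:9ec3"],
        "addressUsed": "5.1.76.243"},
       {"url": "http://webdev.mediathekview.de/.well-known/acme-challenge/xPIc0s1XRqkOG-D8d5gJ5ZV2B8znTggnVeSNo-mamg4",
        "hostname": "webdev.mediathekview.de", "port": "80",
        "addressesResolved": ["5.1.76.243"], "addressUsed": "5.1.76.243"}
     ]},
    {"type": "dns-01", "status": "pending",
     "token": "TCUKNOXaWluDFa5cmuHgWXnwB3VVUO7hdB8tVvsltds"}
  ]
}
"""


def is_ipv6(addr):
    """IPv6 literals contain ':'; IPv4 literals never do."""
    return ":" in (addr or "")


def attempted_challenge(authz):
    """Return the challenge the client answered: the first one not 'pending'."""
    for challenge in authz["challenges"]:
        if challenge["status"] != "pending":
            return challenge
    return None


def triage(authz_json):
    """Parse authz JSON and return a dict summarising what the CA did."""
    authz = json.loads(authz_json)
    challenge = attempted_challenge(authz)
    error = (challenge or {}).get("error", {})
    report = {
        "identifier": authz["identifier"]["value"],
        "status": authz["status"],
        "challenge_type": challenge["type"] if challenge else None,
        "error_type": error.get("type"),
        "error_detail": error.get("detail"),
        "hops": [],               # one entry per validationRecord element
        "hostnames": [],          # distinct hostnames, in recorded order
        "ipv6_unused_hosts": [],  # dual-stack hosts validated over IPv4 only
        "findings": [],
    }
    if challenge is None:
        report["findings"].append("no challenge was attempted yet")
        return report

    for rec in challenge.get("validationRecord", []):
        resolved = rec.get("addressesResolved", [])
        hop = {
            "url": rec["url"],
            "hostname": rec["hostname"],
            "port": rec["port"],
            "address_used": rec.get("addressUsed"),
            "has_ipv6": any(is_ipv6(a) for a in resolved),
        }
        report["hops"].append(hop)
        if hop["hostname"] not in report["hostnames"]:
            report["hostnames"].append(hop["hostname"])
        if (hop["has_ipv6"] and not is_ipv6(hop["address_used"])
                and hop["hostname"] not in report["ipv6_unused_hosts"]):
            report["ipv6_unused_hosts"].append(hop["hostname"])

    if len(report["hostnames"]) > 1:
        report["findings"].append(
            "validation passed through %d hostnames (%s); each of them must "
            "serve the challenge path" % (len(report["hostnames"]),
                                         " -> ".join(report["hostnames"])))
    for host in report["ipv6_unused_hosts"]:
        report["findings"].append(
            "%s has an AAAA record but this validator connected over IPv4; a "
            "validator that prefers IPv6 will use the AAAA address, so the path "
            "must be reachable over both families" % host)
    if report["error_type"] == "urn:acme:error:connection":
        report["findings"].append(
            "connection-class failure: %s" % report["error_detail"])
    return report


if __name__ == "__main__":
    import sys
    # Pass a file containing an authz object, or run with no args for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUTHZ_JSON
    print(json.dumps(triage(text), indent=2))
```

Run on the sample it reports http-01 as the attempted challenge, two hostnames in the record (webdev and le-auth) and le-auth as the host with an unused AAAA address, which is exactly the combination the later replies in this thread turn on.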

<VirtualHost www.pcbovroomshoop-academie.nl:443> (NAME1)
ServerAlias www.pcbovroomshoop-academie.nl (UNNECESSARY ALIAS - SAME NAME)
SSLCertificateFile /etc/letsencrypt/live/www.lerarenacademie.nl/cert.pem (NAME2)
SSLCertificateKeyFile /etc/letsencrypt/live/www.lerarenacademie.nl/privkey.pem (NAME2)

Is that correct?
Does the NAME2 cert also cover NAME1?

Not the same as the error message:

And although both resolve to the same IPs, they may not use the same acme-challenge directory.
Also, both names have IPv6 enabled:
Name: webdav.mediathekview.de
Addresses: 2a00:f820:417::18e6:9ec3
5.1.76.243
Name: le-auth.mediathekview.de
Addresses: 2a00:f820:417::18e6:9ec3
5.1.76.243
Proper consideration must be taken for IPv6 authentications.

Yes, that should be correct; at this moment https://www.pcbovroomshoop-academie.nl works as it should.

I don’t think the server alias is the problem because it is in every vhost I use and did not cause any problem in the past.

PS: thank you for your help so far!!!

They use the same webroot directory because webdev redirects to le-auth. webdev is also just one of several.

What do you mean by that?

Let’s Encrypt will prefer IPv6 over IPv4.
You must ensure IPv6 is fully functional.

No fallback to IPv4?
I have added IPv6 to this subdomain in DNS, and sometimes I get “could not resolve” and sometimes the file content.

root@vps71726:~# curl http://webdev.mediathekview.de/.well-known/acme-challenge/W6Y2gU-JqRfhDakepU_wVoRb42MaXrSGGPmi7u--D_c -L6
test 2
root@vps71726:~# curl http://webdev.mediathekview.de/.well-known/acme-challenge/W6Y2gU-JqRfhDakepU_wVoRb42MaXrSGGPmi7u--D_c -L6
curl: (6) Could not resolve host: webdev.mediathekview.de

It is another server.
And before I added the DNS AAAA entry the log said:
"addressUsed": "5.1.76.243",
so letsencrypt uses IPv4?

le-auth has an AAAA record and nginx is configured to listen on both.

No fallback that I know of.

Can you place a "test.txt" file at:
http://le-auth.mediathekview.de/.well-known/acme-challenge/test.txt
http://webdev.mediathekview.de/.well-known/acme-challenge/test.txt
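The "test.txt" request above shows whether the path is served at all, but an ordinary curl picks one address family and a failure on the other stays hidden, which is the trap the IPv6 remarks in this thread describe. As an added example that is not part of the thread (not certbot code), the script below generalises that check: it resolves A and AAAA records separately, connects to each literal address with the right Host header, does not follow redirects, and classifies the outcome per family. The hostname comes from the command line; the path defaults to the /.well-known/acme-challenge/test.txt path named above; the verdict labels ('ipv6-broken' and so on) are my own naming.

```python
"""Probe an ACME http-01 challenge path over IPv4 and IPv6 separately.

Added example for this thread; not certbot code.  Usage:
    python3 probe_challenge.py HOSTNAME [/path]
Nothing is contacted unless a hostname is passed."""
import http.client
import socket
import sys

DEFAULT_PATH = "/.well-known/acme-challenge/test.txt"


def resolve(host):
    """Resolve A and AAAA records separately via the system resolver."""
    out = {"A": [], "AAAA": []}
    for family, key in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            addr = info[4][0]
            if addr not in out[key]:
                out[key].append(addr)
    return out


def fetch_via(host, addr, path, timeout=10.0):
    """GET <path> from one specific address, sending Host: <host>.

    Connecting to the literal address rather than the name is what makes the
    result family-specific: no client-side fallback can mask a dead AAAA."""
    conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("utf-8", "replace")
    finally:
        conn.close()


def probe(host, path=DEFAULT_PATH, timeout=10.0):
    """Fetch the path from every resolved address; one result dict per address."""
    results = []
    addrs = resolve(host)
    for family in ("A", "AAAA"):
        for addr in addrs[family]:
            result = {"family": family, "address": addr, "ok": False}
            try:
                status, body = fetch_via(host, addr, path, timeout)
                result.update(status=status, ok=(status == 200), body=body.strip())
            except (OSError, http.client.HTTPException) as exc:
                # socket.timeout and ConnectionRefusedError are both OSError
                result["error"] = "%s: %s" % (type(exc).__name__, exc)
            results.append(result)
    return results


def verdict(results):
    """Classify probe results.  Pure function, so it is testable offline.

    'no-addresses': nothing resolved; 'ok': every address answered 200;
    'ipv6-broken': only AAAA addresses failed; 'ipv4-broken': only A
    addresses failed; 'broken': failures in both families."""
    ok_by_family = {}
    for r in results:
        ok_by_family.setdefault(r["family"], []).append(r["ok"])
    if not ok_by_family:
        return "no-addresses"
    failing = sorted(f for f, oks in ok_by_family.items() if not all(oks))
    if not failing:
        return "ok"
    if failing == ["AAAA"]:
        return "ipv6-broken"
    if failing == ["A"]:
        return "ipv4-broken"
    return "broken"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: probe_challenge.py HOSTNAME [PATH]")
    target = sys.argv[1]
    target_path = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_PATH
    outcome = probe(target, target_path)
    for r in outcome:
        detail = "HTTP %s" % r["status"] if "status" in r else r["error"]
        print("%-4s %-40s %s" % (r["family"], r["address"], detail))
    print("verdict:", verdict(outcome))
```

Because the fetch deliberately does not follow redirects, probe every hostname in the chain separately (here both webdev and le-auth), which matches the request above to place test.txt under both names. A result of 'ipv6-broken' means the AAAA address is published but the web server or firewall does not answer on it, the situation a validator that prefers IPv6 would report as a connection timeout.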

OK, the file is created and I can get the content with curl.