ConnectTimeout when registering certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: wpd.dev.skolla.online

I ran this command:
sudo certbot --nginx --domain wpd.dev.skolla.online

It produced this output:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f5a46d18a90>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))

My web server is (include version): Nginx 1.16.1-1

The operating system my web server runs on is (include version): CentOS 7.7

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.31.0

Hi @yazid, and welcome to the LE community forum :slight_smile:

Please show the outputs of:
curl -4Ii https://acme-v02.api.letsencrypt.org/
curl -4Ii https://www.google.com/

2 Likes

[Screenshot: curl_letsencrypt]
No response when curl letsencrypt

[Screenshot: curl_google]

Your IP might be blocked.
Please show the output of:
curl -4 ifconfig.co

2 Likes

[Screenshot: curl_ifconfig]
[admskl@sites ~]$ curl -4 ifconfig.co
8.215.24.16

Can you show the results of this:

curl -4v https://acme-v02.api.letsencrypt.org/directory

And, if you can, please just copy/paste the curl output from your terminal to this thread. Much easier for us to read and work with.

3 Likes

[admskl@sites ~]$ curl -4v https://acme-v02.api.letsencrypt.org/directory

I might be wrong but that looks more like a routing problem than an IP block. Do you have any firewall that might block outbound requests to the letsencrypt IP?

Could you show the result of this:

sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
3 Likes

[admskl@sites ~]$ sudo traceroute -T -p 443 acme-v02.api.letsencrypt.org
traceroute to acme-v02.api.letsencrypt.org (172.65.32.248), 30 hops max, 60 byte packets
1 10.92.227.62 (10.92.227.62) 0.361 ms * *
2 * * *
3 11.58.185.65 (11.58.185.65) 24.461 ms 11.58.185.73 (11.58.185.73) 0.818 ms 0.902 ms
4 10.54.148.70 (10.54.148.70) 1.463 ms 10.54.148.74 (10.54.148.74) 0.907 ms 10.54.148.82 (10.54.148.82) 1.592 ms
5 cloudflare-as13335.iix.net.id (103.28.75.135) 4.284 ms 4.282 ms 4.295 ms
6 172.65.32.248 (172.65.32.248) 1.976 ms * 1.901 ms

We have 2 other domains registered with Let's Encrypt SSL certificates on this server.

Just to be sure ... those other domains are on this same server IP?

I see several names with certs issued Oct 4. Are these some of the same names? (see crt.sh history)

Has your IP changed since Oct4? Any other network gear changed since then?

Also, your first post says nginx v 1.16.1-1

But, when I try below I see nginx 1.20.1. Was that just a typo?

curl -IL  wpd.dev.skolla.online
HTTP/1.1 302 Found
Server: nginx/1.20.1
Date: Fri, 21 Oct 2022 16:50:26 GMT
X-Powered-By: PHP/7.4.28
X-Redirect-By: WordPress
Location: http://wpd.dev.skolla.online/wp-admin/install.php
3 Likes

Sorry for the nginx version, a typo in my first post. It should be 1.20.1

Some other domains on the same server are:
mading.skolla.online
sekolahmetaverse.com

We haven't changed our public IP; it is still the same IP from before Oct 4 until now.

@lestaff Can you please check this for any kind of block?

It is not the usual symptom of that but an odd pattern of results. Would be helpful to rule out an IP block. Thanks

3 Likes

https://letsdebug.net/ HTTP-01 Challenge passes

Might the redirect be a problem here? A response of 302.

1 Like

[admskl@sites ~]$ curl -4v https://acme-v02.api.letsencrypt.org/directory

> GET /directory HTTP/1.1
> User-Agent: curl/7.29.0
> Host: acme-v02.api.letsencrypt.org
> Accept: */*

< HTTP/1.1 200 OK
< Server: nginx
< Date: Fri, 21 Oct 2022 17:20:01 GMT
< Content-Type: application/json
< Content-Length: 659
< Connection: keep-alive
< Cache-Control: public, max-age=0, no-cache
< X-Frame-Options: DENY
< Strict-Transport-Security: max-age=604800
<
{
"WYqpgoRvdrM": "Adding random entries to the directory",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"

[admskl@sites ~]$ sudo certbot --nginx --domain wpd.dev.skolla.online
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
requests.exceptions.ConnectTimeout: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ConnectTimeoutError(<urllib3.connection.HTTPSConnection object at 0x7f9e59b66a60>, 'Connection to acme-v02.api.letsencrypt.org timed out. (connect timeout=45)'))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

I still get the ConnectTimeout message.

MTU size?

Perhaps certbot isn't using curl ... ?

2 Likes

2 hours ago, the response to the command
"curl -4v https://acme-v02.api.letsencrypt.org/directory"

stopped at
"Trying 172.65.32.248..."

1 Like

And now?
[transient problem?]

3 Likes

Responses from executing the command
"curl -4v https://acme-v02.api.letsencrypt.org/directory"

Oct 21, 11:08 PM
Stopped on "Trying 172.65.32.248..."

Oct 22, 12:20 AM
Finished executing the command

Now
Stopped on "Trying 172.65.32.248..."

1 Like
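
The manual timeline in the last post (hang, success, hang) can be collected automatically. The following is an added example, not part of the thread or of Certbot: it repeats an IPv4-only TCP connect to the ACME endpoint, logs each attempt with a timestamp, and summarises the pattern. The function names, outcome labels and default intervals are this example's own assumptions.

```python
import socket
import time
from datetime import datetime, timezone

HOST, PORT = "acme-v02.api.letsencrypt.org", 443  # endpoint from the thread

def tcp_probe(host=HOST, port=PORT, timeout=10.0):
    """One IPv4-only TCP connect (like curl -4); returns (outcome, seconds)."""
    start = time.monotonic()
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "dns_error", time.monotonic() - start
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        outcome = "ok"
    except socket.timeout:
        outcome = "timeout"   # handshake never completed: curl sits at "Trying ..."
    except ConnectionRefusedError:
        outcome = "refused"
    except OSError:
        outcome = "unreachable"
    finally:
        sock.close()
    return outcome, time.monotonic() - start

def classify(outcomes):
    """Summarise a series of probe outcomes (labels are this example's own)."""
    if not outcomes:
        return "no_data"
    good = sum(1 for o in outcomes if o == "ok")
    if good == len(outcomes):
        return "reachable"
    return "never_reachable" if good == 0 else "intermittent"

def watch(count=30, interval=60.0):
    """Probe repeatedly, print a timestamped log, return the classification."""
    seen = []
    for i in range(count):
        outcome, secs = tcp_probe()
        stamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
        print(f"{stamp} {HOST}:{PORT} {outcome} {secs:.2f}s")
        seen.append(outcome)
        if i < count - 1:
            time.sleep(interval)
    return classify(seen)

if __name__ == "__main__":
    print("summary:", watch())
```

Run from the affected server, the timestamped lines can be pasted into the thread as text and compared against firewall or provider logs for the same minutes.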