DigitalOcean Droplet Certbot - Timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: archie.info

I ran this command: certbot certonly --force-renewal -d archie.info

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?


1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for archie.info
Waiting for verification...
Challenge failed for domain archie.info
http-01 challenge for archie.info
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: archie.info
    Type: connection
    Detail: 146.190.0.227: Fetching
    http://archie.info/.well-known/acme-challenge/Oy0xCwjSxtIh7V6i_Mpq7Nrned3Tx0J7MZm4-Pv7Qs8:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version):

The operating system my web server runs on is (include version):
Ubuntu 20.04 (LTS) x64

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.0

I made sure nothing is running on port 80. I ran the command and selected option 1 to spin up a temporary webserver. It sounds like it's not connecting for some reason.
I have these DNS types set up. It seems to work if I run a dockerized nginx on localhost and I go to the domain.
CNAME www.archie.info
A archie.info directs to 146.190.0.227
NS ns1.digitalocean.com. to ns3

Welcome to the community @archie824

First, --force-renewal won't fix problems. It often causes Rate Limit problems so you should not use that.

For better debugging of stand-alone you should try this:

certbot certonly --standalone -d archie.info --debug-challenge -v

It will show you the URL that will be requested by the Let's Encrypt server, and it will pause so you can try the URL yourself. Just make sure to try it from the public internet.

2 Likes

root@archieinfo-main-ubuntu:/archieinfo# sudo certbot certonly --standalone -d archie.info --debug-challenge -v
Root logging level set at 10
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator standalone and installer None
Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x7f8e0cf116a0>
Prep: True
Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x7f8e0cf116a0> and installer None
Plugins selected: Authenticator standalone, Installer None
Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/550238166', new_authzr_uri=None, terms_of_service=None), 0c82c17d39cd55fc228a80fddc47d21d, Meta(creation_dt=datetime.datetime(2022, 5, 19, 6, 33, 48, tzinfo=), creation_host='archieinfo-main-ubuntu'))>
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:11:23 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert",
"tLh42eOu2G8": "Adding random entries to the directory"
}
Obtaining a new certificate
Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem
Requesting fresh nonce
Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:11:24 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0102mUmTk-fe4oReD6MH4bnaZ-kqC0EDRsgUHrYdGhjoPQU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

Storing nonce: 0102mUmTk-fe4oReD6MH4bnaZ-kqC0EDRsgUHrYdGhjoPQU
JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "archie.info"\n }\n ]\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 335
Received response:
HTTP 201
Server: nginx
Date: Thu, 19 May 2022 19:11:24 GMT
Content-Type: application/json
Content-Length: 335
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/550238166/90121769246
Replay-Nonce: 0102OPofwyWdx0kzL5uY9CYMdFrns5HCqmGO4YYMYVPG7-w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"status": "pending",
"expires": "2022-05-26T19:11:24Z",
"identifiers": [
{
"type": "dns",
"value": "archie.info"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/550238166/90121769246"
}
Storing nonce: 0102OPofwyWdx0kzL5uY9CYMdFrns5HCqmGO4YYMYVPG7-w
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/110402200676 HTTP/1.1" 200 795
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:11:24 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101zLjxeuwTM-0CSRDk1bL4Mlmkm0WhHIyI9MqbuCULrf0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "archie.info"
},
"status": "pending",
"expires": "2022-05-26T19:11:24Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/fbJjPg",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/gNYdNw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
}
]
}
Storing nonce: 0101zLjxeuwTM-0CSRDk1bL4Mlmkm0WhHIyI9MqbuCULrf0
Performing the following challenges:
http-01 challenge for archie.info
Successfully bound to :80 using IPv6
Certbot wasn't able to bind to :80 using IPv4, this is often expected due to the dual stack nature of IPv6 socket implementations.
Waiting for verification...


Challenges loaded. Press continue to submit to CA. Pass "-v" for more info about
challenges.


Press Enter to Continue

JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/110402200676/srf6zw HTTP/1.1" 200 187
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:12:16 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw
Replay-Nonce: 0102Aj0FqRoUbMfUWsKLnFJDFRFTUyYvufY4bGmAot75Mos
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
}
Storing nonce: 0102Aj0FqRoUbMfUWsKLnFJDFRFTUyYvufY4bGmAot75Mos
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/110402200676 HTTP/1.1" 200 795
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:12:17 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0102HzKoEpV-7lnpDFf7PQIDUMzJv46fkiV1dwtP9SeulfQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "archie.info"
},
"status": "pending",
"expires": "2022-05-26T19:11:24Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/fbJjPg",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/gNYdNw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
}
]
}
Storing nonce: 0102HzKoEpV-7lnpDFf7PQIDUMzJv46fkiV1dwtP9SeulfQ
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/110402200676 HTTP/1.1" 200 795
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:12:20 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0102kXyiBQK-zqFLG2fCNpE1s5YSrVoVkKNcE-wf6Y_vkpQ
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "archie.info"
},
"status": "pending",
"expires": "2022-05-26T19:11:24Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/fbJjPg",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/gNYdNw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
}
]
}
Storing nonce: 0102kXyiBQK-zqFLG2fCNpE1s5YSrVoVkKNcE-wf6Y_vkpQ
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/110402200676 HTTP/1.1" 200 795
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:12:23 GMT
Content-Type: application/json
Content-Length: 795
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101Cdg26rBNFgCWWOpt7DbM4q4GcfQYb-SpfaDXK8CA2vM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "archie.info"
},
"status": "pending",
"expires": "2022-05-26T19:11:24Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/fbJjPg",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/gNYdNw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY"
}
]
}
Storing nonce: 0101Cdg26rBNFgCWWOpt7DbM4q4GcfQYb-SpfaDXK8CA2vM
JWS payload:
b''
Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/110402200676:
https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/110402200676 HTTP/1.1" 200 1042
Received response:
HTTP 200
Server: nginx
Date: Thu, 19 May 2022 19:12:27 GMT
Content-Type: application/json
Content-Length: 1042
Connection: keep-alive
Boulder-Requester: 550238166
Cache-Control: public, max-age=0, no-cache
Link: https://acme-v02.api.letsencrypt.org/directory;rel="index"
Replay-Nonce: 0101N7_CjAFHZdvlPCe6VQW58zBxFqzSqSm7k_JXXMSp_UI
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
"identifier": {
"type": "dns",
"value": "archie.info"
},
"status": "invalid",
"expires": "2022-05-26T19:11:24Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "146.190.0.227: Fetching http://archie.info/.well-known/acme-challenge/UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY: Timeout during connect (likely firewall problem)",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/110402200676/srf6zw",
"token": "UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY",
"validationRecord": [
{
"url": "http://archie.info/.well-known/acme-challenge/UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY",
"hostname": "archie.info",
"port": "80",
"addressesResolved": [
"146.190.0.227"
],
"addressUsed": "146.190.0.227"
}
],
"validated": "2022-05-19T19:12:16Z"
}
]
}
Storing nonce: 0101N7_CjAFHZdvlPCe6VQW58zBxFqzSqSm7k_JXXMSp_UI
Challenge failed for domain archie.info
http-01 challenge for archie.info
Reporting to user: The following errors were reported by the server:

Domain: archie.info
Type: connection
Detail: 146.190.0.227: Fetching http://archie.info/.well-known/acme-challenge/UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Calling registered functions
Cleaning up challenges
Stopping server at :::80...
Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: archie.info
    Type: connection
    Detail: 146.190.0.227: Fetching
    http://archie.info/.well-known/acme-challenge/UxvLVIjj3oK3VnjvI-Udavk_X6OP2y-IvXSMo58Q1eY:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

I feel like this might be a DNS issue?
Just tried adding IPv6 to AAAA and still same error.

Oh, sorry, that debug method is only available on current versions of certbot. I just saw you are on 0.40. Ubuntu 20 supports the snap install so you should probably install that. Instructions to install are here

Is there a reason you need standalone authentication?

And, you should only use AAAA if you have a working IPv6 system. What happens with this?

curl -6 ifconfig.co

Does that match what you just added as AAAA record?

3 Likes

I figured out the issue. sudo ufw disable
I forgot I had set that earlier when I was setting up. Thanks for your help Mike!

2 Likes
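
The thread ends with ufw switched off entirely. A narrower check is whether the ruleset admits inbound TCP 80, the port the http-01 validation record above shows the CA connecting to. The following is an added example, not code from the thread, Certbot or ufw: the function name `ufw_port_state` and both sample outputs are constructed, only IPv4 rules from `Anywhere` are considered, and the incoming default is assumed to be deny unless `ufw status verbose` output says otherwise.

```shell
#!/usr/bin/env bash
# Added example: classify a TCP port from `ufw status` text as
# "inactive" (ufw is not filtering), "open" or "blocked".
# Real use: ufw_port_state 80 "$(sudo ufw status verbose)"

# Constructed sample: only SSH is allowed, so http-01 on port 80 times out.
UFW_BLOCKING='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

# Constructed sample in `ufw status verbose` form, after `ufw allow 80,443/tcp`.
UFW_OPEN='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80,443/tcp                 ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

ufw_port_state() {
  port=$1
  printf '%s\n' "$2" | awk -v port="$port" '
    # True when a "To" field such as 80/tcp, 80,443/tcp or 8000:8100/tcp
    # covers the requested port.
    function covers(spec,   n, parts, i, r) {
      sub(/\/tcp$/, "", spec)
      n = split(spec, parts, ",")
      for (i = 1; i <= n; i++) {
        if (split(parts[i], r, ":") == 2) {
          if (port + 0 >= r[1] + 0 && port + 0 <= r[2] + 0) return 1
        } else if (parts[i] == port) return 1
      }
      return 0
    }
    /^Status: active/ { active = 1; next }
    /^Default: allow \(incoming\)/ { fallback = "open"; next }
    # Ignore everything when ufw is inactive; skip IPv6 and UDP rules.
    !active || /\(v6\)/ || $1 ~ /\/udp$/ { next }
    # ufw evaluates rules in order, so the first matching rule decides.
    $1 ~ /^[0-9]/ && $2 ~ /^(ALLOW|LIMIT|DENY|REJECT)$/ {
      from = ($3 == "IN") ? $4 : $3
      if ($3 == "OUT" || from != "Anywhere" || !covers($1)) next
      verdict = ($2 == "ALLOW" || $2 == "LIMIT") ? "open" : "blocked"
      print verdict
      decided = 1
      exit
    }
    END {
      if (decided) exit
      if (!active) { print "inactive"; exit }
      # No rule matched: fall back to the incoming default policy
      # (assumed deny when the verbose Default: line is absent).
      print (fallback != "") ? fallback : "blocked"
    }'
}

# Stand-alone demonstration on the constructed samples.
for sample in UFW_BLOCKING UFW_OPEN; do
  echo "$sample: port 80 is $(ufw_port_state 80 "${!sample}")"
done
```

When the result is `blocked`, `sudo ufw allow 80/tcp` opens only the port the validation needs and leaves the rest of the ruleset in force. Rules written as application profiles (for example a profile name in the `To` column) are not resolved by this check.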
