Error timeout during connect (likely firewall problem)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ildani.tk

I ran this command: sudo certbot certonly --standalone

It produced this output:
Waiting for verification...
Challenge failed for domain ildani.tk
http-01 challenge for ildani.tk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: ildani.tk
    Type: connection
    Detail: Fetching
    http://ildani.tk/.well-known/acme-challenge/LKcsHnVBELveU1P6wI9Hal86P1ARYvV5jneYCS9UCtI:
    Timeout during connect (likely firewall problem)

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you're using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My web server is (include version): I am using Docker, but on port 80 there is the router's own server, and I can't change it.

The operating system my web server runs on is (include version): Debian 11

My hosting provider, if applicable, is: .tk with Cloudflare

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest

I don't understand. Your domain points to a residential IP address, not to Cloudflare.

It's Fastweb, are you sure you have a public IP? (It doesn't matter if it's static, but it needs to be public.)

Most routers can forward port 80 on the external interface to a machine, if you ask them. Even if their servers are on 80 internal (some will change their port if you forward port 80).

2 Likes

Yes, I have requested it, and it's 93.44.171.181.

What do you mean, points to a residential IP address? I have checked in Cloudflare and it's set up correctly.

I have tried to forward ports 80 and 443, but it doesn't work, not sure why. I am using a different port for my service, 445, and I put the server in the DMZ.

Of course it doesn't, HTTP and HTTPS are different protocols. If you start speaking HTTPS on port 80 most people won't understand anything. (i.e., all your addresses will be https://example.com:80 because you are using a non-default port)

I am not sure Cloudflare likes this.

Ok, you're not using Cloudflare as a CDN, just for DNS. Your website is here: https://ildani.tk:445/

Validation does not work because validation needs port 80. Make your server answer on port 80 or check if the alternatives work for you (port 443, or the dns-01 challenge).

2 Likes
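The replies above say the same thing in different ways: the CA's http-01 validator must reach port 80 on the address the A record points to, and the "Timeout during connect" detail in the original post means it never got a TCP connection at all. The script below is an added example (not code from the thread or from Certbot) that classifies that "IMPORTANT NOTES" block into the checks this thread walks through. Only the timeout message is quoted from the thread; the other patterns (`Connection refused`, `Invalid response from`, `DNS problem`) are other messages the Let's Encrypt validator returns for http-01 and are matched on a best-effort basis. The sample output is constructed from the post, and the optional live probe assumes `curl` is installed and is run from outside the LAN.

```sh
#!/bin/sh
# Added example: triage a failed certbot http-01 run.
# Classify the "Detail:" text certbot printed and print what to check.

# Constructed sample input, copied from the thread's certbot output.
SAMPLE_OUTPUT='Domain: ildani.tk
Type: connection
Detail: Fetching
http://ildani.tk/.well-known/acme-challenge/LKcsHnVBELveU1P6wI9Hal86P1ARYvV5jneYCS9UCtI:
Timeout during connect (likely firewall problem)'

# Read certbot output on stdin, print one failure class on stdout.
classify_acme_failure() {
    input=$(cat)
    case "$input" in
        *"Timeout during connect"*)  echo port80-unreachable ;;        # nothing answers TCP/80 from the internet
        *"Connection refused"*)      echo port80-nothing-listening ;;  # host reachable, no listener on 80
        *"Invalid response from"*)   echo port80-wrong-responder ;;    # something else (e.g. a router page) answers on 80
        *"DNS problem"*)             echo dns ;;                       # A/AAAA record missing or wrong
        *)                           echo unknown ;;
    esac
}

# Map a failure class to the checks discussed in this thread.
triage_hint() {
    case "$1" in
        port80-unreachable)
            echo "Check: A record = your public IP; router forwards 80->80 to this host;"
            echo "       the router itself does not claim port 80. Otherwise use dns-01." ;;
        port80-nothing-listening)
            echo "Check: a server (or certbot --standalone) is listening on port 80 on this host." ;;
        port80-wrong-responder)
            echo "Check: the thing answering on port 80 is your host, not the ISP router's portal." ;;
        dns)
            echo "Check: the domain resolves and the A/AAAA records point at this host." ;;
        *)
            echo "Read the full Detail: line; it names the failing step." ;;
    esac
}

# Optional live probe (needs curl and must run from OUTSIDE your LAN, because
# hairpin NAT can make a forwarded port look open from inside). A 404 from
# your own web server still proves port 80 is reachable; a timeout does not.
probe_port80() {
    curl --max-time 5 -sS -o /dev/null -w '%{http_code}\n' \
        "http://$1/.well-known/acme-challenge/preflight-$(date +%s)" 2>&1
}

# Demo on the constructed sample.
class=$(printf '%s\n' "$SAMPLE_OUTPUT" | classify_acme_failure)
echo "failure class: $class"
triage_hint "$class"
```

Run it as `sudo certbot certonly --standalone 2>&1 | tee certbot.log` and then `classify_acme_failure < certbot.log`; the classification is only as good as the text certbot printed, so always read the `Detail:` line yourself as well.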

Just adding on that certbot does not support TLS-ALPN to use port 443 directly.

3 Likes

The real problem is that port 80 (and also 443) is going to the Fastweb router's settings page. The help desk wasn't able to disable it and release the port. I removed the DMZ and only port-forwarded port 445. Is there another way to create the cert without port 80?

You're hosting your DNS on Cloudflare, so you can use the dns-01 challenge. It's massive overkill, though.

Are you sure you can't forward 80->80 and 443->443?

"latest" means different things to different people.
To me it means... you don't think it has anything to do with the problem - but it might.

2 Likes

DNS-01 authentication challenge.
Which avoids HTTP altogether.
But for that you will need a DNS Service Provider (DSP) that supports DNS zone updates via API.
And also, an ACME client that has a DNS plugin that supports your DSP.

1 Like

Unfortunately yes. Not sure why Fastweb blocked them to the router portal. If I port-forward them to my server it is not working, and the help desk doesn't help.

Yes, right. I don't think it's a certbot issue, but the config of my router.

If the router responds on a port, that port can't be forwarded.
The forwarding request will be ignored.

1 Like

:frowning: so sad

OK, DNS-01 authentication challenge. I don't really think that can work with Fastweb. Can I use Cloudflare?

You can use any DNS that supports DNS updates via API.
You only need to CNAME the _acme-challenge.YOUR-DOMAIN entry.
You can even forward them to your own IP [if your ISP doesn't block TCP/UDP port 53]

1 Like

But at https://crt.sh/?id=6030097872 I can find the cert. Why is it not loading on the website? I'm not sure I understand. Do I have to import it to my server?

That is a public cert [without the matching private key it is useless to try to encrypt & decrypt]
If it was that simple, anyone could get any cert from any site.

Also, that cert was issued by Cloudflare.

What are you trying to do?

1 Like
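The point made above, that a certificate pulled from crt.sh is just the public half and cannot serve HTTPS without the matching private key, is something you can verify mechanically: the public key embedded in the certificate must equal the public key derived from your key file. The script below is an added example (not from the thread) that does that comparison with the `openssl` CLI; it assumes `openssl` is installed and generates throwaway keys and a self-signed certificate locally so it runs offline, standing in for the real certificate and key.

```sh
#!/bin/sh
# Added example: check whether a certificate and a private key belong together.
# Assumes the openssl CLI. All key material below is generated locally for the
# demo; it is not any real site's certificate.

# SHA-256 of the SubjectPublicKeyInfo inside a PEM certificate.
cert_pubkey_fingerprint() {   # $1 = certificate (PEM)
    openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'
}

# SHA-256 of the public key derived from a PEM private key.
key_pubkey_fingerprint() {    # $1 = private key (PEM)
    openssl pkey -in "$1" -pubout | openssl sha256 | awk '{print $NF}'
}

# Exit 0 only if the certificate was issued for this private key.
cert_matches_key() {          # $1 = certificate, $2 = private key
    [ "$(cert_pubkey_fingerprint "$1")" = "$(key_pubkey_fingerprint "$2")" ]
}

# Constructed test material: key A with a self-signed cert, plus an unrelated key B.
# Key B plays the role of "my server's key" when the cert came from somewhere
# else (e.g. downloaded from crt.sh): the public keys will not match.
make_test_material() {        # $1 = writable directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key_a.pem" -out "$1/cert_a.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/key_b.pem" 2>/dev/null
}

# Demo: the cert matches key A but not key B.
if command -v openssl >/dev/null 2>&1; then
    tmp=$(mktemp -d)
    make_test_material "$tmp"
    if cert_matches_key "$tmp/cert_a.pem" "$tmp/key_a.pem"; then
        echo "cert_a.pem + key_a.pem: MATCH (usable for TLS)"
    fi
    if ! cert_matches_key "$tmp/cert_a.pem" "$tmp/key_b.pem"; then
        echo "cert_a.pem + key_b.pem: NO MATCH (public cert without its key is useless)"
    fi
    rm -rf "$tmp"
fi
```

On a real deployment run `cert_matches_key /etc/letsencrypt/live/<domain>/fullchain.pem /etc/letsencrypt/live/<domain>/privkey.pem` (the paths are Certbot's defaults, with `<domain>` as a placeholder); a mismatch explains a server that refuses to start or a browser handshake failure far faster than reading logs.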

Just have a secure HTTPS cert. I was able to set up Nginx Proxy Manager and put a CNAME in Cloudflare, and it's working now. Not sure why it works only with a CNAME and not with the direct A record. Thank you to all that helped me!

1 Like

Yes, you can.

https://certbot-dns-cloudflare.readthedocs.io/en/stable/

Also, if you are using Cloudflare as a CDN, you can get a certificate from their internal certificate authority, which only works for letting the Cloudflare CDN connect upstream.

And check if the Cloudflare CDN is OK with strange port numbers. I assume the free plan isn't.

1 Like
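For the dns-01 route recommended in this thread (the `_acme-challenge` record updated through the DNS provider's API, and the certbot-dns-cloudflare plugin linked just above), the part that most often goes wrong on a home server is the handling of the API credential, not the challenge itself. The script below is an added example, not code from the thread or from the Certbot project: it writes the plugin's credentials file with owner-only permissions and builds the certbot command line without executing it. It assumes the Cloudflare API token is supplied in an environment variable named `CF_API_TOKEN` and that the file lives under `$HOME/.secrets/certbot`; the `dns_cloudflare_api_token` key and the `--dns-cloudflare*` flags are the plugin's documented ones.

```sh
#!/bin/sh
# Added example: prepare a dns-01 run with certbot-dns-cloudflare.
# Assumptions: token in $CF_API_TOKEN; credentials under $HOME/.secrets/certbot.
# Scope the token to "Zone / DNS / Edit" for the one zone you validate, so a
# leaked file cannot touch other records or other zones.

# Write the credentials file so it is never readable by other users, not even
# briefly (umask applies at creation; chmod covers a pre-existing file).
write_cloudflare_credentials() {   # $1 = file path, $2 = API token
    dir=$(dirname "$1")
    mkdir -p "$dir"
    chmod 700 "$dir"
    ( umask 077 && printf 'dns_cloudflare_api_token = %s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Build (do not run) the certbot command. Returned on stdout so it can be
# reviewed, logged, or fed to a dry run before anything touches DNS.
# --dns-cloudflare-propagation-seconds gives the validator time to see the new
# TXT record; 60 is a conservative value for a home setup.
build_certbot_dns01_cmd() {        # $1 = domain, $2 = credentials path
    printf 'certbot certonly --dns-cloudflare --dns-cloudflare-credentials %s --dns-cloudflare-propagation-seconds 60 -d %s\n' \
        "$2" "$1"
}

# Octal permission bits of a file (GNU stat first, BSD/macOS stat as fallback).
file_mode() {                      # $1 = path
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo: only runs when a token is actually provided.
if [ -n "${CF_API_TOKEN:-}" ]; then
    creds="$HOME/.secrets/certbot/cloudflare.ini"
    write_cloudflare_credentials "$creds" "$CF_API_TOKEN"
    echo "credentials written with mode $(file_mode "$creds")"
    echo "next step:"
    build_certbot_dns01_cmd "ildani.tk" "$creds"
fi
```

Append `--dry-run` to the printed command the first time: it exercises the API token and the TXT-record update against the staging CA without consuming rate limits. Because the validation happens in DNS, neither port 80 nor 443 has to be reachable from the internet, which is exactly what the router in this thread was preventing.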

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.