Failed renew, firewall issue

KrisAU · October 10, 2020, 8:21pm

Hi All,

this was working for some time,but recently has started to fail for domain chilcote.marlinpropertydevelopment.com. Firewall is verified as open, im not sure why its saying it cant connect as NGINX is actually running. Any pointers? Thank yo!

Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chilcote.marlinpropertydevelopment.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (chilcote.marlinpropertydevelopment.com) from /etc/letsencrypt/renewal/chilcote.marlinpropertydevelopment.co m.conf produced an unexpected error: Failed authorization procedure. chilcote.marlinpropertydevelopment.com (http-01): urn:ietf:param s:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://chilcote.marlinproperty development.com/.well-known/acme-challenge/xSQ801yktoanmvC4R66yRD3ghB1dAX3YXxV-liOwV7A: Timeout during connect (likely firewall probl em). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure)

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure)
DRY RUN: simulating 'certbot renew' close to cert expiry
(The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

The following errors were reported by the server:

Domain: chilcote.marlinpropertydevelopment.com
Type: connection
Detail: Fetching
http://chilcote.marlinpropertydevelopment.com/.well-known/acme-challenge/xSQ801yktoanmvC4R66yRD3ghB1dAX3YXxV-liOwV7A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.

Blockquote

_az · October 10, 2020, 8:40pm

I can't connect to your IP (180.150.42.98) on any port either.

There's plenty of other hosts with port 80 open in your /24, so I would conclude that the problem lies with either the port forwarding setup on your modem/router, or on the Linux server itself.

KrisAU · October 10, 2020, 8:48pm

Odd. If i check 80 and 443 using an online port scan it shows open?

dk_means · October 10, 2020, 8:52pm

Your site appears down from here, too. To avoid getting fooled by where you run a scan, I recommend this site: https://downforeveryoneorjustme.com

It is likely that, somewhere between your server and the outside world, something is blocking inbound packets for ports 80 and 443.

_az · October 10, 2020, 8:54pm

Not for me!

# masscan -p80 180.150.42.0/24

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2020-10-10 20:53:34 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 180.150.42.2
Discovered open port 80/tcp on 180.150.42.121
Discovered open port 80/tcp on 180.150.42.227
Discovered open port 80/tcp on 180.150.42.213
Discovered open port 80/tcp on 180.150.42.94
Discovered open port 80/tcp on 180.150.42.63
Discovered open port 80/tcp on 180.150.42.178
Discovered open port 80/tcp on 180.150.42.122
Discovered open port 80/tcp on 180.150.42.31
Discovered open port 80/tcp on 180.150.42.192
Discovered open port 80/tcp on 180.150.42.220
Discovered open port 80/tcp on 180.150.42.248
Discovered open port 80/tcp on 180.150.42.237
Discovered open port 80/tcp on 180.150.42.244
Discovered open port 80/tcp on 180.150.42.169

KrisAU · October 10, 2020, 8:55pm

Very strange - Im connected to it using RDP for example, which is in the same firewall policy as HTTP and HTTPS.

OK very very odd. thanks guys ill get onto it!

KrisAU · October 10, 2020, 11:25pm

Turns out the site moved to a new ISP who are blocking globally for their customers HTTP!! grrrr

_az · October 10, 2020, 11:27pm

~~Aussie BB definitely don't block port 80 (unless you're on CGNAT, but this IP isn't). Unless you mean they haven't updated their domain to the new IP address yet.~~

See below.

KrisAU · October 10, 2020, 11:47pm

Apparently they do on whirlpool forums. The firewall is open, so thats the only thing it can be! Yes, not on CGNAT.

It cant be anything else. Just a telstra modem which has the port forwarding rules open, one is RDP and that works without fault (because I use it to connect in to the certbot renew) , the other is a 80 and 443 rule which are forwarded to the server in question.

_az · October 11, 2020, 1:03am

Edit: looks like I was wrong: https://www.aussiebroadband.com.au/help-centre/nbn/tech-support/port-blocking/

but apparently you can ask them to remove the port blocking.

KrisAU · October 11, 2020, 6:13am

Yep! Which is exactly I've asked all good, thanks _az!!

system · November 10, 2020, 6:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Failed renew, firewall issue

All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure) ** DRY RUN: simulating 'certbot renew' close to cert expiry ** (The test certificates above have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure)
DRY RUN: simulating 'certbot renew' close to cert expiry
(The test certificates above have not been saved.)