Failed renew, firewall issue

Hi All,

This was working for some time, but recently it has started to fail for domain chilcote.marlinpropertydevelopment.com. Firewall is verified as open; I'm not sure why it's saying it can't connect, as NGINX is actually running. Any pointers? Thank you!


Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for chilcote.marlinpropertydevelopment.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (chilcote.marlinpropertydevelopment.com) from /etc/letsencrypt/renewal/chilcote.marlinpropertydevelopment.com.conf produced an unexpected error: Failed authorization procedure. chilcote.marlinpropertydevelopment.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://chilcote.marlinpropertydevelopment.com/.well-known/acme-challenge/xSQ801yktoanmvC4R66yRD3ghB1dAX3YXxV-liOwV7A: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure)


** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/chilcote.marlinpropertydevelopment.com/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

I can't connect to your IP (180.150.42.98) on any port either.

There are plenty of other hosts with port 80 open in your /24, so I would conclude that the problem lies with either the port forwarding setup on your modem/router, or on the Linux server itself.

Odd. If I check 80 and 443 using an online port scan, it shows open?

Your site appears down from here, too. To avoid getting fooled by where you run a scan, I recommend this site: https://downforeveryoneorjustme.com

It is likely that, somewhere between your server and the outside world, something is blocking inbound packets for ports 80 and 443.

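As an added example (not code from this thread or from certbot), here is a small Python check that repeats the three steps the CA performs for http-01: resolve the name, open TCP to port 80, and GET the token URL. It reports the first step that fails, so a "Timeout during connect" (filtered somewhere on the path, as in the log above) can be told apart from "connection refused" (nothing listening) and from a 200 or 404 served by the wrong host. The loopback webroot server, the account thumbprint and the 127.0.0.1 target are constructed stand-ins; on a real server you would pass the public hostname and run it from outside the LAN.

```python
import http.server, socket, tempfile, threading
from functools import partial
from http.client import HTTPConnection
from pathlib import Path
from urllib.parse import quote
CHALLENGE_PATH = "/.well-known/acme-challenge/"

def probe_http01(host, token, key_auth, port=80, timeout=5.0):  # -> (stage, detail)
    try:
        addrs = {a[4][0] for a in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}
    except socket.gaierror as exc:
        return ("dns", f"cannot resolve {host}: {exc}")
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except socket.timeout:  # SYN never answered: filtered on the path (firewall, NAT rule, ISP)
        return ("tcp", f"timeout connecting to {addrs} port {port}: likely firewall problem")
    except OSError as exc:  # e.g. ConnectionRefusedError: host reachable, nothing listening
        return ("tcp", f"connect to {addrs} port {port} failed: {exc}")
    try:
        conn = HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH + quote(token))
        resp = conn.getresponse()
        status, body = resp.status, resp.read().decode("utf-8", "replace").strip()
        conn.close()
    except OSError as exc:  # accepted the connection but never answered the request
        return ("http", f"request failed: {exc}")
    if status != 200:
        return ("http", f"HTTP {status} for the challenge URL, expected 200")
    if body != key_auth:
        return ("http", "HTTP 200 but wrong body: another host or vhost answered")
    return ("ok", f"challenge served from {addrs} port {port}")

def serve_webroot(token, key_auth):  # constructed stand-in for nginx on a loopback port
    path = Path(tempfile.mkdtemp()) / CHALLENGE_PATH.lstrip("/") / token
    path.parent.mkdir(parents=True)
    path.write_text(key_auth)  # the token file the authenticator drops in the webroot
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=str(path.parents[2]))
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv

def demo():  # the three outcomes a renewal can hit; returns their stages
    token = "xSQ801yktoanmvC4R66yRD3ghB1dAX3YXxV-liOwV7A"  # token from the log above
    key_auth = token + ".constructed-account-thumbprint"
    port, srv = serve_webroot(token, key_auth)
    ok = probe_http01("127.0.0.1", token, key_auth, port=port)
    wrong = probe_http01("127.0.0.1", "some-other-token", "", port=port)
    srv.shutdown(); srv.server_close()  # listener gone: connect is now refused
    refused = probe_http01("127.0.0.1", token, key_auth, port=port)
    return ok[0], wrong[0], refused[0]
```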

Not for me!

# masscan -p80 180.150.42.0/24

Starting masscan 1.0.3 (http://bit.ly/14GZzcT) at 2020-10-10 20:53:34 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 256 hosts [1 port/host]
Discovered open port 80/tcp on 180.150.42.2
Discovered open port 80/tcp on 180.150.42.121
Discovered open port 80/tcp on 180.150.42.227
Discovered open port 80/tcp on 180.150.42.213
Discovered open port 80/tcp on 180.150.42.94
Discovered open port 80/tcp on 180.150.42.63
Discovered open port 80/tcp on 180.150.42.178
Discovered open port 80/tcp on 180.150.42.122
Discovered open port 80/tcp on 180.150.42.31
Discovered open port 80/tcp on 180.150.42.192
Discovered open port 80/tcp on 180.150.42.220
Discovered open port 80/tcp on 180.150.42.248
Discovered open port 80/tcp on 180.150.42.237
Discovered open port 80/tcp on 180.150.42.244
Discovered open port 80/tcp on 180.150.42.169

Very strange. I'm connected to it using RDP, for example, which is in the same firewall policy as HTTP and HTTPS.

OK, very very odd. Thanks guys, I'll get onto it!

Turns out the site moved to a new ISP who are blocking HTTP globally for their customers!! grrrr

Aussie BB definitely don't block port 80 (unless you're on CGNAT, but this IP isn't). Unless you mean they haven't updated their domain to the new IP address yet.

See below.

Apparently they do, according to the Whirlpool forums. The firewall is open, so that's the only thing it can be! Yes, not on CGNAT.

It can't be anything else. Just a Telstra modem which has the port forwarding rules open: one is RDP, and that works without fault (because I use it to connect in to the certbot renew); the other is an 80 and 443 rule which are forwarded to the server in question.

Edit: looks like I was wrong: https://www.aussiebroadband.com.au/help-centre/nbn/tech-support/port-blocking/

But apparently you can ask them to remove the port blocking.

Yep! Which is exactly what I've asked. All good, thanks _az!!