Failed to create a certificate: Timeout error

My domain is: staging-api-batiment.wamland.com

I ran this command:

certbot certonly --webroot --webroot-path=/home/rails/rails_project/public -d staging-api-batiment.wamland.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for staging-api-batiment.wamland.com
Using the webroot path /home/rails/rails_project/public for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /home/rails/rails_project/public/.well-known/acme-challenge
Failed authorization procedure. staging-api-batiment.wamland.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://staging-api-batiment.wamland.com/.well-known/acme-challenge/iUyK682qcwpQSr6UUMZpA9YV2UwEZhR50cSALbPMMg4: Timeout

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: staging-api-batiment.wamland.com
   Type:   connection
   Detail: Fetching
   http://staging-api-batiment.wamland.com/.well-known/acme-challenge/iUyK682qcwpQSr6UUMZpA9YV2UwEZhR50cSALbPMMg4:
   Timeout

The web server runs on: nginx version: nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu server 14.04

My hosting provider, if applicable, is: Digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes. However, I’m using a user account with sudo grant.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

A few months ago, I didn’t have any problem setting up Let’s Encrypt on my Digitalocean servers. In fact, several servers already have SSL protocol in place. However, recently I’m not able at all to make it work. I’ve checked that I can have access from the browser to http://staging-api-batiment.wamland.com/.well-known/acme-challenge/test.html and it does work.

Also, I’ve been investigating the IPv6 problem and my domain does not appear to have any AAAA record:

dig staging-api-batiment.wamland.com A +short
==> Output: 128.199.22x.xxx
dig staging-api-batiment.wamland.com AAAA +short
==> Output: Nothing

Is there someone having a similar issue and knows how to fix it?

It looks like certbot is running into issues with that directory:

Unable to clean up challenge directory /home/rails/rails_project/public/.well-known/acme-challenge

Perhaps check permissions on your webroot or run certbot under sudo?

Thanks for your answer. I checked the permissions and everything is ok, and permissions are set for the same user as the one I use to run the script. Is running this as sudo considered a best practice? I wanted to avoid it because I thought it may block me from using it if my user cannot access some part of the server that root can. What do you think?

Certbot probably only has write permissions inside the directory but wants to delete it. This is harmless and won’t cause a timeout. It would have complained earlier if it couldn’t write the verification file it needed to. :grinning:

I cannot connect to staging-api-batiment.wamland.com on either HTTP or HTTPS and get a timeout too, so your connectivity issues are not limited to Let’s Encrypt’s infrastructure. You’ll need to sort out why some of us can’t connect to your domain in order to issue a certificate.

@Patches The server was behind a firewall, that’s why you could not connect (I enabled the access if you want to try). As for the permissions, should I enable full access chmod -R 777 on public while setting up certbot and then restore original permissions later on?

The firewall is your problem. To use http-01 webroot verification your server must be publicly available from the internet. Try again while it is publicly accessible and it should succeed.

If you want certificates for private servers, consider using dns-01 verification. This doesn’t require your web server to be publicly accessible but is more complicated to set up. (You either need to manually add a TXT record to DNS or preferably use your DNS provider’s API.)
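A pre-flight check for the http-01 failure mode discussed in this thread, added here as an example and not part of the original posts or of certbot: it fetches a token from the `/.well-known/acme-challenge/` path over plain HTTP on port 80, exactly as the validator does, and maps the outcome to a likely cause (timeout means dropped packets, i.e. firewall; 404 means the webroot path is wrong; 200 means the path is served). The domain and token names are placeholders, and it must be run from a host outside the firewall, since from the server itself the firewall is invisible.

```python
import socket
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

CHALLENGE_PATH = "/.well-known/acme-challenge/"


@dataclass
class ProbeResult:
    status: Optional[int]  # HTTP status code, or None when no response arrived
    error: Optional[str]   # "timeout", "refused", "dns", other text, or None


def probe(domain: str, token: str, timeout: float = 10.0) -> ProbeResult:
    """Fetch http://<domain>/.well-known/acme-challenge/<token> like the http-01 validator."""
    url = f"http://{domain}{CHALLENGE_PATH}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, None)
    except urllib.error.HTTPError as exc:          # got a response, just not 2xx
        return ProbeResult(exc.code, None)
    except urllib.error.URLError as exc:           # connection never completed
        reason = exc.reason
        if isinstance(reason, socket.timeout):
            return ProbeResult(None, "timeout")
        if isinstance(reason, ConnectionRefusedError):
            return ProbeResult(None, "refused")
        if isinstance(reason, socket.gaierror):
            return ProbeResult(None, "dns")
        return ProbeResult(None, str(reason))
    except socket.timeout:                         # connected, but the read timed out
        return ProbeResult(None, "timeout")


def diagnose(result: ProbeResult) -> str:
    """Translate a probe outcome into the most likely cause of a failed http-01 check."""
    if result.error == "timeout":
        return "firewall"      # packets dropped: firewall or cloud security group blocking port 80
    if result.error == "refused":
        return "no-listener"   # host reachable, but nothing listening on port 80
    if result.error == "dns":
        return "dns"           # name does not resolve from this vantage point
    if result.status == 200:
        return "ok"            # path is served; validation from this vantage point would pass
    if result.status == 404:
        return "webroot"       # nginx answers, but --webroot-path or a rewrite hides the file
    return "other"             # e.g. 403 (permissions) or a redirect loop; inspect manually


if __name__ == "__main__":
    # Placeholder domain and token (constructed): drop a file with this name into the webroot first.
    print(diagnose(probe("example.test", "preflight-check-token")))
```

Let's Encrypt validates from several vantage points, so a clean result from one probe is necessary but not sufficient; a timeout from any external host, as seen in this thread, is enough to explain the error.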
